Backport Fail2Ban IPv6 Support to Plesk Onyx 17.x
As of now, feature with 178 votes is available in Plesk Onyx 17.9 Preview only: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/17924536-fail2ban-now-supports-ipv6-please-upgrade
It would be awesome to have this feature available on earlier versions of Plesk Onyx without the necessity to wait until Plesk Onyx 17.9 becomes stable.
We don’t plan to backport this feature, but if the demand is really high, we’ll consider it.
Martin Dias commented
@PB, as far as I know HostEurope does allow OS Upgrades only over changing the machine, I had a server there, and they gave me a 2nd one for free for some time to migrate.
Also, if they update it in 17.8 u still will not get the update as the OS is not supported anymore.
So the best solution is to migrate to a newer Ubuntu and whitelist the new IP again (better even on a dedicated server or not openvZ/virtuozzo server so that you can upgrade without issues)
Ubuntu 14 is a big security trap as there are no OS nor Plesk updates anymore
please add FAIL2BAN IPv6 support for Plesk Onyx 17.8.11 - I am stuck with Ubuntu 14.04.6 LTS
because my VPS provider does NOT allow OS upgrade - just for the shame record it is HostEurope.de
if you do OS upgrade yourself VPS doesn't work anymore, if you let them do the OS upgrade you can't keep your current Public IP address, whitelisted at many business partners
so while waiting for them to resolve this non-sense limbo of upgrade-not-allowed, please add support for Fail2Ban IPv6 because I can see a LOT of entries in /var/log/fail2ban.log
WARNING Unable to find a corresponding IP address for --cut IPv6 cut-- [Errno -9] Address family for hostname not supported
+1, this should be implemented in 17.x.
IPv6 is not something of the future, it is actively being deployed. More and more access providers are providing their customers with IPv6 and bad actors will be using it as well.
Elsewhere... In a recent Plesk reply on a different matter ( https://bre.is/PlP0pGLwC ) the latest "estimated" release date for Plesk Onyx 17.9 has been given as Q4 / 2019....
So in theory, that's the earliest date, that anybody who is happy with General Release status Plesk upgrades could concieve switching from Plesk 17.8 to 17.9 as opposed to this overdue feature being backported to 17.8
For historical reasons, many will justifiably wait for the Late Adopter status Plesk upgrade anyway, which will be even longer...
Assuming the Plesk posted reply is correct, THIS ALONE and regardless of all the other overwhelming data that's already been posted is sufficient reason for making 17.8 "catch up with the rest of the world" re: Fail2Ban and IPv6.
@Admin Up To Date Plesk replies are very conspicuous by their absence on here now....
Fred Laxton commented
I actually can't believe fail2ban doesn't work with IPv6 on Plesk. I have two servers on 17.5 and one on 17.8, and I cannot upgrade them without a huge risk to my business. Instead at some point I'll provision a new server and put the latest Plesk on it, and migrate *one* server contents to it. So that means it will be more than ONE YEAR from now before I will have IPv6 support on all servers.
Why do I migrate this way? I've been in IT for FORTY YEARS and learned the hard way about upgrade-in-place. Too much can and does go wrong. And it's happened multiple times with me with Plesk over the years. Not doing that.
This way I can test things out for weeks or months until everything is stable and THEN I migrate live clients to it. Works great and no problems.
Except for fail2ban and IPv6.
Further to @wahim's helpful post below
Running Plesk 17.8.11 on Ubuntu 18.04.* (as we are) means that you are forced to use the earlier (out of date / non IPv6 ) version of Fail2Ban as a result... That's far from ideal and a long way behind where everyone should be now.
A simple CLI check clearly shows, both the forced Plesk version and, the much later version, which is sat waiting in the distro-repo:
~# apt-cache policy fail2ban
*** 1:0.9.6-ubuntu18.04.18061312 500
500 http://autoinstall.plesk.com/ubuntu/PSA_17.8.11 bionic/extras amd64 Packages
500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
500 http://archive.ubuntu.com/ubuntu bionic/universe i386 Packages
The Ubuntu distro-repo versions are all clearly shown here:
With the 18.04.* download and related packages page shown here:
If using an OS other than Ubuntu 18.04 with Plesk 17.8.11, obviously you will need to check other sources for all the correct data.
Finally, the opening section of the Fail2Ban Changelog (which commences with an old version release but one that is still ahead of the current Plesk release) is pretty self-explanatory:
ver. 0.9.8 (2016/XX/***) - wanna-be-released
0.9.x line is no longer heavily developed. If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
Ubuntu 18.04 has IPv6-ready 0.10.2-2 in repo and Plesk 17.8.11 uses a backported 0.9.6 version instead. Why not add support for all platforms with the right version already in distro-repo? Would be appreciated very much!
All the previous commments posted here are both valid and self-explanatory. The comment that refers to "voting twice for the same request" is extremely relevant. Plesk should never have conveniently opted for "...only available via our latest preview software". That's more like avoidance than actively providing a solution. All 17.8 Plesk customers RIGHTLY wanted this change / update a very long time ago. @Admin, please confirm that this IS going to happen, as opposed to leaving it sat here with zero updates or additional information being provided. Thanks!
@Admin This request make no sense! Why we must vote for the same request again? The original request https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/17924536-fail2ban-now-supports-ipv6-please-upgrade want ipv6 support and not ipv6 support only for a feature version 17.9.x with no release date yet. I'm 100% sure that all supporter for this request have not 17.9.x preview installed and need this feature asap in stable version 17.8. You can say that you don't plan backport this feature, but voting again for the SAME request is absurd.
Erik Kraijenoord commented
Same issue Azurel is facing, please consider this!
I need this asap. Not only for security, I need this against ipv6 bad crawlers that slow down my server daily and fail2ban 0.9.6 detect nothing.
Fully support all the previous very valid comments.
One additional minor point on this. You have been able to use IPv6 addresses as valid inputs here: https://**YourFQDN**:8443/admin/control-panel-access/list for some time now, which is great in terms of added security (i.e. controlling access to the Plesk Panel itself - we're on 17.8.11)
However, to have effective IPv6 address verification in one security area, but completely absent in another and the latter being of a much higher, more frequent security risk, is just plain wrong in our view.
It shoud just be a "...when will it will be backported?" question, not an "...IF it will be backported" dilemma!
Bitpalast GmbH commented
I can only add that we are seeing a strongly increasing number of attacks coming from IPv6 sources, but we cannot update all our hosts to the latest Plesk, because the risk of too many bugs in early adopter and even early stable version is too high.
Other providers who are serving many customers, too, will not easily do the update, so we are looking at around a year more waiting time from now at least until an update to 17.9 can be considered. Too long.
Peter Wise commented
... what @Florian said.
Rob Taylor commented
Well, a security feature w/o IPv6 support is totally useless as soon as you enable IPv6 for just one subscription. On the other hand no IPv6 support for subscriptions makes Plesk totally useless for any ISP serving international customers.
So I suspect the answer is yes, the demand is really high for your target customer base.