SSH (Hosts.allow, Hosts.deny) blacklist IPv6 but not IPv4

by Wayne Smith
Combat Helmet

To blacklist all IPV6 addresses from your server SSH services add sshd: [2000::]/3 to your /etc/hosts.deny file. Note there is no space after the 3. All rules in the hosts files must end in a new line or enter charactor. See V6 notation after the explanation of /3.

Many people use iptables instead of the hosts files because the format of the host files requires an understanding of decimal, hexadecimal, and binary. The hosts files also use several notation systems to compress the file size. These allow an entire range of IP addresses to be specified in a rule.

The IP V4 format is in decimal, which in binary becomes 10101000.00110010.00000000.00000101 using the /bits option in the hosts files counts the significant binary bits. counts the first 13 bits ... 10101000.00110xxx.xxxxxxxx.xxxxxxxx or the network address of -- The network address should normally be used with the /bits notation unless there is a good use case to highlight a specific address within the block. Specifies the entire range from to Specifies the range from to Specifies the range from to always check your math. Yes, or should stand out as a wrong entry because the normal notation is to list the first address in the block when using the /bits.

An ARIN Whois/RDAP search tells you what network a given IP is on. Additional useful resources are ipinfo's CIDR to IP Range Converter to check your math and AIZAWA Hina's IPv4 database to give you ranges by country. Shodan can be used for counterintelligence for zombie systems and other bad actors.

For It would be the Texas Department of Information Resources, on the network. If the Government of Texas should not be logging in to your account Arin gives you the contact information for the Network Security Operations Center. They can be contacted, if there is a rouge employee or a compromised system attempting to gain access to your system without a warrant. Meanwhile put sshd: in your hosts.deny file.

V6 Notation

For IP V6 the address is enclosed in [] and zeros are compressed. The addresses are also in 4 digit hexadecimal charactors seperated by :s.

[2000:0000:0000:0000:0000:0000] becomes [2000::]

The first and second binary digits are zeros at this time and the 3rd digit set to one is a valid IP address. The valid IP V6 addresses start with either a two or a three -- [2XXX:XXXX: ... ] [3XXX.XXXX: ...] -- and the three require the use of the 4th digit, which we can ignore/include with the /3 bits.

[2000::]/3 matches 2000:0000:0000:0000:0000:0000 - 3FFF:FFFF:FFFF:FFFF:FFFF:FFFF

So [2000::]/3 in the hosts.deny file blacklists all of the IPv6 address space. As hosts.allow is checked first and the first rule that matches wins, any IPv6 address or range can specificially be whitelisted.