How do I remove my IPv6 from my Linode?
We're seeing unwanted traffic to our Linode over IPv6. Can we remove the IPV6 address from our Linode?
While there's no way to remove the public IPv6 address that's been assigned to your Linode, you can disable IPv6 by logging into your Linode via SSH and making configuration changes by running the following commands:
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1 sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
sudo bash -c 'cat <<EOF >> /etc/sysctl.conf net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 EOF'
Additionally, you'll want to configure your SSH daemon to only listen over IPv4 by running the following:
echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config
Finally, reboot your Linode. Your Linode's IPv6 address should now be disabled and unable to receive IPv6 traffic. Keep in mind that disabling IPv6 may have unintended effects on other processes that depend on it, so further configuration changes may be required.
Just as a follow-up, the method listed for Ubuntu 18.04 appears to not work. This looks like it's currently a bug with the operating system. So the preferred method if editing /etc/sysctl.conf does not work will instead be to use the
GRUB2 kernel and edit the kernel directly. You can do this by editing the
/etc/default/grub file and adding the following lines:
FROM: GRUB_CMDLINE_LINUX_DEFAULT="" GRUB_CMDLINE_LINUX="" TO: GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1" GRUB_CMDLINE_LINUX="ipv6.disable=1"
After this, run
sudo update-grub and reboot the Linode, and you should see IPv6 is disabled.
[[@scrane] (/community/user/scrane)] (/community/user/scrane) what would be the best way to verify this method was successful?
You also want to disable IPv6 for email & www as well. How you do this will depend on the severs you use.
You can do a ping6 on your domain. Your node should not respond. Alternatively, you can look at your boot log…there should be some notation that IPv6 is enabled or not.
Also, there’s this:
You can also block IPv6 traffic with your firewall without disabling IPv6 (maybe not the best solution but doable…and probably preferable if this is a short-term thing since it's easy to undo).
Is this "unwanted IPv6 traffic" spam or malicious in some way? If I might ask, why is IPv6 traffic "unwanted"?
You can check if it worked using:
Only inet/IPv4 is available. You should not see any inet6/ipv6 on the reply something like this:-
1: lo: <loopback,up,lower_up> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <broadcast,multicast,up,lower_up> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether f2:3c:92:53:6b:85 brd ff:ff:ff:ff:ff:ff
inet 220.127.116.11/24 brd 18.104.22.168 scope global eth0
valid_lft forever preferred_lft forever</broadcast,multicast,up,lower_up></loopback,up,lower_up>