IPv6 security

I am trying to figure out the best way to secure IPv6 on a new linode build. It is running Ubuntu 10.04 32bit.

My first thought is to simply disable IPv6. I only use my node to host websites (a few static and the rest on WordPress), so would I risk breaking anything if I did that?

If I need to keep IPv6 enabled, can anyone offer some assistance for setting up rules for ip6tables?

The only ports I need open are 80, 433, and an undisclosed port for ssh purposes. Of course, I also want the node to be well behaved when it comes to things like ICMP.

Thanks in advance for your help!

Carl

8 Replies

@cthorpe:

undisclosed port for ssh

For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.

That said, as far as IPv6: allow ICMP, allow localhost, allow established/related, allow the ports you want, allow all output.

  • Les

@akerl:

For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.
Unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.

@Dweeber:

@akerl:

For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.
Unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.

Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.

Hi Carl,

You shouldn't disable IPv6, since increasingly more of the Internet will become IPv6 over the coming years. You might as well get started now while your ruleset is pretty simple. It's not hard to use ip6tables; it's almost as simple as replacing "iptables" with "ip6tables" ;-)

This ruleset blocks all ports except the ones you want, plus allows ICMPv6:

ip6tables -A INPUT -i lo -j ACCEPT                                # loopback traffic (added: local services need it)
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # replies to connections this host opened (added: DNS, apt, etc.)
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 433 -j ACCEPT # (or did you mean 443 in your post)
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT # (replace with your undisclosed port)
ip6tables -A INPUT -p icmpv6 -j ACCEPT          # ICMPv6 carries neighbour discovery and path MTU discovery; do not block it
ip6tables -A INPUT -j REJECT
ip6tables -A FORWARD -j REJECT

In my experience, the key places where ip6tables commands look different from their iptables counterparts are:

  • IP addresses are IPv6 instead of IPv4

  • Anything to do with ICMP (usually it's "icmpv6" or "icmp6" instead)

  • ip6tables doesn't (yet) support NAT

Cheers,

Andrew
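As an added example (not Andrew's or the thread's code), the advice above expressed as a generator for an ip6tables-restore file: loopback and established/related traffic allowed, ICMPv6 allowed, the SSH port rate limited per source /64 as suggested later in the thread, the listed TCP ports open and everything else rejected. Assumed: the SSH port is the first argument (2222 stands in for the "undisclosed" port), the conntrack and hashlimit modules are available on the kernel, and the file is applied with ip6tables-restore.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an ip6tables-restore ruleset.
# Usage:  gen_ip6_rules SSH_PORT [TCP_PORT ...]
# Apply:  gen_ip6_rules 2222 80 443 | ip6tables-restore
gen_ip6_rules() {
    ssh_port=$1
    shift
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local services talk to themselves over ::1
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (DNS answers, apt, outbound HTTP)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is mandatory on IPv6: neighbour discovery, router advertisements,
# path MTU discovery. Blocking it breaks connectivity rather than hardening it.
-A INPUT -p icmpv6 -j ACCEPT
EOF
    # SSH: accept at most 5 new connections per minute per source /64
    # (assumed limit), then drop further attempts from that prefix.
    printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -m hashlimit --hashlimit-upto 5/min --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-srcmask 64 --hashlimit-name ssh6 -j ACCEPT\n' "$ssh_port"
    printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j DROP\n' "$ssh_port"
    # Ordinary service ports: new TCP connections only; the rest rides on the
    # ESTABLISHED,RELATED rule above.
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
# everything else: reject with a port-unreachable so clients fail fast
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
EOF
}

# Print the ruleset when run directly with arguments, e.g. ./gen.sh 2222 80 443
if [ "$#" -gt 0 ]; then
    gen_ip6_rules "$@"
fi
```

Check the result with `ip6tables -L -n -v` after applying; the packet counters on the ICMPv6 rule should be non-zero within seconds, which confirms neighbour discovery is still flowing.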

@cthorpe:

Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.

As long as you disable root login, only allow SSH connections for specific users, rate limit port 22 in your firewall and make sure to only allow login with SSH keys (I use 8192 bit keys for SSH), you are pretty safe even if you leave SSH on port 22.

@cthorpe:

@Dweeber:

@akerl:

For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.
Unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.

Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.

Does nothing for security, however. And depending on what you changed your port to, you may have made your system, and any authentication method you use to connect, dramatically less secure.

-Tim

@AGWA:

You shouldn't disable IPv6 since increasingly more of the Internet will become IPv6 over the coming years.
So using that "logic", I'm sure you're wiring your garage for 220v so you're prepared for when all cars are electric - right?

> So using that "logic", I'm sure you're wiring your garage for 220v so you're prepared for when all cars are electric - right?

The next replacement of the buried conduit to the garage will have that, yes, although primarily for solar PV backhaul. The car sits outside. Why do you ask?

(Ninja edit: all cars don't have to be electric for it to make sense, just your own car.)
