I have a Debian Lenny VPS that's running virtualized by Parallels/Virtuozzo. Currently, the network interface doesn't have an IPv6 address, and that's good, because I don't have an ip6tables configuration.
But I assume that I could wake up one day and ifconfig will show me an IPv6 address for the interface, because I have no control over the kernel or its modules; they're under the control of the hosting company. That would leave the server completely vulnerable to attacks from IPv6 addresses.
What would be the best way to disable IPv6 (for the interface, or maybe for the entire host)? Usually I would simply disable the kernel module, but that's not possible in this case.
Update
Maybe I should add that I can use iptables and everything normally (I'm root on the VPS), but I can't make changes to the kernel or load kernel modules because of the way Virtuozzo works (shared kernel). lsmod always returns nothing. I can't call ip6tables -L (it says that I need to insmod, or that the kernel would have to be upgraded). I don't think that changes to /etc/modprobe.d/aliases would have any effect, or do they?
Networking Config?
I thought that maybe I can turn IPv6 off from /etc/network/... Is that possible?
I've only tested this on Ubuntu, but you could try the following:
And if this appears to work, you can make it permanent by adding the following to /etc/sysctl.conf:
Best solution is to set up an iptables config that covers v6.
Failing that, most daemons will let you specify interface addresses to bind to, with a default of all. Explicitly list the v4 addresses you want, and then they won't leave open ports on v6 addresses, should you later get any. Outgoing connections would still prefer v6 addresses, though.
There's a fairly simple way to not be vulnerable to attack on IPv6.
Don't have services listening that shouldn't be open to the world. At the very least simply forcing services to bind to a specific IPv4 address should ensure they're not listening on IPv6.
netstat -tupl can help with this. Firewalls should exist for two reasons:
* Protecting services with limited access to the world (TCP wrappers also helps here)
* Protecting you from your own mistakes
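Added example, not taken from any answer on this page: a small POSIX shell audit of the two things the answers suggest watching, whether the interface has picked up a global IPv6 address and which services are bound on IPv6. The ifconfig and netstat -tupl output embedded below is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of Lenny-era `ifconfig` output (not from a real host).
IFCONFIG='venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.0.2.10  P-t-P:192.0.2.10  Bcast:192.0.2.10  Mask:255.255.255.255
          inet6 addr: fe80::1/64 Scope:Link
          inet6 addr: 2001:db8::10/64 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1'

# Constructed sample of `netstat -tupl` output (not from a real host).
NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 192.0.2.10:80           0.0.0.0:*               LISTEN      1300/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1234/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1400/exim4
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient
udp6       0      0 :::123                  :::*                                950/ntpd'

# Print global-scope IPv6 addresses from ifconfig output ($1); link-local
# fe80:: addresses are ignored since they are not reachable from the Internet.
v6_global_addrs() {
    printf '%s\n' "$1" | awk '/inet6 addr:/ && /Scope:Global/ { print $3 }'
}

# Print "proto local-address program" for sockets bound on IPv6 from netstat
# output ($1). With $2 set to "wildcard", only any-address (:::port) binds
# are shown, i.e. the services that would become reachable the moment the
# host gains a routable IPv6 address.
v6_listeners() {
    printf '%s\n' "$1" | awk -v mode="$2" '
        $1 ~ /^(tcp|udp)6$/ {
            if (mode == "wildcard" && $4 !~ /^:::[0-9]+$/) next
            print $1, $4, $NF
        }'
}

# Number of IPv6-bound sockets, for a quick pass/fail check in a cron job.
v6_listener_count() {
    v6_listeners "$1" "$2" | awk 'END { print NR }'
}

# On a live host the arguments would come from: v6_global_addrs "$(ifconfig)"
# and v6_listeners "$(netstat -tupl)" wildcard
v6_global_addrs "$IFCONFIG"
v6_listeners "$NETSTAT" wildcard
```

A non-zero wildcard count means a service would answer on IPv6 if the provider ever enabled it, which is exactly the case the bind-to-IPv4 advice above is meant to close.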
I believe currently the best way to disable IPv6 in Debian Lenny is to create a file in /etc/modprobe.d named ipv6.conf with blacklist ipv6 in it, then run depmod -ae as root, followed by update-initramfs -u.
There is a write-up on this on the debian.org wiki here: http://wiki.debian.org/KernelModuleBlacklisting
Good luck!
--jed
Going out on a limb here, but wouldn't the host provider communicate any potential kernel changes like this to its customers? Have you experienced anything (kernel upgrade, etc.) that would lead you to believe that this would happen without advance notice? Also, are they even routing IPv6 traffic to/from their network? Might be best just to express your concern to support and go from there.
I can't test it on Debian right now, but on Red Hat you can modify the /etc/sysconfig/network file and add "NETWORKING_IPV6=no".
Not sure if this will help but OpenVZ (Virtuozzo open source) does not seem to support IPv6.
Wouldn't blocking everything in ip6tables solve your problem? It also allows you to implement ipv6 iptables whenever you'd want to without having to enable ipv6 again.
Another option is to configure some totally bogus IPv6 settings so even if the provider does enable it, it won't work on this system at all (yes, it is super kludgy, but it would work to prevent anyone from doing anything with IPv6 on your system).
Good luck,
--jed
ip route del ::/0 takes away the default route, which will effectively break IPv6 connectivity.