Note: This question is still unresolved - the answer was auto-accepted.

I have a Debian Lenny VPS that's running virtualized by Parallels/Virtuozzo. Currently the network interface doesn't have an IPv6 address, and that's good, because I don't have an ip6tables configuration.

But I assume that I could wake up one day and ifconfig will show me an IPv6 address for the interface, because I have no control over the kernel or its modules; they're under the control of the hosting company. That would leave the server completely vulnerable to attacks from IPv6 addresses.

What would be the best way to disable IPv6 (for the interface or maybe for the entire host)? Usually I would simply disable the kernel module, but that's not possible in this case.

Update

Maybe I should add that I can use iptables and everything normally (I'm root on the VPS), but I can't make changes to the kernel or load kernel modules because of the way Virtuozzo works (shared kernel).

lsmod always returns nothing.

I can't call ip6tables -L (it says that I need to insmod, or that the kernel would have to be upgraded).

I don't think that changes to /etc/modprobe.d/aliases would have any effect, or do they?

Networking Config?

I thought that maybe I can turn IPv6 off from /etc/network/... Is that possible?

Chris Lercher
  • Can you edit anything in /etc/modprobe.d/? – kbyrd Apr 10 '10 at 18:57
  • @kbyrd Yes, I'm root on the VPS, so no restrictions there, but I must admit that I have no idea if changes in this directory will have any effect. – Chris Lercher Apr 10 '10 at 19:29
  • I deleted my comment; that won't work if you're just in a chroot jail like you said. How do you get access to the firewall rules? – kbyrd Apr 11 '10 at 01:46
  • @kbyrd: I'm really not sure if it could still work! But how can I find out/how would I see if it worked or not? `lsmod` never shows anything at all. I can call `iptables` normally. – Chris Lercher Apr 11 '10 at 09:45
  • I noticed nobody explained Avahi, which you mentioned. Avahi is the mDNS service, and only deals with host and service discovery on the network. (Apple calls this Bonjour.) It does not deal with IPv6 address assignment. (Except avahi-autoipd, which does *IPv4* link-local address assignment. That doesn't apply to your situation.) Normally, IPv6 addresses are assigned by the kernel automatically (both link-local and through router advertisements). – Shtééf Apr 17 '10 at 20:06
  • Anybody solved this? [still actual] – Jul 20 '12 at 19:18

10 Answers

I've only tested this on Ubuntu, but you could try the following:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

And if this appears to work, you can make it permanent by adding the following to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1

Shtééf
  • @Shtééf: Sounds so good! I just thought: That's it :-) Unfortunately, I get `bash: disable_ipv6: Operation not permitted`, although I call it as root. Virtuozzo-specific problem once again, it seems. +1 though, because it was so close :-) – Chris Lercher Apr 16 '10 at 19:59
  • Okay, perhaps there's two variations on this you can try. Try setting the option with the command: `sysctl net.ipv6.conf.all.disable_ipv6=1`. If that still doesn't work, perhaps replace `all` with the specific interface, for example: `sysctl net.ipv6.conf.eth0.disable_ipv6=1` – Shtééf Apr 16 '10 at 20:04
  • Thanks. Unfortunately no luck, it results in `error: "Operation not permitted" setting key "net.ipv6.conf.all.disable_ipv6"` etc. – Chris Lercher Apr 16 '10 at 20:10
  • Please note: This answer was auto-accepted (I was busy and came too late to accept an answer ...). I think that's ok; Shtééf deserves the bounty, because I learned something new from this answer. – Chris Lercher Apr 23 '10 at 13:32
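As an added example (not part of Shtééf's answer or this thread), a small POSIX shell script that tries the sysctl keys from the answer for `all` and each named interface, and reports clearly instead of failing silently when a shared-kernel container refuses the write, as the asker's Virtuozzo VPS did with "Operation not permitted"; the interface names eth0 and venet0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: set the disable_ipv6 sysctl
# for "all" and for every interface given on the command line, and detect
# the shared-kernel case where the container is not allowed to change it.

# Build the list of sysctl keys to set. Interface names are assumptions;
# pass the ones `ifconfig` shows on your host.
ipv6_disable_keys() {
    keys="net.ipv6.conf.all.disable_ipv6"
    for ifname in "$@"; do
        keys="$keys net.ipv6.conf.$ifname.disable_ipv6"
    done
    printf '%s\n' "$keys"
}

# Attempt every key; succeed only if at least one write was accepted.
# On Virtuozzo/OpenVZ containers the kernel typically refuses these writes,
# so the caller must fall back to binding daemons to IPv4 addresses only.
disable_ipv6() {
    ok=0
    for key in $(ipv6_disable_keys "$@"); do
        if sysctl -w "$key=1" >/dev/null 2>&1; then
            echo "set $key=1"
            ok=1
        else
            echo "refused: $key (kernel does not allow this from the container)" >&2
        fi
    done
    [ "$ok" -eq 1 ]
}

# After a successful write, check whether any inet6 address is still configured.
ipv6_addresses_present() {
    ip -6 addr show 2>/dev/null | grep -q 'inet6'
}

# Usage: ./disable-ipv6.sh --run eth0 venet0
if [ "${1:-}" = "--run" ]; then
    shift
    if disable_ipv6 "$@"; then
        if ipv6_addresses_present; then
            echo "warning: inet6 addresses are still configured"
        else
            echo "no inet6 addresses configured"
        fi
    else
        echo "could not disable IPv6 via sysctl; restrict daemons to IPv4 addresses instead" >&2
        exit 1
    fi
fi
```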
Best solution is to set up an iptables config that covers v6.

Failing that, most daemons will let you specify interfaces addresses to bind to, with default of all. Explicitly list the v4 addresses you want, and then they won't leave open ports on v6 addresses, should you later get any. Outgoing connections would still prefer v6 addresses, though.

techieb0y
  • Thanks! Setting up an ip6tables config is definitely the solution I have planned if I can't disable IPv6 in a more general way. I just think that it's a bit of unnecessary overhead and maybe even additional risk, and would prefer if I could disable it on the network interface level. Applications should ideally have no chance to bind on IPv6. – Chris Lercher Apr 10 '10 at 19:54
  • I found out in the meantime that I can't even call the ip6tables command. So this is unfortunately not an option. – Chris Lercher Apr 16 '10 at 08:13
There's a fairly simple way to not be vulnerable to attack on IPv6.

Don't have services listening that shouldn't be open to the world. At the very least simply forcing services to bind to a specific IPv4 address should ensure they're not listening on IPv6. netstat -tupl can help with this.

Firewalls should exist for two reasons:

  • Protecting services with limited access to the world (TCP wrappers also helps here)
  • Protecting you from your own mistakes

LapTop006
  • @LapTop006: I agree partially. But there are exceptions, e.g.: What about non-privileged users starting a service? Without a firewall, an attacker won't need to gain root permissions. – Chris Lercher Apr 14 '10 at 19:05
  • That would still require the non-privileged user to be able to access the system enough to do that, which will not be any easier in case an IPv6 address appears with NO services listening on it. – rackandboneman May 09 '12 at 23:41
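As an added example (not from techieb0y's or LapTop006's answer), a shell audit that applies their advice: it scans `netstat -tupl` output for sockets bound to IPv6 addresses, which would become reachable the moment the kernel assigns an IPv6 address, regardless of the IPv4 firewall. The netstat lines embedded below are constructed for the example, and `audit --live` runs the same check against the real host.

```shell
#!/bin/sh
# Added example, not from the original answers: find daemons that would be
# exposed over IPv6. Sockets bound to "::" or another IPv6 address show up
# in netstat as tcp6/udp6; those bound to an explicit IPv4 address do not.

# Constructed sample of `netstat -tupl` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2345/exim4
tcp6       0      0 :::80                   :::*                    LISTEN      3456/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           4567/dhclient
udp6       0      0 :::5353                 :::*                                5678/avahi-daemon'

# Read netstat output on stdin and print "proto local-address program" for
# every IPv6 socket. UDP lines have no State column, so the program name is
# always the last field rather than a fixed column.
ipv6_listeners() {
    awk '$1 == "tcp6" || $1 == "udp6" { print $1, $4, $NF }'
}

# Number of IPv6 listeners; a cron job can alert when this is non-zero.
count_ipv6_listeners() {
    ipv6_listeners | wc -l | tr -d ' '
}

# Run the audit against the live host (--live) or the constructed sample.
audit() {
    if [ "${1:-}" = "--live" ]; then
        netstat -tupl 2>/dev/null | ipv6_listeners
    else
        printf '%s\n' "$SAMPLE_NETSTAT" | ipv6_listeners
    fi
}
```

Each reported daemon is a candidate for an explicit IPv4 bind address in its own configuration, as the answer above suggests.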
I believe currently the best way to disable IPv6 in Debian Lenny is to create a file in /etc/modprobe.d named ipv6.conf with blacklist ipv6 in it, then run depmod -ae as root, followed by update-initramfs -u.

There is a write-up on this on the debian.org wiki here: http://wiki.debian.org/KernelModuleBlacklisting

Good luck!

--jed

Jed Daniels
  • @Jed: I'm not sure if this works on my VPS, since `lsmod` always returns nothing. – Chris Lercher Apr 16 '10 at 17:10
  • @chris_l lsmod shows nothing relating to ipv6 on any of my debian based systems either, but I'm certain that this method works. You could also try creating a blacklist file as described in the debian docs: http://www.debian.org/doc/manuals/debian-reference/ch03.en.html#_the_kernel_module_initialization, but my guess is the wiki is more up to date (both methods probably work). – Jed Daniels Apr 16 '10 at 17:36
  • On my usual systems, `modprobe -l` shows a long list of modules. On my VPS however, I get zero modules. I have the feeling that everything is compiled directly into the kernel instead of using modules, or that I simply have no access to the modules list. Since it's impossible to change the kernel, I assumed that it's also impossible to change the modules for a Virtuozzo system, but I could be wrong. How can I find out? – Chris Lercher Apr 16 '10 at 19:01
  • @chris_l "How can I find out?" Can you ask your VPS provider? – Jed Daniels Apr 16 '10 at 19:23
  • I don't have official support there, because I only got the entry-level VPS, but I can try to ask them on Monday. But I think this kind of setup is typical for Virtuozzo systems; I have seen it on one other system from a different provider, too. – Chris Lercher Apr 16 '10 at 19:30
Going out on a limb here, but wouldn't the host provider communicate any potential kernel changes like this to its customers? Have you experienced anything (kernel upgrade, etc.) that would lead you to believe that this would happen without advance notice? Also, are they even routing IPv6 traffic to/from their network? Might be best just to express your concern to support and go from there.

gravyface
  • +1, because the provider is pretty good at communicating changes, and maybe I really should talk about my concerns on their forum. However, since the effects could be dramatic if I miss the notice for some reason, I'd strongly prefer to solve this problem directly on my server. – Chris Lercher Apr 16 '10 at 17:14
  • I'd voice your concerns with them -- they may also be able to disable it for you. – gravyface Apr 16 '10 at 20:19
I can't test it on debian right now, but on Redhat you can modify the /etc/sysconfig/network file and add "NETWORKING_IPV6=no"

nbartolomeo
  • Thanks, I think this goes into the right direction. I would like to find something like that for Debian (there's no /etc/sysconfig). – Chris Lercher Apr 16 '10 at 18:55
  • Hmmm... I looked into this more, and it looks like if you can modify the grub config you can add "ipv6.disable=1" to your kernel options to disable IPv6. – nbartolomeo Apr 16 '10 at 19:32
  • Good idea! But there's no grub or lilo on the system (/boot is empty). It's all a little bit different because of Virtuozzo. – Chris Lercher Apr 16 '10 at 19:38
Not sure if this will help but OpenVZ (Virtuozzo open source) does not seem to support IPv6.

sybreon
Wouldn't blocking everything in ip6tables solve your problem? It also allows you to implement ipv6 iptables whenever you'd want to without having to enable ipv6 again.

HannesFostie
  • @HannesFostie: The question is: How can I do that when I can't call ip6tables (see my question for more details)? I could maybe insert some calls on startup that would simply fail until ip6tables works, but that wouldn't fit very nicely with the /etc/init.d/iptables script that came pre-installed with the server (based on iptables-restore). And since I can't test that ip6tables setup, it also doesn't feel quite right. – Chris Lercher Apr 16 '10 at 12:50
  • I'm sorry, must've missed it. – HannesFostie Apr 16 '10 at 13:08
Another option is to configure some totally bogus IPv6 settings so even if the provider does enable it, it won't work on this system at all (yes, it is super kludgy, but it would work to prevent anyone from doing anything with IPv6 on your system).

Good luck,

--jed

Jed Daniels
ip route del ::/0

Take away the default route, which will effectively break IPv6 connectivity.

ramnet
  • Doesn't help for link-local communication. As we're talking about Virtuozzo here, it's not uncommon to find some thousand virtual machines in one large layer 2. (I guess that's what they call the cloud...) – Michuelnik Jul 20 '12 at 19:41