I am trying to figure out the best way to secure IPv6 on a new linode build. It is running Ubuntu 10.04 32bit.

My first thought is to simply disable IPv6. I only use my node to host websites (a few static and the rest on WordPress), so would I risk breaking anything if I did that?

If I need to keep IPv6 enabled, can anyone offer some assistance for setting up rules for ip6tables?

The only ports I need open are 80, 433, and an undisclosed port for ssh purposes. Of course, I also want the node to be well behaved when it comes to things like ICMP.


Thanks in advance for your help!




Carl

For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.

That said, as far as IPv6: allow ICMP, allow localhost, allow established/related, allow the ports you want, allow all output.

- Les

unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.

_________________
Kevin a.k.a. Dweeber

Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.

Hi Carl,

You shouldn't disable IPv6 since increasingly more of the Internet will become IPv6 over the coming years. You mind as well get started now while your ruleset is pretty simple. It's not hard to use ip6tables; it's almost as simple as replacing "iptables" with "ip6tables"

This ruleset blocks all ports except the ones you want, plus allows ICMPv6:

ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 433 -j ACCEPT # (or did you mean 443 in your post)
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT # (replace with your undisclosed port)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -j REJECT
ip6tables -A FORWARD -j REJECT

In my experience, the key places where ip6tables commands look different from their iptables counterparts are:

* IP addresses are IPv6 instead of IPv4
* Anything to do with ICMP (usually it's "icmpv6" or "icmp6" instead)
* ip6tables doesn't (yet) support NAT

Cheers,
Andrew

As long as you disable root login, only allow SSH connections for specific users, rate limit port 22 in your firewall and make sure to only allow login with SSH keys (I use 8192 bit keys for SSH) you are pretty safe even if you leave SSH on port 22.

Does nothing for security, however. And depending on what you changed your port to, you may have made your system, and any authentication method you use to connect, dramatically less secure.

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch

So using that "logic", I'm sure you're wiring your garage for 220v so you're prepared for when all cars are electric - right?

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.

The next replacement of the buried conduit to the garage will have that, yes, although primarily for solar PV backhaul. The car sits outside. Why do you ask?

(Ninja edit: all cars don't have to be electric for it to make sense, just your own car.)

_________________

/* TODO: need to add signature to posts */