Linode Forum
Linode Community Forums
 Post subject: IPv6 security
Posted: Fri Jun 22, 2012 10:45 am
Senior Newbie

Joined: Wed Jul 01, 2009 8:12 pm
Posts: 16
I am trying to figure out the best way to secure IPv6 on a new linode build. It is running Ubuntu 10.04 32bit.

My first thought is to simply disable IPv6. I only use my node to host websites (a few static and the rest on WordPress), so would I risk breaking anything if I did that?

If I need to keep IPv6 enabled, can anyone offer some assistance for setting up rules for ip6tables?

The only ports I need open are 80, 433, and an undisclosed port for ssh purposes. Of course, I also want the node to be well behaved when it comes to things like ICMP.


Thanks in advance for your help!




Carl


 Post subject: Re: IPv6 security
Posted: Fri Jun 22, 2012 10:53 am
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
cthorpe wrote:
undisclosed port for ssh


For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.

That said, as far as IPv6: allow ICMP, allow localhost, allow established/related, allow the ports you want, allow all output.

- Les


 Post subject: Re: IPv6 security
Posted: Fri Jun 22, 2012 11:35 am
Senior Member

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
akerl wrote:
For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.

unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.

_________________
Kevin a.k.a. Dweeber


 Post subject: Re: IPv6 security
Posted: Fri Jun 22, 2012 11:48 am
Senior Newbie

Joined: Wed Jul 01, 2009 8:12 pm
Posts: 16
Dweeber wrote:
akerl wrote:
For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.

unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.


Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.


 Post subject: Re: IPv6 security
Posted: Fri Jun 22, 2012 1:02 pm
Junior Member

Joined: Tue Dec 27, 2005 1:33 am
Posts: 43
Location: USA
Hi Carl,

You shouldn't disable IPv6 since increasingly more of the Internet will become IPv6 over the coming years. You might as well get started now while your ruleset is pretty simple. It's not hard to use ip6tables; it's almost as simple as replacing "iptables" with "ip6tables" ;-)

This ruleset blocks all ports except the ones you want, plus allows ICMPv6:

Code:
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 433 -j ACCEPT # (or did you mean 443 in your post)
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT # (replace with your undisclosed port)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -j REJECT
ip6tables -A FORWARD -j REJECT


In my experience, the key places where ip6tables commands look different from their iptables counterparts are:

* IP addresses are IPv6 instead of IPv4
* Anything to do with ICMP (usually it's "icmpv6" or "icmp6" instead)
* ip6tables doesn't (yet) support NAT

Cheers,
Andrew
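
The rule order Les lists earlier in the thread (loopback, established/related, ICMPv6, the chosen ports, all output) combined with the final REJECT from the ruleset above, as an added example that is not part of the original thread. The helper name `gen_rules6` is hypothetical, the conntrack match is assumed to be available, and the ports in the usage line are placeholders: 443 is assumed for HTTPS and 22 stands in for the SSH port.

```shell
#!/bin/sh
# Added example (not from the thread). gen_rules6 is a hypothetical helper
# that prints an ip6tables-restore ruleset allowing only the given TCP ports.
# Load it as root with:  gen_rules6 80 443 22 | ip6tables-restore

gen_rules6() {
    [ "$#" -gt 0 ] || { echo "no ports given" >&2; return 1; }

    # Validate every port before printing anything, so a typo can never
    # yield a half-written ruleset or smuggle extra text into a rule.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*|0*|??????*)
                echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done

    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first, then replies to connections this host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbor discovery and path-MTU signalling.
-A INPUT -p icmpv6 -j ACCEPT
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# Everything else gets an explicit rejection instead of a silent drop.
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}
```

Piping the output through `ip6tables-restore --test` first parses the ruleset without committing it.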


 Post subject: Re: IPv6 security
Posted: Fri Jun 22, 2012 1:47 pm
Senior Member

Joined: Wed Oct 20, 2010 12:35 pm
Posts: 111
Location: United Kingdom
cthorpe wrote:
Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.


As long as you disable root login, only allow SSH connections for specific users, rate limit port 22 in your firewall and make sure to only allow login with SSH keys (I use 8192 bit keys for SSH) you are pretty safe even if you leave SSH on port 22.


 Post subject: Re: IPv6 security
Posted: Fri Jun 22, 2012 2:50 pm
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
cthorpe wrote:
Dweeber wrote:
akerl wrote:
For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.

unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.


Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.


Does nothing for security, however. And depending on what you changed your port to, you may have made your system, and any authentication method you use to connect, dramatically less secure.

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch


 Post subject: Re: IPv6 security
Posted: Fri Jun 22, 2012 2:52 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
AGWA wrote:
You shouldn't disable IPv6 since increasingly more of the Internet will become IPv6 over the coming years.

So using that "logic", I'm sure you're wiring your garage for 220v so you're prepared for when all cars are electric - right?

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


 Post subject: Re: IPv6 security
Posted: Fri Jun 22, 2012 7:15 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Quote:
So using that "logic", I'm sure you're wiring your garage for 220v so you're prepared for when all cars are electric - right?


The next replacement of the buried conduit to the garage will have that, yes, although primarily for solar PV backhaul. The car sits outside. Why do you ask?

(Ninja edit: all cars don't have to be electric for it to make sense, just your own car.)

_________________
Code:
/* TODO: need to add signature to posts */

