Linode Forum https://forum.linode.com/

IPv6 security https://forum.linode.com/viewtopic.php?f=19&t=9041
Page 1 of 1
Author: cthorpe [ Fri Jun 22, 2012 10:45 am ]
Post subject: IPv6 security

I am trying to figure out the best way to secure IPv6 on a new linode build. It is running Ubuntu 10.04 32bit. My first thought is to simply disable IPv6. I only use my node to host websites (a few static and the rest on WordPress), so would I risk breaking anything if I did that? If I need to keep IPv6 enabled, can anyone offer some assistance for setting up rules for ip6tables? The only ports I need open are 80, 433, and an undisclosed port for ssh purposes. Of course, I also want the node to be well behaved when it comes to things like ICMP.

Thanks in advance for your help!
Carl

Author: akerl [ Fri Jun 22, 2012 10:53 am ]
Post subject: Re: IPv6 security

cthorpe wrote:
> undisclosed port for ssh

For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.

That said, as far as IPv6: allow ICMP, allow localhost, allow established/related, allow the ports you want, allow all output.

- Les

Author: Dweeber [ Fri Jun 22, 2012 11:35 am ]
Post subject: Re: IPv6 security

akerl wrote:
> For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.

Unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.

Author: cthorpe [ Fri Jun 22, 2012 11:48 am ]
Post subject: Re: IPv6 security

Dweeber wrote:
> akerl wrote:
> > For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.
>
> Unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.

Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.

Author: AGWA [ Fri Jun 22, 2012 1:02 pm ]
Post subject: Re: IPv6 security

Hi Carl,

You shouldn't disable IPv6 since increasingly more of the Internet will become IPv6 over the coming years. You might as well get started now while your ruleset is pretty simple.

It's not hard to use ip6tables; it's almost as simple as replacing "iptables" with "ip6tables". This ruleset blocks all ports except the ones you want, plus allows ICMPv6:

Code:
    ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT

In my experience, the key places where ip6tables commands look different from their iptables counterparts are:

* IP addresses are IPv6 instead of IPv4
* Anything to do with ICMP (usually it's "icmpv6" or "icmp6" instead)
* ip6tables doesn't (yet) support NAT

Cheers,
Andrew

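A complete ip6tables ruleset that follows akerl's list (allow ICMP, localhost, established/related, the wanted ports, all output) and AGWA's sketch above, as an added example that is not part of the thread. It assumes HTTP on 80, HTTPS on 443 and a placeholder SSH_PORT, and adds a per-source rate limit on the SSH port using the xt_recent match; the rules are emitted as command lines first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): an ip6tables ruleset following the
# advice above. Assumptions: HTTP on 80, HTTPS on 443, SSH on SSH_PORT
# (placeholder; the original poster did not disclose theirs). Apply as root.

SSH_PORT="${SSH_PORT:-2222}"   # placeholder, override with your own port
WEB_PORTS="80 443"

# Print the rules as ip6tables command lines so they can be reviewed (or
# checked in a test) before anything touches the kernel.
build_rules() {
    # Flush first; default policies are set LAST so an existing SSH session
    # is not cut off in the window before the accept rules exist.
    # The ICMPv6 rule is deliberately broad: neighbor discovery, router
    # advertisements and path MTU discovery all depend on ICMPv6.
    cat <<EOF
ip6tables -F INPUT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
EOF
    # Web ports: only NEW connections need a rule; replies are already
    # covered by the ESTABLISHED,RELATED rule above.
    for p in $WEB_PORTS; do
        echo "ip6tables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # SSH: per-source rate limit with xt_recent (a 5th new connection from
    # one source within 60 s is dropped), then accept. Log drops at a bounded
    # rate so a scan cannot flood the log.
    cat <<EOF
ip6tables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --set
ip6tables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
ip6tables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables-drop: "
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
EOF
}

# Number of ip6tables commands the ruleset emits (sanity check).
rule_count() {
    build_rules | grep -c '^ip6tables '
}

# Apply the rules; stops at the first command that fails.
apply_rules() {
    build_rules | sh -e
}
```

Run `build_rules` to inspect the generated commands and `apply_rules` as root to load them; on Ubuntu 10.04 the `-m conntrack` match loads the IPv6 connection-tracking module for you.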
Author: Cromulent [ Fri Jun 22, 2012 1:47 pm ]
Post subject: Re: IPv6 security

cthorpe wrote:
> Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.

As long as you disable root login, only allow SSH connections for specific users, rate limit port 22 in your firewall and make sure to only allow login with SSH keys (I use 8192 bit keys for SSH) you are pretty safe even if you leave SSH on port 22.

Author: theckman [ Fri Jun 22, 2012 2:50 pm ]
Post subject: Re: IPv6 security

cthorpe wrote:
> Dweeber wrote:
> > akerl wrote:
> > > For the record, your security is not increased by having a super sekrit number for SSHd, since anyone with nmap or whatever can just check your ports.
> >
> > Unless you prefer not to have your logs fill up with script kiddie and bot attempts by the boatload and want to see real attempts at your chosen ssh port plain and clear with good warning. It's a simple change that is easy to do and eliminates excessive logging and doesn't affect normal server services. Even banks and large financial institutions do it.
>
> Exactly. Changing the port resulted in a dramatic decrease in attempts to gain access through ssh.

Does nothing for security, however. And depending on what you changed your port to, you may have made your system, and any authentication method you use to connect, dramatically less secure.

-Tim

Author: vonskippy [ Fri Jun 22, 2012 2:52 pm ]
Post subject: Re: IPv6 security

AGWA wrote:
> You shouldn't disable IPv6 since increasingly more of the Internet will become IPv6 over the coming years.

So using that "logic", I'm sure you're wiring your garage for 220v so you're prepared for when all cars are electric - right?

Author: hoopycat [ Fri Jun 22, 2012 7:15 pm ]
Post subject: Re: IPv6 security

Quote:
> So using that "logic", I'm sure you're wiring your garage for 220v so you're prepared for when all cars are electric - right?

The next replacement of the buried conduit to the garage will have that, yes, although primarily for solar PV backhaul. The car sits outside. Why do you ask?

(Ninja edit: all cars don't have to be electric for it to make sense, just your own car.)

All times are UTC-04:00