IPv6 Linux Security

By | 2013/12/09

Rolling out IPv6 on Linux? Here are a few security tidbits to keep in mind.


iptables and ufw

For Linux and iptables, be aware you will be maintaining two iptables configs.

iptables for IPv4 and ip6tables for IPv6

Display iptables (IPv4) rules:

$ sudo iptables -L

Display ip6tables (IPv6) rules:

$ sudo ip6tables -L

If you use ufw (a command line frontend for iptables), it handles IPv4 and IPv6 for you if the following option is enabled:

(Debian/Ubuntu)

/etc/default/ufw

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes
...

When your firewall is set, audit your hosts by running nmap over IPv6 against them:

$ sudo nmap -6 myipv6server.com
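As an added audit helper (not from the original post), the script below parses the output of `iptables -S` and `ip6tables -S` and reports chain policies and accepted ports that are present in one table but not the other, which is the usual way the second config drifts out of step. The sample listings are constructed; `audit_live_host` is an assumed helper name that runs the two commands on the current host. An intended asymmetry, such as accepting ssh over IPv4 only, will also be reported so it can be confirmed rather than assumed.

```python
import re
import subprocess

# Rule-spec lines from `iptables -S` / `ip6tables -S`:
#   -P CHAIN POLICY      and    -A CHAIN ... -p tcp ... --dport N ... -j TARGET
POLICY_RE = re.compile(r"^-P (\S+) (\S+)$")
PORT_RE = re.compile(r"^-A (\S+) .*-p (tcp|udp) .*--dport (\d+) .*-j (\S+)$")

def parse_rules(listing):
    """Return ({chain: policy}, {(chain, proto, port)}) for ACCEPT port rules."""
    policies, accepted = {}, set()
    for line in listing.splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            policies[m.group(1)] = m.group(2)
        elif (m := PORT_RE.match(line)) and m.group(4) == "ACCEPT":
            accepted.add((m.group(1), m.group(2), int(m.group(3))))
    return policies, accepted

def compare_rulesets(v4_listing, v6_listing):
    """Report chain policies and accepted ports that differ between v4 and v6."""
    v4_pol, v4_ports = parse_rules(v4_listing)
    v6_pol, v6_ports = parse_rules(v6_listing)
    findings = []
    for chain in sorted(set(v4_pol) | set(v6_pol)):
        if v4_pol.get(chain) != v6_pol.get(chain):
            findings.append("policy %s: IPv4=%s IPv6=%s"
                            % (chain, v4_pol.get(chain), v6_pol.get(chain)))
    for chain, proto, port in sorted(v4_ports - v6_ports):
        findings.append("%s %s/%d accepted over IPv4 only" % (chain, proto, port))
    for chain, proto, port in sorted(v6_ports - v4_ports):
        findings.append("%s %s/%d accepted over IPv6 only" % (chain, proto, port))
    return findings

def audit_live_host():
    """Diff the running tables on this host (reading them needs root)."""
    v4 = subprocess.check_output(["iptables", "-S"]).decode()
    v6 = subprocess.check_output(["ip6tables", "-S"]).decode()
    return compare_rulesets(v4, v6)

# Constructed sample listings: IPv4 locked down, ip6tables still at defaults.
SAMPLE_V4 = """-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""
SAMPLE_V6 = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
```

Running `compare_rulesets(SAMPLE_V4, SAMPLE_V6)` flags the open INPUT and FORWARD policies on the IPv6 side and the two ports that are only filtered over IPv4.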

No IPv6 Support in fail2ban or denyhosts

At the moment, fail2ban is only protecting you over IPv4. Here is the bug report with discussion on IPv6 support.

Also, denyhosts does not currently support IPv6 and only protects over IPv4.

If protection against ssh brute forcing is critical for your servers, consider using sshguard, which _does_ have support for IPv6!

Another option for a workaround is to only allow ssh traffic over IPv4 in iptables or ufw.

mod_security _does_ support IPv6, but it adds some additional work: you have to create and test both IPv4 and IPv6 regexes for all rules.


Configure and secure running servers or services for IPv6

On Linux, most mainstream server apps are IPv6 aware and work great over IPv6. However, it is critical to look over each app’s config and make sure any settings needed to enable IPv6 are turned on and working.

postfix

Enable IPv4 and IPv6:

inet_protocols = ipv4, ipv6

apache

Use *:443 and *:80 so virtual host configs will apply to both IPv4 and IPv6.

<VirtualHost *:443>
ServerName scottlinux.com

...
</VirtualHost>

nginx

Listen on both IPv4 and IPv6:

listen [::]:80 ipv6only=on;
listen 80;

bind

Enable bind to listen on IPv6:

listen-on-v6 { any; };

ssh

Listen on both IPv4 and IPv6:

ListenAddress 0.0.0.0
ListenAddress ::

Hack on,