Disabling IPv6 on Linux
If IPv6 addresses are not used on a Linux computer or server, it is worth disabling the functionality entirely. This is necessary for security, because it is easy to configure a firewall rule for IPv4 and forget to do the same for IPv6.
Disabling IPv6 on a running system
To disable IPv6 support, open the configuration file /etc/sysctl.conf as the superuser and add the following lines at the end of the file:
# IPv6 disabled
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Once the settings have been loaded, check the values:

$ sysctl net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
$ sysctl net.ipv6.conf.default.disable_ipv6
net.ipv6.conf.default.disable_ipv6 = 1
$ sysctl net.ipv6.conf.lo.disable_ipv6
net.ipv6.conf.lo.disable_ipv6 = 1
If every query returns a line ending in "= 1", the kernel parameters that prevent the use of IPv6 are set.
Note that the system reads the changes made to the configuration file at every boot, so IPv6 stays disabled permanently (a reboot does not reset the values). To disable IPv6 for the current session only, do not edit the file; run these three commands instead:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv6.conf.lo.disable_ipv6=1
Disabling IPv6 at boot
To spare the system from loading the IPv6 libraries at all, IPv6 can be disabled at system start-up by passing a parameter through the GRUB boot loader. Open the file /etc/default/grub as the superuser and add the parameter ipv6.disable=1 to the following keys:
GRUB_CMDLINE_LINUX_DEFAULT
GRUB_CMDLINE_LINUX
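The three states described above (disabled for the session with sysctl -w, persisted in a sysctl file, or switched off at boot with ipv6.disable=1) can be told apart with a short check. This is an added example, not part of the original article; the function names and the ROOT argument (a path prefix that lets the checks run against a constructed file tree) are assumptions, and it also reads /etc/sysctl.d/*.conf.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical path prefix; leave it empty to
# inspect the live system.

# runtime_state ROOT -> prints boot-disabled | disabled | enabled
runtime_state() {
    conf="${1:-}/proc/sys/net/ipv6/conf"
    # With ipv6.disable=1 on the kernel command line the IPv6 stack is not
    # initialised and this sysctl tree does not exist.
    [ -d "$conf" ] || { echo boot-disabled; return 0; }
    for key in all default lo; do
        # A missing file counts as "not disabled".
        val=$(cat "$conf/$key/disable_ipv6" 2>/dev/null || echo 0)
        [ "$val" = 1 ] || { echo enabled; return 0; }
    done
    echo disabled
}

# persisted ROOT KEY -> succeeds if net.ipv6.conf.KEY.disable_ipv6 = 1 appears
# in /etc/sysctl.conf or /etc/sysctl.d/*.conf (later overrides are not modelled)
persisted() {
    grep -Eqs "^[[:space:]]*net\.ipv6\.conf\.$2\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*\$" \
        "$1/etc/sysctl.conf" "$1"/etc/sysctl.d/*.conf
}

# audit ROOT -> verdict on stdout; exit status 0 = off and stays off,
# 1 = IPv6 is active now, 2 = off only until the next reboot
audit() {
    root=${1:-}
    case $(runtime_state "$root") in
        boot-disabled) echo "OK: IPv6 stack not initialised at boot"; return 0 ;;
        enabled) echo "FAIL: IPv6 is enabled at runtime"; return 1 ;;
    esac
    if persisted "$root" all && persisted "$root" default; then
        echo "OK: disabled at runtime and persisted"; return 0
    fi
    echo "WARN: disabled at runtime but not persisted, reverts at reboot"
    return 2
}
```

Calling audit with no argument checks the running system; exit status 2 is the case where the firewall gap mentioned at the top of the article reopens after a reboot.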
OEL 7 – How to disable IPv6 on Oracle Linux 7
If you are not interested in IPv6, you can use the following how-to to disable it on Oracle Linux 7. Unless you have something very special on your system, these 10 steps should do it.
- First of all, check if IPv6 is active at all
- Add the disable_ipv6 = 1 entries to the /etc/sysctl.conf file
- Disable IPv6 in all /etc/sysconfig/network-scripts/ifcfg-* files, e.g.
- Disable IPv6 in /etc/sysconfig/network
- Remove the “::1” line from the /etc/hosts file
- Remove the “restrict -6” line from the /etc/ntp.conf
- Add ipv6.disable=1 to the GRUB_CMDLINE_LINUX entry in the /etc/default/grub file
- Regenerate a GRUB configuration file and overwrite the existing one
- Reboot the server
- Confirm if IPV6 is disabled
First of all, check if IPv6 is active at all
# /sbin/ip -6 addr
1: lo: mtu 65536
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: mtu 1500 qlen 1000
    inet6 fe80::ad02:9b6a:bf40:5a3a/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: mtu 1500 qlen 1000
    inet6 fe80::a00:27ff:feb8:3544/64 scope link
       valid_lft forever preferred_lft forever
Add the disable_ipv6 = 1 entries to the /etc/sysctl.conf file
#-- Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Disable IPv6 in all /etc/sysconfig/network-scripts/ifcfg-* files, e.g.
# cat /etc/sysconfig/network-scripts/ifcfg-enp0s3 | grep IPV6INIT
IPV6INIT=no
Disable IPv6 in /etc/sysconfig/network
# cat /etc/sysconfig/network | grep NETWORKING_IPV6
NETWORKING_IPV6=no
Remove the following line from the /etc/hosts file
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
Remove the following lines from /etc/ntp.conf
# cat /etc/ntp.conf | egrep ' -6'
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
Add ipv6.disable=1 to the GRUB_CMDLINE_LINUX entry in the /etc/default/grub file
# cat /etc/default/grub | grep GRUB_CMDLINE_LINUX
GRUB_CMDLINE_LINUX="ipv6.disable=1 crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet numa=off transparent_hugepage=never"
Regenerate a GRUB configuration file and overwrite the existing one
# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file .
Found linux image: /boot/vmlinuz-4.1.12-61.1.19.el7uek.x86_64
Found initrd image: /boot/initramfs-4.1.12-61.1.19.el7uek.x86_64.img
Found linux image: /boot/vmlinuz-4.1.12-61.1.18.el7uek.x86_64
Found initrd image: /boot/initramfs-4.1.12-61.1.18.el7uek.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-514.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-547c48bd53614a2ca2d16909b3c14419
Found initrd image: /boot/initramfs-0-rescue-547c48bd53614a2ca2d16909b3c14419.img
done
Confirm if IPV6 is disabled
# /sbin/ip -6 addr
# lsmod | grep -i v6
If neither the ip nor the lsmod command returns anything, you have successfully disabled IPv6.
And 10 reasons why by disabling IPv6 you are costing your company and customer money!
Enabling IPv6:
1. Identify application problems such as hard-coded IPv4 addresses
2. Identify misconfigured network, applications, virtualized systems, and containers
3. Eliminate overlapping IPv4 addresses
4. Eliminate DHCPv4 address exhaustion (2^8 vs. 2^64 per network)
5. Reduce battery usage on IoT and mobile devices between 12% and 30%
6. Offer customers new IOT solution [Machine2Machine, Machine2Cloud, Machine2Cloud+Customer, Customer to Machine+Cloud]
7. Harder for attackers to scan, harder to target, easier to find attackers
8. Reduction in customer latency between 10% and 40%
9. Reduction in Opex/Capex for data centers – 10-30%
10. Reduction in SPAM (to 7%) and DDOS (2%)
Bonus: Eliminate NAT all devices end-to-end
Contact me if you want details.
Joe Klein, CTO Disrupt6; IPv6 Forum – Fellow
How to Disable IPv6 in RHEL 8/CentOS 8/Oracle Linux 8
The internet has become an integral part of our lives, and networking protocols like IPv4 and IPv6 are the foundation of this technology. While IPv4 is the current standard for internet protocol, many experts believe that IPv6 will eventually replace it due to its improved security features.
IPv6 was developed to replace IPv4, which had become outdated due to its limited address space. IPv6 has a much larger address space, which allows for more devices to be connected to the internet.
IPv6 is an important part of the internet; however, it is also a potential source of malicious traffic if not properly configured and managed. By disabling IPv6, it is possible to reduce the attack surface of a network and protect it from malicious actors. With IPv4-only networks, firewall rules can be implemented more easily and securely, making it harder for attackers to gain access to the network. This article will provide steps to disable IPv6 in RHEL 8/CentOS 8/Oracle Linux 8.
1. How to check whether IPv6 is enabled on your server:
inet6 ::1/128 scope host
inet6 fe80::20c:29ff:fe31:2a7b/64 scope link
2. Create /etc/sysctl.d/custom-ipv6.conf with the following contents:
# vi /etc/sysctl.d/custom-ipv6.conf
3. To disable IPv6, use the following command.
# sysctl --load /etc/sysctl.d/custom-ipv6.conf
4. Verify again whether IPv6 is disabled on your server
Conclusion:
With the increasing use of the internet, it is becoming more important for everyone to understand and disable IPv6 in order to secure their network. IPv6 is a newer version of the Internet Protocol (IP) which provides users with more features and capabilities than its predecessor, IPv4. Although it has its advantages, it also comes with certain security risks that can be avoided by understanding and disabling IPv6.