Disable IPv6 on Debian VPS (Virtuozzo!)

Note: This question is still unresolved - the answer was auto-accepted.

I have a Debian Lenny VPS that's running virtualized by Parallels/Virtuozzo. Currently, the network interface doesn't have an IPv6 address - and that's good, because I don't have an ip6tables configuration.

But I assume that I could wake up one day and ifconfig will show me an IPv6 address for the interface - because I have no control over the kernel or its modules - they're under the control of the hosting company. That would leave the server completely vulnerable to attacks from IPv6 addresses.

What would be the best way to disable IPv6 (for the interface or maybe for the entire host)? Usually I would simply disable the kernel module, but that's not possible in this case.

Update

Maybe I should add that I can use iptables and everything normally (I'm root on the VPS), but I can't make changes to the kernel or load kernel modules because of the way Virtuozzo works (shared kernel).

lsmod always returns nothing.

I can't call ip6tables -L (it says that I need to insmod, or that the kernel would have to be upgraded).

I don't think that changes to /etc/modprobe.d/aliases would have any effect, or do they?

Networking Config?

I thought that maybe I can turn IPv6 off from /etc/network/... Is that possible?


Solution 1:

I've only tested this on Ubuntu, but you could try the following:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

And if this appears to work, you can make it permanent by adding the following to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1

Solution 2:

Best solution is to set up an iptables config that covers v6.

Failing that, most daemons will let you specify interface addresses to bind to, with a default of all. Explicitly list the v4 addresses you want, and then they won't leave open ports on v6 addresses, should you later get any. Outgoing connections would still prefer v6 addresses, though.

Solution 3:

There's a fairly simple way to not be vulnerable to attack on IPv6.

Don't have services listening that shouldn't be open to the world. At the very least simply forcing services to bind to a specific IPv4 address should ensure they're not listening on IPv6. netstat -tupl can help with this.

Firewalls should exist for two reasons:

* Protecting services with limited access to the world (TCP wrappers also helps here)
* Protecting you from your own mistakes
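
The check Solutions 2 and 3 describe (bind services to IPv4 addresses, then confirm with netstat), as an added example that is not part of the original answers. It classifies IPv6 listeners from `netstat -tuln` output and goes slightly beyond the answers by marking which ones are bound to the `::` wildcard; the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers). Input format assumed:
# Linux net-tools `netstat -tuln` (numeric addresses, listening sockets).

# Constructed sample output; addresses are documentation/placeholder values.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 2001:db8::10:443        :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 :::123                  :::*'

# Reads netstat lines on stdin and prints "proto local-address scope" for each
# socket bound to an IPv6 address. scope is:
#   wildcard - bound to ::, reachable on any IPv6 address the host ever gets
#   loopback - bound to ::1, local only
#   specific - bound to one configured IPv6 address
v6_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            sub(/:[0-9*]+$/, "", addr)           # drop the trailing :port
            if ($1 !~ /6$/ && addr !~ /:/) next  # plain IPv4 socket
            scope = "specific"
            if (addr == "::")  scope = "wildcard"
            if (addr == "::1") scope = "loopback"
            print $1, $4, scope
        }'
}

# Number of listeners that a newly assigned IPv6 address would expose.
v6_wildcard_count() {
    v6_listeners | awk '$3 == "wildcard"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | v6_listeners
# On a live host: netstat -tuln | v6_listeners
```

Any line reported as wildcard is a service to rebind to an explicit IPv4 address or to cover with a firewall rule.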

Solution 4:

I believe currently the best way to disable IPv6 in Debian Lenny is to create a file in /etc/modprobe.d named ipv6.conf with blacklist ipv6 in it, then run depmod -ae as root, followed by update-initramfs -u.

There is a write-up on this on the debian.org wiki here: http://wiki.debian.org/KernelModuleBlacklisting

Good luck!

--jed