HOWTO: disable IPv6 networking in Debian

UPDATE 3 Ohai! now it’s 2015 and Debian lists an offical way to disable ipv6 in /etc/sysctl.conf, just add:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

Then reboot, or issue the command sysctl -p

So, while I’m (still) all for IPv6 becoming the new standard, until it does I’m going to turn if off on my servers if it’s not being used.

UPDATE 2 It’s 2014 now, and this is much easier. Edit /etc/sysctl.conf and add:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Now restart sysctl

sysctl -p

Done, it’s off, notice you may need to address individual services to stop them from listening on ipv6 interfaces.


UPDATE It’s been some time since I posted this, but I just read a post called Linux Hardening - Quick Wins that reinforces my thinking on this point; if you don’t need a service, you shouldn’t have it running:

Disable IPv6: Unless you know that you need it, disabling IPv6 is a good idea as it is hard to monitor, making it attractive for hackers, and it’s also hard to spot security vulnerabilities in the protocol.

Again, this is no shot at IPv6, merely my point that if you’re not using it, you shouldn’t be running it.

Tonight I did ran netstat (netstat -plunt) on my Debian server and saw that I had some ports listening via IPv6.  It’s a shame IPv6 hasn’t caught on as it’s better than IPv4 in virtually every way, and it should, especially since TCP/IPv4 was standardized in ARPANET RFC’s… in 1981!  Also, IPv6 provides network level security via IPSec, which enables authentication of sender and encryption of communication path, to secure communications, all fun stuff, but while some point to the fact that the Beijing Olympics used IPv6 exclusively as a point in how far it’s come, that’s hardly saying much when the protocol went Alpha… in 1996!  I mean I put things off and get distracted, sure, but come on!  So while its adoption can be argued to be a case of the chicken before the egg, since I’m not using anything IPv6, nor do I or my ISP even have the capability to use it, it’s silly and perhaps dangerous to leave it running with open ports.  So, if you’re not using it, disable it - it’s easy, just put on your pointy hat and follow along…

First we need to edit:

/etc/modprobe.d/aliases

By default you will have a line like this:

alias net-pf-10 ipv6

Replace that line with:

alias net-pf-10 off
alias ipv6 off

(The second line may/may not be required with newer (2.26.+) kernels, but it won’t hurt anything)

Also, while we’re at it, on your desktop machines, help out Firefox by disabling IPv6 there too.  It’s simple, in the location bar enter:

about:config

Then search for:

network.dns.disableIPv6

and toggle its value to true

Well, that’s it, you’re now surfing with 1980s technology (just like 99.098% of the internet!)

 
comments powered by Disqus