3.1.1 Disable IPv6

Information

Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.

Rationale:

If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.

Impact:

If IPv6 is disabled through sysctl config, SSH X11Forwarding may no longer function as expected. We recommend that SSH X11Forwarding be disabled, but if it is required, the following will allow SSH X11Forwarding to work with IPv6 disabled through sysctl config:

Add the following line to the /etc/ssh/sshd_config file:

AddressFamily inet

Run the following command to restart the OpenSSH server:

# systemctl restart sshd

Solution

Use one of the two following methods to disable IPv6 on the system:
To disable IPv6 through the GRUB2 config:
Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:

GRUB_CMDLINE_LINUX='ipv6.disable=1'

Run the following command to update the grub2 configuration:

# grub2-mkconfig -o /boot/grub2/grub.cfg

OR
To disable IPv6 through sysctl settings:
Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Run the following commands to set the active kernel parameters:

# sysctl -w net.ipv6.conf.all.disable_ipv6=1
# sysctl -w net.ipv6.conf.default.disable_ipv6=1
# sysctl -w net.ipv6.route.flush=1
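
The following audit sketch is an added example, not part of the benchmark text. It checks whether either of the two methods above is present in configuration and shows a later sysctl drop-in silently undoing the setting; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added audit example; function names and sample files are constructed.

# Succeeds if the last GRUB_CMDLINE_LINUX= line in file $1 carries the
# exact token ipv6.disable=1 (GRUB_CMDLINE_LINUX_DEFAULT is not checked).
grub_disables_ipv6() {
    line=$(grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$1" | tail -n 1)
    for tok in $(printf '%s\n' "${line#*=}" | tr -d "\"'"); do
        if [ "$tok" = "ipv6.disable=1" ]; then return 0; fi
    done
    return 1
}

# Prints the last value assigned to key $1 across the given files,
# skipping comments; later files and later lines override earlier ones.
sysctl_conf_value() {
    key=$1; shift
    awk -v k="$key" '
        /^[ \t]*[#;]/ { next }
        { n = index($0, "="); if (n == 0) next
          name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
          gsub("/", ".", name)   # sysctl also accepts "/" as separator
          if (name == k) { val = substr($0, n + 1); gsub(/[ \t]/, "", val) } }
        END { print val }' "$@"
}

# Succeeds only if both parameters from the sysctl method resolve to 1.
sysctl_disables_ipv6() {
    for k in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
        [ "$(sysctl_conf_value "$k" "$@")" = "1" ] || return 1
    done
}

# Constructed sample input: GRUB method absent, sysctl method overridden
# by a later drop-in that re-enables IPv6 on "all".
d=$(mktemp -d)
printf '%s\n' 'GRUB_CMDLINE_LINUX="crashkernel=auto quiet"' > "$d/grub"
printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 1' \
              'net.ipv6.conf.default.disable_ipv6 = 1' > "$d/10-cis.conf"
printf '%s\n' '# re-enabled for testing' \
              'net.ipv6.conf.all.disable_ipv6=0' > "$d/99-local.conf"

if grub_disables_ipv6 "$d/grub" || sysctl_disables_ipv6 "$d"/*.conf; then
    echo "PASS: IPv6 disabled"
else
    echo "FAIL: IPv6 not disabled by either method"
fi
```

On a real host, pass /etc/default/grub and the sysctl files in the order the system loads them. This inspects configuration files only, so the running state still needs to be confirmed separately (for example with /proc/cmdline and sysctl net.ipv6.conf.all.disable_ipv6).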

See Also

https://workbench.cisecurity.org/files/2925

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv7|9.4

Plugin: Unix

Control ID: 8583f58455cbe6d57bab008a7e3e0e25489d45534e873b5bd0e894f5b18b0d78