3.1.1 Disable IPv6

Information

Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.

Rationale:

If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.

Impact:

If IPv6 is disabled through sysctl config, SSH X11 forwarding may no longer function as expected. We recommend that SSH X11 forwarding be disabled, but if it is required, the following will allow SSH X11 forwarding to work with IPv6 disabled through sysctl config:

Add the following line to the /etc/ssh/sshd_config file:

AddressFamily inet

Run the following command to restart the OpenSSH server:

# service sshd restart

Solution

Use one of the following two methods to disable IPv6 on the system:
To disable IPv6 through the GRUB config:
Edit /boot/grub/grub.conf to include ipv6.disable=1 on every kernel line:
Example:

kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=UUID=ed90a503-bea9-4f2c-b24a-e9191f6e154b rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet audit=1 ipv6.disable=1

OR
To disable IPv6 through sysctl settings:
Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/*.conf file:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Run the following commands to set the active kernel parameters:

# sysctl -w net.ipv6.conf.all.disable_ipv6=1
# sysctl -w net.ipv6.conf.default.disable_ipv6=1
# sysctl -w net.ipv6.route.flush=1
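As an added audit helper (not part of the CIS benchmark or of the Tenable plugin text above), the following POSIX shell script decides whether IPv6 is disabled by either of the two methods: it looks for ipv6.disable=1 as a whole token on the kernel command line, and it parses sysctl-style "key = value" text, applying later lines over earlier ones the way sysctl -p does, to confirm that both the all and default disable_ipv6 keys are set to 1. The function names, the constructed command line and sysctl text, and the --live switch are assumptions made for this example.

```shell
#!/bin/sh
# Added audit helper (not CIS or Tenable code): decide whether IPv6 is
# disabled by either method in control 3.1.1. The *_disables_ipv6 functions
# take their input as strings so they can be exercised on constructed data;
# live_ipv6_disabled reads the running system.

# 0 if the kernel command line carries ipv6.disable=1 as a whole token.
# A substring match is not enough: "ipv6.disable=10" must not pass.
cmdline_disables_ipv6() {
    for tok in $1; do
        [ "$tok" = "ipv6.disable=1" ] && return 0
    done
    return 1
}

# 0 if the given sysctl text (one "key = value" per line, '#' or ';'
# comments, later lines overriding earlier ones as sysctl -p applies them)
# sets BOTH keys to 1. "all" covers interfaces that already exist,
# "default" covers interfaces created later, so one without the other
# leaves a gap.
sysctl_disables_ipv6() {
    printf '%s\n' "$1" | awk -F= '
        { sub(/[#;].*/, "") }               # strip comments
        /^[ \t]*$/ { next }                 # skip blank lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub("/", ".", key)             # sysctl accepts net/ipv6/... too
            v[key] = val                    # last assignment wins
        }
        END {
            exit !(v["net.ipv6.conf.all.disable_ipv6"] == "1" &&
                   v["net.ipv6.conf.default.disable_ipv6"] == "1")
        }'
}

# 0 if either method is in effect for the given cmdline and sysctl text.
ipv6_disabled() {
    cmdline_disables_ipv6 "$1" || sysctl_disables_ipv6 "$2"
}

# Live check: /proc/cmdline for the GRUB method, the running sysctl values
# for the sysctl method. When IPv6 is disabled from the command line the
# net.ipv6.* keys usually do not exist, so sysctl errors are silenced and
# the cmdline check decides.
live_ipv6_disabled() {
    cmdline=$(cat /proc/cmdline)
    settings=$(printf 'net.ipv6.conf.all.disable_ipv6=%s\nnet.ipv6.conf.default.disable_ipv6=%s\n' \
        "$(sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null)" \
        "$(sysctl -n net.ipv6.conf.default.disable_ipv6 2>/dev/null)")
    ipv6_disabled "$cmdline" "$settings"
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "$1" = "--live" ]; then
    if live_ipv6_disabled; then
        echo "PASS: IPv6 is disabled"
    else
        echo "FAIL: IPv6 is not disabled by either method"
        exit 1
    fi
fi
```

Run it as `sh check_ipv6.sh --live` on the target host; the exit status is 0 only when one of the two methods is in effect. The sysctl parser deliberately requires both keys, because setting only net.ipv6.conf.all.disable_ipv6 leaves IPv6 enabled on any interface that appears after the setting is applied.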

Default Value:

None

Additional Information:

Disabling IPv6 via sysctl only disables IPv6 on the interfaces (it unhooks the ipv6 module's calls and removes the addresses); it does not prevent the ipv6 kernel module from loading, and the setting can be reverted at runtime by writing 0 back to the same keys. The ipv6.disable=1 kernel parameter disables the protocol when the module initializes, which is why it takes effect only after a reboot. Whichever method is used, note that net.ipv6.conf.all.disable_ipv6 affects existing interfaces while net.ipv6.conf.default.disable_ipv6 affects interfaces created afterwards, so both keys are needed.

See Also

https://workbench.cisecurity.org/files/3144

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Unix

Control ID: ff166c74a624df52e54e05d05a5398b936d9e63a0e827251c1cb62d3370bb620