IPv6: Need help to understand concepts

Hi there,

I need help to understand:

  1. Why are some ports being assigned to tcp6?
  2. Why are tcp6 ports reachable from the outside?

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      510/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      709/sshd: /usr/sbin 
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5079/cupsd          
tcp6       0      0 :::80                   :::*                    LISTEN      848/httpd           
tcp6       0      0 :::21                   :::*                    LISTEN      1253/proftpd: (acce 
tcp6       0      0 :::22                   :::*                    LISTEN      709/sshd: /usr/sbin 
tcp6       0      0 ::1:631                 :::*                    LISTEN      5079/cupsd          
tcp6       0      0 :::443                  :::*                    LISTEN      848/httpd           
tcp6       0      0 :::3306                 :::*                    LISTEN      1087/mysqld 

I am trying to harden the system.

Separately, I would like to understand how to kill off the IPv6 process.
I understand that for IPv4 it is just

fuser -k httpd

Hello,

The most straightforward answer as to why there are services listening on IPv6 addresses is that your system has at least one IPv6 address assigned to it, and some services are set to bind to all available IPs rather than specific IP addresses (which is what most services tend to do by default). So in the case of sshd, for example, it binds to TCP port 22 on all your available IPv4 and IPv6 addresses, which is the meaning of the 0.0.0.0 address in the case of IPv4, and of :: in the case of IPv6.

If you do not want services to be reachable on an IPv6 address, then you have a few choices:

  1. Configure the service in question to only bind to the specific IPv4 IP addresses or interfaces you want it to use
  2. Firewall off the IPv6 addresses or ports that you do not want people to be able to connect to
  3. Disable the IPv6 addresses or interfaces on your system that you do not actually want to use

In terms of how you'd kill these connections: your fuser syntax doesn't seem quite right there, no. Normally you wouldn't want to literally "kill" anything anyway, unless you were dealing with a process or service that was not responding to normal controls.

What you will want to do is use the correct command for the service in question to stop it or shut it down (e.g. systemctl stop sshd.service to shut down your SSH service on a systemd-enabled Linux distribution, for example). You could not kill the processes that are listening on the IPv6 addresses specifically, since (if you check your list) you'll see that the PIDs for the listening IPv4 and IPv6 ports are the same, since it's the same process doing the listening in each case.

So, in summary: if you actually don't need or want to use IPv6, the simplest thing is just to disable it for your operating system entirely. If you need it for some things, but not others, then either configure the services you don't want to use IPv6 to only bind to IPv4 addresses, or alternatively firewall off incoming IPv6 connections to those IPs and ports you don't want people to be able to reach.

Hope this helps!

2 Likes

The classic fuser command works on files. In Unix many things are implemented as devices that are special files and behave like files.
But networking is implemented differently; you need other commands.

In Linux the p option lists the associated processes:

netstat -luntp
ss -luntp

In Unix it might be impossible, or there is an OS-specific way to get the processes.
Maybe you can install lsof that can do more than fuser.
Enabling/disabling IPv6 is OS-specific, too.
If you tell us your OS, then we can certainly tell you more. Try to get the OS with:

cat /etc/*release

Besides @drysdalk's answer: if you find ports which you don't want open at all, whether in IPv4 or IPv6, find the service that listens on them and disable it, or even uninstall it.

For example: I don't want SSH port open on my home computer, so I just make sure openssh-server is never installed. Or, if I need it, but only sometimes (like rsync'ing files between computers at home), I disable them with systemctl disable sshd.service, then stop them in the current session with systemctl stop sshd.service.

You shouldn't let MySQL listen on the any (:::) address; that's a very bad idea, unless its port 3306 is protected by a packet filter like nftables or pf.

1 Like
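The three replies above all come down to reading the listing correctly: which sockets are bound to the wildcard address (0.0.0.0 or ::), which are loopback-only, and which PIDs own both a tcp and a tcp6 socket. As an added example (not code from this thread or from any poster), here is a small Python script that parses a netstat -tlnp style listing and reports exactly that. The listing is constructed from the output pasted in the question; the helper names (parse_listeners, audit, and so on) are hypothetical and not commands mentioned on the page.

```python
"""Audit a `netstat -tlnp`-style listing for services reachable over IPv6.

Added example for this thread, not any poster's code. The listing below is
constructed from the question's output; the function names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample input: the netstat output pasted in the question.
NETSTAT_LISTING = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      510/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      709/sshd: /usr/sbin
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5079/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      848/httpd
tcp6       0      0 :::21                   :::*                    LISTEN      1253/proftpd: (acce
tcp6       0      0 :::22                   :::*                    LISTEN      709/sshd: /usr/sbin
tcp6       0      0 ::1:631                 :::*                    LISTEN      5079/cupsd
tcp6       0      0 :::443                  :::*                    LISTEN      848/httpd
tcp6       0      0 :::3306                 :::*                    LISTEN      1087/mysqld
"""

WILDCARDS = {"0.0.0.0", "::"}   # "bind to every address" for IPv4 / IPv6


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" (IPv4 socket) or "tcp6" (IPv6 socket)
    address: str    # local address with the port removed
    port: int
    pid: int
    program: str

    @property
    def scope(self) -> str:
        """Classify where the socket is reachable from."""
        if self.address in WILDCARDS:
            return "all-interfaces"
        if self.address == "::1" or self.address.startswith("127."):
            return "loopback"
        return "specific"


def split_local(local: str) -> tuple[str, int]:
    """Split 'address:port' on the LAST colon: ':::80' -> ('::', 80) and
    '::1:631' -> ('::1', 631). Splitting on the first colon would mangle
    every IPv6 entry."""
    address, _, port = local.rpartition(":")
    return address, int(port)


def parse_listeners(text: str) -> list[Listener]:
    """Parse LISTEN rows. The program field may contain spaces (for example
    'sshd: /usr/sbin'), so each line is split into at most seven fields."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue  # header, blank line, or a non-TCP row
        proto, _recvq, _sendq, local, _foreign, state, pid_program = fields
        if state != "LISTEN":
            continue
        pid, _, program = pid_program.partition("/")
        address, port = split_local(local)
        listeners.append(Listener(proto, address, port, int(pid), program.strip()))
    return listeners


def ipv6_wildcard_ports(listeners: list[Listener]) -> list[int]:
    """Ports bound to ::, i.e. reachable on every IPv6 address the host has."""
    return sorted({sock.port for sock in listeners
                   if sock.proto == "tcp6" and sock.scope == "all-interfaces"})


def dual_stack_pids(listeners: list[Listener]) -> list[int]:
    """PIDs owning both a tcp and a tcp6 socket: one process, two sockets,
    so there is no separate 'IPv6 process' to kill."""
    protos_by_pid: dict[int, set[str]] = {}
    for sock in listeners:
        protos_by_pid.setdefault(sock.pid, set()).add(sock.proto)
    return sorted(pid for pid, protos in protos_by_pid.items()
                  if protos == {"tcp", "tcp6"})


def loopback_only_ports(listeners: list[Listener]) -> list[int]:
    """Ports bound only to 127.x / ::1, unreachable from the network
    whatever the tcp/tcp6 column says."""
    loopback = {sock.port for sock in listeners if sock.scope == "loopback"}
    exposed = {sock.port for sock in listeners if sock.scope != "loopback"}
    return sorted(loopback - exposed)


def audit(text: str) -> dict[str, list[int]]:
    listeners = parse_listeners(text)
    return {
        "ipv6_wildcard_ports": ipv6_wildcard_ports(listeners),
        "dual_stack_pids": dual_stack_pids(listeners),
        "loopback_only_ports": loopback_only_ports(listeners),
    }


if __name__ == "__main__":
    for name, values in audit(NETSTAT_LISTING).items():
        print(f"{name}: {values}")
```

On the question's listing this reports ports 21, 22, 80, 443 and 3306 as bound to ::, PIDs 709 (sshd) and 5079 (cupsd) as owning both an IPv4 and an IPv6 socket, and 53 and 631 as loopback-only. One caveat when reading the tcp6-only rows (httpd, proftpd, mysqld): on Linux a socket bound to :: also accepts IPv4 connections as IPv4-mapped addresses unless the service sets IPV6_V6ONLY (or net.ipv6.bindv6only is enabled), so a port that shows up only under tcp6 is normally still reachable over IPv4.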

Sorry, I do not understand why you would ask such a question without stating clearly what your OS is.

This is an OS specific question, generally speaking.

For example, on Linux Red Hat systems, you simply do this:

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

On Linux Debian systems, you can also add these lines to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

You might need to reboot.

Either way, with Linux operating systems, it's trivial to turn off IPv6.

On macOS, it used to be something like this:

sudo networksetup -setv6off Ethernet

I only use macOS and Linux on a daily basis, so I would need to google around for other OSes.

Please note, generally speaking, if you do not use IPv6, you should "turn it off". This is what I do, generally speaking, BTW.
