Disabling ipv6

mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Disabling ipv6

Unread post by mikeshinn »

If the issue is that you just don't want to get the IPv6 module loading alerts, then I recommend you add in a custom OSSEC rule to ignore them. The other options just increase your risk.

For what it's worth, IPv6 can be disabled on your box. We didn't do anything special on our boxes, just the normal procedure in this thread. I wish I had some magic sauce to share; all I can say is it's not that you haven't disabled it - it's that an application on your system is trying to *enable it*.

So you may have to dig into what's trying to turn it on. It could be your hosting provider and their DHCP responses, maybe something in a package you are using has IPv6 enabled (which then tells the kernel to dynamically enable IPv6 even when you disable it), who knows.

Again, if the issue is ignoring the alerts, that's easy enough to do - just add in a custom OSSEC rule and be done with it. ASL will prevent IPv6 from being enabled, and you can ignore the alerts.
webfeatus
Forum Regular
Posts: 196
Joined: Wed Jan 13, 2010 9:11 am
Location: Bali

Re: Disabling ipv6

Unread post by webfeatus »

mikeshinn wrote:
    it's that an application on your system is trying to *enable it*.

Last ClamAV update process started at Thu Aug 5 04:11:27 2010
Last Status:
Using IPv6 aware code
Querying current.cvd.clamav.net

- or has the system already been *told*
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Disabling ipv6

Unread post by mikeshinn »

That would mean that clamd is configured to support IPv6 (which is the default behavior for clamd and has been since 2007 I think).
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: Disabling ipv6

Unread post by breun »

I don't see any settings in /etc/clamd.conf for IPv6.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Disabling ipv6

Unread post by mikeshinn »

It's in the actual code in clamd: "Using IPv6 aware code". The default build for clamd is to support IPv6. If you don't want that support, you have to build it with --disable-ipv6.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: Disabling ipv6

Unread post by biggles »

mikeshinn wrote:
    If the issue is that you just don't want to get the IPv6 module loading alerts, then I recommend you add in a custom OSSEC rule to ignore them. The other options just increase your risk.

    For what it's worth, IPv6 can be disabled on your box. We didn't do anything special on our boxes, just the normal procedure in this thread. I wish I had some magic sauce to share; all I can say is it's not that you haven't disabled it - it's that an application on your system is trying to *enable it*.

    So you may have to dig into what's trying to turn it on. It could be your hosting provider and their DHCP responses, maybe something in a package you are using has IPv6 enabled (which then tells the kernel to dynamically enable IPv6 even when you disable it), who knows.

    Again, if the issue is ignoring the alerts, that's easy enough to do - just add in a custom OSSEC rule and be done with it. ASL will prevent IPv6 from being enabled, and you can ignore the alerts.

According to this thread the ipv6 module is always loaded in the ASL kernel. When was this kernel introduced in the atomic channel? For me the inability to disable ipv6 started with kernel 2.6.32.13-2.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Disabling ipv6

Unread post by mikeshinn »

Nope, not for a long time. We removed all the IPv6 modules from ASL last year. ASL has not loaded any IPv6 modules for at least 9 months or longer.

We used to force them to load because some customers were upset that the module wasn't loaded by default and they wanted to dynamically start IPv6 way after boot. After further reflection, we have since removed all IPv6 modules from ASL, as this is not an ASL issue. If you want IPv6, plan accordingly and load the modules before you lock the kernel (as with all modules). In some other cases, we force some modules to load when it's likely they will be needed (but are usually forgotten by some application developers who choose to let the kernel dynamically do all the work) and are low risk to have always loaded. We don't have to do this, but we chose to do it to make life easier for all our customers, including the ones that have no idea what we are talking about. :-)

You can see all the modules we force to load here:

/etc/init.d/asl-mod

Note: This is a list of the modules ASL will load if it's necessary to load them and if that module or method exists in that kernel. That list includes modules that exist in different generations of the kernel over time, and some may not exist in other versions. ASL is smart enough to know which ones to load depending on the generation of the kernel it's using, so do not worry about this list. If a module with a name on this list is not in the version of the ASL kernel you have installed, it's deprecated and not missing - ASL knows what to do. If you are not a kernel person, you should probably forget about this list now.

This is the current list of modules ASL will force load on boot:

Code:

ip_tables
iptable_filter
iptable_nat
iptable_mangle
nf_nat
x_tables
ipt_stealth
ipt_owner
ipt_REJECT
ipt_recent
ipt_REDIRECT
xt_tcpudp
xt_conntrack
nf_conntrack
nf_conntrack_ipv4
nf_conntrack_netbios_ns
nf_conntrack_ftp
nf_conntrack_sane
nf_nat_ftp
xt_state
xt_length
xt_limit
xt_mac
xt_physdev
xt_pkttype
xt_multiport
xt_mac
xt_MARK
xt_DSCP
xt_tcpmss
xt_TCPMSS
xt_mark
xt_connlimit
xt_string
xt_owner
xt_iprange
ipt_ECN
ipt_ecn
ipt_LOG
tun
fuse
cifs
aes_generic
aes_x86_64
twofish_x86_64
twofish_common
sha256_generic
cbc
ecb
dm_crypt
crypto_blkcipher
The module names cover several generations of Linux kernels, which is deliberate to ensure that new and old kernels have the right minimum modules loaded. If your kernel doesn't have any of these modules loaded, they don't exist for that kernel and are deprecated - they are not missing. It's fail-safe for anyone that cares about the nomenclature.

Also, if by some chance you did have the IPv6 module loaded, you would not get the message that the kernel was blocking the module from loading. So if ASL had loaded the module you would know it - because you wouldn't get the message from the kernel that the module is not allowed to load.

To recap for anyone reading this message first: the kernel message is caused when an application tries to enable IPv6, the IPv6 module is NOT loaded, and ASL prevents it from being loaded, thereby guaranteeing that IPv6 cannot be started on your system. So, if you get that kernel message, that means nothing, including ASL, loaded the IPv6 module.

If anyone is concerned about running IPv6, a simple solution is just to load the module, set up an iptables rule to drop all IPv6 traffic, and be done with it. It's pretty clear that the process of disabling IPv6 at the network level doesn't seem to work very well. Or, just let ASL do all the work and write a custom exclude rule for the "IPv6 module loading prevented" message.

I'll throw one up here momentarily.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Disabling ipv6

Unread post by mikeshinn »

I haven't had a chance to try this yet, but give this a shot in your local_rules.xml file in /var/ossec/rules/:

Code:

    <rule id="99999" level="0">
      <program_name>grsec</program_name>
      <match>denied kernel module auto-load of net-pf-10</match>
      <description>Ignore that IPv6 attempted to start</description>
    </rule>

That should ignore the ASL warning.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: Disabling ipv6

Unread post by biggles »

Thanks a lot for the detailed explanation!

BTW, and a bit OT: if those modules aren't available, how can you acquire them? For example xt_tcpudp.ko is missing for the 2.6.32.16-2 kernel, which gives errors when loading APF... (http://atomicorp.com/forums/viewtopic.php?f=1&t=4349)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Disabling ipv6

Unread post by mikeshinn »

The module names change (and the code and methods change), so if your kernel doesn't have a module with those names, don't worry about it. If APF isn't loading the right modules you'll want to ask them what they need to load. Maybe they expect the modules to be able to load dynamically, and don't force them to load on boot.

If you want us to force load a module, just let us know.
webfeatus
Forum Regular
Posts: 196
Joined: Wed Jan 13, 2010 9:11 am
Location: Bali

Re: Disabling ipv6

Unread post by webfeatus »

Code:

    <rule id="99999" level="0">
      <program_name>grsec</program_name>
      <match>denied kernel module auto-load of net-pf-10</match>
      <description>Ignore that IPv6 attempted to start</description>
    </rule>

Has anyone had success with this?
Is a restart required?
(I thought OSSEC restarted with auto updates?)
I am still seeing the output.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: Disabling ipv6

Unread post by biggles »

webfeatus wrote:
    <rule id="99999" level="0">
      <program_name>grsec</program_name>
      <match>denied kernel module auto-load of net-pf-10</match>
      <description>Ignore that IPv6 attempted to start</description>
    </rule>

    Has anyone had success with this?
    Is a restart required?
    (I thought OSSEC restarted with auto updates?)
    I am still seeing the output.

My rule is

Code:

    <rule id="101004" level="2">
      <if_sid>1002</if_sid>
      <regex>denied kernel module auto-load of net-pf-10</regex>
      <options>no_email_alert</options>
    </rule>

And it's working like a charm. I always restart ossec to pick up new rules, but I don't know if it's necessary.
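To see why the two rules in this thread can behave differently, here is an added Python sketch (not from the thread and not OSSEC's own code) of how OSSEC decodes a syslog line and applies `<program_name>`, `<match>`, `<regex>` and `<if_sid>`. The sample log line, the assumption that the grsec denial arrives tagged as `kernel:`, and the treatment of generic rule 1002 as "message contains 'denied'" are all assumptions made for the example.

```python
import re

# Constructed sample line (assumed format for a grsecurity denial logged via the
# kernel syslog facility; not taken from the thread).
SAMPLE_LINE = ("Aug  5 04:11:27 host kernel: grsec: denied kernel module auto-load "
               "of net-pf-10 by /usr/sbin/clamd[clamd:2231] uid/euid:0/0 gid/egid:0/0")

# Minimal syslog decoder: timestamp, hostname, program name (optional pid), message.
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<program>[^:\[\s]+)(?:\[\d+\])?: (?P<message>.*)$")

# The two rules posted in the thread, reduced to the fields that decide a match.
RULE_99999 = {"id": 99999, "level": 0, "program_name": "grsec",
              "match": "denied kernel module auto-load of net-pf-10"}
RULE_101004 = {"id": 101004, "level": 2, "if_sid": 1002,
               "regex": "denied kernel module auto-load of net-pf-10"}

def decode(line):
    """Return the fields OSSEC's syslog decoder would expose for a line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return {"program_name": m.group("program"), "message": m.group("message")}

def ossec_regex(pattern):
    """Translate the OSSEC <regex> subset used here (\\d \\w \\s \\. ^ $ | + * ())
    into a Python regex; every other character is taken literally."""
    out = []
    for tok in re.findall(r"\\.|.", pattern):
        out.append(tok if tok in (r"\d", r"\w", r"\s", r"\.") or tok in "^$*+|()"
                   else re.escape(tok))
    return re.compile("".join(out))

def rule_1002_matches(event):
    """Approximation (assumption) of OSSEC's generic syslog rule 1002, which fires
    on error-like words such as 'denied' anywhere in the message."""
    return "denied" in event["message"].lower()

def rule_matches(rule, event):
    """OSSEC semantics: <if_sid> requires the parent to have fired, <program_name>
    and <match> are substring tests, <regex> is an OSSEC-style regex on the message."""
    if rule.get("if_sid") == 1002 and not rule_1002_matches(event):
        return False
    if "program_name" in rule and rule["program_name"] not in event["program_name"]:
        return False
    if "match" in rule and rule["match"] not in event["message"]:
        return False
    if "regex" in rule and not ossec_regex(rule["regex"]).search(event["message"]):
        return False
    return True

def firing_rules(line, rules=(RULE_99999, RULE_101004)):
    """Ids of the rules that would match the decoded line, in file order."""
    event = decode(line)
    return [r["id"] for r in rules if rule_matches(r, event)]
```

With the assumed `kernel:` tag only rule 101004 fires, because `<program_name>grsec</program_name>` is compared against the syslog program name, not the message text; if the line were tagged `grsec:` both rules would fire.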