Ipv6 Security Implications
Apr 15, 2008
Using CentOS server hosted with The Planet.
When I do an ifconfig I see a regular IP as well as an IPv6 one.
Does this mean my server is accessible via IPv6 as well, and would that bypass any firewall I have set on the regular IP? I noticed theres a ip6tables as well but I don't have it started. I'm fairly new to iptables in general so I'm not touching ipv6 now, unless I have to. Would it be safe to just block everything through ipv6 or would that be bad?
I'm kind of interested in learning more about IPv6 and eventually actually supporting it, but for now I rather not until I learn more about it.
View 1 Replies
ADVERTISEMENT
Jan 31, 2008
I recently changed one of my development servers from suPHP to FastCGI. I will admit, FastCGI is much quicker at PHP page generation and the system seems much more responsive.
However, I am looking into how FastCGI differs from suPHP in terms of security. Both run as a form of CGI outside of Apache itself -- which in theory is more secure. However, suPHP prevented users from setting insecure permissions (for instance, the max for files was 644, and for folders it was 755) -- something which FastCGI does not appear to do (although it could due to how it runs as a user).
Does anyone have any comments on this? Is there a way to force these same restrictions via FastCGI?
Also, any other comments in regards to the security of FastCGI vs. suPHP? I have run numerous searches and I don't seem to be able to find much. Google just returns a bunch of providers whose 'customers' are celebrating due to the provider choosing to implement FastCGI.
View 2 Replies
View Related
Aug 6, 2008
I've read that Virtuozzo 4.0 supported ipv6. I'm having problems finding anything to help setup the node for ipv6. I can't anything on the web except for some people talking about how to disable ipv6. So I was just wondering if anyone else has seen anything.
Edit: I don't think I posted in the correct section. Opps. Could a moderator move this to the right section?
View 2 Replies
View Related
Jul 28, 2009
we would like to extend our services with providing IPv6 for dedicated servers.
Our colo will provide us /48.
Am pretty new to IPv6. Can anobydy give some hints about IPv6 addressing for such scenario.
How should we cut that /48? How much IPs shoud I provide to every server?
Any real hosting world scenarios?
View 2 Replies
View Related
Apr 13, 2008
If you took every dns A record that exists for an ipv4, converted it to an AAAA ipv6 address record, what would the disk space difference be amongst every computer that hosts a dns server today?
View 1 Replies
View Related
Sep 12, 2007
to buy some more Layer 3 switches but I'd like to get ipv6 support. I like the Cisco 3550 but it does not support ipv6.
Can someone recommend a switch in the same price range (less than $1400 for 48 ports) that supports ipv6? This will be used for connecting to customer servers.
View 4 Replies
View Related
Jun 20, 2008
I did a little research about availability of dedicated servers with native IPv6 and my results are... Well, let's just say that they are worse than I expected them to be.
Only providers that I found (with IPv6 carriers in brackets) are:
- OVH, FR (Teleglobe, Global Crossing),
- CoreIX, UK (Tiscali, Teleglobe),
- Goscomb, UK (NTT/Verio, Global Crossing),
- FDCServers, US (NTT/Verio, Hurricane Electric).
There is also LeaseWeb (and I found one IPv6 server running on their network), but I didn't find any information regarding IPv6 on their page.
If you know others, please update the list (with IPv6 transit providers if you know them, no peering/IX please).
As you can see, there are at least 5 carriers who provide native IPv6. What bothers me is the fact that most of the US providers use NTT/Verio, Global Crossing or both of them in their BGP mix. Why don't they enable IPv6 connectivity? All their hardware supports it as IPv6 isn't anything new, so I really don't see a reason why they don't do it... Anyone want to enlight me?
As this isn't 'offers request' thread, I guess it wouldn't be against the rules for providers to say 'we do IPv6'
View 14 Replies
View Related
Jul 26, 2008
In terms of dedicated servers how does this work? Is this something you can ask for, and is there any advantage to having it? Is it also possible to have an IPv4 AND IPv6 on same server?
View 1 Replies
View Related
Apr 28, 2008
if there are any shared hosting providers offering ipv6-based hosting right now?
View 8 Replies
View Related
May 25, 2007
I want to start a private ircd that is only accessible to ipv6 clients, but I can't find a provider who can provide me with this. I've contacted FDC Servers about this, but they can't provide me with an ipv6 address on a vps.
View 4 Replies
View Related
May 2, 2007
for a linux VPS package provider that can provide both IPv4 and IPv6 (not tunneled) connectivity. IRC client/bots are not a priority but would be a bonus.
View 2 Replies
View Related
Aug 5, 2014
Nginx is listening on port 7080 with ipv6 protocol only.ipv6 isn't use on the server (ipv4 only).If I disable ipv6 support on the server, is this stopping nginx to use ipv6 ? (and some other process)How can I disable IPv6 on Plesk 12 ?
View 3 Replies
View Related
Oct 11, 2009
Can you make a recommendation for a switch-based L3 router which can
- hold a moderate number of routes (interface routes, a few hundred statics + default)
- OSPF and BGP
- MST
- 1024 layer-3 dot1q subinterfaces (or maybe VLAN interfaces)
with
+ traffic policing in and out per subinterface/vlan
+ VRRP/HSRP/NSRP
- IPv4 & IPv6 native
- 2x GigE ports
- Not tip-over under 1gbps DDoS towards a VLAN interface.
I've been using 3560Gs, but they seem to lack the output traffic policing. I'd prefer to have subinterfaces which don't run spanning-tree, versus Vlan Interfaces to a trunk interface which runs spanning-tree. These switches sit at the L3 boundary between two L2 networks.
Cost is a big factor; but I also must carry vendor licenses & support contract, if the vendor asserts that not doing so is illegal in US.
View 2 Replies
View Related
Jun 29, 2015
I'm running plesk 12.0.18 on centOS 6.6 and I have some problems with ipv6 support for a domain. This is what I see in my apache logs for that domain:
2001:8d8:90b:c900::2a:19d1 - - [29/Jun/2015:17:44:55 +0200] "GET /hello.html HTTP/1.0" 404 1208 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
2001:8d8:90b:c900::2a:19d1 - - [29/Jun/2015:17:49:39 +0200] "GET /hello.html HTTP/1.0" 200 384 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
2001:8d8:90b:c900::2a:19d1 is the ipv6 from my server, and it appears there because of nginx working as reverse proxy.
As you can see, facebook can't get /hello.html (404 response), but I can get it from another server using curl (200 response). I tried disabling nginx and this is what I see now:
2a03:2880:2110:dff3:face:b00c:0:1 - - [29/Jun/2015:17:55:11 +0200] "GET /hello.html HTTP/1.1" 404 1208 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
2001:8d8:8b3:6000::4e:c5a0 - - [29/Jun/2015:17:54:52 +0200] "GET /hello.html HTTP/1.1" 200 361 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
Still not able to get /hello.html. This is a problem for me because I can't share anything on facebook, since their bot can't find anything on my site.
I've already configured ipv6 for my domain.
View 1 Replies
View Related
May 15, 2014
Plesk Firewall has no effect on IPv6?
I am writing today regarding the Plesk Firewall. It seemed to be pretty handy for quickly blocking troublesome users from *replace-with-whatever-IP-block-is-giving-you-trouble*. Yet I am unable to block IPv6 addresses, and the fire wall seems to let some blocked IPv4s right in. I did not see any distinction as to v4 or v6 in the Firewall dialog for adding custom rules, so...
The question is...
(1) Is the Plesk Firewall *supposed* to apply rules to IPv6 by default?
If yes...
(2) Is there a setting or a switch that has to be configured for this to work?
If yes...
(3) Where are said configuration options located?
Okay, when I run /sbin/ip6tables -L (CentOS) I get output that resembles the iptables (no 6) output, only... what, converted to IP6? Not sure. Example output:
DROP tcp ::ffff:31.0.0.0/104 ::/0 tcp dpts:1:10000
In that particular instance I added a drop for the 31.0.0.0/8 block (using the Plesk Firewall interface), in order to create the script that's loaded into iptables (and ip6tables as well, apparently) when one elects to "Apply Configuration". It worked great, executed perfectly, and the iptables output list output looked to be (and remember, I have grossly insufficient background knowledge in this area) accurate.
Yet at the time of this writing I can see via live traffic monitor that an address in the 31.0.0.0/8 block (IPv4) is pounding away at a website. This is curious, as the live traffic monitor indicates an IPv4 address. So... can an IPv4 address be detected and recorded from a host that is only able to connect via IPv6? While an interesting question, I was more concerned with just blocking the IPv6 address and get more academic with it later.
But this raises another question; why would Plesk populate ip6tables and not provide an interface to actually submit IPv6 addresses.
View 1 Replies
View Related
Jan 19, 2008
I've been happily banning ip's using the output from
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
for over a year now, with iptables. However recently, after upgrading to apache 2.2, the connections in netstat get listed as ipv6. A row can look like this for example:
tcp6 0 0 ::ffff:12.123.123.123:80 ::ffff:12.123.12.:12382 ESTABLISHED-
(actual ip addresses changed)
As you can see, the remote ip address isn't complete, it's cut off, so the script used to sum up connections and insert into iptables isnt doing anything.
View 0 Replies
View Related
Jul 23, 2014
I added a AAAA ipv6 zone to my dns the idea was to run the SPF validation by google (who checked the ipv6 and not ipv4 (??) )Out today I have a client who called me and because it can no longer connect to my site...I take his computer in hand by teamviewer and actually the ping of my domain solves the ipv6 not ipv4 in the management of IP in plesk I
Mask IP address subnet Retailer Sites Interface
178.xx.xxx.xxx (shared) 255.255.255.0 eth0 0187
2001: xxxx: x: xxxx :: 1 (dedicated) 64 0 0 eth0
therefore 187 sites under the ipv4 and ipv6 0 on..I actually do not care about ipv6, it's just for spf..I lack some knowledge with dns I think...must I do something on dns to indicate that ipv4 is that actually hosts the site? or at plesk for all requests to be redirected to the ipv6 on ipv4?
View 3 Replies
View Related
Mar 26, 2015
On a new install, if I create IPv4 and IPv6 pools (one of each enabled for branding), and create a brand using "IP address"="Shared IPv4 and dedicated IPv6", it fails without an onscreen error. A webspace is created but marked "No hosting" in PPA and Failed in Hosting Panel. A DNS zone is created. At that point I can't delete the webspace from Hosting Panel and there doesn't seem to be a way to delete it from PPA, however, I can delete the DNS zone.
This is in poa.log, not sure if it's relevant:
Mar 26 09:19:20 ppa: ERR [UI:ecc45799:1427379560608 1:18157:b25ffb70 lib]: [Facade:leskResponse:arse] Plesk error 1013
Mar 26 09:19:22 ppa: ERR [openapi-firewall:b09ffb70 1:18032:b09ffb70 lib]: [iqxmlrpc-server] Server: Server error. Method 'system.methodSignature' not found.
Also after the DNS zone is created, the below is logged in poa.log...it doesn't seem relevant to the branding error but does seem to be a problem...
Mar 26 09:28:27 ppa: ERR [task:181:1932 1:18142:b33ffb70 lib]: [task:181 InteractiveHostOps:erform] ExSystem: module_id:'Common', ex_type_id:'1',Message:'Destination host 'ppa.example.net' (#1), IP '99.99.99.99' : Internal error: /usr/sbin/rndc /usr/sbin/rndc reconfig failed with code 1 saying: STDOUT: '' STDERR 'WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
rndc: connection to remote host closed
[Code] ....
View 3 Replies
View Related
Nov 9, 2012
I've discovered an annoying problem in Plesk 11.
When you register a .fr domain name, you need to have a Success ZoneCheck at [URL] ....
The test fail because the server didn't answer to ICMP IPv6 requests.
Error: The server does not listen to or does not answer in UDP on the port 53 (on the IpV6)
My question is: How to open port 53 on IPv6 for ICMP requests ?
This is functional with IPv4 But not IPv6.
There are some rules in the Plesk Firewall, but it seems not working at all.
View 4 Replies
View Related
Apr 4, 2008
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as apposed to 0755) than its parent but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
View 10 Replies
View Related
Aug 8, 2013
I'm runnung a server with Apache2 (Apache/2.2.16 (Debian 6.0))
I would like Apache2 listen on port 8080 for IPv4 and on port 80 for IPv6.
This is what I have now:
/etc/apache2/ports.conf
View 4 Replies
View Related
Jul 16, 2009
I have regarding hosting/designing my application. Users of my website upload highly sensitive files to the server. I'll use SSL but will that be enough since the files are not encrypted on the server. I tried to encrypt the files but that is adding a huge overhead.
My first question is - is it a good idea to store the files on the server rather than a database? My other question is regarding hosting; I'm thinking of building my own server and host it in a colo. Is colo more secure than dedicated hosting? Currently i'm still in the process of developing my App and my environment is Windows Server 2008/SQL Server 2005.
View 13 Replies
View Related
Feb 9, 2007
Is there any problems with having duplicate rules in different files as I have downloaded some rules and am going to make them all into one file to give me the best protection, but this is going to take time and I really need some sort of protection now
View 2 Replies
View Related
