
I'm setting up a Linode server and the Getting Started security guide suggests disabling ssh access over either IPv4 or IPv6 so that I only have one of the two enabled.

I understand the general theory of reducing attack surface, but why would I pick one over the other? How do I know which one I need?

Listen on only one internet protocol. The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your Linode using both protocols, disable whichever you do not need. This does not disable the protocol system-wide; it is only for the SSH daemon.

Moshe

3 Answers

There can be several reasons to disable one or the other. My home and office have stable IPv6 addresses but always changing IPv4 addresses. So firewalling IPv6 is much easier and safer and therefore I close IPv4.

When I need to do maintenance I either ssh from a known network or I open a VPN and get IPv6 addresses that are allowed through the firewall.

It all depends on your environment, but this is what works for me :)

Sander Steffann

As you may know, there are many automated bots out there trying to break into systems on the Internet. Some of these attempt to connect to every system on the Internet via ssh and try common passwords.

Everyone who has ever put a system on the network has seen their logs fill up with messages about break-in attempts. But they are all on IPv4! There are none on IPv6. Bots attempt to connect to every IPv4 address that exists, but this is impossible with IPv6 as there are too many of them.

I usually leave both protocols enabled, but when I do disable one, it is IPv4.

Michael Hampton

There are much more efficient ways to secure your ssh server. What I consider the two most important steps to secure ssh are:

  • Set up key-based authentication and disable password authentication.
  • Keep the software up to date.

With those two in place there is very little security to be gained by disabling IPv4 or IPv6.

There are arguments in favor of having ssh configured to listen on both IPv4 and IPv6, even if you usually don't use both of them.

If one of the protocols is inaccessible due to a misconfiguration, either on your server or on one of the provider's routers, it is useful to be able to log in using the other protocol. In such situations having both IPv4 and IPv6 enabled will make problems much easier to debug.

kasperd
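As an added example (not code from the question, any answer, or Linode's guide): the guide's "listen on one address family" advice together with kasperd's key-only authentication as an sshd drop-in, plus a small audit that reports whether an existing sshd_config still listens on both families or accepts passwords. It assumes OpenSSH 8.2 or later, whose stock sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf"; sshd uses the first value it sees for a keyword, so the drop-in takes precedence over the main file.

```shell
# Added example; assumes OpenSSH >= 8.2 with the default Include line so
# that a drop-in in /etc/ssh/sshd_config.d/ is read first and wins.

# Print a drop-in for /etc/ssh/sshd_config.d/.  $1: inet (IPv4) or inet6.
sshd_single_family_conf() {
  case "$1" in
    inet|inet6) ;;
    *) echo "usage: sshd_single_family_conf inet|inet6" >&2; return 2 ;;
  esac
  printf '%s\n' \
    "# Listen on one address family only (Linode Getting Started guide)" \
    "AddressFamily $1" \
    "# Keys only: the two steps kasperd considers most important" \
    "PubkeyAuthentication yes" \
    "PasswordAuthentication no" \
    "KbdInteractiveAuthentication no"
}

# Effective value of keyword $1 in the sshd_config read from stdin, or the
# compiled-in default $2 when the keyword is unset.  Keywords are
# case-insensitive, comments and blank lines are skipped, first match wins.
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == key { print $2; found = 1; exit }
    END { if (!found) print def }'
}

# Constructed sample: a stock config with everything left at its default.
sample_default_config() {
  printf '%s\n' "Include /etc/ssh/sshd_config.d/*.conf" "Port 22" \
    "#AddressFamily any" "#ListenAddress 0.0.0.0" "#ListenAddress ::" \
    "#PasswordAuthentication yes"
}

# Audit a config on stdin: returns 0 when it listens on one family and
# refuses passwords, otherwise prints each finding and returns 1.
sshd_audit() {
  cfg=$(cat); rc=0
  if [ "$(printf '%s\n' "$cfg" | sshd_effective AddressFamily any)" = any ]; then
    echo "sshd listens on both IPv4 and IPv6 (AddressFamily any)"; rc=1
  fi
  if [ "$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)" = yes ]; then
    echo "password authentication is enabled"; rc=1
  fi
  return $rc
}
```

After installing the drop-in, `sshd -t` validates the configuration before a restart, and `ss -tlnp | grep sshd` shows which sockets sshd still has bound.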