[VoiceOps] IPv6 security defaults
Alex Balashov
abalashov at evaristesys.com
Wed May 11 23:27:43 EDT 2016
This isn't overtly related to voice, but thought I would pose it here
anyway in the context of SIP exploits:

Lots of dedicated servers and cloud servers from major providers are now
spun up with IPv6 enabled by default, but I have yet to see an instance
where firewall rules for IPv6 were enabled by default.

So, while it is typical for major Linux distributions (e.g. CentOS) to
ship with a conservative-ish 'iptables' ruleset applied by default, I
normally see:

--
root@server:~# ip6tables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
--

And yes, the canonical default services listen on the 6-net, too:

--
root@server:~# ss -6tln | awk '{print $4}'
Local
::1:53
:::22
::1:953
--

With something like ~10% (?) of Internet traffic passing over IPv6 now
(right?), my expectation would be that script kiddie tools, dictionary
scanners, and the likes of SIPvicious would have evolved to exploit the
fact that IPv6 is often enabled but, in my experience, seldom firewalled.

Does this accord with your experience? Anecdotes welcome.

-- Alex

--
Alex Balashov | Principal | Evariste Systems LLC
1447 Peachtree Street NE, Suite 700
Atlanta, GA 30309
United States
Tel: +1-800-250-5920 (toll-free) / +1-678-954-0671 (direct)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
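
An added example, not part of the original post: a shell check that combines the two commands quoted above and reports IPv6 TCP listeners not bound to ::1 when the ip6tables INPUT chain is policy ACCEPT with no rules. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: report IPv6 TCP listeners left open by an empty,
# policy-ACCEPT ip6tables INPUT chain. Names and samples are constructed.

# Constructed sample input modelled on the output quoted in the post.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    ::1:53     :::*
LISTEN 0      128    :::22      :::*
LISTEN 0      128    ::1:953    :::*'

# Reads `ip6tables -S` output on stdin. Succeeds only when the INPUT
# policy is ACCEPT and the chain holds no rules at all.
input_unfiltered() {
    awk '$1 == "-P" && $2 == "INPUT" { policy = $3 }
         $1 == "-A" && $2 == "INPUT" { rules++ }
         END { exit !(policy == "ACCEPT" && rules == 0) }'
}

# Reads `ss -6tln` output on stdin and prints "address port" for every
# listener not bound to loopback (::1). Accepts both the older ":::22"
# and the newer "[::]:22" address notation.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        sock = $4
        port = sock; sub(/.*:/, "", port)
        addr = substr(sock, 1, length(sock) - length(port) - 1)
        gsub(/\[/, "", addr); gsub(/\]/, "", addr)
        if (addr != "::1") print addr, port
    }'
}

# audit RULES SS_OUTPUT: prints one "UNFILTERED address port" line per
# exposed listener, or nothing when INPUT has a non-ACCEPT policy or rules.
audit() {
    if printf '%s\n' "$1" | input_unfiltered; then
        printf '%s\n' "$2" | exposed_listeners | sed 's/^/UNFILTERED /'
    fi
}

# Default: run on the constructed sample. On a real host (as root):
#   audit "$(ip6tables -S)" "$(ss -6tln)"
audit "$SAMPLE_RULES" "$SAMPLE_SS"
```

A chain that already contains rules is not evaluated, so an empty result in that case is not proof that the listeners are filtered.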