    How to properly disable IPv6 on Hetzner dedi?

    JohnRoeJohnRoe Member
    edited February 13 in Help

    Hi. Can anyone tell me the correct way to disable IPv6 on Hetzner?

    I Googled around and found this

    Edit /etc/sysctl.conf

    Paste these:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    

    Execute sudo sysctl -p

    IPv6 was successfully disabled, but the problem is that the server cannot be reached anymore after a reboot.

    These are files in /etc/sysctl.d/

    10-console-messages.conf
    10-kernel-hardening.conf
    10-magic-sysrq.conf
    10-ptrace.conf
    9999-vpn.conf
    99-sysctl.conf
    10-ipv6-privacy.conf
    10-link-restrictions.conf
    10-network-security.conf
    10-zeropage.conf
    99-hetzner.conf
    README

    And this is content of 99-hetzner.conf

    ### Hetzner Online GmbH installimage
    # sysctl config
    #net.ipv4.ip_forward=1
    net.ipv4.conf.all.rp_filter=1
    net.ipv4.icmp_echo_ignore_broadcasts=1
    # ipv6 settings (no autoconfiguration)
    net.ipv6.conf.default.autoconf=0
    net.ipv6.conf.default.accept_dad=0
    net.ipv6.conf.default.accept_ra=0
    net.ipv6.conf.default.accept_ra_defrtr=0
    net.ipv6.conf.default.accept_ra_rtr_pref=0
    net.ipv6.conf.default.accept_ra_pinfo=0
    net.ipv6.conf.default.accept_source_route=0
    net.ipv6.conf.default.accept_redirects=0
    net.ipv6.conf.all.autoconf=0
    net.ipv6.conf.all.accept_dad=0
    net.ipv6.conf.all.accept_ra=0
    net.ipv6.conf.all.accept_ra_defrtr=0
    net.ipv6.conf.all.accept_ra_rtr_pref=0
    net.ipv6.conf.all.accept_ra_pinfo=0
    net.ipv6.conf.all.accept_source_route=0
    net.ipv6.conf.all.accept_redirects=0
    

    Should I delete 99-hetzner.conf and retry method above? Is that a proper way?

    Thanks.

    OS: Ubuntu 18.04

    Sorry for my bad English
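
An added example (not part of the original post and not Hetzner's installimage code): a shell function that reports which file in a sysctl.d-style directory ends up deciding each `net.ipv6.conf.*` key. It assumes the files of a single directory are applied in byte-wise name order with later files winning. The sample directory is constructed, and the `9999-vpn.conf` line in it is invented to show an override, since the page does not show that file's contents.

```shell
#!/bin/sh
# Show which file decides each sysctl key under a prefix when the *.conf files of
# ONE sysctl.d-style directory are applied in byte-wise name order (last one wins).
effective_sysctl() {
    dir=$1; prefix=$2
    find "$dir" -maxdepth 1 -name '*.conf' | LC_ALL=C sort |
    while IFS= read -r f; do
        # Emit "key<TAB>value<TAB>file" per assignment; skip comments and blanks.
        awk -v file="${f##*/}" '
            /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
            {
                eq = index($0, "="); if (eq == 0) next
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print key "\t" val "\t" file
            }' "$f"
    done |
    awk -F '\t' -v prefix="$prefix" '
        index($1, prefix) == 1 {
            # A later file changing an earlier value is recorded as an override.
            if (($1 in val) && val[$1] != $2)
                note[$1] = " (overrides " val[$1] " from " src[$1] ")"
            val[$1] = $2; src[$1] = $3
        }
        END { for (k in val) print k " = " val[k] "  [" src[k] "]" note[k] }' |
    LC_ALL=C sort
}

# Constructed sample directory using file names from the post. The 9999-vpn.conf
# line is invented for the demo; the page does not show that file's contents.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '# ipv6 settings (no autoconfiguration)' \
        'net.ipv6.conf.all.autoconf=0' 'net.ipv6.conf.all.accept_ra=0' \
        > "$d/99-hetzner.conf"
    printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 1' \
        'net.ipv6.conf.default.disable_ipv6 = 1' > "$d/99-sysctl.conf"
    printf '%s\n' 'net.ipv6.conf.all.disable_ipv6=0' > "$d/9999-vpn.conf"
    echo "$d"
}

sample=$(make_sample)
effective_sysctl "$sample" net.ipv6.conf.
rm -rf "$sample"
```

On a real host, point it at `/etc/sysctl.d` and compare the result with `sysctl net.ipv6.conf.all.disable_ipv6` after a reboot.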

    Comments

    • rm_rm_ Member
      edited February 13

      JohnRoe said: Can anyone tell me the correct way to disable IPv6 on Hetzner?

      The correct way is to not disable IPv6.

    • marvelmarvel Member without signature

      @rm_ said:

      JohnRoe said: Can anyone tell me the correct way to disable IPv6 on Hetzner?

      The correct way is to not disable IPv6.

      This. I can't think of any reason to ever disable IPv6.

    • @rm_ said:

      JohnRoe said: Can anyone tell me the correct way to disable IPv6 on Hetzner?

      The correct way is to not disable IPv6.

      I am trying to solve this issue.
      The obvious difference between before and after the reinstall is that I had IPv6 disabled back then.

      I am trying to eliminate possibilities. I have changed my webserver and the error still occurs. Cloudflare strongly suggests there is a network issue but Hetzner denied that. So I am at a loss. I have terabytes of files stored on the server and it costs me 3-4 days to back up, restore, and reconfigure the server. So reinstalling this server would be my last resort.

      Thanks

      Sorry for my bad English

    • JohnRoeJohnRoe Member
      edited February 13

      @marvel said:

      @rm_ said:

      JohnRoe said: Can anyone tell me the correct way to disable IPv6 on Hetzner?

      The correct way is to not disable IPv6.

      This. I can't think of any reason to ever disable IPv6.

      I don't remember why I disabled it last time. But you can read my reply above.

      Sorry for my bad English

    • What's your OS? If Debian, just comment out the IPv6 setting in /etc/network/interfaces

    • @webdev said:
      What's your OS? If Debian, just comment out the IPv6 setting in /etc/network/interfaces

      Ubuntu 18.04, so I can use the same method. Should I just ignore /etc/sysctl.d/99-hetzner.conf?

      Sorry for my bad English

    • RickBakkrRickBakkr Member, LIR

      JohnRoe said: Cloudflare strongly suggest there is a network issue but Hetzner denied that

      Ditch CloudFlare, or just its proxy? Or just remove the AAAA record to force CF to internally use v4?

      All better than ditching V6... :(

    • @RickBakkr said:

      JohnRoe said: Cloudflare strongly suggest there is a network issue but Hetzner denied that

      Ditch CloudFlare, or just its proxy? Or just remove the AAAA record to force CF to internally use v4?

      All better than ditching V6... :(

      I don't really want to expose my server IP to visitors. But if nothing can solve this including reinstalling, I have no choice. Also I don't have any AAAA configured.

      Sorry for my bad English

    • Indeed, removing the AAAA record would be much simpler.

    • @webdev said:
      Indeed, removing the AAAA record would be much simpler.

      I don't have any configured.

      Sorry for my bad English

    • RickBakkrRickBakkr Member, LIR
      edited February 13

      JohnRoe said:
      I don't really want to expose my server IP to visitors.

      If you are in a business where you cannot expose your IP, you are with the wrong kind of folks.. Never had to hide away and never had any trouble for the time I've been around :')

      Thanked by 1benj0x
    • @RickBakkr said:

      JohnRoe said:
      I don't really want to expose my server IP to visitors.

      If you are in a business where you cannot expose your IP, you are with the wrong kind of folks.. Never had to hide away and never had any trouble for the time I've been around :')

      Is it really safe? What about DDOS and other vulnerabilities? Does Hetzner offer DDOS for free? Of course I disabled the root user and am using a strong password for SSH. But I am on this server alone and I am not an IT expert or that kind of stuff. I never feel safe whenever someone knows its IP address. Plus, Cloudflare has pretty fancy Analytics which wouldn't cost me anything, especially resources.

      Anyway I am using this server to host my Telegram Bots, encode video, and to test stuff personally. Web server mainly used for users from Telegram Bots to fetch some files.

      Sorry for my bad English

    • JohnRoe said: I don't have any configured.

      If you have nothing, then whether the server has IPv6 or not does not matter. The other choice would be to use a new VPS for the web server, with your current server as the storage/database server.

      Have you tried another web server like OpenLiteSpeed?

    • benj0xbenj0x Member
      edited February 13

      @JohnRoe said:

      @RickBakkr said:

      JohnRoe said:
      I don't really want to expose my server IP to visitors.

      If you are in a business where you cannot expose your IP, you are with the wrong kind of folks.. Never had to hide away and never had any trouble for the time I've been around :')

      Is it really safe? What about DDOS and other vulnerabilities? Does Hetzner offer DDOS for free? Of course I disabled the root user and am using a strong password for SSH. But I am on this server alone and I am not an IT expert or that kind of stuff. I never feel safe whenever someone knows its IP address. Plus, Cloudflare has pretty fancy Analytics which wouldn't cost me anything, especially resources.

      Anyway I am using this server to host my Telegram Bots, encode video, and to test stuff personally. Web server mainly used for users from Telegram Bots to fetch some files.

      Hetzner doesn't offer DDoS Attacks for free. But you can use their quite good Anti-DDoS service. It's free.
      I have already experienced some attacks against my Hetzner dedicated server which all went quite well. I stayed online throughout the whole attack after their Anti-DDoS kicked in.
      Analytics you can get on your own. Set up Matomo or something else and you'll be fine. You could also analyze your apache2 logs. Just google a bit for services which could help you out.

      Just for your knowledge: Cloudflare doesn't make you un-DDoSable. Their free plan doesn't help really if someone seriously wants to attack you. They'll find ways to bypass Cloudflare and take you down.

      But please: don't disable IPv6. That's the wrong action to solve your issue. Please don't be that stupid and say that IPv6 is causing all of your issues.

      Thanked by 1Hetzner_OL

      is annoyed of VirMach's Black Friday Flash Sale Page.

    • @webdev said:

      JohnRoe said: I don't have any configured.

      If you have nothing, then whether the server has IPv6 or not does not matter. The other choice would be to use a new VPS for the web server, with your current server as the storage/database server.

      Have you tried another web server like OpenLiteSpeed?

      I also have Telegram Bots on the server which serve files. So web server needs to be on the same server.

      I have tried Caddy and Apache2. I have no intention of trying another when these 2 have the same issue as well. I want to highlight here that whenever the 525 error code appears, nothing gets written to the log files. It looks like something happens before the request can reach my webserver.

      Sorry for my bad English

    • But why would you disable IPv6 when you have NEVER mentioned your IPv6 address in Cloudflare's DNS settings? I honestly don't get why you'd see the issue in IPv6.

      Please stop this bullshit ☹️. I hate when companies recommend you to disable IPv6.

      Thanked by 2maverickp rm_

      is annoyed of VirMach's Black Friday Flash Sale Page.

    • @benj0x said:

      @JohnRoe said:

      @RickBakkr said:

      JohnRoe said:
      I don't really want to expose my server IP to visitors.

      If you are in a business where you cannot expose your IP, you are with the wrong kind of folks.. Never had to hide away and never had any trouble for the time I've been around :')

      Is it really safe? What about DDOS and other vulnerabilities? Does Hetzner offer DDOS for free? Of course I disabled the root user and am using a strong password for SSH. But I am on this server alone and I am not an IT expert or that kind of stuff. I never feel safe whenever someone knows its IP address. Plus, Cloudflare has pretty fancy Analytics which wouldn't cost me anything, especially resources.

      Anyway I am using this server to host my Telegram Bots, encode video, and to test stuff personally. Web server mainly used for users from Telegram Bots to fetch some files.

      Hetzner doesn't offer DDoS Attacks for free. But you can use their quite good Anti-DDoS service. It's free.

      I have already experienced some attacks against my Hetzner dedicated server which all went quite well. I stayed online throughout the whole attack after their Anti-DDoS kicked in.

      Extra money for something that I don't generate any money :/

      Analytics you can get on your own. Set up Matomo or something else and you'll be fine. You could also analyze your apache2 logs. Just google a bit for services which could help you out.

      Cloudflare analytics count every single request. Having Matomo would require me to set up many things, including embedding the code everywhere. I used Matomo back then but then moved to Google Analytics because I don't want to waste any more time optimizing it. Also, like I said, no extra resources needed.

      Just for your knowledge: Cloudflare doesn't make you un-DDoSable. Their free plan doesn't help really if someone seriously wants to attack you. They'll find ways to bypass Cloudflare and take you down.

      I am 100% aware of this. But Cloudflare will prevent people who are not serious about attacking me from getting to know my server IP address. Like I said, I am using this server mostly for personal things, so no one would seriously want to take me down.

      But please: don't disable IPv6. That's the wrong action to solve your issue. Please don't be that stupid and say that IPv6 is causing all of your issues.

      I am surprised that you are saying I am stupid after all that nice conversation. I wrote in the 3rd comment that I just want to eliminate possibilities. I had IPv6 disabled before I reinstalled this server and it worked fine. So what is wrong with taking note of the differences between before and after reinstalling, then eliminating them 1 by 1?

      Sorry for my bad English

    • JohnRoeJohnRoe Member
      edited February 13

      @benj0x said:
      But why would you disable IPv6 when you have NEVER mentioned your IPv6 address in Cloudflare's DNS settings? I honestly don't get why you'd see the issue in IPv6.

      Please stop this bullshit ☹️. I hate when companies recommend you to disable IPv6.

      I am trying to eliminate possibilities. Read my reply above.
      There is nothing to lose by trying, right?

      So can we get back to the topic?

      Edit: Also, Cloudflare never asked me to disable IPv6. I just want to disable it to eliminate possibilities. I will turn it back on when it is proved that disabling IPv6 doesn't solve my issue.

      Sorry for my bad English
