Perform the following steps to disable IPv6 in the Trend Micro Smart Protection Server using the command line.
- Modify the value of the following parameter:
-bash-3.2# vi /etc/modprobe.conf
alias net-pf-10 off
- Modify the value of the following parameter:
-bash-3.2# vi /etc/sysconfig/network
NETWORKING_IPV6=no
- Execute the following commands. They remove IPv6 packet filtering, so complete the remaining steps and the reboot without delay:
-bash-3.2# /etc/init.d/ip6tables stop
-bash-3.2# chkconfig --level 2345 ip6tables off
-bash-3.2# modprobe -r -v ip6_tables
- Edit the value of the following parameter:
-bash-3.2# vi /etc/snmp/snmpd.conf
agentaddress udp:161
- Comment out the following lines:
-bash-3.2# vi /var/tmcss/cpmpatch/svaiptables
# FW6_SYS = "/etc/init.d/ip6tables "
# os.system("/sbin/ip6tables -F")
# os.system("/sbin/ip6tables -X")
# os.system("/sbin/ip6tables -Z")
# os.system("iptables-save | grep -v icmp |grep -v SNMP_SERV_IN |grep -v CPM_SERV_IN |ip6tables-restore")
# os.system("ip6tables -A LOCAL_SERV_IN -p icmpv6 -j ACCEPT")
# os.system(SVAFirewall.FW6_SYS + "start")
# os.system(SVAFirewall.FW6_SYS + "stop")
# os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j ACCEPT")
# os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL ACK -j ACCEPT")
# os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL PSH,ACK -j ACCEPT")
# os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,ACK -j ACCEPT")
# os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL PSH,FIN,ACK -j ACCEPT")
# os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport " + self.ssh_port + " -j ACCEPT")
# os.system("/sbin/ip6tables -I LOCAL_SERV_IN -p icmpv6 --icmpv6-type echo-request -j DROP > /dev/null 2>&1");
# os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport " + iwsva.port_service + " -j ACCEPT")
# os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport " + self.frs_http_port + " -j ACCEPT")
# os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport " + self.frs_https_port + " -j ACCEPT")
# os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport 546 -j ACCEPT")
# os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p udp --dport 546 -j ACCEPT")
# os.system("/sbin/ip6tables -D SERV_GATE -p tcp --dport " + self.wrs_http_port + " -j DROP > /dev/null 2>&1");
# os.system("/sbin/ip6tables -A SERV_GATE -p tcp --dport " + self.wrs_http_port + " -j DROP");
-bash-3.2# cp /var/tmcss/cpmpatch/svaiptables /etc/init.d/svaiptables
- Comment out the following lines:
-bash-3.2# vi /etc/lighttpd/lighttpd.conf
# listen to ipv6
#$SERVER["socket"] == "[::]:" + var.frs-http-port {
# $HTTP["host"] =~ "^(.*)$" {
# url.redirect = ( "^/$" => "https://%1:4343/",
# "^/tmcss/$" => "http://%1/$1")
# }
#}
#$SERVER["socket"] == "[::]:4343" {
#ssl.engine = "enable"
#ssl.pemfile = "/etc/lighttpd/server.pem"
#ssl.cipher-list = ssl-cipher-list
#accesslog.filename = "/var/log/lighttpd/mgt_access.log"
#server.document-root = var.AdminUI.document-root
#fastcgi.server = ( ".php" =>
# ( "localhost" =>
# (
# "socket" => "/tmp/php-fastcgi.socket",
# "bin-path" => "/usr/bin/php-cgi",
# "max-procs" => 4,
# "bin-environment" =>
# (
# "PHP_FCGI_CHILDREN" => "8",
# "PHP_FCGI_MAX_REQUESTS" => "1000"
# )
# )
# )
# )
#}
#Setting for LWCS
#$SERVER["socket"] == "[::]:" + var.wrs-http-port {
#server.document-root = "/var/www/iCRC/tmcss/"
#accesslog.filename = "/var/log/lighttpd/lwcs_access.log"
#server.indexfiles = ("lwcsfcgi")
#server.error-handler-404 = "/lwcsfcgi"
#fastcgi.server = ( "" =>
# ( "" =>
# (
# "socket" => "/tmp/lwcsfcgi-fastcgi.socket",
# "bin-path" => "/var/www/iCRC/tmcss/lwcsfcgi",
# "max-procs" => 90,
# "idle-timeout" => 30
# )
# )
# )
#}
#$SERVER["socket"] == "[::]:" + var.frs-https-port {
#ssl.engine = "enable"
#ssl.pemfile = "/etc/lighttpd/server.pem"
#ssl.cipher-list = ssl-cipher-list
# $HTTP["host"] =~ "^(.*)$" {
# url.redirect = ( "^/$" => "https://%1:4343/",
# "^/tmcss/$" => "https://%1/$1")
# }
#}
- Comment out the following lines:
-bash-3.2# vi /usr/tmcss/bin/snmp_set.sh
#IP6TABLES='/sbin/ip6tables'
# $IP6TABLES -F $SNMP_CHAIN 2> /dev/null
# $IP6TABLES -D INPUT -j $SNMP_CHAIN 2> /dev/null
# $IP6TABLES -X $SNMP_CHAIN 2> /dev/null
# $IP6TABLES -N $SNMP_CHAIN
# $IP6TABLES -A INPUT -j $SNMP_CHAIN
# $IP6TABLES -A $SNMP_CHAIN -p udp --dport $SNMP_PORT -s $1/$2 -j ACCEPT
# $IP6TABLES -A $SNMP_CHAIN -p udp --dport $SNMP_PORT -s $1/$2 -j ACCEPT
- Comment out the following lines:
-bash-3.2# vi /usr/tmcss/bin/patchcpm_set.sh
#IP6TABLES='/sbin/ip6tables'
# $IP6TABLES -F $CPM_CHAIN > /dev/null 2>&1
# $IP6TABLES -D INPUT -j $CPM_CHAIN > /dev/null 2>&1
# $IP6TABLES -X $CPM_CHAIN > /dev/null 2>&1
# $IP6TABLES -N $CPM_CHAIN
# $IP6TABLES -A INPUT -j $CPM_CHAIN
# $IP6TABLES -A $CPM_CHAIN -p tcp --dport $1 -j ACCEPT
# $IP6TABLES -A $CPM_CHAIN -p udp --dport $1 -j ACCEPT
- Comment out the following lines:
-bash-3.2# vi /usr/tmcss/bin/CollectSystemInfo.sh
# echo -e "\n[ip6table] (Run Command \"ip6tables -L\")" >> $target_file_location/$target_file_name
# echo "`date` [$Module_Name] > ip6tables -L" | tee -a $CDT_LOG_FILE_NAME | more
# ip6tables -L >> $target_file_location/$target_file_name 2>>$CDT_LOG_FILE_NAME
- Comment out and modify the following lines:
-bash-3.2# vi /usr/tmcss/bin/tlogger
#cmdip6tables = "/sbin/ip6tables"
tin = long(getTraffic(cmdiptables, "WCS_SERV_IN")) + long(getTraffic(cmdip6tables, "WCS_SERV_IN"))
tout= long(getTraffic(cmdiptables, "WCS_SERV_OUT")) + long(getTraffic(cmdip6tables, "WCS_SERV_OUT"))
--->>>
tin = long(getTraffic(cmdiptables, "WCS_SERV_IN"))
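tout= long(getTraffic(cmdiptables, "WCS_SERV_OUT"))
- Reboot the SPS. After the reboot, confirm that IPv6 is off: `ip -6 addr show` should list no addresses and `netstat -ln` should show no listeners on `:::` addresses.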
- Log in to the Trend Micro Smart Protection Server over SSH using the root account.
- Execute the following commands to disable IPv6:
# service ip6tables stop
# chkconfig ip6tables off
- Comment out all IPv6-related settings in /etc/lighttpd/lighttpd.conf as follows:
- Execute the command:
# vi /etc/lighttpd/lighttpd.conf
- Press INSERT key to enter Edit mode.
- Uncomment line 153 and change it to:
server.use-ipv6 = "disable"
- Execute the command:
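- Comment out all IPv6 configurations on these lines (the line numbers assume an unmodified file; check that each range covers only the `[::]` socket blocks before commenting it out):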
lines 157 through 163
lines 290 through 309
lines 330 through 346
lines 370 through 377
- Press the ESC key, then type ":wq!" to save and close the file.
- Comment out all IPv6-related settings in the /etc/snmp/snmpd.conf.
- Execute the following command:
# vi /etc/snmp/snmpd.conf
- Press the INSERT key to enter Edit mode.
- Change line 465 from "agentaddress udp:161,udp6:161" to:
agentaddress udp:161
- Press the ESC key, then type ":wq!" to save and close the file.
- Execute the following command:
- Change the value of NETWORKING_IPV6 inside the /etc/sysconfig/network file.
- Execute the following command:
# vi /etc/sysconfig/network
- Press the INSERT key to enter Edit mode.
- Set NETWORKING_IPV6=no.
- Press the ESC key, then type ":wq!" to save and close the file.
- Execute the following command:
- Run the following commands to restart the lighttpd and snmpd daemons to apply the new settings.
# service lighttpd restart
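# service snmpd restart
- Verify the result: `netstat -ln` should show no listeners on `:::` addresses. Because ip6tables is now stopped, any service still bound to an IPv6 address is no longer filtered.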