In this article I will go through a series of steps to configure the most relevant settings to harden a RHEL server.
Services
Linux servers run network services. Each service has an application (daemon) listening for connections on one or more network ports.
Each service and port could potentially receive a network attack.
Here is a list of potential risks of having ports open to provide services:
Before we start, you might want to check which services are running on your system with the netstat command.
Here is an example of a server with few services running.
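As an added example (my own script, not output or code from the article), here is a constructed netstat -tulpn listing together with a short shell audit that reads that column layout and flags sockets bound to every interface on the ports this article goes on to firewall. The sample lines, WATCH_PORTS, audit_listeners and count_flagged are all assumptions of the example:

```shell
#!/bin/sh
# Added example, not output or code from the article. SAMPLE_NETSTAT is a constructed
# `netstat -tulpn` listing; on a real host pipe the live output into audit_listeners instead.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1340/master
tcp6       0      0 :::2049                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1/systemd
udp        0      0 0.0.0.0:20048           0.0.0.0:*                           1500/rpc.mountd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           890/chronyd'

# Ports that the rpcbind, NIS, mountd and NFS sections of this article deal with.
WATCH_PORTS='111 834 835 2049 20048'

# audit_listeners: read netstat -tulpn output on stdin and print one line per socket
# bound to a wildcard address (0.0.0.0 or ::), i.e. reachable from every interface.
# Sockets bound to a specific address such as 127.0.0.1 are skipped. Watched ports
# are tagged REVIEW so they can be checked against the firewall rules of each section.
audit_listeners() {
    awk -v watch="$WATCH_PORTS" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        port = $4; sub(/.*:/, "", port)                       # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)   # everything before it
        if (addr != "0.0.0.0" && addr != "::") next
        prog = ($1 ~ /^tcp/) ? $7 : $6                        # udp lines have no State column
        tag  = (port in watched) ? "REVIEW" : "ok"
        printf "%-5s %-6s %-20s %s\n", $1, port, prog, tag
    }'
}

# count_flagged PATTERN: number of audited sample lines matching PATTERN (quick self-check)
count_flagged() { printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners | grep -c "$1"; }

printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
```

On a live RHEL 7 host run `netstat -tulpn | audit_listeners` as root (netstat comes from the net-tools package; `ss -lntup` is the iproute replacement, but its columns differ, so the awk fields would need adjusting). Every line tagged REVIEW should be matched by a rule in the corresponding section; one that is not is the gap to close.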
I’m going to go through the most common services that require attention.
rpcbind is a service daemon that dynamically assigns ports to services like RPC, NIS and NFS.
This service has a weak authentication mechanism and can assign a wide range of ports, so it needs to be protected by the firewall.
If this service is needed and you are going to protect it with the firewall, you will first need to do a case study to understand which networks should reach rpcbind and which should not. Once you know this, run the following commands to enable each network.
To limit TCP:
# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop' --permanent
# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept' --permanent
To limit UDP:
# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="udp" source address="192.168.0.0/24" invert="True" drop' --permanent
Repeat the last three steps for each subnet that will need access.
NIS is well known for authenticating users across the network. This service is outdated because it sends unencrypted information, including passwords, over the network. Unless it is needed for specific reasons, it's better not to use it at all.
If your network uses NIS authentication or you are planning to set it up, make sure you have rpcbind behind a firewall as specified above and then go through these steps.
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
TCP
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="tcp" drop' --permanent
UDP
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="udp" drop' --permanent
NFS exports can also create security risks such as symlink attacks. For this reason, use NFSv4.0 when possible, which can require authentication and can operate behind a firewall.
Here are some considerations you should follow:
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=32769
TCP
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="20048" protocol="tcp" drop' --permanent
UDP
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="20048" protocol="udp" drop' --permanent
TCP
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="2049" protocol="tcp" drop' --permanent
UDP
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="2049" protocol="udp" drop' --permanent
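The rpcbind, NIS, mountd and NFS sections above all apply the same pattern: an inverted drop rule per port and protocol for one subnet. When more than one subnet needs access, repeating that inverted rule per subnet does not work, because each rule drops everything outside its own subnet and together they drop all of them. The following added script (my own code, not the article's or the RHEL Security Guide's) keeps the single inverted drop rule but matches against a firewalld ipset that lists every allowed network, and applies it to the four port groups of this article in one pass. The ipset name rpc-allowed, the FWCMD override and the function names are assumptions of the example; the firewall-cmd options used (--new-ipset, --ipset/--add-entry, rich rules with source ipset=) are firewalld's own. drop_unless_allowed also takes an optional protocol list, so it can cover the pinned lockd ports from the nfs configuration above (for example 32803 tcp only):

```shell
#!/bin/sh
# Added example, not code from the article or the RHEL Security Guide.
# Restricts the article's RPC-related ports to a list of allowed subnets using ONE
# firewalld ipset and one inverted drop rule per port group and protocol.
# FWCMD is an assumed override: FWCMD=echo previews the commands instead of applying them.
FWCMD="${FWCMD:-firewall-cmd}"

# make_allowlist IPSET SUBNET...: create a hash:net ipset holding the allowed networks
make_allowlist() {
    name="$1"; shift
    [ "$#" -gt 0 ] || { echo "make_allowlist: no subnets given" >&2; return 1; }
    $FWCMD --permanent --new-ipset="$name" --type=hash:net || return 1
    for net in "$@"; do
        $FWCMD --permanent --ipset="$name" --add-entry="$net" || return 1
    done
}

# drop_unless_allowed IPSET PORTSPEC [PROTO...]: drop PORTSPEC (e.g. 111 or 834-835)
# from any source that is not in IPSET; PROTO defaults to both tcp and udp
drop_unless_allowed() {
    name="$1"; ports="$2"; shift 2
    [ "$#" -gt 0 ] || set -- tcp udp
    for proto in "$@"; do
        $FWCMD --permanent --add-rich-rule="rule family=\"ipv4\" source ipset=\"$name\" invert=\"True\" port port=\"$ports\" protocol=\"$proto\" drop" || return 1
    done
}

# harden_rpc_services SUBNET...: the article's four port groups in one pass
harden_rpc_services() {
    make_allowlist rpc-allowed "$@" || return 1
    drop_unless_allowed rpc-allowed 111     || return 1   # rpcbind
    drop_unless_allowed rpc-allowed 834-835 || return 1   # ypserv/ypxfrd, pinned by YPSERV_ARGS / YPXFRD_ARGS
    drop_unless_allowed rpc-allowed 20048   || return 1   # rpc.mountd
    drop_unless_allowed rpc-allowed 2049    || return 1   # nfsd
    # the article's loopback accept for rpcbind, kept as written there
    $FWCMD --permanent --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept' || return 1
    $FWCMD --reload
}

# Preview:  FWCMD=echo sh harden-rpc.sh 192.168.0.0/24 10.10.0.0/16
# Apply:    sh harden-rpc.sh 192.168.0.0/24 10.10.0.0/16   (as root on the RHEL host)
if [ "$#" -gt 0 ]; then harden_rpc_services "$@"; fi
```

Run it first with FWCMD=echo to review the exact rich rules it would add. After applying, `firewall-cmd --info-ipset=rpc-allowed` shows the networks in the set and `firewall-cmd --list-rich-rules` shows the drop rules; adding a subnet later is a single `--ipset=rpc-allowed --add-entry=` call rather than another round of rules.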
References
+ This article is based on the Red Hat Enterprise Linux 7 Security Guide, which can be downloaded from the Red Hat network here.
Disclaimer - Views expressed in this blog are the author's own and do not necessarily represent the policies of aclnz.com