
Chapter 3. Securing services

It is important for an organization to monitor the active network services that matter to administrators and Linux system admins. Red Hat Enterprise Linux 8 supports many network servers. When a network service is running on a machine, its daemon keeps listening for connections on network ports, and these listening daemons are exposed to any kind of attack. As a result, the services need to be secured in order to prevent compromise. This chapter helps you secure different services.

3.1. Securing rpcbind

The rpcbind service is a dynamic port assignment daemon for Remote Procedure Calls (RPC) services such as Network Information Service (NIS) and Network File Sharing (NFS). Because it has weak authentication mechanisms and can assign a wide range of ports for the services it controls, it is important to secure the rpcbind service.

You can secure the rpcbind service by adding firewall rules to the server. You can restrict access to all networks and define specific exceptions using the firewall rules.

Note
  • The rpcbind service is required by NFSv2 and NFSv3 servers, so secure the rpcbind service when you are running either of them.
  • NFSv4 does not require the rpcbind service to listen on the network.

Procedure

  • Following are examples for the firewalld commands:

    • Limit TCP connections on port 111 and accept packets only from the 192.168.0.0/24 subnet:

      # firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop'
    • Limit TCP connections on port 111 and accept packets only from the local host:

      # firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept'
    • Limit UDP connections on port 111 and accept packets only from the 192.168.0.0/24 subnet:

      # firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="udp" source address="192.168.0.0/24" invert="True" drop'
      Note
      • To make the firewall settings permanent, use the --permanent option when adding firewall rules.
      • Reload the firewall so that it accepts the new rules using the # firewall-cmd --reload command.

Verification steps

  • Verify the firewall rules:

    # firewall-cmd --list-rich-rules
    rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop
    rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept
    rule family="ipv4" port port="111" protocol="udp" source address="192.168.0.0/24" invert="True" drop


3.2. Securing rpc.mountd

The rpc.mountd daemon implements the server side of the NFS mount protocol. The NFS mount protocol is used by NFS version 2 (RFC 1904) and NFS version 3 (RFC 1813).

You can secure the rpc.mountd service by adding firewall rules to the server. You can restrict access to all networks and define specific exceptions using the firewall rules.

Procedure

  • Following are examples for the firewalld commands:

    • Accept mountd connections only from the 192.168.0.0/24 subnet:

      # firewall-cmd --add-rich-rule 'rule family="ipv4" service name="mountd" source address="192.168.0.0/24" invert="True" drop'
    • Accept mountd connections from the local host:

      # firewall-cmd --add-rich-rule 'rule family="ipv4" source address="127.0.0.1" service name="mountd" accept'
      Note
      • To make the firewall settings permanent, use the --permanent option when adding firewall rules.
      • Reload the firewall so that it accepts the new rules using the # firewall-cmd --reload command.

Verification steps

  • Verify the firewall rules:

    # firewall-cmd --list-rich-rules
    rule family="ipv4" service name="mountd" source address="192.168.0.0/24" invert="True" drop
    rule family="ipv4" source address="127.0.0.1" service name="mountd" accept
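The following POSIX shell script is an added example and is not part of the Red Hat guide: it generates the five rich rules from sections 3.1 and 3.2 for one trusted subnet, can add them permanently in one step, and audits the output of firewall-cmd --list-rich-rules for any rule that is missing. The trusted subnet and the sample listing are constructed values, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide. The trusted subnet and the
# sample listing below are constructed values; replace them with your own.

# Print the five rich rules from sections 3.1 and 3.2, parameterised on the
# trusted subnet $1, exactly as `firewall-cmd --list-rich-rules` lists them.
expected_rpc_rules() {
    net="$1"
    for proto in tcp udp; do
        printf '%s\n' "rule family=\"ipv4\" port port=\"111\" protocol=\"$proto\" source address=\"$net\" invert=\"True\" drop"
    done
    printf '%s\n' 'rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept'
    printf '%s\n' "rule family=\"ipv4\" service name=\"mountd\" source address=\"$net\" invert=\"True\" drop"
    printf '%s\n' 'rule family="ipv4" source address="127.0.0.1" service name="mountd" accept'
}

# Read a `firewall-cmd --list-rich-rules` listing on stdin and print every
# expected rule (for subnet $1) that is absent; prints nothing when complete.
missing_rpc_rules() {
    live="$(cat)"
    expected_rpc_rules "$1" | while IFS= read -r rule; do
        printf '%s\n' "$live" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# Add the rules to the permanent configuration and reload (root and a running
# firewalld are required; this function is defined but not called below).
apply_rpc_rules() {
    while IFS= read -r rule; do
        firewall-cmd --permanent --add-rich-rule="$rule" || return 1
    done <<EOF
$(expected_rpc_rules "$1")
EOF
    firewall-cmd --reload
}

# Constructed listing: the UDP rule for port 111 was never added.
SAMPLE_LISTING='rule family="ipv4" service name="ssh" accept
rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop
rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept
rule family="ipv4" service name="mountd" source address="192.168.0.0/24" invert="True" drop
rule family="ipv4" source address="127.0.0.1" service name="mountd" accept'

echo "Missing rules for 192.168.0.0/24:"
printf '%s\n' "$SAMPLE_LISTING" | missing_rpc_rules 192.168.0.0/24
```

On a live server, run `firewall-cmd --list-rich-rules | missing_rpc_rules 192.168.0.0/24` to audit the runtime configuration, or add `--permanent` to the listing command to audit the persistent one.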
