Chapter 8. Securing network services

Red Hat Enterprise Linux 9 supports many different types of network servers. Their network services can expose the system security to risks of various types of attacks, such as denial of service attacks (DoS), distributed denial of service attacks (DDoS), script vulnerability attacks, and buffer overflow attacks.

To increase the system security against attacks, it is important to monitor active network services that you use. For example, when a network service is running on a machine, its daemon listens for connections on network ports, and this can reduce the security. To limit exposure to attacks over the network, all services that are unused should be turned off.

8.1. Securing the rpcbind service

The rpcbind service is a dynamic port-assignment daemon for remote procedure calls (RPC) services such as Network Information Service (NIS) and Network File System (NFS). Because it has weak authentication mechanisms and can assign a wide range of ports for the services it controls, it is important to secure rpcbind.

You can secure rpcbind by restricting access to all networks and defining specific exceptions using firewall rules on the server.

Note
  • The rpcbind service is required on NFSv3 servers.
  • NFSv4 does not require the rpcbind service to listen on the network.

Prerequisites

  • The rpcbind package is installed.
  • The firewalld package is installed and the service is running.

Procedure

  1. Add firewall rules, for example:

    • Limit TCP connection and accept packages only from the 192.168.0.0/24 host via the 111 port:

      # firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop'
    • Limit TCP connection and accept packages only from local host via the 111 port:

      # firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept'
    • Limit UDP connection and accept packages only from the 192.168.0.0/24 host via the 111 port:

      # firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="111" protocol="udp" source address="192.168.0.0/24" invert="True" drop'

      To make the firewall settings permanent, use the --permanent option when adding firewall rules.

  2. Reload the firewall to apply the new rules:

    # firewall-cmd --reload

Verification steps

  • List the firewall rules:

    # firewall-cmd --list-rich-rule
    rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop
    rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept
    rule family="ipv4" port port="111" protocol="udp" source address="192.168.0.0/24" invert="True" drop

Additional resources

8.2. Securing the rpc.mountd service

The rpc.mountd daemon implements the server side of the NFS mount protocol. The NFS mount protocol is used by NFS version 3 (RFC 1813).

You can secure the rpc.mountd service by adding firewall rules to the server. You can restrict access to all networks and define specific exceptions using firewall rules.

Prerequisites

  • The rpc.mountd package is installed.
  • The firewalld package is installed and the service is running.

Procedure

  1. Add firewall rules to the server, for example:

    • Accept mountd connections from the 192.168.0.0/24 host:

      # firewall-cmd --add-rich-rule 'rule family="ipv4" service name="mountd" source address="192.168.0.0/24" invert="True" drop'
    • Accept mountd connections from the local host:

      # firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="127.0.0.1" service name="mountd" accept'

      To make the firewall settings permanent, use the --permanent option when adding firewall rules.

  2. Reload the firewall to apply the new rules:

    # firewall-cmd --reload

Verification steps

  • List the firewall rules:

    # firewall-cmd --list-rich-rule
    rule family="ipv4" service name="mountd" source address="192.168.0.0/24" invert="True" drop
    rule family="ipv4" source address="127.0.0.1" service name="mountd" accept

Additional resources

8.3. Securing the NFS service

You can secure Network File System version 4 (NFSv4) by authenticating and encrypting all file system operations using Kerberos. When using NFSv4 with Network Address Translation (NAT) or a firewall, you can turn off the delegations by modifying the /etc/default/nfs file. Delegation is a technique by which the server delegates the management of a file to a client.

In contrast, NFSv3 do not use Kerberos for locking and mounting files.

The NFS service sends the traffic using TCP in all versions of NFS. The service supports Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module.

NFS allows remote hosts to mount file systems over a network and interact with those file systems as if they are mounted locally. You can merge the resources on centralized servers and additionally customize NFS mount options in the /etc/nfsmount.conf file when sharing the file systems.

8.3.1. Export options for securing an NFS server

The NFS server determines a list structure of directories and hosts about which file systems to export to which hosts in the /etc/exports file.

Warning

Extra spaces in the syntax of the exports file can lead to major changes in the configuration.

In the following example, the /tmp/nfs/ directory is shared with the bob.example.com host and has read and write permissions.

/tmp/nfs/     bob.example.com(rw)

The following example is the same as the previous one but shares the same directory to the bob.example.com host with read-only permissions and shares it to the world with read and write permissions due to a single space character after the hostname.

/tmp/nfs/     bob.example.com (rw)

You can check the shared directories on your system by entering the showmount -e <hostname> command.

Use the following export options on the /etc/exports file:

Warning

Export an entire file system because exporting a subdirectory of a file system is not secure. An attacker can possibly access the unexported part of a partially-exported file system.

ro
Use the ro option to export the NFS volume as read-only.
rw

Use the rw option to allow read and write requests on the NFS volume. Use this option cautiously because allowing write access increases the risk of attacks.

Note

If your scenario requires to mount the directories with the rw option, make sure they are not writable for all users to reduce possible risks.

root_squash
Use the root_squash option to map requests from uid/gid 0 to the anonymous uid/gid. This does not apply to any other uids or gids that might be equally sensitive, such as the bin user or the staff group.
no_root_squash
Use the no_root_squash option to turn off root squashing. By default, NFS shares change the root user to the nobody user, which is an unprivileged user account. This changes the owner of all the root created files to nobody, which prevents the uploading of programs with the setuid bit set. When using the no_root_squash option, remote root users can change any file on the shared file system and leave applications infected by trojans for other users.
secure
Use the secure option to restrict exports to reserved ports. By default, the server allows client communication only through reserved ports. However, it is easy for anyone to become a root user on a client on many networks, so it is rarely safe for the server to assume that communication through a reserved port is privileged. Therefore the restriction to reserved ports is of limited value; it is better to rely on Kerberos, firewalls, and restriction of exports to particular clients.

Additionally, consider the following best practices when exporting an NFS server:

  • Exporting home directories is a risk because some applications store passwords in plain text or in a weakly encrypted format. You can reduce the risk by reviewing and improving the application code.
  • Some users do not set passwords on SSH keys which again leads to risks with home directories. You can reduce these risks by enforcing the use of passwords or using Kerberos.
  • Restrict the NFS exports only to required clients. Use the showmount -e command on the NFS server to review what the server is exporting. Do not export anything that is not specifically required.
  • Do not allow unnecessary users to log in to a server to reduce the risk of attacks. You can periodically check who and what can access the server.

Additional resources

8.3.2. Mount options for securing an NFS client

You can pass the following options to the mount command to increase the security of NFS-based clients:

nosuid
Use the nosuid option to disable the set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program and you can use this option opposite to setuid option.
noexec
Use the noexec option to disable all executable files on the client. Use this to prevent users from accidentally executing files placed in the shared file system.
nodev
Use the nodev option to prevent the client’s processing of device files as a hardware device.
resvport
Use the resvport option to restrict communication to a reserved port and you can use a privileged source port to communicate with the server. The reserved ports are reserved for privileged users and processes such as the root user.
sec
Use the sec option on the NFS server to choose the RPCGSS security flavor for accessing files on the mount point. Valid security flavors are none, sys, krb5, krb5i, and krb5p.
Important

The MIT Kerberos libraries provided by the krb5-libs package do not support the Data Encryption Standard (DES) algorithm in new deployments. DES is deprecated and disabled by default in Kerberos libraries because of security and compatibility reasons. Use newer and more secure algorithms instead of DES, unless your environment requires DES for compatibility reasons.

Additional resources

8.3.3. Securing NFS with firewall

To secure the firewall on an NFS server, keep only the required ports open. Do not use the NFS connection port numbers for any other service.

Prerequisites

  • The nfs-utils package is installed.
  • The firewalld package is installed and running.

Procedure

  • On NFSv4, the firewall must open TCP port 2049.
  • On NFSv3, open four additional ports with 2049:

    1. rpcbind service assigns the NFS ports dynamically, which might cause problems when creating firewall rules. To simplify this process, use the /etc/nfs.conf file to specify which ports to use:

      1. Set TCP and UDP port for mountd (rpc.mountd) in the [mountd] section in port=<value> format.
      2. Set TCP and UDP port for statd (rpc.statd) in the [statd] section in port=<value> format.
    2. Set the TCP and UDP port for the NFS lock manager (nlockmgr) in the /etc/nfs.conf file:

      1. Set TCP port for nlockmgr (rpc.statd) in the [lockd] section in port=value format. Alternatively, you can use the nlm_tcpport option in the /etc/modprobe.d/lockd.conf file.
      2. Set UDP port for nlockmgr (rpc.statd) in the [lockd] section in udp-port=value format. Alternatively, you can use the nlm_udpport option in the /etc/modprobe.d/lockd.conf file.

Verification steps

  • List the active ports and RPC programs on the NFS server:

    $ rpcinfo -p

Additional resources

8.4. Securing the FTP service

You can use the File Transfer Protocol (FTP) to transfer files over a network. Because all FTP transactions with the server, including user authentication, are unencrypted, you should ensure it is configured securely.

RHEL 9 provides two FTP servers:

  • Red Hat Content Accelerator (tux) - a kernel-space web server with FTP capabilities.
  • Very Secure FTP Daemon (vsftpd) - a standalone, security-oriented implementation of the FTP service.

The following security guidelines are for setting up the vsftpd FTP service.

8.4.1. Securing the FTP greeting banner

When a user connects to the FTP service, FTP shows a greeting banner, which by default includes version information that could be useful for attackers to identify weaknesses in a system. You can prevent the attackers from accessing this information by changing the default banner.

You can define a custom banner by editing the /etc/banners/ftp.msg file to either directly include a single-line message, or to refer to a separate file, which can contain a multi-line message.

Procedure

  • To define a single line message, add the following option to the /etc/vsftpd/vsftpd.conf file:

    ftpd_banner=Hello, all activity on ftp.example.com is logged.
  • To define a message in a separate file:

    • Create a .msg file which contains the banner message, for example /etc/banners/ftp.msg:

      ######### Hello, all activity on ftp.example.com is logged. #########

      To simplify the management of multiple banners, place all banners into the /etc/banners/ directory.

    • Add the path to the banner file to the banner_file option in the /etc/vsftpd/vsftpd.conf file:

      banner_file=/etc/banners/ftp.msg

Verification

  • Display the modified banner:

    $ ftp localhost
    Trying ::1…
    Connected to localhost (::1).
    Hello, all activity on ftp.example.com is logged.

8.4.2. Preventing anonymous access and uploads in FTP

By default, installing the vsftpd package creates the /var/ftp/ directory and a directory tree for anonymous users with read-only permissions on the directories. Because anonymous users can access the data, do not store sensitive data in these directories.

To increase the security of the system, you can configure the FTP server to allow anonymous users to upload files to a specific directory and prevent anonymous users from reading data. In the following procedure, the anonymous user must be able to upload files in the directory owned by the root user but not change it.

Procedure

  • Create a write-only directory in the /var/ftp/pub/ directory:

    # mkdir /var/ftp/pub/upload
    # chmod 730 /var/ftp/pub/upload
    # ls -ld /var/ftp/pub/upload
    drwx-wx---. 2 root ftp 4096 Nov 14 22:57 /var/ftp/pub/upload
  • Add the following lines to the /etc/vsftpd/vsftpd.conf file:

    anon_upload_enable=YES
    anonymous_enable=YES
  • Optional: If your system has SELinux enabled and enforcing, enable SELinux boolean attributes allow_ftpd_anon_write and allow_ftpd_full_access.
Warning

Allowing anonymous users to read and write in directories might lead to the server becoming a repository for stolen software.

8.4.3. Securing user accounts for FTP

FTP transmits usernames and passwords unencrypted over insecure networks for authentication. You can improve the security of FTP by denying system users access to the server from their user accounts.

Perform as many of the following steps as applicable for your configuration.

Procedure

  • Disable all user accounts in the vsftpd server, by adding the following line to the /etc/vsftpd/vsftpd.conf file:

    local_enable=NO
  • Disable FTP access for specific accounts or specific groups of accounts, such as the root user and users with sudo privileges, by adding the usernames to the /etc/pam.d/vsftpd PAM configuration file.
  • Disable user accounts, by adding the usernames to the /etc/vsftpd/ftpusers file.

8.4.4. Additional resources

  • ftpd_selinux(8) man page

8.5. Securing HTTP servers

8.5.1. Security enhancements in httpd.conf

You can enhance the security of the Apache HTTP server by configuring security options in the /etc/httpd/conf/httpd.conf file.

Always verify that all scripts running on the system work correctly before putting them into production.

Ensure that only the root user has write permissions to any directory containing scripts or Common Gateway Interfaces (CGI). To change the directory ownership to root user with write permissions, enter the following commands:

# chown root directory-name
# chmod 755 directory-name

In the /etc/httpd/conf/httpd.conf file, you can configure the following options:

FollowSymLinks
This directive is enabled by default and follows symbolic links in the directory.
Indexes
This directive is enabled by default. Disable this directive to prevent visitors from browsing files on the server.
UserDir
This directive is disabled by default because it can confirm the presence of a user account on the system. To activate user directory browsing for all user directories other than /root/, use the UserDir enabled and UserDir disabled root directives. To add users to the list of disabled accounts, add a space-delimited list of users on the UserDir disabled line.
ServerTokens

This directive controls the server response header field which is sent back to clients. You can use the following parameters to customize the information:

ServerTokens Full

provides all available information such as web server version number, server operating system details, installed Apache modules, for example:

Apache/2.4.37 (Red Hat Enterprise Linux) MyMod/1.2
ServerTokens Full-Release

provides all available information with release versions, for example:

Apache/2.4.37 (Red Hat Enterprise Linux) (Release 41.module+el8.5.0+11772+c8e0c271)
ServerTokens Prod / ServerTokens ProductOnly

provides the web server name, for example:

Apache
ServerTokens Major

provides the web server major release version, for example:

Apache/2
ServerTokens Minor

provides the web server minor release version, for example:

Apache/2.4
ServerTokens Min / ServerTokens Minimal

provides the web server minimal release version, for example:

Apache/2.4.37
ServerTokens OS

provides the web server release version and operating system, for example:

Apache/2.4.37 (Red Hat Enterprise Linux)

Use the ServerTokens Prod option to reduce the risk of attackers gaining any valuable information about your system.

Important

Do not remove the IncludesNoExec directive. By default, the Server Side Includes (SSI) module cannot execute commands. Changing this can allow an attacker to enter commands on the system.

Removing httpd modules

You can remove the httpd modules to limit the functionality of the HTTP server. To do so, edit configuration files in the /etc/httpd/conf.modules.d/ or /etc/httpd/conf.d/ directory. For example, to remove the proxy module:

echo '# All proxy modules disabled' > /etc/httpd/conf.modules.d/00-proxy.conf

8.5.2. Securing the Nginx server configuration

Nginx is a high-performance HTTP and proxy server. You can harden your Nginx configuration with the following configuration options.

Procedure

  • To disable version strings, modify the server_tokens configuration option:

    server_tokens off;

    This option stops displaying additional details such as server version number. This configuration displays only the server name in all requests served by Nginx, for example:

    $ curl -sI http://localhost | grep Server
    Server: nginx
  • Add extra security headers that mitigate certain known web application vulnerabilities in specific /etc/nginx/ conf files:

    • For example, the X-Frame-Options header option denies any page outside of your domain to frame any content served by Nginx, mitigating clickjacking attacks:

      add_header X-Frame-Options "SAMEORIGIN";
    • For example, the x-content-type header prevents MIME-type sniffing in certain older browsers:

      add_header X-Content-Type-Options nosniff;
    • For example, the X-XSS-Protection header enables Cross-Site Scripting (XSS) filtering, which prevents browsers from rendering potentially malicious content included in a response by Nginx:

      add_header X-XSS-Protection "1; mode=block";
  • You can limit the services exposed to the public and limit what they do and accept from the visitors, for example:

    limit_except GET {
        allow 192.168.1.0/32;
        deny  all;
    }

    The snippet will limit access to all methods except GET and HEAD.

  • You can disable HTTP methods, for example:

    # Allow GET, PUT, POST; return "405 Method Not Allowed" for all others.
    if ( $request_method !~ ^(GET|PUT|POST)$ ) {
        return 405;
    }
  • You can configure SSL to protect the data served by your Nginx web server, consider serving it over HTTPS only. Furthermore, you can generate a secure configuration profile for enabling SSL in your Nginx server using the Mozilla SSL Configuration Generator. The generated configuration ensures that known vulnerable protocols (for example, SSLv2 and SSLv3), ciphers, and hashing algorithms (for example, 3DES and MD5) are disabled. You can also use the SSL Server Test to verify that your configuration meets modern security requirements.

8.6. Securing PostgreSQL by limiting access to authenticated local users

PostgreSQL is an object-relational database management system (DBMS). In Red Hat Enterprise Linux, PostgreSQL is provided by the postgresql-server package.

You can reduce the risks of attacks by configuring client authentication. The pg_hba.conf configuration file stored in the database cluster’s data directory controls the client authentication. Follow the procedure to configure PostgreSQL for host-based authentication.

Procedure

  1. Install PostgreSQL:

    # yum install postgresql-server
  2. Initialize a database storage area using one of the following options:

    1. Using the initdb utility:

      $ initdb -D /home/postgresql/db1/

      The initdb command with the -D option creates the directory you specify if it does not already exist, for example /home/postgresql/db1/. This directory then contains all the data stored in the database and also the client authentication configuration file.

    2. Using the postgresql-setup script:

      $ postgresql-setup --initdb

      By default, the script uses the /var/lib/pgsql/data/ directory. This script helps system administrators with basic database cluster administration.

  3. To allow any authenticated local users to access any database with their usernames, modify the following line in the pg_hba.conf file:

    local   all             all                                     trust

    This can be problematic when you use layered applications that create database users and no local users. If you do not want to explicitly control all user names on the system, remove the local line entry from the pg_hba.conf file.

  4. Restart the database to apply the changes:

    # systemctl restart postgresql

    The previous command updates the database and also verifies the syntax of the configuration file.

8.7. Securing the Memcached service

Memcached is an open source, high-performance, distributed memory object caching system. It can improve the performance of dynamic web applications by lowering database load.

Memcached is an in-memory key-value store for small chunks of arbitrary data, such as strings and objects, from results of database calls, API calls, or page rendering. Memcached allows assigning memory from underutilized areas to applications that require more memory.

In 2018, vulnerabilities of DDoS amplification attacks by exploiting Memcached servers exposed to the public internet were discovered. These attacks took advantage of Memcached communication using the UDP protocol for transport. The attack was effective because of the high amplification ratio where a request with the size of a few hundred bytes could generate a response of a few megabytes or even hundreds of megabytes in size.

In most situations, the memcached service does not need to be exposed to the public Internet. Such exposure may have its own security problems, allowing remote attackers to leak or modify information stored in Memcached.

Follow the section to harden the system using Memcached service against possible DDoS attacks.

8.7.1. Hardening Memcached against DDoS

To mitigate security risks, perform as many of the following steps as applicable for your configuration.

Procedure

  • Configure a firewall in your LAN. If your Memcached server should be accessible only in your local network, do not route external traffic to ports used by the memcached service. For example, remove the default port 11211 from the list of allowed ports:

    # firewall-cmd --remove-port=11211/udp
    # firewall-cmd --runtime-to-permanent
  • If you use a single Memcached server on the same machine as your application, set up memcached to listen to localhost traffic only. Modify the OPTIONS value in the /etc/sysconfig/memcached file:

    OPTIONS="-l 127.0.0.1,::1"
  • Enable Simple Authentication and Security Layer (SASL) authentication:

    1. Modify or add the /etc/sasl2/memcached.conf file:

      sasldb_path: /path.to/memcached.sasldb
    2. Add an account in the SASL database:

      # saslpasswd2 -a memcached -c cacheuser -f /path.to/memcached.sasldb
    3. Ensure that the database is accessible for the memcached user and group:

      # chown memcached:memcached /path.to/memcached.sasldb
    4. Enable SASL support in Memcached by adding the -S value to the OPTIONS parameter in the /etc/sysconfig/memcached file:

      OPTIONS="-S"
    5. Restart the Memcached server to apply the changes:

      # systemctl restart memcached
    6. Add the username and password created in the SASL database to the Memcached client configuration of your application.
  • Encrypt communication between Memcached clients and servers with TLS:

    1. Enable encrypted communication between Memcached clients and servers with TLS by adding the -Z value to the OPTIONS parameter in the /etc/sysconfig/memcached file:

      OPTIONS="-Z"
    2. Add the certificate chain file path in the PEM format using the -o ssl_chain_cert option.
    3. Add a private key file path using the -o ssl_key option.