4.2.1 Ensure firewalld drops unnecessary services and ports

Information

Services and ports can be accepted or explicitly rejected or dropped by a zone.

For every zone, you can set a default behavior that handles incoming traffic that is not further specified. Such behavior is defined by setting the target of the zone. There are three options - default, ACCEPT, REJECT, and DROP.

- ACCEPT - you accept all incoming packets except those disabled by a specific rule.
- REJECT - you disable all incoming packets except those that you have allowed in specific rules and the source machine is informed about the rejection.
- DROP - you disable all incoming packets except those that you have allowed in specific rules and no information sent to the source machine.

Note:

- - IF - NFTables is being used, this recommendation can be skipped.
- Allow port 22(ssh) needs to be updated to only allow systems requiring ssh connectivity to connect, as per site policy.

To reduce the attack surface of a system, all services and ports should be blocked unless required

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If Firewalld is in use on the system:

Run the following command to remove an unnecessary service:

# firewall-cmd --remove-service=<service>

Example:

# firewall-cmd --remove-service=cockpit

Run the following command to remove an unnecessary port:

# firewall-cmd --remove-port=<port-number>/<port-type>

Example:

# firewall-cmd --remove-port=25/tcp

Run the following command to make new settings persistent:

# firewall-cmd --runtime-to-permanent

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 315273dd2fb6888073e540f28889b206563a938a6de8d148801de0cc8149462b