Information
Services and ports can be accepted or explicitly rejected or dropped by a zone.
For every zone, you can set a default behavior that handles incoming traffic that is not further specified. Such behavior is defined by setting the target of the zone. There are three options - default, ACCEPT, REJECT, and DROP.
- ACCEPT - you accept all incoming packets except those disabled by a specific rule.
- REJECT - you disable all incoming packets except those that you have allowed in specific rules and the source machine is informed about the rejection.
- DROP - you disable all incoming packets except those that you have allowed in specific rules and no information sent to the source machine.
Note:
- - IF - NFTables is being used, this recommendation can be skipped.
- Allow port 22(ssh) needs to be updated to only allow systems requiring ssh connectivity to connect, as per site policy.
To reduce the attack surface of a system, all services and ports should be blocked unless required
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
If Firewalld is in use on the system:
Run the following command to remove an unnecessary service:
# firewall-cmd --remove-service=<service>
Example:
# firewall-cmd --remove-service=cockpit
Run the following command to remove an unnecessary port:
# firewall-cmd --remove-port=<port-number>/<port-type>
Example:
# firewall-cmd --remove-port=25/tcp
Run the following command to make new settings persistent:
# firewall-cmd --runtime-to-permanent