Network Security Rocky Linux/Centos/RHEL 8

Introduction

Hardening network security devices minimizes the risk of unauthorized access to a network's infrastructure. Weaknesses in device management and configuration give a malicious cyber actor a way to gain a foothold and maintain persistence within a network.

In addition, attackers have shifted their focus from exclusively exploiting traditional endpoints to increasingly targeting specialized network devices, including routers and switches. They do this through common weaknesses in configurations and in specific routing protocols, and by implanting malware in the device OS.

Ensure that all network security configurations are correct, including static IP address assignments, DNS, WINS, whether or not to register a specific interface, binding order, and disabling settings on DMZ, OOB management, or backup networks. Also check the CSF configuration.

Minimize the External Footprint

  • Install on an intranet
  • Firewall Installation/Configuration
  • Examine Options for External User Access, including:
    • Require VPN and Reverse Proxy for external network connections
      • Further blocks direct access to sensitive servers/data
      • Use IP Filtering
  • Consider Hosting with IIS
    • Restrict or White-list IP address ranges
    • Client Certificate Authentication
    • Other Authorization Rules
  • Consider a Hardware Firewall, etc.

Please also check the network baseline security.

Firewall and Network Security Configuration

Firewall

Set the default firewalld zone to drop, so that any packet not explicitly authorized is discarded:

# sed -i "s/DefaultZone=.*/DefaultZone=drop/g" /etc/firewalld/firewalld.conf

Unless firewalld is required, mask it and substitute iptables:

# systemctl stop firewalld.service
# systemctl mask firewalld.service
# systemctl daemon-reload
# yum install iptables-services
# systemctl enable iptables.service ip6tables.service

Then apply the following to /etc/sysconfig/iptables to allow only essential outgoing traffic (DNS, NTP, HTTP/S, and SMTPS):

*filter
-F INPUT
-F OUTPUT
-F FORWARD
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -m comment --comment local -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -s 172.16.0.0/12 -j ACCEPT
-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -s 192.168.0.0/16 -j ACCEPT
-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -d 127.0.0.0/8 -o lo -m comment --comment local -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A OUTPUT -p udp -m udp -m conntrack --ctstate NEW --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 587 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "iptables_output "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

Note:

The rule allowing incoming SSH from any source should be removed, limiting access to an IP whitelist; SSH should sit behind a VPN.
Outgoing rules should stay hardened by limiting traffic to local DNS, NTP, and SMTP only, plus the Red Hat Satellite patching system for internal use and secure HTTP (SSL/TLS) traffic.
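As an added review check (not part of the original article or its tooling), the script below reads an iptables-save style file such as /etc/sysconfig/iptables, reports every INPUT rule that accepts new connections to a port from any source (the catch-all SSH rule the note says to remove), and confirms the INPUT chain ends in a DROP, which matters because the policy above is ACCEPT. The sample ruleset is a constructed subset of the article's INPUT rules.

```shell
# Added example (not the article's own tooling): review an iptables-save
# style file for INPUT rules that accept new connections from any source
# and confirm INPUT ends in a DROP rule, since its policy is ACCEPT.

# Prints "OPEN <dport>" for every INPUT ACCEPT rule that carries a --dport
# but no -s source restriction.  $1: rules file
open_input_ports() {
    awk '/^-A INPUT / && / -j ACCEPT/ && / --dport / && !/ -s / {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print "OPEN", $(i + 1)
         }' "$1"
}

# Exit 0 if the INPUT policy is DROP or the last INPUT rule is -j DROP.
input_default_deny() {
    awk '/^-P INPUT DROP/ { pol = 1 }
         /^-A INPUT /     { last = $0 }
         END { if (pol || last ~ / -j DROP$/) exit 0; exit 1 }' "$1"
}

# Constructed sample: a trimmed copy of the article's INPUT rules.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
*filter
-P INPUT ACCEPT
-A INPUT -i lo -m comment --comment local -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF

open_input_ports "$RULES"     # prints: OPEN 22
input_default_deny "$RULES" && echo "INPUT chain ends in default deny"
```

Run it against the real file with `open_input_ports /etc/sysconfig/iptables`; the rule restricted to 10.0.0.0/8 is not reported, only the one open to everyone.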

Apply the next to /etc/sysconfig/ip6tables to deny all IPv6:

*filter
-F INPUT
-F OUTPUT
-F FORWARD
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT

Apply the configuration changes:

# iptables-restore < /etc/sysconfig/iptables
# ip6tables-restore < /etc/sysconfig/ip6tables

TCP Wrapper Network Security

Edit /etc/hosts.allow to allow local traffic and SSH. Note that these files are only honoured by services built against libwrap, and RHEL 8 no longer ships tcp_wrappers, so on these systems the iptables rules above remain the effective control:

ALL: 127.0.0.1
sshd: ALL

/etc/hosts.deny should remain configured to deny everything by default:

ALL: ALL

Kernel-based network restrictions

Edit /etc/sysctl.conf and add the following:

# Disable packet forwarding
net.ipv4.ip_forward = 0

# Disable redirects, not a router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Enable source validation by reversed path
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible addresses to kernel log
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disable ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Against SYN flood attacks
net.ipv4.tcp_syncookies = 1

# Turning off timestamps could improve security but degrade performance.
# TCP timestamps are used to improve performance as well as protect against
# late packets messing up your data flow. A side effect of this feature is 
# that the uptime of the host can sometimes be computed.
# If you disable TCP timestamps, you should expect worse performance 
# and less reliable connections.
net.ipv4.tcp_timestamps = 1

# Disable IPv6 unless required
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Do not accept router advertisements
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
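Editing /etc/sysctl.conf only sets the values at boot; as an added compliance check (not code from the original article), the script below compares the expected settings against a snapshot of the running kernel values in `sysctl -a` format, reporting keys that are missing or have drifted. The sample files are constructed: a subset of the values above and a snapshot in which forwarding is still on, rp_filter is in loose mode (2), and the IPv6 key is absent.

```shell
# Added example (not the article's own code): compare expected sysctl
# hardening values against a snapshot of the running kernel settings.
# The snapshot is plain `sysctl -a` output (key = value), so the check can
# run offline; on a live host capture it with: sysctl -a > /tmp/running.txt

# $1: expected settings in sysctl.conf format   $2: snapshot of running values
# Prints one line per key that is missing from the snapshot or has drifted.
audit_sysctl() {
    local key want have
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        [ -z "$key" ] && continue                 # blank line
        case $key in '#'*) continue ;; esac       # comment line
        # exact match on the key field so dots are not treated as wildcards
        have=$(awk -F' *= *' -v k="$key" '$1 == k { print $2; exit }' "$2")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT   %s = %s (want %s)\n' "$key" "$have" "$want"
        fi
    done < "$1"
}

# Constructed sample data: a subset of the article's values, and a snapshot
# with forwarding still on, rp_filter in loose mode and the IPv6 key absent.
WORK=$(mktemp -d)
cat > "$WORK/expected.conf" <<'EOF'
# Disable packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
EOF
cat > "$WORK/running.txt" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
EOF

# Number of non-compliant keys in the sample (expected: 3)
sample_drift_count() {
    audit_sysctl "$WORK/expected.conf" "$WORK/running.txt" | wc -l | tr -d ' '
}

audit_sysctl "$WORK/expected.conf" "$WORK/running.txt"
```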

Network-related kernel modules

Create /etc/modprobe.d/CIS.conf to prevent the Bluetooth modules and the uncommon network protocol modules listed below from loading:

install bnep /bin/true
install bluetooth /bin/true
install btusb /bin/true
install net-pf-31 /bin/true
install appletalk /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

Disable Wi-Fi and WWAN radios through NetworkManager:

# nmcli radio all off

Disable Zeroconf in the network configuration

Edit /etc/sysconfig/network and add the parameter:

NOZEROCONF=yes

Disable IPv6 on the interfaces:

Edit /etc/sysconfig/network and add the parameters:

NETWORKING_IPV6=no
IPV6INIT=no

Check for promiscuous mode on the network interfaces

No network sniffer should be running and capturing packets. Run the following command to determine whether any interface is in promiscuous mode:

# ip link | grep PROMISC

Install a secure VPN implementation

Install the libreswan package, an implementation of IPsec and IKE:

# yum install libreswan -y

Disable the DHCP client

Static assignment of IP addresses gives a greater degree of administrative control.

For each network interface available on the server, edit the corresponding file /etc/sysconfig/network-scripts/ifcfg-ethxx and configure the following parameters:

BOOTPROTO=none
IPADDR=
NETMASK=
GATEWAY=

Conclusion

Network security is the most critical aspect to consider when working over the internet, a LAN, or any other method, no matter how small or large your business is. A stable and efficient security system protects client data. In addition, security on your network helps companies reduce the risk of falling victim to data theft and sabotage.
