This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of this consensus, these services are not installed as part of RHEL5 by default.
Organizations which are running these services should prioritize switching to more secure services which provide the needed functionality. If it is absolutely necessary to run one of these services for legacy reasons, care should be taken to restrict the service as much as possible, for instance by configuring host firewall software (see Section 2.5.5) to restrict access to the vulnerable service to only those remote hosts which have a known need to use it.
3.2.1 Inetd and Xinetd
Is there an operational need to run the deprecated inetd or xinetd software packages? If not, ensure that they are removed from the system:
# yum erase inetd xinetd
CCE 4234-1, 4252-3, 4023-8, 4164-0
Beginning with Red Hat Enterprise Linux 5, the xinetd service is no longer installed by default. This change represents increased awareness that the dedicated network listener model does not improve security or reliability of services, and that restriction of network listeners is better handled using a granular model such as SELinux than using xinetd’s limited security options.
3.2.2 Telnet
Is there a mission-critical reason for users to access the system via the insecure telnet protocol, rather than the more secure SSH protocol? If not, ensure that the telnet server is removed from the system:
# yum erase telnet-server
CCE 3390-2, 4330-7
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network, and also that outsiders can easily hijack the session to gain authenticated access to the telnet server. Organizations which use telnet should be actively working to migrate to a more secure protocol.
See Section 3.5 for information about the SSH service.
3.2.2.1 Remove Telnet Clients
In order to prevent users from casually attempting to use a telnet server, and thus exposing their credentials over the network, remove the telnet package, which contains a telnet client program:
# yum erase telnet
If Kerberos is not used, remove the krb5-workstation package, which also includes a telnet client:
# yum erase krb5-workstation
3.2.3 Rlogin, Rsh, and Rcp
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
3.2.3.1 Remove the Rsh Server Commands from the System
Is there a mission-critical reason for users to access the system via the insecure rlogin, rsh, or rcp commands rather than the more secure ssh and scp? If not, ensure that the rsh server is removed from the system:
# yum erase rsh-server
CCE 3974-3, 4141-8, 3537-8, 4308-3
SSH was designed to be a drop-in replacement for the r-commands, which suffer from the same hijacking and eavesdropping problems as telnet. There is unlikely to be a case in which these commands cannot be replaced with SSH.
3.2.3.2 Remove .rhosts Support from PAM Configuration Files
Check that pam_rhosts authentication is not used by any PAM services. Run the command:
# grep -l pam_rhosts /etc/pam.d/*
This command should return no output.
The RHEL5 default is not to rely on .rhosts or /etc/hosts.equiv for any PAM-based services, so, on an uncustomized system, this command should return no output. If any files do use pam_rhosts, modify them to make use of a more secure authentication method instead. For more information about PAM, see Section 2.3.3.
3.2.3.3 Remove the Rsh Client Commands from the System
In order to prevent users from casually attempting to make use of an rsh server and thus exposing their credentials over the network, remove the rsh package, which contains client programs for many of the r-commands described above:
# yum erase rsh
Users should be trained to use the SSH client, and never attempt to connect to an rsh or telnet server. The krb5-workstation package also contains r-command client programs and should be removed as described in Section 3.2.2.1, if Kerberos is not in use.
3.2.4 NIS
The NIS client service ypbind is not activated by default. In the event that it was activated at some point, disable it by executing the command:
# chkconfig ypbind off
The NIS server package is not installed by default. In the event that it was installed at some point, remove it from the system by executing the command:
# yum erase ypserv
CCE 3705-1, 4348-9
The Network Information Service (NIS), also known as “Yellow Pages” (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS should not be used because it suffers from security problems inherent in its design, such as inadequate protection of important authentication information.
3.2.5 TFTP Server
Is there an operational need to run the deprecated TFTP server software? If not, ensure that it is removed from the system:
# yum erase tftp-server
CCE 4273-9, 3916-4
TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking operating systems frequently support configuration via SSH or other more secure protocols. A TFTP server should be run only if no more secure method of supporting existing equipment can be found.
3.2.6 Talk
The Talk software makes it possible for a user to send messages to the terminal session of another user on another system. The talk-server package is not installed by default, although the talk client package is. Both are obsolete and can be removed.
3.2.6.1 Remove talk-server Package
To remove the talk daemons from the system, run the following command:
# yum erase talk-server
3.2.6.2 Remove talk Package
To remove the talk client program from the system, run the following command:
# yum erase talk
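The checks this section prescribes (whether any of the obsolete packages is still installed, whether ypbind is enabled in any runlevel, and whether any PAM service still references pam_rhosts) can be gathered into a single audit script. The script below is an added example written for this page, not part of the guide. Each check takes its input as an argument (the installed package list as produced by `rpm -qa --qf '%{NAME}\n'`, a PAM configuration directory, one line of `chkconfig --list` output) so the same functions can be run against captured data on another host; the sample data at the bottom is constructed.

```shell
#!/bin/sh
# Audit helper for the obsolete services covered in Section 3.2 (added example).
# Assumptions: package names are those named in the section; the chkconfig line
# format is "name 0:off 1:off 2:on ... 6:off"; the PAM module name on RHEL5
# contains the string pam_rhosts (e.g. pam_rhosts_auth.so).

# Packages whose presence this section flags for removal.
OBSOLETE_PKGS="inetd xinetd telnet-server telnet krb5-workstation rsh-server rsh ypserv tftp-server talk-server talk"

# audit_packages INSTALLED_LIST
# INSTALLED_LIST holds one package name per line (as from rpm -qa --qf '%{NAME}\n').
# Prints each obsolete package that is installed, one per line; prints nothing if clean.
audit_packages() {
    installed="$1"
    for pkg in $OBSOLETE_PKGS; do
        # -x: whole-line match, -F: literal (package names contain '-' and '+')
        if printf '%s\n' "$installed" | grep -qxF "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# find_pam_rhosts PAM_DIR
# Prints every regular file under PAM_DIR whose active (non-comment) lines
# reference pam_rhosts. Commented-out lines are ignored, so a file that merely
# documents the module is not reported.
find_pam_rhosts() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -q 'pam_rhosts'; then
            printf '%s\n' "$f"
        fi
    done
}

# service_enabled CHKCONFIG_LINE
# CHKCONFIG_LINE is one line of 'chkconfig --list' output for a service.
# Returns 0 (true) if the service is on in any runlevel, 1 otherwise.
service_enabled() {
    printf '%s\n' "$1" | grep -q '[0-6]:on'
}

# --- demonstration on constructed data (on a live host, feed the real sources) ---
demo_pkgs=$(printf 'bash\ntelnet\nopenssh-server\nrsh-server\n')   # constructed rpm -qa output
demo_chk='ypbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off'           # constructed chkconfig line

demo_dir=$(mktemp -d)
printf 'auth required pam_unix.so\n# auth sufficient pam_rhosts_auth.so\n' > "$demo_dir/login"   # commented out: clean
printf 'auth sufficient pam_rhosts_auth.so\nauth required pam_unix.so\n' > "$demo_dir/rlogin"     # active: flagged

echo "Obsolete packages installed:"
audit_packages "$demo_pkgs"
echo "PAM files using pam_rhosts:"
find_pam_rhosts "$demo_dir"
if service_enabled "$demo_chk"; then
    echo "ypbind is enabled in at least one runlevel; run: chkconfig ypbind off"
fi
rm -rf "$demo_dir"

# Live usage on a RHEL5 host would be:
#   audit_packages "$(rpm -qa --qf '%{NAME}\n')"
#   find_pam_rhosts /etc/pam.d
#   service_enabled "$(chkconfig --list ypbind)"
```

The package check reports names in the order this section lists them, which makes the output easy to match against the subsections above; an empty result from all three checks is the expected state of an uncustomized RHEL5 installation.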