mediumnetworkverified ✓
Ensure only approved services are listening on a network interface
approved-listening-services · RHEL ≥ 8 · 1 impl
Description
No plaintext or legacy insecure service (telnet, rsh/rlogin, tftp, ftp, finger) may be listening on a network interface. Full approval of the remaining listeners is a site-policy review, but these known-insecure listeners are never approved.
Rationale
Legacy plaintext services expose credentials and data in transit and are a common initial-access vector. Their presence on a listening socket is an unambiguous finding regardless of site policy.
Check → Remediate
Checkcommand
# Fail on any listener bound to a well-known insecure service port.
bad=$(ss -H -plntu 2>/dev/null | awk '{print $5}' | grep -oE '[0-9]+$' \
| grep -wE '21|23|69|79|512|513|514' | sort -u | tr '\n' ' ')
if [ -n "$bad" ]; then
echo "FAIL: insecure legacy service(s) listening on port(s): $bad"
exit 1
fi
echo "OK: no known-insecure legacy listeners (review remaining listeners against site policy)"
- expected_exit:
- 0
Remediatemanual
- note:
- Enumerate listeners with `ss -plntu` and compare against the approved-services baseline for this host role; disable or remove any listener that is not required, and never expose telnet/rsh/tftp/ftp.
Framework references
CIS
rhel9 2.1.22rhel8 2.1.24rhel10 2.1.22
NIST 800-53
CM-7
Live verification
rhel9:check
#network#services#attack-surface