← Rules Catalog
mediumnetworkverified

Ensure only approved services are listening on a network interface

approved-listening-services · RHEL ≥ 8 · 1 impl

Description

No plaintext or legacy insecure service (telnet, rsh/rlogin, tftp, ftp, finger) may be listening on a network interface. Full approval of the remaining listeners is a site-policy review, but these known-insecure listeners are never approved.

Rationale

Legacy plaintext services expose credentials and data in transit and are a common initial-access vector. Their presence on a listening socket is an unambiguous finding regardless of site policy.

Check → Remediate

Checkcommand
# Fail on any listener bound to a well-known insecure service port.
bad=$(ss -H -plntu 2>/dev/null | awk '{print $5}' | grep -oE '[0-9]+$' \
  | grep -wE '21|23|69|79|512|513|514' | sort -u | tr '\n' ' ')
if [ -n "$bad" ]; then
  echo "FAIL: insecure legacy service(s) listening on port(s): $bad"
  exit 1
fi
echo "OK: no known-insecure legacy listeners (review remaining listeners against site policy)"
expected_exit:
0
Remediatemanual
note:
Enumerate listeners with `ss -plntu` and compare against the approved-services baseline for this host role; disable or remove any listener that is not required, and never expose telnet/rsh/tftp/ftp.

Framework references

CIS

rhel9 2.1.22rhel8 2.1.24rhel10 2.1.22

NIST 800-53

CM-7

Live verification

rhel9:check
#network#services#attack-surface