Verify the ufw is enabled on the system with the following command:
# sudo ufw statusIf the above command returns the status as "inactive" or any type of error, this is a finding.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Ubuntu 22.04 LTS functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components.
The ufw
package can be installed with the following command:
$ sudo yum install ufw
ufw controls the Linux kernel network packet filtering code. ufw allows system operators to set up firewalls and IP masquerading, etc.
The ufw
package can be removed with the following command:
$ sudo yum erase ufw
Running iptables.persistent with ufw enabled may lead to conflict and unexpected results.
The ufw
service can be enabled with the following command:
$ sudo systemctl enable ufw.service
The ufw service must be enabled and running in order for ufw to protect the system
A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit allow before the default deny will be blocked.
With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to allow acceptable usage than to block unacceptable usage.
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command:
$ sudo ufw show raw Chain OUTPUT (policy ACCEPT) target prot opt sources destination Chain INPUT (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destinationAsk the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA.
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
The operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces. Check all the services listening to the ports with the following command:
$ sudo ss -l46ut Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp LISTEN 0 128 [::]:ssh [::]:*For each entry, verify that the ufw is configured to rate limit the service ports with the following command:
$ sudo ufw statusIf any port with a state of "LISTEN" is not marked with the "LIMIT" action, run the following command, replacing "service" with the service that needs to be rate limited:
$ sudo ufw limit "service"Rate-limiting can also be done on an interface. An example of adding a rate-limit on the eth0 interface follows:
$ sudo ufw limit in on eth0
This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.
The iptables-persistent
package can be removed with the following command:
$ sudo yum erase iptables-persistent
Running both ufw and the services included in the iptables-persistent package may lead to conflict.