Linux – how to prevent any service to bind to a given interface

linuxlinux-networkingnetworking

I need to set up a server (preferably RedHat/CentOS/Fedora but the Debian family would work out as well) with no services available on a given interface.

I cannot use iptables (which would be the simplest solution).

I could check which ones are enabled and either disable them by hand or force a bind to another interface but there is a risk that after an update/upgrade/additional soft installation the changes would be reverted or an extra service deployed.

Is there a way to configure a network interface so that it does not allow any service to bind to it, so that there is no port listening on it?

Best Answer

I think I finally understand the problem. Main misunderstanding of me (and I suppose some others) was I suggested that a scanner is somewhere outside.

If you plan to use this host as a scanner than iptables may be really overwhelmed.

If so, you need some setup protecting host applications but not creating session records for the scanner traffic.

The solution is simple: create a container (LXC or OpenVZ) and hide your scanner staff there. Use a bridged connection setup of your container to the real network.

Thus your scanner will have a dedicated IP address and host applications will never bind It. In basic setup container's traffic will skip iptables.

If you want to additionally protect the container, turn on iptable lookup for the bridge (net.bridge.bridge-nf-call-iptables = 1 in sysctl.conf) and add the rules as follow:

-I FORWARD -p ip -s <rogue_network> -d <scanner_ip>    -j ACCEPT
-I FORWARD -p ip -s <scanner_ip>    -d <rogue_network> -j ACCEPT
-I FORWARD -j REJECT --reject-with icmp-host-unreachable

UPD:
Previous is not working properly - forget to disable connection tracking:

-t raw -I PREROUTING -p ip -s <rogue_network> -d <scanner_ip>    -j NOTRACK
-t raw -I PREROUTING -p ip -s <scanner_ip>    -d <rogue_network> -j NOTRACK
-t raw -I PREROUTING -j REJECT --reject-with icmp-host-unreachable

Related Solutions

Fedora Linux – Issues with Using Fedora for Servers

There's nothing that dictates that Fedora is unsuited for use on servers, nor is there anything that dictates that "server distros" is the only choice for servers. It depends on your particular needs.

What you may gain from using the "server distros" is:

long term support
stable API's (little to no version-upgrades of libraries and applications)
backported securityfixes and bugfixes
paid support

My main "complaint" for the server-distros is that software/libraries tend to to be somewhat old, and the range of supported packages is much smaller than community driven efforts.

I.e. the long term support and the non-changing API's is something that commercial software vendors love, they won't have to rebuild their application for the newest libraries because the API suddenly changed. They can develop for Vendor Y Release X and know that this platform will be around for several years to come.

MySQL Configuration – How to Bind MySQL Server to Multiple IP Addresses

No, there isn't (I just checked 1 hour ago). You can comment the bind-address in my.cnf:

Note: « 1 hour ago » is now more than 10 years ago.

#skip-networking
#bind-address                   = 127.0.0.1

If you want only 2 IPs, you will then have to use a firewall.

For MySql version 8.0.13 and above, you can specify a list of comma-separated IP addresses.

bind-address = 10.0.0.1,10.0.1.1,10.0.2.1

Relevant MySql documentation.

Remember to restart your MySQL instance after changing the config file.

Best Answer

Related Solutions

Fedora Linux – Issues with Using Fedora for Servers

MySQL Configuration – How to Bind MySQL Server to Multiple IP Addresses

Related Topic