Certified Kubernetes Security Specialist (CKS)
System Hardening
Minimize external access to the network
In this lesson, we explore tools and techniques that restrict network access to your servers. Understanding how services bind to ports is critical for establishing a secure environment. For instance, an SSH server typically listens on port 22, meaning that any device on the network could potentially access it unless proper restrictions are in place.
Verifying Port Bindings
You can verify if a port is actively listening for incoming connections with the following commands. Notice that when port 22 is bound to IP address 0.0.0.0, it indicates that the service is accessible from any network interface:
systemctl status ssh
cat /etc/services | grep ssh
ssh 22/tcp # SSH Remote Login Protocol
Without any additional configuration, any device on the network can establish a connection to the server on the open ports. To see a broader picture of the active ports, the netstat command can be used to list all listening ports:
netstat -an | grep -w LISTEN
tcp 0 0 127.0.0.1:10248 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10249 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN
tcp 0 0 10.53.64.6:2379 0.0.0.0:* LISTEN
tcp 0 0 10.53.64.6:2380 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:42893 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2381 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.11:46607 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10257 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10259 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::10250 :::* LISTEN
tcp6 0 0 :::6443 :::* LISTEN
tcp6 0 0 :::10256 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::8888 :::* LISTEN
Security Best Practice
Applying the principle of least privilege is essential—limit access only to necessary ports and services to reduce your system’s attack surface.
Approaches to Network Security
In real-world environments with interconnected clients and servers across multiple routers and switches, adopting layered security measures is critical. There are two primary approaches to enforcing network security:
Network-wide Security:
Utilize external firewalls or dedicated security appliances such as Cisco ASA, Juniper NextGen Firewall, Barracuda NextGen Firewall, or Fortinet devices. These solutions allow you to define complex rules that control the flow of traffic across the entire network.Server-level Security:
Implement host-based firewalls using tools like iptables, firewalld, or UFW on Linux systems, and leverage built-in firewall capabilities on Windows servers. This approach restricts network access on a per-server basis.
Next Steps: Configuring UFW
In the next section, we will demonstrate how to use UFW (Uncomplicated Firewall) from the command line to configure a Linux firewall effectively. UFW simplifies the process of setting firewall rules for both incoming and outgoing connections.
For additional insights on firewall configuration and network security best practices, consider consulting the following resources:
This guide equips you with the foundational knowledge to minimize external network access and enhance your overall security posture.
Watch Video
Watch video content