I have a suggestion that may look strange at first, but bear with me: Red Hat Enterprise Linux includes two core networking services that should be disabled.
Red Hat provides two operating systems, Fedora and Red Hat Enterprise Linux or RHEL. My suggestion makes more sense when we consider how RHEL is developed.
Both Fedora and RHEL are open-source, but RHEL includes some licensed content (logos and documentation) and, most importantly, support agreements. Fedora is completely free and it serves as the development environment for the next version of RHEL. A RHEL release is built from a subset of the components in a release of Fedora, selecting which packages and which versions of them.
The result is that some of the RHEL packages are quite appropriate for the personal workstation and laptop environment of Fedora, but they aren’t necessarily appropriate for your server.
Back in the days of RHEL 5, the network configuration was done by a set of scripts that read some simple configuration files and assigned an IP address and netmask to each interface and set up routing. Start it up and we’re done.
RHEL 6 added the NetworkManager persistent service. It supervises the networking configuration. It was designed to solve the problem of a Linux system that is disconnected from and reconnected to networks, both wired and wireless, while it’s running. You’re at home with your laptop plugged into your Ethernet switch leading to your router and thus the Internet. You disconnect your laptop without stopping it and carry it to the coffee shop down the street where it should seamlessly join that wireless network. Then without stopping it, you walk another block to a different coffee shop and it joins that network. Meanwhile you might have connected and disconnected both wired and wireless network interfaces on your USB ports. All of this without expert human supervision — that’s nice!
But it’s not what a server needs. A server will remain connected to the same Ethernet cables indefinitely.
Then RHEL 7 added the Firewall daemon. It will look very familiar to Windows users, with its concepts of zones, home network, work network, and so on, modifying the rule sets as NetworkManager moves the system from one network to the next. The firewall is configured with a graphical user interface that, as usual, makes it very easy to do something but rather difficult to tell just precisely what you have done.
Again, a server is going to remain plugged into the same network topology. It isn’t roaming across networks of varying levels of threat and trust.
The potential problem with these services is that they can cause some intermittent network configuration problems that are very difficult to diagnose. That is, until you become accustomed to this pattern and immediately suspect that NetworkManager has messed up your DNS resolution again. The constant rewriting of configuration files also gets in the way of cautious monitoring with Tripwire and AIDE. Let’s just avoid these problems on our servers!
The NetworkManager service may make some unwanted configuration changes as you shut it down and disable it, so do the following from the console and print out the existing configuration files before you start.
The following is just a quick how-to, see Learning Tree’s Linux server administration course for the details on systemd, the networking commands, and the configuration files. Our goal is to stop the unwanted services, reconfigure them so they won’t be automatically restarted in the future, clean up any mess, and test.
You don’t have all these files, only RHEL 7 has
/etc/hostname but it is missing
/etc/sysconfig/network. Print what you have:
# enscript -G /etc/resolv.conf \ /etc/hostname \ /etc/sysconfig/network \ /etc/sysconfig/network-scripts/ifcfg-*
Now you will know how to verify and restore any settings NetworkManager may have changed on its way out.
# /etc/init.d/NetworkManager stop # chkconfig NetworkManager off # vim /etc/resolv.conf \ /etc/sysconfig/network \ /etc/sysconfig/network-scripts/ifcfg-* # /etc/init.d/network restart # ifconfig # route # route -A inet6 # traceroute www.learningtree.com
# systemctl stop NetworkManager firewall # systemctl disable NetworkManager firewall # vim /etc/resolv.conf /etc/hostname \ /etc/sysconfig/network-scripts/ifcfg-* # systemctl restart network # ip addr # ip route # ip -6 route # traceroute www.learningtree.com
The next project would be to write a shell script using
ip6tables to set up firewall rules to protect your server against threats from inside your perimeter. The good news is that most servers need fairly simple packet filtering rule sets, so this script will be relatively easy to write and analyze.
Now your server has a much more appropriate network configuration!