I am designing a security policy for a server program on Linux. I wish to reserve a TCP port number, say 8888, to and only to that executable of the program to listen on. Then I could set the program files to r-x for a non-sudo user and allow only port 8888 in and nothing out on the firewall (might allow SSH in as well). A trojan could not spoof that program and hijack port 8888, or auto-connect to a hacker's server.

Thus all three together will leave hackers no vulnerability to attack except those in the program itself. The recent news that an ASUS server was hacked and used to install trojans on many ASUS computers through fake updates further proves the necessity of this policy.

However, I have not found an application like ufw or SELinux that can enforce such a TCP port reservation policy. Is there a way to implement it?

Dave M
George Y
    SELinux should be able to do this. https://serverfault.com/questions/563872/selinux-allow-httpd-to-connect-to-a-specific-port – Sven Mar 26 '19 at 11:40
  • Does SELinux automatically recognize this behavior in permissive mode, or do I have to tell it about it through special commands? – George Y Mar 27 '19 at 00:37
  • `# semanage port -a -t http_port_t -p tcp 6379`: this line seems only to allow port 6379 to be opened, instead of binding it to some Redis binary? – George Y Mar 27 '19 at 00:39
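The following is an added example, not code from the question or from any of the commenters, showing the SELinux route Sven's comment points at together with the firewall half of the policy described in the question. It writes a small Reference Policy module in which a dedicated port type (`myapp_port_t`) may be bound only by the domain of one executable (`myapp_t`), plus an nftables ruleset that accepts new inbound connections only on SSH and the reserved port and drops all new outbound connections. The names `myapp`, the path `/opt/myapp/bin/server`, the SSH port 22 and the use of nftables are assumptions for the example; a Reference Policy based SELinux (Fedora, RHEL, Debian) with the `selinux-policy-devel` package is assumed for the `install` step.

```shell
#!/bin/sh
# Added example (not from the page). Generates an SELinux policy module that
# reserves tcp/8888 to one executable, and an nftables ruleset allowing only
# inbound 8888 (plus SSH) and no new outbound connections.
# Assumed names: module "myapp", binary /opt/myapp/bin/server, SSH on 22.
set -eu

APP_NAME="${APP_NAME:-myapp}"
APP_EXEC="${APP_EXEC:-/opt/myapp/bin/server}"   # assumed path, not from the page
APP_PORT="${APP_PORT:-8888}"
SSH_PORT="${SSH_PORT:-22}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Type enforcement source: only ${APP_NAME}_t gets name_bind on ${APP_NAME}_port_t.
# No name_connect is granted, so the daemon cannot open outbound sockets.
write_te() {
    cat > "$WORKDIR/$APP_NAME.te" <<EOF
policy_module($APP_NAME, 1.0.0)

# Daemon domain and executable type; init_daemon_domain makes systemd
# transition into ${APP_NAME}_t when it starts $APP_EXEC.
type ${APP_NAME}_t;
type ${APP_NAME}_exec_t;
init_daemon_domain(${APP_NAME}_t, ${APP_NAME}_exec_t)

# Dedicated port type; "semanage port" later maps tcp/$APP_PORT onto it.
type ${APP_NAME}_port_t;
corenet_port(${APP_NAME}_port_t)

# Just enough to create, bind, listen on and accept TCP connections.
allow ${APP_NAME}_t self:tcp_socket create_stream_socket_perms;
allow ${APP_NAME}_t ${APP_NAME}_port_t:tcp_socket name_bind;
corenet_tcp_bind_generic_node(${APP_NAME}_t)
corenet_tcp_sendrecv_generic_if(${APP_NAME}_t)
corenet_tcp_sendrecv_generic_node(${APP_NAME}_t)
corenet_all_recvfrom_unlabeled(${APP_NAME}_t)
# Deliberately absent: any corenet_tcp_connect_* interface (no outbound).
EOF
}

# File context: labels the binary so the domain transition applies.
# The first column is a regex; escape dots if the real path has any.
write_fc() {
    cat > "$WORKDIR/$APP_NAME.fc" <<EOF
$APP_EXEC    --    gen_context(system_u:object_r:${APP_NAME}_exec_t,s0)
EOF
}

# Interface file (required by the devel Makefile; nothing exported).
write_if() {
    cat > "$WORKDIR/$APP_NAME.if" <<EOF
## <summary>$APP_NAME: server confined to ${APP_NAME}_port_t</summary>
EOF
}

# Firewall: default-drop both ways, new connections only to SSH and the app
# port, replies on existing sessions allowed. Host-initiated traffic such as
# DNS or package updates is blocked unless you add rules for it.
write_nft() {
    cat > "$WORKDIR/firewall.nft" <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport { $SSH_PORT, $APP_PORT } ct state new accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
    }
}
EOF
}

# Root-only: build, load, label the port and the binary, load the firewall.
install_policy() {
    make -C "$WORKDIR" -f /usr/share/selinux/devel/Makefile "$APP_NAME.pp"
    semodule -i "$WORKDIR/$APP_NAME.pp"
    # If 'semanage port -l' already lists tcp/$APP_PORT under another type,
    # use 'semanage port -m' here instead of '-a'.
    semanage port -a -t "${APP_NAME}_port_t" -p tcp "$APP_PORT"
    restorecon -v "$APP_EXEC"
    nft -f "$WORKDIR/firewall.nft"
}

write_te; write_fc; write_if; write_nft
printf 'Policy sources and firewall ruleset written to %s\n' "$WORKDIR"
if [ "${1:-}" = install ]; then install_policy; fi
```

Running the script without arguments only writes the four files into a temporary directory for review; `sh reserve_port.sh install` (as root) builds and loads them. Two caveats matter for the threat in the question. First, `semanage port` only attaches a label to the port (which is what George Y noticed in the Redis line); the actual restriction is the single `name_bind` allow rule in the module, so a trojan can bind 8888 only if it runs in a domain that has such a rule. That means the non-sudo user must be a confined SELinux user (for example `semanage login -a -s user_u <name>`), because a process in `unconfined_t` is not subject to port labels at all. Second, the transition into `myapp_t` happens only when init (systemd) executes the labelled binary, so the server has to be started as a service rather than from a shell.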

0 Answers