Restrict open ports to trusted IPs and required services only.
389-NS-002 - severity: medium
| Field | Value |
|---|---|
| Control ID | 389-NS-002 |
| Severity | medium |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | SC-7 |
| DISA SRG | SRG-APP-000142 |
Rationale
Exposing LDAP (389/tcp) and LDAPS (636/tcp) to unrestricted networks turns the directory server into a publicly reachable authentication oracle. Any host that can reach the service can run credential-stuffing or password-spraying attempts against simple binds, use anonymous binds (where anonymous access is allowed) to enumerate the directory tree and schema, or attack the protocol implementation itself, all before a single directory access-control instruction (ACI) is evaluated. Restricting ingress to known trusted CIDRs at the host firewall removes reachability for unauthorized clients entirely and enforces a network-layer boundary that operates independently of, and in addition to, application-level access control. This implements the boundary-protection principle of NIST SP 800-53 SC-7 and supports DISA SRG-APP-000142, which requires that the ports, protocols and services an application exposes be restricted to those that are authorized.
Check
Review the host firewall rules for every zone bound to an interface or source address the directory service listens on. Note that `--list-all` shows only the default zone; use `--list-all-zones` to review all of them. Neither `ldap` nor `ldaps` may appear as a zone-wide service or port entry, and every rich rule that accepts 389/tcp or 636/tcp must name a trusted source address.

```shell
firewall-cmd --list-all
```
Remediation
Remove the zone-wide ldap and ldaps service entries, allow 636/tcp only from the trusted source network(s), and reload the firewall so the permanent configuration becomes the runtime configuration. The commands below act on the default zone; add `--zone=<zone>` if the listening interface belongs to another zone. Repeat the rich rule for each trusted CIDR (including replication peers) and, where the directory listens on IPv6, add a matching rule with `family="ipv6"`.

```shell
firewall-cmd --permanent --remove-service=ldap --remove-service=ldaps
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<trusted_cidr>" port port="636" protocol="tcp" accept'
firewall-cmd --reload
```
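The check and remediation above are easier to verify repeatably with a script. The following is an added example, not part of the original control or of 389 Directory Server: a POSIX shell function that parses the output of `firewall-cmd --list-all-zones` and reports every active zone that exposes 389/tcp or 636/tcp to all sources, whether through a zone-wide service entry, a zone-wide port entry, or a rich rule with no `source address`. The two zone listings embedded in it are constructed samples, not output captured from a real host; the addresses 10.20.0.0/16 and 10.30.5.0/24 stand in for a trusted client range and a replication peer range. The first listing shows the state this control flags, the second the state after remediation.

```shell
#!/bin/sh
# Added audit helper (not part of the original control). Reads
# `firewall-cmd --list-all-zones` output on stdin and prints one finding per
# LDAP/LDAPS exposure in an active zone. Exit status is 1 if anything was found.
# Inactive zones are bound to no interface or source, so they are not reachable
# and are skipped.
audit_ldap_exposure() {
    awk '
    # Zone headers start in column 1, e.g. "public (active)" or "trusted".
    /^[^ \t]/ { zone = $1; active = ($0 ~ /active\)/); next }
    !active { next }
    # A zone-wide service or port entry admits every source the zone accepts,
    # and makes any source-restricted rich rule for the same port moot.
    /^[ \t]+services:/ {
        for (i = 2; i <= NF; i++) {
            if ($i == "ldap" || $i == "ldaps") { n++; print zone ": service " $i " open to all sources" }
        }
    }
    /^[ \t]+ports:/ {
        for (i = 2; i <= NF; i++) {
            if ($i == "389/tcp" || $i == "636/tcp") { n++; print zone ": port " $i " open to all sources" }
        }
    }
    # A rich rule accepting 389 or 636 is acceptable only when it names a source.
    /^[ \t]+rule / {
        if ($0 ~ /port="(389|636)"/ && $0 ~ /accept/ && $0 !~ /source address=/) {
            n++; print zone ": unrestricted rich rule: " $0
        }
    }
    END { exit (n > 0) }
    '
}

# Constructed sample: the non-compliant state. The ldap/ldaps services and the
# bare 636/tcp port entry expose the directory to every source in the zone, and
# the second rich rule opens 389 with no source restriction. The inactive
# "trusted" zone is not reported because nothing is bound to it.
BEFORE_ZONES='public (active)
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ldap ldaps ssh
  ports: 636/tcp
  protocols:
  rich rules:
    rule family="ipv4" source address="10.20.0.0/16" port port="636" protocol="tcp" accept
    rule family="ipv4" port port="389" protocol="tcp" accept

trusted
  target: ACCEPT
  interfaces:
  sources:
  services: ldap
  ports:
  rich rules:'

# Constructed sample: the state after remediation. LDAPS is reachable only from
# the trusted client range and the replication peer range; plain LDAP is closed.
AFTER_ZONES='public (active)
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  rich rules:
    rule family="ipv4" source address="10.20.0.0/16" port port="636" protocol="tcp" accept
    rule family="ipv4" source address="10.30.5.0/24" port port="636" protocol="tcp" accept'

# On a real host: firewall-cmd --list-all-zones | audit_ldap_exposure
printf '%s\n' "$BEFORE_ZONES" | audit_ldap_exposure || echo "FAIL: LDAP/LDAPS reachable from untrusted sources"
printf '%s\n' "$AFTER_ZONES" | audit_ldap_exposure && echo "PASS: LDAPS restricted to trusted sources, plain LDAP closed"
```

The function deliberately treats a zone-wide `ports:` or `services:` entry as a finding even when a source-restricted rich rule for the same port exists, because firewalld accepts the connection on the broader entry first; the remediation's `--remove-service` step is what makes the rich rule effective.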
References
Implementation Notes
This control operates at the OS/network layer via firewalld and is not configurable through dsconf; verify that the rules cover every zone and interface the directory service listens on. Plain LDAP (389/tcp) should be blocked entirely (not merely restricted) once LDAPS is enforced, unless StartTLS on 389 is required for specific clients, in which case allow 389/tcp only from those clients' CIDRs with the same kind of source-restricted rich rule. When replication is in use, include every replica and agreement peer IP range in the trusted-CIDR allow list before reloading the firewall, or replication will break immediately.