Restrict SSH access to the 389DS server to authorized IPs only
389-SH-003 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-SH-003 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | AC-17, SC-7 |
| DISA SRG | SRG-APP-000142, SRG-APP-000148 |
Rationale
The SSH daemon on the directory server host provides a privileged management plane that grants full shell access to the underlying OS, the 389DS data files, the NSS certificate database, and all replication credentials. Left reachable from broad network ranges or the public internet, this port is a high-value target for credential-stuffing campaigns, brute-force attacks, and exploitation of SSH implementation vulnerabilities. A compromise of the management plane bypasses all directory-level access controls - an attacker with shell access can read or modify the raw database files, extract private keys, and install backdoors with no LDAP audit trail. Restricting SSH to known administrative source networks at the host firewall eliminates the vast majority of opportunistic and targeted attack surface against the management plane, independent of credential strength. This control satisfies the remote-access restriction requirements of NIST SP 800-53 AC-17 and the boundary-protection requirements of SC-7, and is assessed by DISA SRG-APP-000142 (information flow enforcement) and SRG-APP-000148 (remote access management).
Check
Inspect sshd configuration and firewall rules to confirm SSH is restricted to admin networks.
```shell
# sshd-side restrictions (AllowUsers/AllowGroups/Match) in the global config
grep -E '^(AllowUsers|AllowGroups|Match)' /etc/ssh/sshd_config
# firewalld default zone: a plain "ssh" service or port 22 here means any source
firewall-cmd --list-all | grep -E 'ssh|22'
```
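The two commands above are meant to be read by a person. The following is an added example (not code from this control page or from the 389DS project) that evaluates the same evidence mechanically: it parses captured `firewall-cmd --list-all` output and the global section of sshd_config against an approved list of admin CIDRs, so the check can be run over output collected from many directory hosts. The zone dumps and sshd_config text at the bottom are constructed samples, and 10.20.30.0/24 is an assumed admin network.

```python
"""Offline audit for control 389-SH-003 (added example, not the project's code).

Evaluates `firewall-cmd --list-all` output and sshd_config text against an
approved admin CIDR list. Samples below are constructed; 10.20.30.0/24 is an
assumed admin network.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" = control fails, "info" = advisory hardening gap
    message: str


# Rich rules that accept/drop/reject the ssh service. Limitation: "source NOT
# address" and ipset sources are not modelled; they are reported as unrestricted.
RICH_RULE_RE = re.compile(
    r'rule\s+family="(?P<fam>ipv[46])"'
    r'(?:\s+source\s+address="(?P<src>[^"]+)")?'
    r'.*?service\s+name="ssh".*?\b(?P<verdict>accept|drop|reject)\b'
)


def parse_list_all(text):
    """Extract services, ports and rich-rule lines from `firewall-cmd --list-all` output."""
    services, ports, rich = [], [], []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("services:"):
            services = s.split(":", 1)[1].split()
        elif s.startswith("ports:"):
            ports = s.split(":", 1)[1].split()
        elif s.startswith("rule "):
            rich.append(s)
    return services, ports, rich


def audit_firewall(list_all_text, admin_cidrs):
    """Findings for one zone: SSH must be accepted only from admin_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in admin_cidrs]
    services, ports, rich = parse_list_all(list_all_text)
    findings = []
    if "ssh" in services:
        findings.append(Finding("high", "ssh service enabled for the whole zone (any source)"))
    if any(p.startswith("22/") for p in ports):
        findings.append(Finding("high", "port 22 opened for the whole zone (any source)"))
    accept_rules = 0
    for rule in rich:
        m = RICH_RULE_RE.search(rule)
        if not m or m.group("verdict") != "accept":
            continue
        accept_rules += 1
        src = m.group("src")
        if src is None:
            findings.append(Finding("high", f"ssh accept rule without source restriction: {rule}"))
            continue
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append(Finding("high", f"ssh accepted from non-admin source {src}"))
    if accept_rules == 0 and "ssh" not in services:
        findings.append(Finding("info", "no ssh accept rule found: confirm an admin access path exists"))
    return findings


def audit_sshd_config(text):
    """Advisory checks on the global section of sshd_config (stops at the first Match)."""
    opts = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.lower().startswith("match "):
            break
        parts = re.split(r"\s*=\s*|\s+", s, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), value)   # sshd keeps the first occurrence
    findings = []
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append(Finding("info", "no AllowUsers/AllowGroups: every OS account may attempt SSH login"))
    if opts.get("permitrootlogin", "prohibit-password") != "no":
        findings.append(Finding("info", "PermitRootLogin is not 'no'"))
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append(Finding("info", "PasswordAuthentication is not 'no'"))
    return findings


ADMIN_CIDRS = ["10.20.30.0/24"]   # assumed admin network

# Constructed sample: non-compliant host, ssh open to the whole zone
EXPOSED_ZONE = """\
public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client ssh
  ports:
  rich rules:
"""

# Constructed sample after remediation: ssh only via a source-restricted rich rule
HARDENED_ZONE = """\
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client
  ports:
  rich rules:
\trule family="ipv4" source address="10.20.30.0/24" service name="ssh" accept
"""

# Constructed sshd_config excerpt with the layered settings from the notes
SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
AllowGroups ds-admins
Match Group ds-admins
    AllowTcpForwarding no
"""
```

Feed the audit with `audit_firewall(open("zone.txt").read(), ADMIN_CIDRS)` where zone.txt holds the captured `firewall-cmd --list-all` output; any "high" finding means the control is not met, and "info" findings point at the sshd hardening the Implementation Notes recommend. Rules with `source NOT address` are deliberately treated as unrestricted so the audit errs toward a failed check rather than a silent pass.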
Remediation
Restrict SSH to admin source networks via firewall (and optionally sshd Match/AllowUsers).
```shell
# drop the zone-wide ssh service, then accept ssh only from the admin network
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<admin_cidr>" service name="ssh" accept'
# activate the permanent rules (the commands above act on the default zone)
firewall-cmd --reload
```
References
Implementation Notes
This is an OS-level network control, not a 389DS configuration setting; it must
be applied on the host running the directory server and is not managed through
dsconf. Before applying firewall rules, verify that your current administrative
IP address or CIDR range is included in <admin_cidr> to avoid locking yourself
out of the host. On RHEL-family systems firewalld is the standard host firewall;
adjust the commands for iptables or ufw as appropriate for your OS. Pair this
control with key-based SSH authentication (disabling password authentication) and
disabled root login (PermitRootLogin no in sshd_config) for a layered
approach. On hosts with multiple network interfaces, ensure the rich rule targets
the correct zone. The sshd Match directive in sshd_config can be used to
additionally restrict which OS users or groups are permitted to authenticate via
SSH, complementing the firewall-level restriction.
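The lock-out risk and the multi-interface zone caveat described in these notes, together with the Remediation commands, can be turned into a guarded procedure. The following is an added example, not code from this control page or the 389DS project: it derives the operator's own session address from the SSH_CONNECTION environment variable, refuses to build rules unless that address falls inside the admin CIDRs, and emits the firewall-cmd commands from the Remediation section with an explicit `--zone` so the rich rule lands in the intended zone. The zone name "public", the admin network 10.20.30.0/24 and the session address 10.20.30.7 are assumed values.

```python
"""Guarded remediation planner for 389-SH-003 (added example, not the project's code).

Builds the Remediation section's firewall-cmd commands for a list of admin
CIDRs and a zone, after confirming the operator's own SSH session address is
covered. "public", 10.20.30.0/24 and 10.20.30.7 below are assumed values.
"""
import ipaddress
import os
import shlex
import subprocess


def operator_client_ip(ssh_connection):
    """Client address from SSH_CONNECTION ("client_ip client_port server_ip server_port")."""
    parts = (ssh_connection or "").split()
    if len(parts) != 4:
        raise ValueError("SSH_CONNECTION is unset or malformed; pass the admin address explicitly")
    return ipaddress.ip_address(parts[0])


def plan_remediation(admin_cidrs, client_ip, zone="public"):
    """Return the firewall-cmd command lines, or raise if client_ip lies outside admin_cidrs."""
    nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    ip = ipaddress.ip_address(client_ip)
    # Lock-out guard: the session you are applying this from must stay allowed.
    if not any(ip.version == n.version and ip in n for n in nets):
        raise RuntimeError(
            f"refusing: session address {ip} is not inside {admin_cidrs}; "
            "applying these rules would lock you out of the host")
    cmds = [f"firewall-cmd --permanent --zone={zone} --remove-service=ssh"]
    for n in nets:
        family = "ipv4" if n.version == 4 else "ipv6"
        cmds.append(
            f"firewall-cmd --permanent --zone={zone} --add-rich-rule="
            f"'rule family=\"{family}\" source address=\"{n}\" service name=\"ssh\" accept'")
    cmds.append("firewall-cmd --reload")
    return cmds


def apply_plan(cmds, dry_run=True):
    """Print the plan; execute it only when dry_run is False (needs root on the DS host)."""
    for c in cmds:
        print(c)
        if not dry_run:
            subprocess.run(shlex.split(c), check=True)


if __name__ == "__main__":
    admin = ["10.20.30.0/24"]   # assumed admin network
    # Fallback value is a constructed SSH_CONNECTION string for offline runs.
    me = operator_client_ip(os.environ.get("SSH_CONNECTION", "10.20.30.7 51234 10.20.30.1 22"))
    apply_plan(plan_remediation(admin, me, zone="public"), dry_run=True)
```

Run it first in the default dry-run mode from the SSH session you will keep using; pick the zone with `firewall-cmd --get-active-zones` on multi-homed hosts and pass it as `zone=`. Only after the printed plan matches what the Remediation section prescribes should `dry_run=False` be used.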