TFTP (Trivial File Transfer Protocol) is a decades-old protocol that is still widely used because of its simplicity. It is also known for its minimal security features, which can make it vulnerable to various attacks. This post discusses some practical security controls for TFTP on RHEL 9.

Ensure SELinux is enabled and in enforcing mode

In the year 2023, SELinux is expected to be enabled and in enforcing mode by default, but it is still worth mentioning here.

Ensure the SELinux label for the TFTP root directory is correct and continually enforced

The default directory in RHEL 9 is /var/lib/tftpboot, and its SELinux label should be kept correct on an ongoing basis (checked and restored), not just set once.

Ensure the TFTP service is running as a non-root user

Add a systemd drop-in for tftp.service so that in.tftpd runs as the tftp user:

mkdir -p /etc/systemd/system/tftp.service.d
cat > /etc/systemd/system/tftp.service.d/secure_tftp.conf << EOF
[Service]
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
RemoveIPC=yes
ExecStart=
ExecStart=/usr/sbin/in.tftpd --user tftp --secure  /var/lib/tftpboot
EOF

See the systemd.exec(5) man page for details regarding DynamicUser=.

The --user option specifies the user the TFTP service runs as: the main (listening) process still runs as root, but the child processes that serve requests run as the specified user.

Ensure the TFTP service is running in a chroot jail

The --secure option, which chroots in.tftpd into the TFTP root directory, is used by default on RHEL 9, and the drop-in above keeps it.

Do not allow upload of files

  • Do not use the -c (--create) and -p (--permissive) options, which allow uploads to create new files and relax tftpd's own permission checks.
  • Ensure the TFTP root directory has mode 0755 and the files in it mode 0644. These are the default permissions in RHEL 9.

I recommend using the options equivalent to DynamicUser=yes (ProtectSystem, ProtectHome, PrivateTmp and RemoveIPC) whenever the DynamicUser option itself cannot be used. The TFTP root directory should also be owned by root, which prevents the TFTP service from writing to it.
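A small audit script for the controls in the last three sections (the non-root user and chroot flags, the no-upload rules, the root-owned 0755/0644 directory) and for the SELinux label check from earlier, added here as an example rather than taken from the original post. It assumes tftpd-hpa's option names (-c/--create, -p/--permissive, -s/--secure, -u/--user), GNU stat and find as shipped on RHEL 9, /var/lib/tftpboot as the root directory unless TFTP_ROOT is set, and the file name tftp_audit.sh, which is only illustrative:

```shell
#!/bin/sh
# Added audit helper for the controls above; it is not part of the original
# post. Assumptions: tftpd-hpa option names (in.tftpd -c/--create,
# -p/--permissive, -s/--secure, -u/--user), GNU stat/find as on RHEL 9, and
# /var/lib/tftpboot as the root directory unless TFTP_ROOT is set.

TFTP_ROOT="${TFTP_ROOT:-/var/lib/tftpboot}"

# 0 when the command line carries neither -c/--create nor -p/--permissive,
# the two flags that let clients write files. Short-option clusters such as
# "-cs" are treated the way getopt parses them.
tftpd_args_safe() {
    for arg in "$@"; do
        case "$arg" in
            --create|--permissive) return 1 ;;
            --*) ;;                 # other long options never enable writes
            -*[cp]*) return 1 ;;    # short cluster containing c or p
        esac
    done
    return 0
}

# 0 when -s/--secure (chroot into the root directory) is present.
tftpd_args_chrooted() {
    for arg in "$@"; do
        case "$arg" in
            --secure) return 0 ;;
            --*) ;;
            -*s*) return 0 ;;
        esac
    done
    return 1
}

# Print the user given by -u/--user; tftpd-hpa falls back to "nobody".
tftpd_args_user() {
    user=nobody
    while [ $# -gt 0 ]; do
        case "$1" in
            --user=*) user="${1#--user=}" ;;
            -u|--user) if [ $# -gt 1 ]; then shift; user="$1"; fi ;;
        esac
        shift
    done
    printf '%s\n' "$user"
}

# 0 when DIR is owned by OWNER (root unless given) with mode 0755, every
# directory below it is 0755, every regular file is 0644, and nothing is
# owned by anyone else. A root-owned tree is what keeps the tftp-user
# process from writing into it.
tftp_root_perms_ok() {
    dir="$1"; owner="${2:-root}"
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%a %U' "$dir")" = "755 $owner" ] || return 1
    bad=$(find "$dir" ! -user "$owner" -o \( -type f ! -perm 644 \) \
              -o \( -type d ! -perm 755 \) | head -n 1)
    [ -z "$bad" ]
}

# 0 when restorecon would relabel nothing under DIR, 1 when a label has
# drifted, 2 when the SELinux tooling is unavailable (check skipped).
tftp_root_label_ok() {
    command -v restorecon >/dev/null 2>&1 || return 2
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 2
    [ -z "$(restorecon -Rnv "$1" 2>/dev/null)" ]
}

# Evaluate one in.tftpd command line (words passed as arguments); print a
# line per failed control and return 0 only when all pass.
audit_cmdline() {
    rc=0
    tftpd_args_safe "$@"     || { echo "FAIL: -c/-p enables uploads"; rc=1; }
    tftpd_args_chrooted "$@" || { echo "FAIL: --secure missing, no chroot"; rc=1; }
    [ "$(tftpd_args_user "$@")" != root ] || { echo "FAIL: --user root"; rc=1; }
    return $rc
}

# Live audit of this host: `sh tftp_audit.sh --host` (needs /proc and pgrep).
if [ "${1:-}" = "--host" ]; then
    pid=$(pgrep -o -x in.tftpd) || { echo "in.tftpd is not running"; exit 1; }
    # word-splitting the live argv is intended here
    audit_cmdline $(tr '\0' ' ' < "/proc/$pid/cmdline") && echo "OK: command line"
    tftp_root_perms_ok "$TFTP_ROOT" && echo "OK: $TFTP_ROOT ownership and modes" \
        || echo "FAIL: $TFTP_ROOT ownership or modes"
    tftp_root_label_ok "$TFTP_ROOT"
    case $? in
        0) echo "OK: SELinux labels" ;;
        1) echo "FAIL: labels drifted, run restorecon -Rv $TFTP_ROOT" ;;
        *) echo "SKIP: SELinux tooling unavailable" ;;
    esac
fi
```

Run it with --host on the server once the drop-in is in place; each function can also be used on its own, for instance from a configuration-management check. The argument checks handle clustered short options such as -cs, but an option value glued to its flag (-utftp) is not parsed, and the label check relies on restorecon -n, so it reports drift without changing anything.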

Use Segmentation

Segment the network to isolate the TFTP server from critical systems and sensitive data. This limits the potential impact of a security breach.

  • With virtualization, the VM can be attached to the TFTP network for provisioning and then moved to the production network.
  • With physical servers, the same approach can be used, but it requires more work.

Use access control lists on network devices or the TFTP server to control and limit TFTP traffic. This can help in preventing unauthorized access.

Implement network monitoring and intrusion detection systems to detect and respond to any suspicious or malicious activities related to the TFTP server.

Enable logging on the TFTP server to monitor and record all TFTP-related activity. This helps in identifying unauthorized access or suspicious activity. Consider sending the logs to a central log server for analysis as well.
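To make the segmentation, access-control and logging advice concrete, here is an added example (not from the original post) that scans in.tftpd syslog lines for the two events the controls above are meant to rule out: any write request (WRQ), which should never succeed on a server without -c/-p, and a request from outside the provisioning segment. It assumes tftpd-hpa's "RRQ/WRQ from <ip> filename <name>" log message format; the provisioning subnet 10.20.0.0/24 and the sample log lines are constructed for the example:

```shell
#!/bin/sh
# Added example (not from the original post): flag suspicious entries in
# tftpd-hpa's syslog output. Assumes the "RRQ/WRQ from <ip> filename <name>"
# message format that in.tftpd logs. The provisioning subnet 10.20.0.0/24
# is a constructed value; the check is a plain string-prefix match on the
# first three octets, so adjust it to your own segment.

PROVISION_PREFIX="${PROVISION_PREFIX:-10.20.0.}"

# Read log lines on stdin, print one ALERT line per finding, and return the
# number of findings as the exit status (0 = nothing suspicious).
tftp_log_alerts() {
    awk -v prefix="$PROVISION_PREFIX" '
        # only tftpd request lines are of interest; other daemons are skipped
        /in\.tftpd\[[0-9]+\]: (RRQ|WRQ) from / {
            op = ""; ip = ""; file = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "RRQ" || $i == "WRQ") { op = $i; ip = $(i + 2) }
                if ($i == "filename") { file = $(i + 1) }
            }
            # uploads are disabled by policy, so any WRQ is worth a look:
            # a client is trying to write, or the server was misconfigured
            if (op == "WRQ") { print "ALERT write-attempt " ip " " file; n++ }
            # the ACLs should block clients outside the provisioning segment;
            # a request from elsewhere means the segmentation has a hole
            if (index(ip, prefix) != 1) { print "ALERT off-segment " ip " " file; n++ }
        }
        END { exit (n > 255 ? 255 : n + 0) }
    '
}

# Constructed sample: two normal PXE reads, one write attempt from inside the
# segment, one read from outside it, and an unrelated sshd line.
SAMPLE_LOG='Jan  5 12:00:01 pxe1 in.tftpd[2311]: RRQ from 10.20.0.15 filename pxelinux.0
Jan  5 12:00:02 pxe1 in.tftpd[2312]: RRQ from 10.20.0.15 filename pxelinux.cfg/default
Jan  5 12:00:09 pxe1 in.tftpd[2315]: WRQ from 10.20.0.77 filename firmware.bin
Jan  5 12:01:30 pxe1 in.tftpd[2320]: RRQ from 192.0.2.44 filename vmlinuz
Jan  5 12:01:31 pxe1 sshd[900]: Accepted publickey for admin from 10.20.0.2'

# Print the number of alerts raised by the constructed sample (2 expected:
# the write attempt and the off-segment read).
sample_alert_count() {
    printf '%s\n' "$SAMPLE_LOG" | tftp_log_alerts >/dev/null && echo 0 || echo $?
}

# Live use on the server, e.g.:  journalctl -u tftp.service | sh tftp_log_check.sh
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | tftp_log_alerts
else
    tftp_log_alerts
fi
```

The script name tftp_log_check.sh is illustrative. Piped input (journalctl output or a forwarded syslog file on the central log server) is scanned directly; run interactively it scans the constructed sample instead. Because the exit status carries the number of findings, it can sit directly in a cron job or a monitoring check without any extra parsing.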