https://community.hpe.com/t5/operating-system-hp-ux/security-holes/m-p/2925788#M110586 Hi Tim,<BR /><BR />For starters, some of these vunerabilities can be removed by simply dening the service from inetd.<BR /><BR />vi /etc/inetd.conf<BR />Place a comment in from of these services:<BR />#bootps dgram udp wait root /usr/lbin/bootpd bootpd<BR />#finger stream tcp nowait bin /usr/lbin/fingerd fingerd<BR /><BR />#uucp stream tcp nowait root /usr/sbin/uucpd uucpd<BR />#ntalk dgram udp wait root /usr/lbin/ntalkd ntalkd<BR /><BR />#daytime stream tcp nowait root internal<BR />#daytime dgram udp nowait root internal<BR />#time stream tcp nowait root internal<BR />#time dgram udp nowait root internal<BR />#echo stream tcp nowait root internal<BR />#echo dgram udp nowait root internal<BR />#discard stream tcp nowait root internal<BR />#discard dgram udp nowait root internal<BR />#chargen stream tcp nowait root internal<BR />#chargen dgram udp nowait root internal<BR /><BR />You could also comment out things like shell (remote remsh) and exec (rexecd) if they are not used.<BR />Once the inetd file has been changed, you need to resubmit it.<BR /># inetd -c<BR /><BR />Cheers<BR />Michael Thu, 13 Mar 2003 00:34:07 GMT Michael Tully 2003-03-13T00:34:07Z https://community.hpe.com/t5/operating-system-hp-ux/security-holes/m-p/2925787#M110585 We were recently audited and one of the things they did was run a series of scripts on the network to expose weaknesses in our Unix security.<BR /><BR />All of our Unix servers are behind a firewall and accessed by internal customers only, so I haven't been overly concerned about locking things down.<BR /><BR />They identified the following ports as being vulnerable. I don't even know what half of this stuff is or if I need it?? The Unix servers are used to run Oracle databases only. There are no other applications on them.<BR /><BR />Pardon my networking ignormance, but is there a way to determine which of these are really in use and need to stay?<BR /><BR />Thanks, Tim<BR /><BR />echo (7/tcp) (Security warnings found) <BR />discard (9/tcp) <BR />daytime (13/tcp) (Security warnings found) <BR />chargen (19/tcp) (Security warnings found) <BR />ftp (21/tcp) (Security hole found) <BR />telnet (23/tcp) (Security warnings found) <BR />smtp (25/tcp) (Security hole found) <BR />time (37/tcp) (Security notes found) <BR />sunrpc (111/tcp) (Security notes found) <BR />auth (113/tcp) (Security warnings found) <BR />epmap (135/tcp) (Security warnings found) <BR />hp-managed-node (382/tcp) <BR />exec (512/tcp) (Security warnings found) <BR />login (513/tcp) <BR />shell (514/tcp) (Security warnings found) <BR />printer (515/tcp) (Security notes found) <BR />klogin (543/tcp) <BR />kshell (544/tcp) <BR />unknown (901/tcp) (Security notes found) <BR />telnets (992/tcp) (Security notes found) <BR />general/tcp (Security notes found) <BR />unknown (49157/tcp) (Security hole found) <BR />unknown (49153/udp) (Security hole found) <BR />nfs (2049/tcp) (Security hole found) <BR />sunrpc (111/udp) (Security notes found) <BR />unknown (49152/tcp) (Security notes found) <BR />unknown (49153/tcp) (Security notes found) <BR />unknown (49156/udp) (Security notes found) <BR />unknown (49154/tcp) (Security notes found) <BR />unknown (49157/udp) (Security notes found) <BR />unknown (49155/tcp) (Security notes found) <BR />unknown (49158/udp) (Security warnings found) <BR />lockd (4045/udp) (Security warnings found) <BR />lockd (4045/tcp) (Security notes found) <BR />unknown (49156/tcp) (Security notes found) <BR />unknown (49167/udp) (Security hole found) <BR />unknown (49729/udp) (Security notes found) <BR />unknown (49272/tcp) (Security notes found) <BR />nfsd (2049/udp) (Security hole found) <BR />dtspc (6112/tcp) (Security hole found) <BR />snmp (161/udp) (Security hole found) <BR />xdmcp (177/udp) (Security warnings found) <BR />unknown (32789/udp) (Security hole found) <BR />epmap (135/udp) (Security notes found) <BR />unknown (49190/udp) (Security notes found) <BR />unknown (49159/tcp) (Security notes found) <BR />unknown (49790/udp) (Security notes found) <BR />unknown (49317/tcp) (Security notes found) <BR />unknown (49793/udp) (Security notes found) <BR />unknown (49319/tcp) (Security notes found) <BR />echo (7/udp) (Security warnings found) <BR />daytime (13/udp) (Security warnings found) <BR /> Wed, 12 Mar 2003 23:50:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-holes/m-p/2925787#M110585 Tim Medford 2003-03-12T23:50:58Z https://community.hpe.com/t5/operating-system-hp-ux/security-holes/m-p/2925788#M110586 Hi Tim,<BR /><BR />For starters, some of these vunerabilities can be removed by simply dening the service from inetd.<BR /><BR />vi /etc/inetd.conf<BR />Place a comment in from of these services:<BR />#bootps dgram udp wait root /usr/lbin/bootpd bootpd<BR />#finger stream tcp nowait bin /usr/lbin/fingerd fingerd<BR /><BR />#uucp stream tcp nowait root /usr/sbin/uucpd uucpd<BR />#ntalk dgram udp wait root /usr/lbin/ntalkd ntalkd<BR /><BR />#daytime stream tcp nowait root internal<BR />#daytime dgram udp nowait root internal<BR />#time stream tcp nowait root internal<BR />#time dgram udp nowait root internal<BR />#echo stream tcp nowait root internal<BR />#echo dgram udp nowait root internal<BR />#discard stream tcp nowait root internal<BR />#discard dgram udp nowait root internal<BR />#chargen stream tcp nowait root internal<BR />#chargen dgram udp nowait root internal<BR /><BR />You could also comment out things like shell (remote remsh) and exec (rexecd) if they are not used.<BR />Once the inetd file has been changed, you need to resubmit it.<BR /># inetd -c<BR /><BR />Cheers<BR />Michael Thu, 13 Mar 2003 00:34:07 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-holes/m-p/2925788#M110586 Michael Tully 2003-03-13T00:34:07Z https://community.hpe.com/t5/operating-system-hp-ux/security-holes/m-p/2925789#M110587 Tim,<BR /><BR />Here is a good discussion on a similar item.<BR /><BR /><A href="http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xb7aae7613948d5118fef0090279cd0f9,00.html" target="_blank">http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xb7aae7613948d5118fef0090279cd0f9,00.html</A><BR /><BR />Cheers<BR />Michael Thu, 13 Mar 2003 00:40:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-holes/m-p/2925789#M110587 Michael Tully 2003-03-13T00:40:15Z https://community.hpe.com/t5/operating-system-hp-ux/security-holes/m-p/2925790#M110588 Hi,<BR /><BR />If you aren't sure what process is using some of those higher numbered ports [49152..], you can use lsof to see which processes have them open. You can get a copy of lsof from here:<BR /><BR /><A href="ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/" target="_blank">ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/</A> <BR /><BR />As for the rest of them, you have to balance your security needs against your functionality. For example, it might be a problem to have the port open for telnet, but if you need telnet you have to use it. Michael gave a good list of some ports that really aren't used and can be disabled.<BR /><BR />JP<BR /> Thu, 13 Mar 2003 00:43:54 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-holes/m-p/2925790#M110588 John Poff 2003-03-13T00:43:54Z