topic Re: Security issue in Operating System - HP-UX

Security issue

Joeriz Agtay_3 — Thu, 04 Sep 2003 08:44:46 GMT

a. how can i remove the inital info (below) when i try to access my host?

"HP-UX timk370 B.11.11 U 9000/898 (ta)"

b. how can i denied login of "root", the 1st time, from any connection except console?

Many thanks.

Re: Security issue

Michael Tully — Thu, 04 Sep 2003 08:49:46 GMT

First change the /etc/issue file and place whatever you like. I just use the server name. Make sure that you update /etc/inetd.conf file at the end telnetd line '-b /etc/issue' and '-B /etc/issue for the 'rlogind' line.
restart inetd 'inetd -c'

If you want to disallow root as a direct login create a file called /etc/securetty and insert the word console and save it.
Make sure the permissions and ownership of the file is root:root and 400

Re: Security issue

T G Manikandan — Thu, 04 Sep 2003 08:54:01 GMT

a./etc/issue

b.
# touch /etc/securetty
#chown root:bin /etc/securetty
# chmod 600 /etc/securetty

Re: Security issue

E. Wong — Thu, 04 Sep 2003 20:44:19 GMT

It is always good to create /etc/securetty file with only one line that says "console"

this will force any user trying to gain root access to run # su which will then be logged in /var/adm/sulog.

As for removing the initial info, you may want to edit the /etc/issue file with a warning note something like: you are accessing a private network for authorized users only, etc.

Re: Security issue

Bill Hassell — Fri, 05 Sep 2003 01:53:29 GMT

NOTE: If you spell the word console incorrectly, or use /dev/console in the /etc/securetty file, then root cannot login from *ANY* location (the same effect would occur if securetty is empty). But you can always use su - root to gain root access.

As far as the message in /etc/issue, be careful what you put there. That file is presented *prior* to login and authentication. It is a good idea NOT to identify the operating system and version or even the type of machine. A sugestion is to have just the simple hostname and perhaps (if your lawyers require it) a warning about access.

Re: Security issue

Sridhar Bhaskarla — Fri, 05 Sep 2003 02:11:03 GMT

Hi,

The reason why security insists on removing the default banner is because it shows the system type as well the OS.

The suggestions were already made to get you what you need.

However, there are other ways one can get the OS version and the system type. You will need to take care of them too.

1. ftp: Use ftpaccess file. Look at ftpaccess man page. Use "suppressversion" and and "suppress hostname" with "banner" pointing to your customized warning message.

2. Sendmail: If you are running sendmail, you can turn of this by editing /etc/mail/sendmail.cf file. Search for "GreetingMessage" and put two quotes after = sign.

3. Turn of snmpd if you don't use. If you send traps or use snmp to monitor anything, configure your snmpd.conf file with a non-default community name.

-Sri