https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140915#M155285 Hi,<BR /><BR />it depends on how big the hole is, you punched into the firewall. ;-) You only need a hole the size of the port that is needed for ntp, or am I wrong?<BR /><BR />be careful,<BR /><BR />Michael<BR /> Wed, 10 Dec 2003 08:42:21 GMT Michael Schulte zur Sur 2003-12-10T08:42:21Z https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140913#M155283 I recently punched a hole through the firewall so my HPUX time server could get to the outside world for a valid time source, all is well. Question, are there any process I should shut down on this HPUX box to prevent intrusion? I am a little worried about an outsider coming in on one of my services. Wed, 10 Dec 2003 08:31:11 GMT https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140913#M155283 Nobody's Hero 2003-12-10T08:31:11Z https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140914#M155284 Generally the rule is if you don't need it then turn it off. Go to /etc/services and comment out ("#") any lines. Also check the /etc/inetd.conf file and remove any services that you do not need. If the only purpose of this HPUX server is to function as a time server than you can get rid of a whole lot.<BR /><BR />-Hazem Wed, 10 Dec 2003 08:34:19 GMT https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140914#M155284 Hazem Mahmoud_3 2003-12-10T08:34:19Z https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140915#M155285 Hi,<BR /><BR />it depends on how big the hole is, you punched into the firewall. ;-) You only need a hole the size of the port that is needed for ntp, or am I wrong?<BR /><BR />be careful,<BR /><BR />Michael<BR /> Wed, 10 Dec 2003 08:42:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140915#M155285 Michael Schulte zur Sur 2003-12-10T08:42:21Z https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140916#M155286 The NTP port (123) is considered to be safe. If your firewall has just one port open, then the rest of the services can't be seen or reached from outside the firewall (assuming you have a good firewall and a good administrator). But good security demands that all ports be closed by default and then an explicit decision to run a service (open a port) made based on corporate guidelines. Most security problems come from inside the firewall. Wed, 10 Dec 2003 08:44:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140916#M155286 Bill Hassell 2003-12-10T08:44:49Z https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140917#M155287 You can close the services that you do not want. (Check /etc/services and /etc/inetd.conf)<BR /><BR />A tool like nmap can give you idea on what ports are open on ur server.<BR /><BR /> Wed, 10 Dec 2003 08:45:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140917#M155287 RAC_1 2003-12-10T08:45:05Z https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140918#M155288 A agree with Bill Hassell. Port 123 is safe.<BR /><BR />My employer disagrees with that, so they have the firewall act as a time server and ntp must be configured to take time off of that port.<BR /><BR />If you are worried and don't trust your firewall, ipfilter can be installed on the hp box and configured to allow only one way traffic on port 123. Your machine will be able to go out and get the time but nothing will be able to come in on 123.<BR /><BR />I can probably dig up a configuration for you if you are interested.<BR /><BR />SEP Wed, 10 Dec 2003 10:44:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/ntp-external/m-p/3140918#M155288 Steven E. Protter 2003-12-10T10:44:50Z