https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410064#M202437 I would add:<BR />Give a try to <A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA" target="_blank">http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA</A><BR />If you are under HPUX11i<BR /><BR />If you can filter ping...<BR />Use ssh but dont allow root to use it, this means of course be sure installed and configured sudo <BR /><BR />All the best<BR />Victor Thu, 28 Oct 2004 11:14:46 GMT Victor BERRIDGE 2004-10-28T11:14:46Z https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410060#M202433 Hi,<BR /><BR />I recently put a server with Oracle Db behind a FW. NAT is used for LAN users to get services from the server, while its ip is in different subnet with LAN. Ports opened are only limited to ftp, telnet, oracle, ping.<BR /><BR />I am still challenged by some top gun with question of "can this server be seen while someone hack into LAN".<BR /><BR />I believed it is secured:<BR />1) it uses different subnet and uses NAT<BR />2) its services are limited and only those ports are open<BR />3) user accounts are already there.<BR /><BR />I really want to hear all different views to help me sort things out.<BR /><BR />VERY Appreciated!<BR /><BR />Steven<BR /><BR /> Thu, 28 Oct 2004 10:43:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410060#M202433 Steven Chen_1 2004-10-28T10:43:06Z https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410061#M202434 One thing I would do is get rid of telnet &amp; ftp - use the SSH suite instead. This will encrypt the login info, passwds, etc. There are multiple other services you can turn off as they are not needed for all tasks. <BR /><BR />Also look into getting the secure_patch_check. You can find numerous posts regarding this.<BR /><BR />Other things you might want to look at are bastion hosts, installing Bastille, etc.<BR /><BR /> Thu, 28 Oct 2004 10:48:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410061#M202434 Rick Garland 2004-10-28T10:48:20Z https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410062#M202435 With putting it behind a firewall and having opened only the required ports is a lot that you have done.<BR /><BR />You further secure it in different ways.<BR /><BR />1. convert it to trusted mode.<BR />2. secure it further by running baston ot and oding a study what further could be done<BR />2. have password policies in place - such as password life, password life time etc. (this is very much possible system intrsuted mode.<BR />3. you may also want to run SHC (system health check), CPM (custom patch manager)<BR />3. Run the security audit for it.<BR /><BR />Anil Thu, 28 Oct 2004 10:49:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410062#M202435 RAC_1 2004-10-28T10:49:02Z https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410063#M202436 Are you running sendmail or other mail agent? Are you using the HP JetAdmin software to admin printers? Those use well known tcp ports with well know exploits, and you'll want to consider disabling them.<BR /><BR />Also, are you all patched up to date with the OS? There are a few other tcp-based exploits you'll want to protect yourself from with the current patches.<BR /><BR />Are you using any of the web services with Oracle; e.g., java and &amp; web client? You'll need to make sure you have all the current Oracle patches too.<BR /><BR />mark Thu, 28 Oct 2004 11:03:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410063#M202436 Mark Greene_1 2004-10-28T11:03:56Z https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410064#M202437 I would add:<BR />Give a try to <A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA" target="_blank">http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA</A><BR />If you are under HPUX11i<BR /><BR />If you can filter ping...<BR />Use ssh but dont allow root to use it, this means of course be sure installed and configured sudo <BR /><BR />All the best<BR />Victor Thu, 28 Oct 2004 11:14:46 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410064#M202437 Victor BERRIDGE 2004-10-28T11:14:46Z https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410065#M202438 If the server is on a network its never totally secure. Thats a fact we must live with.<BR /><BR />Reasons for vulnerabilities:<BR />1) Defects in the daemons that you allow to run.<BR />2) Oracle defects<BR />3) OS flaws.<BR /><BR />However:<BR /><BR />You've made a good start and I recommend Bastille and Security Patch check.<BR /><BR />Here is a link:<BR /><BR /><A href="http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA" target="_blank">http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA</A><BR />Required for BAstille:<BR /><A href="http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=PERL" target="_blank">http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=PERL</A><BR /><BR />For the trully paranoid:<BR /><A href="http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5083AA" target="_blank">http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5083AA</A><BR />Replace telent with secure shell/openssh<BR /><BR /><A href="http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA" target="_blank">http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA</A><BR /><BR /><A href="http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=TCPWRAP" target="_blank">http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=TCPWRAP</A><BR /><BR />There are some good analysis tools in here:<BR /><BR /><A href="http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111" target="_blank">http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111</A><BR /><BR />You can always do more.<BR /><BR />SEP Thu, 28 Oct 2004 11:31:01 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410065#M202438 Steven E. Protter 2004-10-28T11:31:01Z https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410066#M202439 I appreciate all suggestions that help pointing to right directions.<BR /><BR />Yet I am still thinking what wouldb be the appropriate answer to the top gun's question: "can someone see the server (even when it is behind FW now)". <BR /><BR />I forget the background explaination: the server is only connected to outside world with oracle sqlnet, and all ftp and telnet services are for LAN users only. Of cource, VPN users is included.<BR /><BR />Then how to re-challenge back? NAT hides server identity, then what else?<BR /><BR />Thanks Thu, 28 Oct 2004 12:55:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-the-server-secured/m-p/3410066#M202439 Steven Chen_1 2004-10-28T12:55:10Z