topic Re: need information in Operating System - HP-UX

need information

Azaru — Fri, 28 Aug 2009 15:54:21 GMT

How to bloack the incoming and outgoing ftp access in hpux server? We are running HPUX 11i series operating system in our HP servers.

Thanks
azaru

Re: need information

Patrick Wallek — Fri, 28 Aug 2009 15:57:42 GMT

At what level do you want to block FTP access?

For incoming, do you want to block all connections? If so, comment out, or remove, the FTP entries in /etc/inetd.conf and then run 'inetd -c' to force a re-read of the inetd.conf file.

For outgoing, you would need to remove permission on the FTP executable or just rename FTP to FTP.ORIG.

Re: need information

Hein van den Heuvel — Fri, 28 Aug 2009 16:08:19 GMT

>> How to bloack the incoming and outgoing ftp access in hpux server? We are running HPUX 11i series operating system in our HP servers.

Patrick already answered the basics.

An alternative is to cut the network cables.

If that is a little too coarse (nothing the question suggests it would be :-), then maybe you can finesse this by telling the network switch to block traffic on certain ports (21).

Patrick wrote>> "For outgoing, you would need to remove permission on the FTP executable or just rename FTP to FTP.ORIG."

While that will work for simpleton users, that is a bit naive a solution isn't it?
FTP is not us much an executable as it is a network protocol. Any program can just 'talk FTP' on a network port.
One example would be perl module Net::FTP which is a class implementing a simple FTP client in Perl as described in RFC959. Renaming FTP will not stop that.

http://perldoc.perl.org/Net/FTP.html

fwiw,
Hein.

Re: need information

Azaru — Fri, 28 Aug 2009 16:10:47 GMT

Hi patric

Thanks for the information. You are right. I have done the first step that u said and things happened reversly. I can able to ftp from other server to the blocked one and not able to do outgoing.

azar

Re: need information

Azaru — Fri, 28 Aug 2009 17:42:43 GMT

Hi all,

We have done the vulnerability test in our servers. And as a result we have got these following high risky things are happening in the report. I dont know what it means. Can any one please explain it. Its about the ftp i understand.

WU-FTPDSockPrintf()
Remote Stack-based Buffer
Overrun

WU-FTPD S/Key Remote
Buffer Overrun

WU-FTPD File Conversion
Command Execution

WU-FTPD fb_realpath()
Off-By-One Buffer Overflow

Re: need information

Hein van den Heuvel — Fri, 28 Aug 2009 19:07:03 GMT

Those message refer to known vulnerabilties to the wu-ftpd.
( http://en.wikipedia.org/wiki/WU-FTPD )

You may want to check out the following topics:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1319049

"From my research it appears that the current release and patching for HPUX ftpd is based uopon WU-FTPD 2.6.1. "

and

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1331080

Some of those vulnerabilites listed seem pretty old. 2003? See for example:

http://unix.derkeiler.com/Newsgroups/comp.sys.hp.hpux/2003-09/0054.html

Exactly what version of HPUX + patch level do you have?

hth,
Hein.

Re: need information

Azaru — Fri, 28 Aug 2009 20:01:51 GMT

Dear Hein

We have HPUX B.11.11 & HPUX B.11.23 versions
and the following path level
swlist | grep -i patch
BUNDLE11i B.11.23.0409.3 Required Patch Bundle for HP-UX 11i v2 (B.11.23), September 2004
FEATURE11i B.11.23.0706.063 Feature Enablement Patches for HP-UX 11i v2, June 2007
HWEnable11i B.11.23.0706.064 Hardware Enablement Patches for HP-UX 11i v2, June 2007.

One more thing i couldn't find any wu-ftpd fileset in there using this command given in the last link.
#swlist -l fileset | grep -i wu-ftp-26.inetsvcs-ftp

Re: need information

Hein van den Heuvel — Sun, 30 Aug 2009 03:22:21 GMT

This website appears to have a couple of really good overview for FTP setups...

http://newfdawg.com/SHP-Articles.htm

Hein.