topic Re: lockdown /etc/services in Operating System - HP-UX

lockdown /etc/services

Vernell Woods_1 — Thu, 11 Apr 2002 14:27:21 GMT

I've been asked to make the /etc/services file readable by root only; however, users still need to be able to telnet & ftp. I thought about using Symark Powerbroker to give users ftp & telnet access, but applications such as Oracle & Valencia also need to work without problems. Have anyone had to do this or have any suggestions?

Re: lockdown /etc/services

John Carr_2 — Thu, 11 Apr 2002 14:31:19 GMT

Hi

it should be read only be default , so change it.

cheers
John.

Re: lockdown /etc/services

John Carr_2 — Thu, 11 Apr 2002 14:32:37 GMT

ignore my last comment I misread the post

Re: lockdown /etc/services

pap — Thu, 11 Apr 2002 14:47:05 GMT

Hi if you want to deactivate the telnet and ftp services for certain users or machines, then you need to update the file /var/adm/inetd.sec

There you can specify the service name and to whom you wna to block the access (machine).....
Hope this helps.
Simply by making /etc/services readable will not do anything. That is an irrelavent thing here.

-pap

Re: lockdown /etc/services

Volker Borowski — Thu, 11 Apr 2002 14:50:21 GMT

Hello,

any reason for this request ?
I mean "services" is a lookup database for the systemcall "getservbyname".

So whatever is in there does not mean the service is available. Just to take read away looks to me like a try to "hide by disguise" a service.

This is pretty much like using a non-standard tcpip-port for a standard application which is opposed to common thinking no security feature. A real hacker will use a portscan-tool and find your Oracle-Listener even if it runs on Port 12345.
So the only non-benefit is you have more trouble with your administration.

If you need protection, go for a firewall and a good concept.

Just my 0.02 ???
Volker

Re: lockdown /etc/services

Vernell Woods_1 — Thu, 11 Apr 2002 14:51:53 GMT

Let me explain a little further: Our auditors said that it was an exception to have /etc/services readable by all users. We want to make it readable by root "ONLY". In doing so, users won't be able to ftp or telnet...but we want them to be able to. I need to make /etc/services readable by root only and still have users able to ftp & telnet. At the same time, I need applications that make calls to other servers to function correctly. I don't understand why /etc/services need to be locked down or how it's an exception, but I have to do it. PLEASE HELP!!!

Re: lockdown /etc/services

James R. Ferguson — Thu, 11 Apr 2002 14:59:38 GMT

Hi:

Volker's comments say it all!. Don't be badgered by the auditors. '/etc/services' should be readable by all, and need not be marked writeable, since as 'root' you can edit (write) it regardless. Having controlled that, only you (root) can add or remove services. Auditors often go on witch-hunts to show management that they earned their keep!

Regards!

...JRF...

Re: lockdown /etc/services

Jeff Schussele — Thu, 11 Apr 2002 15:05:21 GMT

WELL SAID, JRF!

Rgds,
JEFF

P.S.
inetd.sec & inetd.conf is where the REAL, internal security is & SHOULD be set! And NOTHING beats a well configured FW for external security!

Re: lockdown /etc/services

Frank Quinteros — Thu, 11 Apr 2002 15:05:47 GMT

Vee,

/etc/services much like /etc/rpc is a lookup table for Berkely and Arpa sevices for the Unix OS.

These have to be available for the OS (and users) to have basic functionality with the outside world.

As was suggested earlier, different options exist for locking down the server securely and effectively.

The auditors should provide supporting doc (reasons) for such request.

TCPwrappers (HP's IPSec900), SSL, and HP's patch PHNE_23949 which helps control ftp'users' access may help in controlling access to this server.

Finally you may want to search/browse the security forum for past postings.

Re: lockdown /etc/services

Darrell Allen — Thu, 11 Apr 2002 15:12:30 GMT

What the heck is their basis for such a demand? Do they know anything about UNIX? Of course /etc/services has to be world readable.

I hope they're not making any other similarly stupid demands. If so, you need to raise the red flag with management.

Darrell

Re: lockdown /etc/services

Vernell Woods_1 — Thu, 11 Apr 2002 15:15:11 GMT

Thanks Guys for your responses. I'll go back and ask exactly what the issue is. Maybe with a more in-depth explanation, I can come up with a better plan.

Thanks again.