https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998765#M739028 Shalom,<BR /><BR />Go with an ipfilter configuration that first rejects allpass through, and then accepts only 80 and 443.<BR /><BR />This will limit traffic to your machine to those two ports alone.<BR /><BR />This alone is not enough to prevent hacking but it will limit their options. Its still possible to exploit web server flaws and gain access to the box.<BR /><BR />SEP Tue, 22 Aug 2006 06:54:32 GMT Steven E. Protter 2006-08-22T06:54:32Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998762#M739025 My company using hpux v11i v2, if i've build up a apache http, and use ipf as firewall. <BR />Port 80, 443 <BR />I try to check ipf log which pass through those ports, and check apache log whether it contains executable command ....././passwd, ././chmod , etc. <BR /><BR />My question is what i am checking is enough or not? <BR /><BR />Thanks a lot Tue, 22 Aug 2006 04:37:07 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998762#M739025 BenCheer.com 2006-08-22T04:37:07Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998763#M739026 Hi,<BR />seems you are checking all the correct files, but what are you trying to prevent/detect. Tue, 22 Aug 2006 04:55:01 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998763#M739026 Peter Godron 2006-08-22T04:55:01Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998764#M739027 Hi , <BR />My supervisor want me to prevent hacking from internet.<BR /> Tue, 22 Aug 2006 05:19:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998764#M739027 BenCheer.com 2006-08-22T05:19:32Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998765#M739028 Shalom,<BR /><BR />Go with an ipfilter configuration that first rejects allpass through, and then accepts only 80 and 443.<BR /><BR />This will limit traffic to your machine to those two ports alone.<BR /><BR />This alone is not enough to prevent hacking but it will limit their options. Its still possible to exploit web server flaws and gain access to the box.<BR /><BR />SEP Tue, 22 Aug 2006 06:54:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998765#M739028 Steven E. Protter 2006-08-22T06:54:32Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998766#M739029 if i try put a firewall(such as checkpoint) in front of unix then put the web server (unix) within DMZ, is it much more better?<BR /><BR />thx Wed, 23 Aug 2006 00:36:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998766#M739029 BenCheer.com 2006-08-23T00:36:08Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998767#M739030 I'd also suggest going through your http.conf file and removing any module support you don't need, and the functionality you don't use. Also, you may consider using HP-UX Bastille to harden your system further.<BR /><BR />-R Tue, 05 Sep 2006 14:28:11 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998767#M739030 Robert Fritz 2006-09-05T14:28:11Z https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998768#M739031 Thanks Wed, 06 Sep 2006 18:07:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipfilter/m-p/4998768#M739031 BenCheer.com 2006-09-06T18:07:20Z