topic Network Services in Operating System - HP-UX

Network Services

Pando — Mon, 29 Jan 2007 00:39:47 GMT

Dear Gurus,

I would like to ask how to disable the following services:

Any form of dynamic routing (routed,gated)
NFS and related services (nfsd, biod, mountd, statd, lockd, automount, etc)
NIS (both client and server)
HTTP
Bootps
Booting services (tftpd, bootd, bootpd, dhcpd)
Dhcpd
rwhod
Fingerd
Uucp
Ntalk
Rexd
Rstatd
Ruserd
Rwalld
Sprayd
BSD “r” commands

Also, how can enable inetd and ftp logging?
What about forwarding all syslog messages to centralized logging host?

Re: Network Services

Fabian Briseño — Mon, 29 Jan 2007 00:50:12 GMT

hello pando.
Some of this services can be disabled by comenting them out in

/etc/inetd.conf
also check /etc/services

Re: Network Services

Biswajit Tripathy — Mon, 29 Jan 2007 03:48:22 GMT

You need to turn on the system firewall
HP-UX IPFilter and open only those services
that you need. This will effectively close all other
services including the ones you listed above.

- Biswajit

Re: Network Services

Yarek — Mon, 29 Jan 2007 04:46:56 GMT

Hi,

you can comment out proper lines in /etc/inetd.conf file

after that type

#inetd -c to re-read configuration

rgds

Re: Network Services

Ralph Grothe — Mon, 29 Jan 2007 05:26:13 GMT

Those services started by inetd are disabled by commenting their entries in /etc/inetd.conf and subsequentially sending a SIGHUP to inetd's PID, or executing "/usr/sbin/inetd -c",
as already has been posted by the others.
However, those services that run stand-alone
need to be brought down and disabled in their respective config files separately.
For instance if you don't require the NFS server you can "/sbin/init.d/nfs.server stop" and edit /etc/rc.config.d/nfsconf so that it won't be restarted on next runlevel change.
The procedure for the NFS client is similar.
With httpd it depends what kind of webserver you have currently running.
If it is the HP port of apache it usually is shut down by "/sbin/init.d/hpws_apache stop",
and prevented from restart by editing /etc/rc.cnfig.d/hpws_apacheconf.
But the names of init script as well es separate rc conf file, if present at all,
very much depend on the version.
Generally, I would consider disabling any service that your users don't need more apropiate than setting up a packet filter rule set.
Besides, you save resources and avoid any trouble with bugs, exploits, security updates etc. these services may be susceptible to.

Re: Network Services

Matti_Kurkela — Mon, 29 Jan 2007 06:46:55 GMT

Generally, the places to check for enabling/disabling a service are the /etc/inetd.conf file and the /etc/rc.config.d directory.

/etc/rc.config.d/namesvrs:
- first check /etc/nsswitch.conf and ensure the server does not require NIS for anything
- set all NIS_*SERVER and NIS_*CLIENT variables to 0 to disable NIS functions.

/etc/rc.config.d/nfsconf:
- set NFS_CLIENT, NFS_SERVER, AUTOMOUNT, START_MOUNTD and AUTOFS to 0 as appropriate to disable NFS-related services

/etc/rc.config.d/netconf:
- set GATED to 0 to disable dynamic routing daemon
- set RARP to 0 to disable rarpd daemon (booting services)
- set RDPD to 0 to disable rdpd

/etc/rc.config.d/netdaemons:
- set INETD_ARGS to "-l" to enable inetd logging
- set START_RBOOTD to 0 to disable rbootd
- set MROUTED to 0 to disable multicast routing
- set RWHOD to 0 to disable rwhod

To disable ftpd, telnetd, tftpd, bootps, finger, r* commands, ntalk, uucp, rexd, rstatd, rusersd, rwalld and sprayd, comment them out of /etc/inetd.conf.

To disable HTTP, you need to find out what HTTP server software you're using. If it's HP-packaged Apache, see /etc/rc.config.d/hpws_apacheconf. For any other kind of HTTP server, see the documentation of that server and/or the notes of the person who installed the server.

Bootp and DHCP are so closely related that usually one server program handles both of them. The network port that bootp/DHCP server uses is called "bootps"; in HP-UX, the bootp/DHCP server binary is called "bootpd".

To enable ftpd logging, add "-l" to ftpd command line in /etc/inetd.conf file.

To forward all syslog messages to centralized logging host, see "man syslogd".

After making these changes, you'll need to send a HUP signal to inetd and/or stop any running service daemons to make the changes effective immediately. A reboot might be recommended to ensure the new configuration is bootable, although it isn't strictly required.

Re: Network Services

Robert Fritz — Tue, 30 Jan 2007 12:11:22 GMT

One additional plug: You can use HP-UX Bastille to both stop inetd and other services, and set up your IPFilter firewall.

Re: Network Services

Keith Buck — Tue, 30 Jan 2007 15:09:02 GMT

I recommend starting with HP-UX Bastille, available for free from HP's Software Depot (https://www.hp.com/go/softwaredepot) It walks you through the process of disabling unnecessary services (including the inetd services and others mentioned above), explaining the tradeoffs for each item.

It will also help you setup a basic ipfilter firewall if desired, and has options to turn on logging. I think it covers everything you mentioned except centralized logging.

Hope that helps.

-Keith

Re: Network Services

Pando — Mon, 05 Feb 2007 22:39:13 GMT

Hello Robert and Keith,

I have downloaded HP-UX Bastille and when i about to install it using swinstall, i got an error.
The error was:

The software item "B6849AA,r=B.02.01.03,a=HP-UX_B.11.00_32/64,v=HP"
is a bundle (or a product, subproduct or fileset contained within a
bundle). This item was successfully marked, but difficulties were
encountered while marking some items that it depends on. The messages
below show which software items encountered difficulties and exactly
what these difficulties were:
The software
"Bastille.BASTILLE,r=B.02.01.03,a=HP-UX_B.11.00_32/64,v=HP" was
successfully marked, but it depends on the following software items
which could not be found in the source. However, these items may
already be in the target. This will be checked during the Analysis
Phase: Perl5.PERL-RUN,r>=B.5.6.1.E | Perl5-32.PERL-RUN,r>=B.5.6.1.E
Perl5-64.PERL-RUN,r>=B.5.6.1.E

I have installed perl 5.8.8 in my HP-UX machine. Any idea on how to proceed?
Thanks!

Re: Network Services

Keith Buck — Tue, 06 Feb 2007 11:10:41 GMT

Where did you get perl 5.8? You need the official packaged one from software.hp.com to fulfull the corequisites. (this version includes Tk for the Bastille GUI, and has been tested by HP)

-Keith

Re: Network Services

Pando — Thu, 08 Feb 2007 02:18:09 GMT

Hi Keith,

I have downloaded Perl 5.8.8 from HP-UX Porting Center. Here's the website : http://hpux.connect.org.uk/hppd/auto/

Re: Network Services

Keith Buck — Thu, 08 Feb 2007 12:05:42 GMT

You'll need to get perl from HP's download site:

https://www.hp.com/go/softwaredepot

I don't know what modules are included in the porting archive's version, and it certainly won't satisfy the official corequisites of the HP-packaged Bastille.