
securing hpux box

 
sharif naser_1
Frequent Advisor

Hi guys,
I have N-class servers with HP-UX 11 installed.
Could anybody tell me how I can secure my HP-UX box, or is there any software which can help me in assessing my HP-UX box security?

Regards,
Sharif
8 REPLIES
Thierry Poels_1
Honored Contributor
Solution

Re: securing hpux box

Hi,

There's a whitepaper available titled "How to build a bastion server". It's a very good basis to build a secure server.

regards,
Thierry.
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
Sridhar Bhaskarla
Honored Contributor

Re: securing hpux box

Sharif,

There is C2 security available with HP-UX, but not by default. You need to enable it. You can convert the system to trusted by running the command /usr/lbin/tsconvert. Then you can implement enhanced password restrictions, auditing, etc.

Check this URL for more details.

http://docs.hp.com/hpux/onlinedocs/B2355-90672/B2355-90672.html

All the best,

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Rainer von Bongartz
Honored Contributor

Re: securing hpux box

Take a look at this document

http://www.hp.com/products1/unix/operating/hpux11i/alwayssecure.html

Regards
rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Thierry Poels_1
Honored Contributor

Re: securing hpux box

hi again,

got address and exact title:

http://people.hp.se/stevesk/bastion11.html
"Building a Bastion Host Using HP-UX 11" by Kevin Steves

good luck,
Thierry
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
Rita C Workman
Honored Contributor

Re: securing hpux box

That is a very broad subject. But even before I started reading I might:
...first protect myself from outside sources getting in. So have a firewall installed and configured (by someone who is familiar with this process if you are not).
The next thing I would do is configure my /var/adm/inetd.sec file to allow or deny only certain IPs or hosts to use certain protocols.
Make sure your root password is secure AND double check your /etc/passwd file to ensure nobody has a GUID=0 except root and who you know should.
If you're already concerned you may have folks trying things, then set up inetd to log info to your syslog, so you can monitor for this. And keep an eye on your /var/adm/sulog file to see who's trying to crack the password.
...Now you still have a long way to go...so start reading and set up what security measures will work best for your shop.

Just a thought,
Rit
linuxfan
Honored Contributor

Re: securing hpux box

Hi,

Others have already suggested quite a few good white papers.

There is another tool called armor (which is a script) which secures an HP box. Might want to check it out:

http://armor.sourceforge.net/

Here's a FAQ about armor
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/~checkout~/armor/armor/FAQ?rev=HEAD&content-type=text/plain

Here's another thread where some of the folks here in the forum were planning to come up with another script.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x42b8cf38d6bdd5118ff10090279cd0f9,00.html

-HTH
Ramesh
They think they know but don't. At least I know I don't know - Socrates
Roger Baptiste
Honored Contributor

Re: securing hpux box

Hi Nasir,

This is a wide topic.
For starters:

1) You can convert your system to Trusted mode. It can be done through SAM or the command line (tsconvert). A Trusted system implements features like auditing and a shadow password file in a trusted database. Basically, it gives strict control over the password and auditing policies of the system.

2) The next step is the tuning of connection services. Go into /etc/services and /etc/inetd.conf and disable any service which you feel is not required. But be very sure and careful before you disable any services.

3) Then, use SSH/SFTP instead of telnet/ftp. telnet does not encrypt passwords when it sends them on the network. SSH is a secure version of connection to the system.

There are many more steps to secure your system. It depends on your requirements. Not all systems are secured to a detailed extent.

HTH
raj
Take it easy.
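
The checks suggested in Rita C Workman's and Roger Baptiste's replies (extra UID 0 accounts in /etc/passwd, failed su attempts in /var/adm/sulog, telnet/ftp-style services still enabled in /etc/inetd.conf), written as a read-only audit script. This is an added example, not part of any post in the thread; the function names are hypothetical, the sample files are constructed, and it assumes the usual `SU date time +/- tty from-to` sulog layout.

```shell
#!/bin/sh
# Added example: read-only audit checks. All sample data below is constructed.

# Accounts other than root whose UID field (3rd field) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Failed su attempts per "from-to" pair; sulog marks a failure with "-" in field 4.
failed_su() {
    awk '$1 == "SU" && $4 == "-" { n[$6]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Cleartext login/transfer services still enabled (not commented out) in inetd.conf.
cleartext_services() {
    awk '$1 ~ /^(telnet|ftp|login|shell|exec)$/ { print $1 }' "$1"
}

# Write constructed sample files into directory $1 (stand-ins for the real files).
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
oper:*:0:20:Operator:/home/oper:/usr/bin/sh
sharif:*:101:20::/home/sharif:/usr/bin/sh
EOF
    cat > "$1/sulog" <<'EOF'
SU 03/14 09:12 + ttyp1 sharif-root
SU 03/14 22:40 - ttyp3 guest-root
SU 03/14 22:41 - ttyp3 guest-root
SU 03/15 01:05 - ttyp2 oper-root
EOF
    cat > "$1/inetd.conf" <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
#login  stream tcp nowait root /usr/lbin/rlogind rlogind
EOF
}

d="${TMPDIR:-/tmp}/audit.$$"
mkdir -m 700 "$d" || exit 1
make_samples "$d"
echo "UID 0 besides root:"; uid0_accounts "$d/passwd"
echo "Failed su attempts:"; failed_su "$d/sulog"
echo "Cleartext services:"; cleartext_services "$d/inetd.conf"
rm -rf "$d"
```

On a live system, pass /etc/passwd, /var/adm/sulog and /etc/inetd.conf to the three functions instead of the sample files.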