
Unix Services Not essential

kwad
Occasional Advisor

Unix Services Not essential

Hi Guys,

I am trying to lock my system down. I did a port scan and I have several ports open. I am not sure which ones I can block and not stop the system from functioning properly.
I am using a minimalistic approach.
These are the ports currently open.

I only need ssh, rlogin, rsh, ftp.

PORT STATE SERVICE VERSION
7/tcp open echo
9/tcp open discard?
13/tcp open daytime HP-UX daytime
19/tcp open chargen
21/tcp open ftp (Generally vsftp or WU-FTPD)
22/tcp open ssh OpenSSH 5.3p1+sftpfilecontrol-v1.3-hpn13v5 (protocol 1.99)
23/tcp open telnet HP-UX telnetd
37/tcp open time?
111/tcp open rpcbind 2-4 (rpc #100000)
135/tcp open msrpc?
512/tcp open exec HP-UX rexecd
513/tcp open login
514/tcp open tcpwrapped
543/tcp open klogin?
544/tcp open shell HP-UX Remshd (Kerberos disabled)
2121/tcp open ccproxy-ftp?
2301/tcp open http HP System Management Homepage
4045/tcp open nlockmgr 1-4 (rpc #100021)
5989/tcp open ssl/http Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
49152/tcp open status 1 (rpc #100024)

Help! please
4 REPLIES
RickT_1
Valued Contributor

Re: Unix Services Not essential

Hello,

You can edit the /etc/inetd.conf file and comment out any of the services in there that you don't need and then issue an "inetd -c" to reread the configuration file. If you find out you need a service then uncomment the entry and rerun the inetd -c.


Rick
Bill Hassell
Honored Contributor

Re: Unix Services Not essential

> I am using a minimalistic approach.

Then the answer is easy. You can implement airgap security (which means unplug all the LAN cables and modems). Now go to the console (using the RS-232 serial port) and you'll be completely secure (lock the door behind you).

Or you can edit /etc/inetd.conf and comment EVERYTHING. Then run inetd -c to reread the new file. That will disable ftp, telnet, web pages, network file sharing, network printing, etc. If you don't want ssh, then disable sshd in the /etc/rc.config.d directory. Now rerun the port scan. While you're in the /etc/rc.config.d directory, disable all the SNMP files.

Now both of these are drastic but meet the requirement to be minimalistic (and secure too). Of course, the best procedure is comment everything you don't need. Notice I didn't say "kernel needs". The system will be quite happy without any network services. You have to decide if you are going to transfer files and/or connect over the network. Most sysadmins comment out the legacy (deprecated) services:

daytime chargen time echo discard uucp ntalk finger

and the high risk 'r' commands:

login shell exec

and the obscure services:

kshell klogin ncpm-pm ncpm-hip

and the Xwindow junk:

recserv dtspc rpc

Now you have to decide on services that you might need. No printing? Drop "printer". No NFS? Drop the rpc daemons. Not using the system as an Ignite network server or other boothelper? Drop "tftp", "auth" and "bootps". Are you going to use ssh? Then drop "telnet" and "ftp".

Additionally some processes may be started from /etc/rc.config.d like TCPwrappers, SMH, and WBEM. Be careful though. Some of the newer add-ins defy the HP-UX standard and don't have a standard configure script. These are ppp, pppoe, cim_server, icod, net-ipv6, and pfilboot. You'll have to comment these rogues out in the appropriate /sbin/rc directories. To make them visible (for future sysadmins), I change the name of the links like this:

/sbin/rc2.d/__S130pfilboot /sbin/rc2.d/__S522ppp /sbin/rc2.d/__S600cimserver
/sbin/rc2.d/__S340net-ipv6 /sbin/rc2.d/__S523pppoe /sbin/rc2.d/__S602icod

Now the links will not be called because they don't start with "S".


Bill Hassell, sysadmin
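
The "comment out everything you don't need" step from the replies above, written as an allowlist filter (an added example, not part of any poster's reply). The function names and the sample file are constructed for illustration, and the script assumes one inetd.conf entry per line with the service name in the first field.

```shell
#!/bin/sh
# Added example (not from the thread): allowlist filter for inetd.conf.
# Assumes one entry per line with the service name in the first field.

# inetd_allowlist FILE "svc1 svc2 ..." -> hardened copy of FILE on stdout
inetd_allowlist() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blanks: untouched
        ($1 in allow)            { print; next }   # allowlisted service stays active
                                 { print "#" $0 }  # everything else is commented out
    ' "$1"
}

# inetd_active FILE -> space-separated names of services still enabled
inetd_active() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1" | sort -u | paste -s -d ' ' -
}

# Constructed sample in inetd.conf layout (not a real system's file).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
ftp      stream tcp nowait root /usr/lbin/ftpd     ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd  telnetd
login    stream tcp nowait root /usr/lbin/rlogind  rlogind
shell    stream tcp nowait root /usr/lbin/remshd   remshd
exec     stream tcp nowait root /usr/lbin/rexecd   rexecd
daytime  stream tcp nowait root internal
daytime  dgram  udp nowait root internal
chargen  stream tcp nowait root internal
#finger  stream tcp nowait bin  /usr/lbin/fingerd  fingerd
rpc      dgram  udp wait   root /usr/lbin/rpc.rstatd 100001 2-4 rpc.rstatd
EOF
}

# Demo: keep only the inetd entries behind ftp, rlogin ("login") and
# rsh ("shell"); sshd is not started from inetd.conf, so it is not listed.
SAMPLE="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
write_sample "$SAMPLE"
inetd_allowlist "$SAMPLE" "ftp login shell" > "$SAMPLE.new"
echo "before: $(inetd_active "$SAMPLE")"
echo "after:  $(inetd_active "$SAMPLE.new")"
rm -f "$SAMPLE" "$SAMPLE.new"
```

On a real system, review the generated copy against the original, keep a backup of /etc/inetd.conf before replacing it, then run inetd -c and repeat the port scan.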
James R. Ferguson
Acclaimed Contributor

Re: Unix Services Not essential

Hi:

A less than minimalistic approach which accomplished this and much more is to harden your server with Bastille:

http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c02281370/c02281370.pdf

Regards!

...JRF...
kwad
Occasional Advisor

Re: Unix Services Not essential

Thanx Guys for the help. Muchos appreciated