
Disable the EXPN and VRFY commands.

 
Mehul5
Frequent Advisor

Disable the EXPN and VRFY commands.

Hi,

Can anyone tell me what the steps are to implement the changes which are mentioned in the attachment?

This is for auditing purpose at client side.

Please find the attached file.

Regards,

Mehul

P.S. This thread has been moved from HP-UX>General to HP-UX > security. -HP Forum Moderator

Bill Hassell
Honored Contributor

Re: Disable the EXPN and VRFY commands.

This is a typical but extensive list of vulnerabilities, and there are no easy answers. You can mitigate telnet and ftp services by disabling them, but unless you know if they are being used, the server will now appear to be offline. So mitigation would involve changing access from telnet to ssh and ftp to scp or sftp -- which involves educating and setting up ssh utilities for all users. So the questions cannot be addressed by just an HP-UX sysadmin, as is the case for many of the issues listed. You may need a security professional to coordinate effort and help to ask all the questions and get the answers.



Bill Hassell, sysadmin
Mehul5
Frequent Advisor

Re: Disable the EXPN and VRFY commands.

Hi Bill,

Thanks for the info you have given. Can you please tell me the complete procedure to disable it.

Also there are many points which need to be implemented in our systems.

I am attaching a file in which a list of parameters have to be implemented.

Please find the attachment and suggest which are the parameters that can be implemented and which cannot.

Also tell me which points are based on OS, i.e. which of them are related to OS that can be done by HP team.

Regards,

Mehul.

Mehul5
Frequent Advisor

Re: Disable the EXPN and VRFY commands.

Hi all,

Thanks Bill for the info and I know that all the parameter changes cannot be solely done by an HP-UX sys admin but for this customer everything has to be done by him (i.e. me) and we cannot co-ordinate with the security personnel directly.

Also the security professional's team does not in any way associate with us to co-ordinate on this topic.

So I request all to give your valuable suggestions on this issue.

(Please refer to the attached document in my previous posts for details)

Regards,

Mehul.

Bill Hassell
Honored Contributor

Re: Disable the EXPN and VRFY commands.

>> Can you please tell me the complete procedure to disable it.

If you are referring to the complete list, that would be a consulting engagement requiring several hours of interviews, testing and reporting. As I mentioned, a simple answer is that you can comment telnet out of inetd.conf, which may completely disable your server. Each finding requires research to determine if the item is actually used, and if used, what would be a workaround that will not disable the server's purpose.



Bill Hassell, sysadmin
Mehul5
Frequent Advisor

Re: Disable the EXPN and VRFY commands.

Hi Bill,

Can you please provide the solutions for other questions.

Regards,

Mehul

Bill Hassell
Honored Contributor
Solution

Re: Disable the EXPN and VRFY commands.

OK, all I am going to do is to tell you the simplest answer. Be warned that taking these actions will disable services. Figuring out what to do next will be your responsibility.

1. NFS: disable NFS in /etc/rc.config.d/nfsconf

2. Disable sendmail, mailx and mail by removing the execute bit.

3. Disable ftpd, rlogind, remshd, rexecd in /etc/inetd.conf

4. Disable all httpd web services

5. Disable all SNMP services in /etc/rc.config.d

6. (Same as 4) Disable httpd from running so no web services are available.

7. (Same as 4)

8. (Same as 4)

9. (Same as 4)

10. Put your console on an isolated subnet

11. (Same as 2)

12. Edit the sshd.config file and disable Version 1.

13. (same as 4)

14. Edit inetd.conf and disable dtlogin

15. Edit inetd.conf and disable finger

16. -- this finding is meaningless as there are no specifics --

17. (same as 4)

18. (same as 4)

20. Disable all the rpc services in inetd.conf, number 1 disables rpc too

21. same as 3 except ssh: disable login banner in sshd.conf

22. same as 4

23. same as 4

24. same as 4

25. same as 4

I purposely left out the specific details on which line in the config files to edit... this requires a knowledgeable sysadmin to perform these actions. And again, disabling all these features may render your server unusable. You cannot blindly follow the recommendations without help.



Bill Hassell, sysadmin
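
Before commenting anything out, it helps to see which of the inetd-launched daemons named in items 3 and 15 (plus telnetd from earlier in the thread) are still active. The script below is an added example, not posted by anyone in this thread; the sample inetd.conf lines and the function names `audit_inetd` and `sample_inetd` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list inetd.conf entries that are still active for the
# daemons named in the reply above. The sample file contents are constructed.

# Daemons to flag: ftpd, rlogind, remshd, rexecd (item 3), fingerd (item 15),
# telnetd (mentioned earlier in the thread).
RISKY="ftpd rlogind remshd rexecd fingerd telnetd"

# audit_inetd [FILE] -> prints "service daemon" for every active risky entry.
# Reads stdin when FILE is omitted. Returns 1 if anything was found, else 0.
audit_inetd() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }      # commented-out or incomplete line
        {
            # Field 6 of an inetd.conf entry is the server program path.
            m = split($6, p, "/"); prog = p[m]
            if (prog in want) { print $1, prog; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample: two entries already commented out, three still active.
sample_inetd() {
    cat <<'EOF'
# constructed sample, not taken from a real host
ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
#telnet stream tcp nowait root /usr/lbin/telnetd  telnetd
login   stream tcp nowait root /usr/lbin/rlogind  rlogind
#shell  stream tcp nowait root /usr/lbin/remshd   remshd
daytime stream tcp nowait root internal
finger  stream tcp nowait bin  /usr/lbin/fingerd  fingerd
EOF
}

sample_inetd | audit_inetd || echo "finding: entries above are still enabled"
```

On a real host the same function takes the file as its argument, for example `audit_inetd /etc/inetd.conf`; inetd only picks up edits after it is told to re-read its configuration.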
Dennis Handly
Acclaimed Contributor

Re: Disable the EXPN and VRFY commands.

>2. Disable sendmail, mailx and mail by removing the execute bit.

I would think this would only be the first, mailx/mail are only mail clients?

Of course these clients don't provide authentication, so they wouldn't be useful after hardening, unless an internal corporate server that doesn't check.

Mehul5
Frequent Advisor

Re: Disable the EXPN and VRFY commands.

Hi Bill & Dennis,

Thanks for providing the solution and also your time.

I would like to tell you that I have already disabled the telnet and I cannot disable nfs as we use nfs in our environment.

Still I would require help from you. Can you please tell me HOW to disable those parameters, viz. how to disable EXPN and VRFY in sendmail, etc.

Regards,

Mehul

Dennis Handly
Acclaimed Contributor

Re: Disable the EXPN and VRFY commands.

>Can you please tell me HOW to disable those parameters, viz. how to disable EXPN and VRFY in sendmail

I'm not sure you can disable just those commands. So you need to stop the sendmail daemon from listening.
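
For the audit finding in the thread title, an added example (not posted by anyone in this thread): sendmail reads a `PrivacyOptions` setting from sendmail.cf, and the flags `noexpn` and `novrfy`, or `goaway`, which includes both, make it refuse EXPN and VRFY. The script reports what a given config file sets; the sample contents and the function names are constructed, and only the long form `O PrivacyOptions=...` is parsed.

```shell
#!/bin/sh
# Added example: report whether a sendmail.cf turns off EXPN and VRFY.
# The sample configs below are constructed, not taken from a real host.

# privacy_flags [FILE] -> active PrivacyOptions flags, one per line.
# Commented-out lines do not match because they do not start with "O".
privacy_flags() {
    awk '
        /^O[ \t]*PrivacyOptions[ \t]*=/ {
            sub(/^[^=]*=/, "")                    # keep only the value
            n = split($0, f, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (f[i] != "") print f[i]
        }
    ' "${1:--}"
}

# check_expn_vrfy [FILE] -> prints "EXPN=<state> VRFY=<state>".
# Returns 0 only when both commands are disabled. A config with no
# PrivacyOptions line is reported as enabled for both.
check_expn_vrfy() {
    expn=enabled; vrfy=enabled
    for f in $(privacy_flags "$@"); do
        case $f in
            noexpn) expn=disabled ;;
            novrfy) vrfy=disabled ;;
            goaway) expn=disabled; vrfy=disabled ;;
        esac
    done
    echo "EXPN=$expn VRFY=$vrfy"
    [ "$expn" = disabled ] && [ "$vrfy" = disabled ]
}

# Constructed samples: one config that leaves both commands on, one that
# turns them off (with an older setting left commented out above it).
sample_weak() { printf '%s\n' '# constructed sample' 'O PrivacyOptions=authwarnings'; }
sample_hard() { printf '%s\n' '#O PrivacyOptions=authwarnings' \
                              'O PrivacyOptions=authwarnings,noexpn,novrfy'; }

sample_weak | check_expn_vrfy || echo "finding: EXPN/VRFY not restricted"
sample_hard | check_expn_vrfy && echo "ok: EXPN/VRFY refused"
```

On HP-UX the file to check is normally `/etc/mail/sendmail.cf` (an assumption about the host layout), and sendmail has to be restarted before a changed setting takes effect.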