
Which services do I need, which don't I?

 
L Gehl
Occasional Advisor

I'm beefing up heavily the security of some 10.20 and 11.00 boxes, and would like to remove any unnecessary service from running. Of everything that's in /sbin/init.d, which can I do without? Which do I absolutely need?

(I don't need nfs, sw running etc, mostly just basic networking. If I need something I can start it and stop it as needed.)

ie, what are these and do I need 'em? (before you tell me, I know what cron and inetd and the usual unix ones are :). Just the oddball HP-only ones I don't know about. )

OspfMib Rpcd SnmpHpunix SnmpMaster SnmpMib2 SnmpTrpDst acct apache_httpd audio auditing clean_adm clean_ex clean_tmps clean_uucp cmcluster cmsnmpagt comsec crashconf cron dce
ddfa dtlogin.rc ems emsa envd gated hostname hparamgr hparray hpbase100 hpbaset hpeisabt hpether hpfc hpfcms hpgsc100 hpnpd hppci100 hpvgal iforls inetd inetsvcs killall kmbuild kminit localmount lp maclan_init mrouted named net net.init nettl nfs.client nfs.core nfs.server nis.client nis.server nisplus.client nisplus.server ns-httpd pd ppp prm ptydaemon pwgr rarpd rbootd rdpd rwhod samba savecrash sendmail set_date set_prvgrp slsd spa supprtinfoswagentd swap_start swconfig syncer syslogd template tps.rc vtxfs xntpd

Thanks
L
5 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: Which services do I need, which don't I?

Hi:

You do *NOT* want to start disabling and/or capriciously modifying the scripts in /sbin/rc.d/ (/sbin/init.d/). You could end up with a system that is "toast" after a reboot.

If you want to harden your security, by disabling services you don't need, then start with:

1. Eliminate TCP/IP services not needed from inetd. (see man 1M inetd).

2. Increase logging of FTP activity and tighten usage (see man 4 ftpusers).

3. Follow this: http://secinf.net/info/unix/secureHP-UX.html

...JRF...
L Gehl
Occasional Advisor

Re: Which services do I need, which don't I?

While I wouldn't *like* to haphazardly remove anything I don't need, it may be my only recourse in an effort to lock down the service side of things. (ie, nis & nfs I can do, but the rest??) A sort of trial-and-error experiment.

Thanks
L
James R. Ferguson
Acclaimed Contributor

Re: Which services do I need, which don't I?

Hi:

OK. By design, please remember that you can control the action of the various /sbin/init.d/ scripts by toggling variables as defined in the corresponding /etc/rc.config.d/ files.

...JRF...
David Totsch
Valued Contributor

Re: Which services do I need, which don't I?

Keep in mind that some of the vestigial services are the most useful in a "denial of service attack". Consider removing "echo", "chargen" and "daytime". Daytime isn't so bad, but several chargen attachments can significantly impair the performance of a system.

-dlt-
RikTytgat
Honored Contributor

Re: Which services do I need, which don't I?

Hi,

Before really making any changes to your system, you could run inetd in logging mode (inetd -l) and check the syslog file for (legitimate) connections.

After a reasonable time (1 week for example) you can easily find the services that are not used, and you can disable them without too much of a problem.

Hope this helps,
Rik.
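
An added example, not part of the thread: one way to turn a week of `inetd -l` logging into a list of enabled inetd.conf entries that never received a connection, which also surfaces the internal `echo`, `chargen` and `daytime` entries mentioned above. The log line layout (`inetd[pid]: service/proto: Connection from ...`), the function name and all sample data are assumptions constructed for the example; check them against your own syslog before relying on the output.

```shell
#!/bin/sh
# unused_inetd_services CONF SYSLOG  (hypothetical helper name)
# Prints "service/proto" for each uncommented inetd.conf entry that has
# no logged inetd connection, one per line, sorted.
unused_inetd_services() {
    awk '
        # First file (syslog): remember every service/proto inetd logged.
        FILENAME == ARGV[1] {
            for (i = 1; i <= NF - 2; i++)
                if ($i ~ /^inetd(\[[0-9]+\])?:$/ && $(i + 2) == "Connection") {
                    svc = $(i + 1); sub(/:$/, "", svc); seen[svc] = 1
                }
            next
        }
        # Second file (inetd.conf): skip comments and short/blank lines.
        /^[ \t]*#/ || NF < 6 { next }
        { key = $1 "/" $3; if (!(key in seen)) print key }
    ' "$2" "$1" | sort -u
}

# Constructed sample data (assumed formats, not taken from the thread).
demo_dir="${TMPDIR:-/tmp}/inetd_audit.$$"
mkdir -p "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp      stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd telnetd
echo     stream tcp nowait root internal
chargen  stream tcp nowait root internal
chargen  dgram  udp nowait root internal
daytime  stream tcp nowait root internal
#shell   stream tcp nowait root /usr/lbin/remshd  remshd
EOF
cat > "$demo_dir/syslog.log" <<'EOF'
Mar  3 09:14:02 hpbox inetd[512]: telnet/tcp: Connection from admin1 (192.0.2.10) at Mon Mar  3 09:14:02 2003
Mar  3 09:20:41 hpbox inetd[512]: ftp/tcp: Connection from build1 (192.0.2.22) at Mon Mar  3 09:20:41 2003
Mar  4 11:02:17 hpbox inetd[512]: telnet/tcp: Connection from admin1 (192.0.2.10) at Tue Mar  4 11:02:17 2003
Mar  4 11:05:00 hpbox ftpd[2201]: FTP LOGIN FROM build1, build
EOF

# Candidates to comment out in inetd.conf after the observation period.
unused_inetd_services "$demo_dir/inetd.conf" "$demo_dir/syslog.log"
```

An entry missing from the log was only unused during the observation window, so services that run monthly or on demand still need a manual check before they are disabled.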