System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

TFTP servers restrict access to trusted sources only.

 
SOLVED
Go to solution
GTFSpanneer
Frequent Advisor

TFTP servers restrict access to trusted sources only.

Hi All,

please look into below issue


The remote host has a TFTP server installed that is serving one or more sensitive HP Ignite-UX files.
These files potentially include sensitive information about the hardware and software configuration of the HPUX host, so should not be exposed to unnecessary
scrutiny.

Solution :
If it is not required, disable or uninstall the TFTP server. Otherwise restrict access to trusted sources only.

Please help me how to restrict access to trusted resources only.
8 REPLIES
Bill Hassell
Honored Contributor

Re: TFTP servers restrict access to trusted sources only.

tftp is not a secure protocol and cannot be made secure except by disabling it.

http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol

Because tftp has virtually no authentication, disabling tftp in /etc/inetd.conf is your only choice. That's one of the reasons that the name is "trivial". It is simply not a secure protocol and should never be routed into non-secure networks.


Bill Hassell, sysadmin
Matti_Kurkela
Honored Contributor
Solution

Re: TFTP servers restrict access to trusted sources only.

I assume this is a standard HP-UX TFTP server daemon?

If so, it's started by the HP-UX inetd, and therefore restrictable by the optional /var/adm/inetd.sec file. If the file does not exist, you can create it.

See "man inetd.sec" for more information.

For example, if you want to restrict it to networks 192.168.66.* and 10.1.*.* only, you might write a line like this to /var/adm/inetd.sec:

tftp allow 192.168.66.* 10.1.*

MK
MK
GTFSpanneer
Frequent Advisor

Re: TFTP servers restrict access to trusted sources only.

Dera MK,

please let me know what to be restarted after adding entries in inetd.sec file.
and how to check the tftp restrict access.

Regards,
Panneer.
Michael Steele_2
Honored Contributor

Re: TFTP servers restrict access to trusted sources only.

Hi

a) inetd.sec is / has been obsolete for two decades.

b) if you continue to use it, then you must restart the inetd daemon after any changes. To restart:

# inetd -c

c) tcp_wrappers has been used as a replacement to inetd.sec

http://www.linuxfromscratch.org/blfs/view/stable/basicnet/tcpwrappers.html

d) The default Ignite Servers setup is to work in only one subnet, as it is very easy to secure an internal subnet through the routers and gateways.

e) I don't see your concern for anonymous pulling igniting from your own servers in your own datacenter on your own internal subnets.

f) To enhance igniting over two subnets additional O/S patching and router enhancements called "Boot Helper" are required, see Page 80 of below, also see router manufacter for compatibility.

http://docs.hp.com/en/B2355-90970/apcs01.html

e) There is a Ignite registration procedure from the server that may or may not be enough security for you, see page 45 of above. I've used this procedure to push ignite out to clients, however, I think you are more interested in anonymous pulling clients and I don't know if this client registration is enough. When I've used it the Ignite server will automatically detect any new client within the current subnet only. And I'm not sure if auto detection of new clients works with Boot Helper.
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: TFTP servers restrict access to trusted sources only.

"...how to check the tftp restrict access...."

telnet server 69
Connected? ( y/n )

tftp 69/tcp Trivial File Transfer
tftp 69/udp Trivial File Transfer
Support Fatherhood - Stop Family Law
rick jones
Honored Contributor

Re: TFTP servers restrict access to trusted sources only.

Using the ipfilter module in HP-UX might be a way to accomplish this - it could be setup to block tftp access to all but a specified set of source IP addresses.
there is no rest for the wicked yet the virtuous have no pillows
GTFSpanneer
Frequent Advisor

Re: TFTP servers restrict access to trusted sources only.

Thanks to all.

I have one more issue ,please look into below issue

SSL Version 2 (v2) Protocol Detection
Synopsis :

The remote service encrypts traffic using a protocol with known weaknesses.

Description :

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Solution :

Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Michael Steele_2
Honored Contributor

Re: TFTP servers restrict access to trusted sources only.

It is unsecure because it is not 2048 bit encryption. It is something less than 2048 bit, which is the current standard.
Support Fatherhood - Stop Family Law