HPE Community
Operating System - HP-UX
1822504 Members
2365 Online
109642 Solutions
New Discussion

Disable the EXPN and VRFY commands.

 
SOLVED
Go to solution
Mehul5
Frequent Advisor

‎03-18-2014 11:55 PM - last edited on ‎03-19-2014 07:38 PM by

‎03-18-2014 11:55 PM - last edited on ‎03-19-2014 07:38 PM by

Disable the EXPN and VRFY commands.

Hi,

 

 

Can anyone tell what are rhe steps to implement the changes which are mentioned in the attachment.

 

 

This is for auditing purpose at client side.

 

 

Please find the attached file.

 

 

Regards,

Mehul

 

 

P.S. This thread has been moved from HP-UX>General to HP-UX > security. -HP Forum Moderator

0 Kudos
Reply
11 REPLIES 11
Bill Hassell
Honored Contributor

‎03-19-2014 06:14 PM

‎03-19-2014 06:14 PM

Re: Disable the EXPN and VRFY commands.

This is a typical but extensive list of vulnerabilities, and there are no easy answers. You can mitigate telnet and ftp services by disabling them but unless you if they are being used, the server will now appear to offline. So mitigation would involve changing access from telnet to ssh and ftp to scp or sftp -- which involve educating and setting up shh utilities for all users. So the questions cannot be addressed by just an HP-UX sysadmin, as is the case for many of the issues listed. You may need a security professional to  coordinate effort and help to ask all the questions and get the answers.



Bill Hassell, sysadmin
Reply
Mehul5
Frequent Advisor

‎03-21-2014 05:26 AM

‎03-21-2014 05:26 AM

Re: Disable the EXPN and VRFY commands.

Hi Bill,

 

Thanks for the info you have given. Can you please tell me the complete procedureto disable it.

 

Also there are many points which need to be implented in our systems.

 

I am attaching a file in which a list of parameters  have to be implemented.

 

Please find the attachment and suggest which are the parameters that can be implemented and which cannot.

 

Also tell me which points are based on OS i.e which one of them are related to OS that can be done by HP team.

 

Regards,

Mehul.

0 Kudos
Reply
Mehul5
Frequent Advisor

‎03-22-2014 01:50 AM

‎03-22-2014 01:50 AM

Re: Disable the EXPN and VRFY commands.

Hi all,


Thanks Bill for the info and I know that all the parameter changes cannot be solely done by an HP-UX sys admin but for this customer everything has to be done by him (i.e. me) and we acnnot co-ordinate with the security personnel directly.

 


Also the security professional's team does not in any way associate with us to co-ordinate on this topic.

 

 

So I request all to give your valuable suggestions on this issue.

 

(Please refer the attached document in my previous posts for details)

 

Regards,

Mehul.

0 Kudos
Reply
Bill Hassell
Honored Contributor

‎03-24-2014 06:13 PM

‎03-24-2014 06:13 PM

Re: Disable the EXPN and VRFY commands.

>> Can you please tell me the complete procedure to disable it.

 

If you are referring to the complete list, that would be a consulting engagement requiring several hours of interviews, testing and reporting. As I mentioned, a simple answer is that you can comment telent out of inetd.conf, which may completely disable your server. Each finding requires research to determine if the item is actually used, and if used, what would be a workaround that will not disable the server's purpose.



Bill Hassell, sysadmin
Reply
Mehul5
Frequent Advisor

‎03-25-2014 03:24 AM

‎03-25-2014 03:24 AM

Re: Disable the EXPN and VRFY commands.

hi Bill,

 

Can you please provoide the solutions for other questions.

 

Regards,

Mehul

0 Kudos
Reply
Bill Hassell
Honored Contributor

‎03-25-2014 08:40 AM - edited ‎03-25-2014 09:59 AM

‎03-25-2014 08:40 AM - edited ‎03-25-2014 09:59 AM

Solution

Re: Disable the EXPN and VRFY commands.

OK, all I am going to do is to tell you the simplest answer. Be warned that taking these actions will disable services. Figuring out what to do next will be your responsibility.

 

1. NFS: disable NFS in /etc/rc.config.d/nfsconf

2. Disable sendmail, mailx and mail by removing the execute bit.

3. Disable ftpd, rlogind, remshd, rexecd in /etc/inetd.conf

4. Disable all httpd web services

5. Disable all SNMP services in /etc.rc.config.d

6. (Same as 4) Disable httpd from running so no web services are available.

7. (Same as 4)

8. (Same as 4)

9. (Same as 4)

10. Put your console on an isolated subnet

11. (Same as 2)

12. Edit the sshd.config file and disable Version 1.

13. (same as 4)

14. Edit inetd.conf and disable dtlogin

15. Edit inetd.conf and disable finger

16. -- this finding is meaningless as there are no specifics --

17. (same as 4)

18 . (same as 4)

20. Disable all the rpc services in inetd.conf, number 1 disables rpc too

21. same as 3 except ssh: disable login banner in sshd.conf

22. same as 4

23 same as 4

24. same as 4

25. same as 4

 

I purposely left the specific details on which line in the config files to edit...this requires a knowledgeable sysadmin to perform these actions. And again, disabling all these features may render your server unuseable. You cannot blindly follow the recommendartions without help.



Bill Hassell, sysadmin
Reply
Dennis Handly
Acclaimed Contributor

‎03-25-2014 12:20 PM

‎03-25-2014 12:20 PM

Re: Disable the EXPN and VRFY commands.

>2. Disable sendmail, mailx and mail by removing the execute bit.

 

I would think this would only be the first, mailx/mail are only mail clients?

Of course these clients don't provide authentication, so they wouldn't be useful after hardening, unless a internal corporate server that doesn't check.

Reply
Mehul5
Frequent Advisor

‎03-29-2014 01:25 AM

‎03-29-2014 01:25 AM

Re: Disable the EXPN and VRFY commands.

Hi Bill & Dennis,

 

 

 

Thanks for providing the solution and also your time.

 

 

 

I would like to tell you that I have already disabled the telnet and I cannot disable nfs as we use nfs in our environment.

 

 

 

Still I would require help from you. Can you please tell me HOW to disable those parameters, viz. how to disable EXPN and VRFY in sendmail and etc.

 

 

 

Regards,

Mehul

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎03-29-2014 12:55 PM

‎03-29-2014 12:55 PM

Re: Disable the EXPN and VRFY commands.

>Can you please tell me HOW to disable those parameters, viz. how to disable EXPN and VRFY in sendmail

 

I'm not sure you can disable just those commands.  So you need to stop the sendmail demon from listening.

0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎03-30-2014 12:16 PM

‎03-30-2014 12:16 PM

Re: Disable the EXPN and VRFY commands.

If you follow Bill's instructions, sendmail will be completely disabled, so EXPN and VRFY will no longer work.

But maybe you don't want to disable Sendmail completely.

 

When I Googled with keywords "sendmail disable expn vrfy", this was the second result:

 

http://jibbysununix.blogspot.fi/2010/03/sendmail-disabling-help-and-version.html

 

Look at the step 2).

 

Note: depending on your HP-UX and Sendmail versions, you may have to make a similar change to /etc/mail/submit.cf too.

 

The above is just a quick "cookbook-style" instruction. To really understand Sendmail on HP-UX, you will need two books:

First, the HP-UX Mailing Services Administrator's Guide:

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02037761/c02037761.pdf

 

Second, the "sendmail" book from O'Reilly:

http://shop.oreilly.com/product/9780596510299.do

This is not downloadable for free, but it is very important if you're using Sendmail in a serious way. Usually you'll want the latest edition of the book, although earlier editions may be useful with old HP-UX versions (and people who have updated to the latest edition might be selling old editions of the book on eBay or similar).

 

The "sendmail" book will completely describe the operation and configuration of a standard version of Sendmail. As a printed book, it is a 1300-page monster, but don't worry. The largest part of the book is a list of every configuration setting in Sendmail: you don't need to read all of that, just read the introductory chapters at the beginning of the book, then pick & choose what you need, or use it as a reference.

 

But HP has made some modifications to the configuration: the HP-UX Mailing Services Administrator's Guide describes the differences and also gives direct advice for some common configurations. If you need an "advanced configuration" of Sendmail on HP-UX, you really need both. Without having read the "sendmail" book, you won't understand all the concepts and references in the Mailing Services Administrator's Guide.

 

If you need a sendmail configuration option that is not immediately available in the standard HP-UX sendmail.cf file, you'll need the complete Sendmail configuration macro system that is available at /usr/newconfig/etc/mail/cf/cf/. HP has  created a gen_cf script that makes it easier to use, but you'll really need the Mailing Services Administrator's Guide to successfully use it.

MK
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎03-30-2014 12:38 PM

‎03-30-2014 12:38 PM

Re: Disable the EXPN and VRFY commands.

OK, to simply disable these security issues, you can change the PrivacyOptions and SmtpGreetingMessage.

As with all sendmail settings, these may or may not all apply to your particular version of sendmail.

vi /etc/mail/sendmail.cf

Search for the line that has:

O PrivacyOptions=

To disable expn and vrfy (and authwarnings), change the line to:

O PrivacyOptions=authwarnings,noexpn,novrfy

And anticipating further security issues, change the default greeting from something like this:

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

 

to this:

O SmtpGreetingMessage=$j $b

 



Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.