
Disable unused services

Ngoh Chean Siung
Super Advisor


Hi,

1) How do I ensure that a service is not used in our system, even if by default it is already set to enabled/on?

regards
G. Vrijhoeven
Honored Contributor

Re: Disable unused services

Hi,

A service is active on a port and can be monitored using the netstat -a command
(current settings; this does not include historical info).

To disable services you must disable a daemon or hash it out of /etc/inetd.conf.

Regards,

Gideon
Biswajit Tripathy
Honored Contributor

Re: Disable unused services

Best technique for this is to use IPFilter system
firewall. Block incoming connections to all the ports
by default and allow only the ones that you want.
If you give details of which services you want to
allow, I could help you with how to setup IPFilter.

- Biswajit
:-)
Ngoh Chean Siung
Super Advisor

Re: Disable unused services

Hi,

My 2 HP servers' versions are 11 and 11.11. Actually our servers don't have an internet connection.

Through netstat, I am able to see a list of the active services. How do I confirm 100% that a service name that exists in inetd.conf but does not appear in the netstat output is NOT needed by our system and therefore can be disabled?

regards.
Jannik
Honored Contributor

Re: Disable unused services

IPFilter is a very good solution.
If you just want to look at what is running on the system, use netstat -a or netstat -an.
If you want to look from the outside, use port scanning tools like nmap ('nmap -sT').
To deactivate services you have different options as standard: some are activated and deactivated in the resource configuration under /etc/rc.config.d and some in /etc/inetd.conf...

Consider disabling all network services:
---
# inetd -k
# vi /etc/rc.config.d/netdaemons
export INETD_ARGS="-k"

Consider disabling selected network services
---
vi /etc/inetd.conf
#telnet stream tcp nowait root /usr/lbin/telnetd telnetd
# inetd -c

Consider disabling selected services for selected hosts or subnets
---
vi /var/adm/inetd.sec
telnet allow hosta hostb 128.1.*.* 128.2.1-5.*
login deny hosta hostb 128.*.*.*

If you look at services, we could take the CDE example:
disabling CDE:
# /sbin/init.d/dtlogin.rc stop
# vi /etc/rc.config.d/desktop
DESKTOP=""

Hope it helps!
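As an added example that is not part of Jannik's post or of anyone else's in this thread, the script below does the cross-check asked about earlier in the thread: it compares the services enabled in inetd.conf with what netstat -an reports as listening. It runs on three constructed sample files written to a temporary directory; on a real HP-UX system you would point INETD_CONF, SERVICES and NETSTAT_OUT at /etc/inetd.conf, /etc/services and a saved `netstat -an` output. Only TCP entries are audited, because UDP sockets show no LISTEN state in netstat output. The netstat column layout and the /etc/services line format are assumed to be HP-UX's.

```shell
#!/bin/sh
# Audit: which inetd.conf services are enabled, which TCP ports are actually
# listening, and where the two disagree.
# Added example, not from the original thread. The three input files are
# constructed samples, not copied from any real system.

WORK=${TMPDIR:-/tmp}/inetd-audit.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
INETD_CONF="$WORK/inetd.conf"     # real system: /etc/inetd.conf
SERVICES="$WORK/services"         # real system: /etc/services
NETSTAT_OUT="$WORK/netstat.out"   # real system: netstat -an > file

# Constructed sample inetd.conf: ftp and telnet enabled, login commented out,
# tftp enabled over UDP.
cat > "$INETD_CONF" <<'EOF'
# constructed sample, not a real inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#login  stream tcp nowait root /usr/lbin/rlogind rlogind
tftp    dgram  udp wait   root /usr/lbin/tftpd   tftpd
EOF

# Constructed sample of the /etc/services lines needed to map names to ports.
cat > "$SERVICES" <<'EOF'
ftp     21/tcp
ssh     22/tcp
telnet  23/tcp
tftp    69/udp
login   513/tcp
EOF

# Constructed sample netstat -an output in HP-UX layout: port 21 listens,
# port 23 does not (telnet was added but inetd -c never run), and port 22
# listens although sshd is not an inetd service.
cat > "$NETSTAT_OUT" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.21                   *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  10.1.2.3.22            10.1.2.99.41234        ESTABLISHED
udp        0      0  *.69                   *.*
EOF

# "name proto" for every uncommented inetd.conf entry.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1, $3 }' "$INETD_CONF"
}

# Map a service name and protocol to its port via the services file.
service_port() {
    awk -v n="$1" -v p="$2" '$1 == n { split($2, a, "/"); if (a[2] == p) { print a[1]; exit } }' "$SERVICES"
}

# TCP ports in LISTEN state: the number after the last dot of the local address.
listening_tcp_ports() {
    awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, "."); print a[n] }' "$NETSTAT_OUT" | sort -un
}

# Enabled inetd TCP services whose port is not listening: inetd was not
# reconfigured (inetd -c) after the edit, or the entry never worked.
configured_not_listening() {
    inetd_enabled | while read -r name proto; do
        [ "$proto" = tcp ] || continue
        port=$(service_port "$name" "$proto")
        [ -n "$port" ] || { echo "$name: no port in services file"; continue; }
        listening_tcp_ports | grep -qx "$port" || echo "$name $port"
    done
}

# Listening TCP ports that no enabled inetd.conf entry explains: standalone
# daemons started from /sbin/rc, to be switched off under /etc/rc.config.d.
listening_not_inetd() {
    inetd_ports=$(inetd_enabled | while read -r name proto; do
        if [ "$proto" = tcp ]; then service_port "$name" "$proto"; fi
    done)
    for port in $(listening_tcp_ports); do
        echo "$inetd_ports" | grep -qx "$port" || echo "$port"
    done
}

audit_report() {
    echo "== enabled in inetd.conf but not listening (TCP) =="
    configured_not_listening
    echo "== listening TCP ports not owned by inetd.conf =="
    listening_not_inetd
}

audit_report
```

On the sample data the report lists telnet (port 23) as enabled but not listening, and port 22 as listening without an inetd.conf entry; the first is fixed by running inetd -c, the second is sshd and has to be handled in /etc/rc.config.d. The script only reads files, so it is safe to run on a production system.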
jaton
Biswajit Tripathy
Honored Contributor

Re: Disable unused services

If you don't want any of the inetd services to
be enabled, just comment all the entries in the
inetd.conf file and send a SIGHUP signal to
inetd process.

- Biswajit
:-)
G. Vrijhoeven
Honored Contributor

Re: Disable unused services

Hi,

To disable services, hash out the line and issue an inetd -c.
Mind that telnet, ftp, tftp, login etc. will not work anymore (make sure you have ssh active so you can still log on to the server).

HTH,

Gideon

Todd Whitcher
Esteemed Contributor

Re: Disable unused services


To ensure a service is not running on a port you can use a port scanning tool like nessus or nmap.

They will scan your system and test for open ports and create a status report.

http://www.nessus.com

http://www.insecure.org/nmap/

To lock down your system you can download HP's Bastille product and IPFilter product. If you have them both installed, Bastille will also create an IPFilter configuration for you.

You can get both of these at:

http://www.software.hp.com

Just search on ipfilter and bastille.

The documentation is available at:

http://docs.hp.com

Hope that helps,

Todd
Ngoh Chean Siung
Super Advisor

Re: Disable unused services

Under /etc/inetd.conf, I hashed the lines below and issued the command "inetd -c":

1)ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
2)login stream tcp nowait root /usr/lbin/rlogind rlogind
3)klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K

But why can I still execute the commands ftp and rlogin? What is the purpose of disabling the services in inetd.conf? Is this file used during system startup or..?

regards.
Nguyen Anh Tien
Honored Contributor

Re: Disable unused services

Hi Ngoh
Happy new year.
/etc/inetd.conf is the file that enables or disables services at startup.
As you typed in this file:
====
1)ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
2)login stream tcp nowait root /usr/lbin/rlogind rlogind
3)klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K
=====
this file allows the ftp and rlogin services to start at startup.
*) ftp and rlogin are commands that allow you to connect to an ftp or rlogin server (they are only client tools).
In order to disable those services, just add (#) at the beginning of each line:
#ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
HP is simple
Ngoh Chean Siung
Super Advisor

Re: Disable unused services

Hi,

I already hashed these 2 lines and then saved & quit this file. After that, I issued the command "inetd -c" to activate it. But why can I still execute these commands (ftp, rlogin)?

regards.
Michael Selvesteen_2
Trusted Contributor

Re: Disable unused services

Hello,

1. Why can I still execute the commands ftp and rlogin?

ftp and rlogin are just client programs. They are not affected by /etc/inetd.conf, as this file controls only the server part.

If you still need to disable these commands, a simple way may be to move the binaries to a different name,
e.g.: mv /usr/bin/ftp /usr/bin/ftp_

2. What is the purpose of disabling the services in inetd.conf?

inetd, also called the super server, will load a network program based upon a request from the network. The inetd.conf file tells inetd which ports to listen to and what server to start for each port. So if you feel a service is no longer required for your system you can simply disable the service in /etc/inetd.conf.

3. Is this file used during system startup or..?

Yes. But at any time after startup an administrator can modify the configuration file and restart the super server using the SIGHUP signal. This allows a service which started during startup to be disabled later.

Hope this helps.

--
M
Ngoh Chean Siung
Super Advisor

Re: Disable unused services

Hi,

What you mean is that inetd only controls the server side, right? If I hashed the ftp and rlogin lines, it means that the server itself cannot execute these commands, rather than the client that connects to this server. Am I right? Is there any way to prove that the server is unable to run these commands after hashing these 2 lines?

regards.
Michael Selvesteen_2
Trusted Contributor

Re: Disable unused services

Hello,

1. If I hashed the ftp and rlogin lines, it means that the server itself cannot execute these commands, rather than the client that connects to this server. Am I right?

You should be clear that server and client are different programs. The server has no need to execute those commands from your system.

For example, ftpd and ftp are server and client programs respectively, which are entirely different.

ftpd is a server which listens for ftp connections from the network or even from your own machine. When you enable this service you are allowing your system to do file transfer. Simply, you can tune the services that are provided by the system with /etc/inetd.conf. That is it.

In the same way, when you need to transfer files over the network you need an ftp client, which contacts your remote server and fetches the file for you.

So when you disable a server, it does not mean that the respective client is also disallowed. It is not necessary to do so. Your clients are required to contact other remote servers for various purposes.

If you feel you no longer need any clients you can remove them. There are a number of methods to remove them (e.g. swremove etc.).

2. Is there any way to prove that the server is unable to run these commands after hashing these 2 lines?

If you hashed ftp,

try ftp from another machine to this machine. If it fails, it means you have no ftp service on your machine.

Hope this helps.

--
M
Ngoh Chean Siung
Super Advisor

Re: Disable unused services

Hi,

1) When the client uses the command "ftp", it will invoke the command "ftpd". Am I right? What I know about commands with a "d" at the end is that it stands for daemon. Is that correct?

2) The test that I have to do is to try to log in at the console (instead of telnet as a client) and try to do ftp after disabling this ftp service. Am I right?

regards.
Michael Selvesteen_2
Trusted Contributor

Re: Disable unused services

Hello,

1. When the client uses the command "ftp", it will invoke the command "ftpd". Am I right?

No, the client will not use or invoke any command. Consider the following example,

command: ftp

Here ftp is a local client program, which is designed to establish an ftp session with ftpd on the remote host. Internally, ftpd on the remote machine listens on port 21. Any ftp client by default connects to port 21 of the remote machine where ftpd runs.

For more info the following links may be useful

http://www.webdevelopersnotes.com/basics/client_server_architecture.php3

http://www.faqs.org/faqs/client-server-faq/preamble.html

2. The test that I have to do is to try to log in at the console (instead of telnet as a client) and try to do ftp after disabling this ftp service. Am I right?

Simply try

command: ftp localhost

If the connection succeeds it is clear that ftpd is running; otherwise it is disabled.

Hope this helps.

--
M
Ngoh Chean Siung
Super Advisor

Re: Disable unused services

Hi,

I am not able to ftp at the console after I hashed the ftp line, but what about the command "rlogin"? I already hashed out the 2 lines below, but through the console I can still run "rlogin".

1)login stream tcp nowait root /usr/lbin/rlogind rlogind
2)klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K

regards.
Michael Selvesteen_2
Trusted Contributor
Solution

Re: Disable unused services

Hello,

1. Does rlogin localhost work?

2. On the remote server comment out the following lines

login stream tcp nowait root /usr/lbin/rlogind rlogind
klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K

and then restart inetd, and now issue from your system

rlogin to it. Does it work?

--
M
Nguyen Anh Tien
Honored Contributor

Re: Disable unused services

> I already hashed these 2 lines and then saved & quit this file. After that, I issued the command "inetd -c" to activate it. But why can I still execute these commands (ftp, rlogin)?

I just said ftp and rlogin are client tools.
When you type the ftp or rlogin command, the required option is the server name or the server's IP. It means that you ftp or rlogin to that server.

If you want to block rlogin, ftp use
/var/adm/inetd.sec
login allow|deny IP or hostname
ftp allow|deny IP or hostname
HP is simple
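Added example, not from Nguyen Anh Tien's post or from anyone else in this thread: a small evaluator for the /var/adm/inetd.sec format shown above and in Jannik's earlier reply, so that a rule such as `telnet allow 10.1.2.* 192.168.1-20.*` can be tested against a client address before you rely on it. The policy file here is a constructed sample in a temporary directory. The semantics implemented are my reading of inetd.sec(4): a service with no entry is open to all hosts, `allow` lists the only hosts permitted, `deny` lists the hosts refused, `*` matches any value in an address field and `a-b` an inclusive range; `allow` with an empty host list is treated as denying everyone (an assumption). Host names are not resolved; only dotted-quad patterns are handled.

```shell
#!/bin/sh
# Evaluate an inetd.sec policy for a (service, client IP) pair.
# Added example; the policy below is constructed, and the inetd.sec semantics
# are as described in the lead-in, not verified against every HP-UX release.

WORK=${TMPDIR:-/tmp}/inetd-sec.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
INETD_SEC="$WORK/inetd.sec"        # real system: /var/adm/inetd.sec

# Constructed sample policy: one line per service, as inetd.sec requires.
cat > "$INETD_SEC" <<'EOF'
# service  allow|deny  hosts/networks (constructed sample)
telnet  allow  10.1.2.* 192.168.1-20.*
login   deny   10.*.*.*
ftp     allow
EOF

# Usage: inetd_sec_permits SERVICE DOTTED_IP
# Prints "allow" or "deny" and returns 0 for allow, 1 for deny.
inetd_sec_permits() {
    awk -v svc="$1" -v ip="$2" '
        # One address field: "*" is a wildcard, "a-b" an inclusive range,
        # anything else an exact number.
        function field_match(pat, val,   r) {
            if (pat == "*") return 1
            if (split(pat, r, "-") == 2) return (val + 0 >= r[1] + 0 && val + 0 <= r[2] + 0)
            return (pat + 0 == val + 0)
        }
        # Whole pattern against a dotted quad; non-dotted tokens (host names)
        # never match because this example does not resolve names.
        function addr_match(pat, addr,   p, a, i) {
            if (split(pat, p, ".") != 4 || split(addr, a, ".") != 4) return 0
            for (i = 1; i <= 4; i++) if (!field_match(p[i], a[i])) return 0
            return 1
        }
        /^[ \t]*#/ || NF == 0 { next }
        $1 == svc {
            found = 1; verdict = $2; listed = 0
            for (i = 3; i <= NF; i++) if (addr_match($i, ip)) listed = 1
            # allow: only listed hosts get in; deny: listed hosts are refused
            decision = (verdict == "allow") ? listed : !listed
            exit
        }
        END {
            if (!found) decision = 1     # no entry at all: service open to everyone
            print decision ? "allow" : "deny"
            exit decision ? 0 : 1
        }' "$INETD_SEC"
}

# Probe a few client addresses against the sample policy.
for probe in "telnet 10.1.2.77" "telnet 192.168.21.4" "login 10.9.9.9" "ftp 172.16.0.1" "ssh 172.16.0.1"; do
    set -- $probe
    echo "$1 from $2: $(inetd_sec_permits "$1" "$2")"
done
```

Note the two traps the sample exposes: `ftp allow` with no hosts shuts the service to everyone (if that is not what you meant, comment the line out or list the hosts), and a service with no line at all (ssh here) is not restricted by inetd.sec in any way, so "not mentioned" means "open", not "blocked".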
Sunil Sharma_1
Honored Contributor

Re: Disable unused services

Hi,

Servers provide services and clients use services. Any host can be a server and a client at the same time.

When you hash a line in the /etc/inetd.conf file you stop your server from providing that service to other clients, but your host can still act as a client for other servers.

When you run the rlogin command to connect to another server it doesn't check /etc/inetd.conf, because it doesn't require any daemon to be running.

There is no configuration file where you can stop these client services. If you don't want any of your users to run these commands you can change the permissions of rlogin and ftp to 000.

Sunil
*** Dream as if you'll live forever. Live as if you'll die today ***
Biswajit Tripathy
Honored Contributor

Re: Disable unused services

Commenting out services in inetd.conf will only stop outside clients from using the service on your system; it will not stop users of your system from using the service provided by other servers. When you run "rlogin" from your system, you are using the service on the other host, which is not disabled.

To have more control over what type of
connections are allowed in and out of your system,
IPFilter system firewall is a better tool as it is
designed for that. If you are on HP-UX 11.23, it's
already installed on your system. If you are on
HP-UX 11.11 /11.00, you could pick up the free
IPFilter bits from software.hp.com

- Biswajit
:-)
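Added example, not from Biswajit's post: an IPFilter ruleset that does what he describes, blocking all inbound connections by default and opening only what is needed. The admin subnet 10.1.2.0/24, the lan0 interface name and the choice of ssh as the only inbound service are assumptions; the file lives at /etc/opt/ipf/ipf.conf on HP-UX and is loaded with `ipf -Fa -f /etc/opt/ipf/ipf.conf`.

```conf
# /etc/opt/ipf/ipf.conf -- default-deny inbound policy (added example; the
# 10.1.2.0/24 admin subnet and lan0 interface are assumptions)

# Loopback traffic never leaves the box; leave it alone.
pass in  quick on lo0 all
pass out quick on lo0 all

# Connections this host opens are allowed; "keep state" lets the replies back
# in without needing a matching "pass in" rule.
pass out quick on lan0 proto tcp  from any to any flags S keep state
pass out quick on lan0 proto udp  from any to any keep state
pass out quick on lan0 proto icmp from any to any keep state

# The only inbound service: ssh from the admin subnet. "flags S" matches new
# connections only; the state table handles the rest of each session.
pass in quick on lan0 proto tcp from 10.1.2.0/24 to any port = 22 flags S keep state

# Everything else inbound is blocked and logged. Because the pass rules above
# are "quick", only packets nothing else matched reach this rule.
block in log on lan0 all
```

Rule order matters: IPFilter takes the last matching rule unless a rule says `quick`, which is why every pass rule here is `quick` and the catch-all block sits at the end. After loading, `ipfstat -io` lists the active inbound and outbound rules so you can confirm the block rule is present and nothing wider than port 22 is passed in; test from a host outside 10.1.2.0/24 before trusting it.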
Ngoh Chean Siung
Super Advisor

Re: Disable unused services

Hi,

It works after I hashed the 2 lines on the remote server as well.

Q1)
What is the difference between these 2 lines? I tried man 'rlogind' but there is no parameter for "-K".

1) login stream tcp nowait root /usr/lbin/rlogind rlogind
2) klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K

Q2)
What is the difference between talk (/usr/bin/talk) and ntalk (/usr/lbin/ntalkd) in terms of usage? In which situation would we use these commands?

Q3) When would we use the command "/usr/sbin/rlpdaemon"? Through man, rlpdaemon stands for remote spooling line printer daemon, message write daemon.

regards.
Michael Selvesteen_2
Trusted Contributor

Re: Disable unused services

Hello,

1. What is the difference between these 2 lines? I tried man 'rlogind' but there is no parameter for "-K".

1) login stream tcp nowait root /usr/lbin/rlogind rlogind

To start rlogind from the inetd daemon in a non-secure environment.

2) klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K

To start rlogind from the inetd daemon in a secure environment; -K implies that authorization based on Kerberos V5 must succeed or access will be rejected.

2. What is the difference between talk (/usr/bin/talk) and ntalk (/usr/lbin/ntalkd) in terms of usage? In which situation would we use these commands?

ntalk means "new talk", an update of the Unix "talk" program, old versions of "talk" being referred to as "old talk". New talk and old talk are generally incompatible, and attempts to get them to communicate result in entirely unhelpful error messages.

3. When would we use the command "/usr/sbin/rlpdaemon"? Through man, rlpdaemon stands for remote spooling line printer daemon, message write daemon.

The Line Printer Daemon is used to allow heterogeneous Unix environments to share printers over a network.

Hope this helps.

--
M
Ngoh Chean Siung
Super Advisor

Re: Disable unused services

Hi,

1) To start rlogind from the inetd daemon in a non-secure environment.
What is meant by non-secure environment? Any examples?

2) To start rlogind from the inetd daemon in a secure environment; -K implies that authorization based on Kerberos V5 must succeed or access will be rejected.
What is Kerberos V5? Through man sis, I was able to get some info but I am still not clear about it. Is it software or a patch that we need to install in order to get this? Btw, how does Kerberos V5 work?

regards.
Muthukumar_5
Honored Contributor

Re: Disable unused services

You can find out which services are started during startup from /etc/rc.log or by executing /sbin/rc.

If you want to disable a service permanently, then comment out (#) that service and port in the /etc/services file. Also comment out the service startup information in /etc/inetd.conf. After making changes to inetd.conf, reconfigure inetd with inetd -c.

AND, stop all service startup in the init scripts so that system startup will be shorter.

HTH.
Easy to suggest when don't know about the problem!