Operating System - HP-UX

Hardening Security after getting T@gged

SOLVED
Chris Tillman
New Member

Hardening Security after getting T@gged

After getting t@gged through an anonymous ftp login, what can I do to prevent this from happening again, in addition to removing the account and/or changing the password? Also, I would love to figure out how they got through: which logs would I want to examine, and where are they?

Thanks for any help,
Chris Tillman
Newbie Admin
Kent Ostby
Honored Contributor

Re: Hardening Security after getting T@gged

You can get a secure FTP solution along with ssh from HP, here:

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Rick Garland
Honored Contributor
Solution

Re: Hardening Security after getting T@gged

The /var/adm/syslog/syslog.log would be the first place to start. Other logs include the sulog, the 'last' output (coming from the wtmp), the xfer.log file if configured, etc. If the xfer.log is not configured, then the activity will be in the syslog.log file. Again, how much FTP configuration is in place will dictate how much FTP activity is recorded.

What the intruder did will provide more clues as to where to look for evidence. Hopefully you have accurate time on the system so you can get an idea of what time the event occurred.

For FTP, there is an HP write-up on how to configure restrictive ftp logins using 'chroot jails'. It also details how to set up anon ftp so as to only allow downloads and no uploads, or uploads in a specific area only.

Do a search for 'Restrict FTP'
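As an added example (not code from any reply in this thread), the script below pulls the anonymous-FTP evidence listed above out of syslog.log and xfer.log: who logged in anonymously, what they wrote to disk, and a single timeline to line up with sulog and 'last'. It assumes wu-ftpd style "ftpd -l" log formats and works on constructed sample lines, so it can be tried on any Unix box before being pointed at the real files.

```shell
#!/bin/sh
# Added example, not from any reply in this thread: pull the anonymous-FTP
# evidence the replies point at out of syslog.log and xfer.log.  ASSUMED
# formats: wu-ftpd style "ftpd -l" LOGIN lines in syslog and xferlog lines in
# xfer.log.  Every sample line below is constructed for this demo.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SYSLOG="$WORK/syslog.log"; XFER="$WORK/xfer.log"

cat > "$SYSLOG" <<'EOF'
Dec  4 02:11:07 hpbox ftpd[4412]: ANONYMOUS FTP LOGIN FROM attacker.example [192.0.2.10], mozilla@
Dec  4 02:11:09 hpbox ftpd[4412]: FTP session closed
Dec  4 02:13:40 hpbox ftpd[4420]: ANONYMOUS FTP LOGIN FROM attacker.example [192.0.2.10], warez@
Dec  4 09:00:01 hpbox ftpd[5001]: FTP LOGIN FROM client.example [192.0.2.77], jsmith
EOF
# xferlog fields: 1-5 date, 6 seconds, 7 remote host, 8 bytes, 9 path, 10 type,
# 11 action, 12 direction (i=upload, o=download), 13 access (a=anonymous,
# r=real user), 14 login name, 15-18 service, auth method, auth id, status.
cat > "$XFER" <<'EOF'
Mon Dec  4 02:12:01 2006 3 attacker.example 1402 /pub/incoming/t@g.nfo b _ i a mozilla@ ftp 0 * c
Mon Dec  4 02:14:12 2006 120 attacker.example 7340032 /pub/incoming/.hidden/pr0n.tar b _ i a warez@ ftp 0 * c
Mon Dec  4 09:01:10 2006 1 client.example 2048 /home/jsmith/report.txt b _ o r jsmith ftp 0 * c
EOF

# Hosts that logged in anonymously and how often: "<count> <host>".
anon_login_hosts() {
    awk '/ANONYMOUS FTP LOGIN FROM/ { n[$(NF-2)]++ }
         END { for (h in n) print n[h], h }' "$1" | sort -rn
}

# Files written to disk by anonymous sessions (direction i, access a).
anon_uploads() {
    awk '$12 == "i" && $13 == "a" { print $9, $8 " bytes from " $7 }' "$1"
}
count_anon_uploads() { anon_uploads "$1" | wc -l | tr -d ' '; }

# Logins and uploads on one clock, to line up with sulog and "last" output
# for the same window; this only helps if the system clock was accurate.
timeline() {
    grep 'FTP LOGIN FROM' "$1" | cut -c1-15 | sed 's/$/  login/'
    awk '$12 == "i" { printf "%s %2s %s  upload %s\n", $2, $3, $4, $9 }' "$2"
}

echo "== anonymous logins per host =="; anon_login_hosts "$SYSLOG"
echo "== anonymous uploads ==";         anon_uploads "$XFER"
echo "== timeline ==";                  timeline "$SYSLOG" "$XFER" | sort
```

On a real system, replace the two constructed files with /var/adm/syslog/syslog.log and the configured xfer.log path.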
Pete Randall
Outstanding Contributor

Re: Hardening Security after getting T@gged

Chris,

You might want to take a look at HP's Bastille offering:

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

"HP-UX Bastille is a security hardening/lockdown tool which can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system by system basis, addressing a large number of the recommendations from a number of popular security scanning tools and checklists."


Pete
Geoff Wild
Honored Contributor

Re: Hardening Security after getting T@gged

Included in Bastille is IPFilter:

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

You can use that to block certain ip's from accessing your box at all.

For logging, you need ftpd -l in inetd.conf

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Biswajit Tripathy
Honored Contributor

Re: Hardening Security after getting T@gged

Use Bastille/IPFilter for lockdown. Use the "log" feature of IPFilter to log connection attempts and other activities you think might be suspicious. Unless otherwise stated, IPFilter will log to the syslog file.

- Biswajit
:-)
Bill Hassell
Honored Contributor

Re: Hardening Security after getting T@gged

Unless you started extra logging in ftp, you won't have the details that you need. Unfortunately, HP-UX has historically been wide open out of the box (like many other Unix vendors). Unless you turn on lots of additional logging in several areas, the details will likely never be known. All existing systems and all new ones should run Bastille BEFORE going onto the network. Good security requires ruthless disabling of services and ports. You can always turn on a specific service once the risks have been identified and mitigated.

Anonymous ftp should never be allowed on any server, and ideally, no ftp service at all. Instead, use SSH (with the secure FTP capability). Yep, you'll have unhappy users that must learn something new and possibly inconvenient but a trashed server is the risk in keeping users from complaining.


Bill Hassell, sysadmin
Florian Heigl (new acc)
Honored Contributor

Re: Hardening Security after getting T@gged

There's a dozen things :)

first - remove write permissions from the pub/incoming directory
second - check you have *ALL* security patches for inetd and ftpd installed
third - think about whether you need the ftp daemon at all; if not, disable it; if yes:
do you need to allow any host access to it, or does it come down to a range of hosts?
fourth - try to chroot the ftp daemon.

The following steps are about safeguarding your system against (successful) intruders.
I would recommend you try them out on a test system two or three times.
disable any kind of root login
enable hp-ux shadow passwords
look at the often-referred-to hp-ux bastion host howto
chmod 1777 all temp directories
mount all temp directories noexec,nodev,nosuid
run the hp-ux bastille scripts - they should give you a great overview of the system's state.
yesterday I stood at the edge. Today I'm one step ahead.
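As an added example (not from the post above, nor an HP tool), this script audits several of the checklist items above, plus the "ftpd -l" logging point made earlier, by reading plain files: is ftp still enabled in inetd.conf and does it log, is pub/incoming world-writable, do temp directories carry the sticky bit, and which of noexec/nodev/nosuid each mount point lacks. It assumes HP-UX style inetd.conf and fstab layouts and builds constructed copies of both, so it can be run on a test system first.

```shell
#!/bin/sh
# Added example, not from any reply in this thread: audit the items in the
# checklist above by reading plain files, so it can be tried on a test system.
# ASSUMED layouts: HP-UX /etc/inetd.conf ("ftp stream tcp nowait root
# /usr/lbin/ftpd ftpd -l") and /etc/fstab (device mountpoint fstype options ...).
# The files and directories below are constructed for this demo.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
INETD="$WORK/inetd.conf"; FSTAB="$WORK/fstab"
cat > "$INETD" <<'EOF'
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
EOF
cat > "$FSTAB" <<'EOF'
/dev/vg00/lvol3 /    vxfs delaylog        0 1
/dev/vg00/lvol4 /tmp vxfs delaylog,nosuid 0 2
EOF
mkdir -p "$WORK/pub/incoming" "$WORK/tmp"
chmod 777 "$WORK/pub/incoming"   # the state the first item warns about
chmod 1777 "$WORK/tmp"           # result of "chmod 1777 all temp directories"

# Is ftp still enabled in inetd.conf, and does ftpd get the -l logging flag?
ftp_enabled() { grep -E '^[[:space:]]*ftp[[:space:]]' "$1" >/dev/null; }
ftp_logging() { grep -E '^[[:space:]]*ftp[[:space:]].*[[:space:]]-l([[:space:]]|$)' "$1" >/dev/null; }

# Which of noexec, nodev, nosuid a mount point lacks in its fstab options.
missing_mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = "," $4 ","; out = ""
        n = split("noexec nodev nosuid", want, " ")
        for (i = 1; i <= n; i++) { key = "," want[i] ","; if (index(opts, key) == 0) out = out want[i] " " }
        sub(/ $/, "", out); print out }' "$1"
}

# Permission checks read the mode string of ls -ld (portable across Unixes).
mode_of()        { ls -ld "$1" | cut -c1-10; }
world_writable() { case "$(mode_of "$1")" in ????????w?)    return 0 ;; *) return 1 ;; esac; }
has_sticky()     { case "$(mode_of "$1")" in ?????????[tT]) return 0 ;; *) return 1 ;; esac; }

# Report, in the order the checklist gives the items.
if world_writable "$WORK/pub/incoming"; then echo "pub/incoming is world-writable: remove the write bit"; fi
if ftp_enabled "$INETD" && ! ftp_logging "$INETD"; then echo "ftpd runs without -l: logins are not logged"; fi
if ! has_sticky "$WORK/tmp"; then echo "$WORK/tmp lacks the sticky bit (chmod 1777)"; fi
for mp in / /tmp; do
    m=$(missing_mount_opts "$FSTAB" "$mp")
    if [ -n "$m" ]; then echo "$mp is mounted without: $m"; fi
done
```

On a real HP-UX box, point INETD and FSTAB at /etc/inetd.conf and /etc/fstab and replace the constructed directories with the real ftp and temp paths.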
Chris Tillman
New Member

Re: Hardening Security after getting T@gged

Thanks for all your advice! I will begin implementing!
Chris