GreenLake Administration
- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- How to secure HP-UX 11.0 to prevent people from ge...
Operating System - HP-UX
1847587
Members
3677
Online
110265
Solutions
Forums
Categories
Company
Local Language
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Forums
Discussions
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-24-2003 06:33 AM
10-24-2003 06:33 AM
We need to grant outside contractors shell-level access to some of our HP-UX servers. This can be controlled by the VPN group, such that the outside contractors can connect to specific servers only.
However, once on the server, they can easily telnet off of it and communicate with other servers they are not supposed to have access to. How do I prevent this?
The contractors will be administering the Oracle instance. The Oracle binaries and data are located off of root (/), so a chroot environment will not work unless I move all the Oracle files. And Im not sure that would work anyway. As DBAs they need considerable access to the box.
I thought of locally restricting /usr/bin/telnet, /usr/bin/ftp, etc., using file level permissions. But I cannot restrict ftpd, as the contractor will need to ftp files TO the server, and it is trivial for them to ftp up their own copy of telnet.
any suggestions?
However, once on the server, they can easily telnet off of it and communicate with other servers they are not supposed to have access to. How do I prevent this?
The contractors will be administering the Oracle instance. The Oracle binaries and data are located off of root (/), so a chroot environment will not work unless I move all the Oracle files. And Im not sure that would work anyway. As DBAs they need considerable access to the box.
I thought of locally restricting /usr/bin/telnet, /usr/bin/ftp, etc., using file level permissions. But I cannot restrict ftpd, as the contractor will need to ftp files TO the server, and it is trivial for them to ftp up their own copy of telnet.
any suggestions?
Solved! Go to Solution.
7 REPLIES 7
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-24-2003 06:38 AM
10-24-2003 06:38 AM
Solution
You can place limits on who can log in from what segment of your netwwork with the /var/adm/inetd.sec file
I'm attaching mine. This will require your contractors to first log into your network to connect, preventing the idle internet predator.
See attached example.
SEP
I'm attaching mine. This will require your contractors to first log into your network to connect, preventing the idle internet predator.
See attached example.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-24-2003 06:41 AM
10-24-2003 06:41 AM
Re: How to secure HP-UX 11.0 to prevent people from getting off of it?
It doesn't help you now, but we use Symark's Power Broker. It gives us the ability to control their access through a separate account but let them run oracle processes as needed. Or even in the worst case I can give them full access to oracle but record everything they do. The cool part is I can watch them live if I don't trust them. I highly recommend it if you have "outsiders" on your boxes regularly.
Hopefully someone has a quick solution to your current problem.
--Jim
Hopefully someone has a quick solution to your current problem.
--Jim
"Everyone can be taught to sculpt: Michelangelo would have had to be taught how not to. So it is with the great programmers."
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-24-2003 08:36 AM
10-24-2003 08:36 AM
Re: How to secure HP-UX 11.0 to prevent people from getting off of it?
All the Oracle files should be owned by oracele:dba , not root. Also, you should put them in their own file system, as the system will hang or crash if they are simply in a directory off of / and a run-away query eats the disk. This setup is also what Oracle recommends, in case anyone gives you grief for bringing it up.
The other issue is that if any of the data is sensative, you'll not want to use ftp, as that is all tranmitted in the clear. Have you considered OpenSSH?
HTH
mark
The other issue is that if any of the data is sensative, you'll not want to use ftp, as that is all tranmitted in the clear. Have you considered OpenSSH?
HTH
mark
the future will be a lot like now, only later
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2003 09:17 AM
10-25-2003 09:17 AM
Re: How to secure HP-UX 11.0 to prevent people from getting off of it?
Hi,
if I understand you correctly, then the oracle codefiles are located in your root-FS.
Well, then a "chroot(1M)" jail is even easier to build, as you can hard-link all "they" need into their jail. Omtting "telnet", "ssh" and such, of course...
FWIW,
Wodisch
if I understand you correctly, then the oracle codefiles are located in your root-FS.
Well, then a "chroot(1M)" jail is even easier to build, as you can hard-link all "they" need into their jail. Omtting "telnet", "ssh" and such, of course...
FWIW,
Wodisch
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-27-2003 05:03 AM
10-27-2003 05:03 AM
Re: How to secure HP-UX 11.0 to prevent people from getting off of it?
ipfilter can be used to block outgoing connections. (normally, it is used to keep people out, but in this case it would be used to keep people in).
This assumes:
1. the contractors do not have root access to the box
2. none of the outbound protocols required by your application allow access to unauthorized internal data/systems. You shouldn't have to allow ftp/telnet, etc.
You could also spring for a hardware firewall and put this box in a DMZ/isolated network segment. It's the same basic idea, just a cost vs. risk tradeoff.
I also recommend switching to ssh/scp over telnet/ftp, but I'm not sure if it solves your current problem.
Hope that helps
-Keith
This assumes:
1. the contractors do not have root access to the box
2. none of the outbound protocols required by your application allow access to unauthorized internal data/systems. You shouldn't have to allow ftp/telnet, etc.
You could also spring for a hardware firewall and put this box in a DMZ/isolated network segment. It's the same basic idea, just a cost vs. risk tradeoff.
I also recommend switching to ssh/scp over telnet/ftp, but I'm not sure if it solves your current problem.
Hope that helps
-Keith
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-29-2003 02:49 PM
10-29-2003 02:49 PM
Re: How to secure HP-UX 11.0 to prevent people from getting off of it?
Hi,
> You mentioned:
> However, once on the server, they can easily telnet off of it and communicate with other servers they are not supposed to have access to. How do I prevent this?
Since these contractors are not authorized for access on other servers, then don't create accounts for them on these servers.
Unless you are providing them with the Oracle user account which has the same userid/password authentication credentials across all your other servers, restricting access should be as straightforward as simply NOT having any account rights provided to them. A chroot cage is an overkill and not cost-effective in my opinion.
You will need to restrict access at the database level as well if Oracle client access exists. Otherwise, they can still sqlplus to the other servers and run shell commands.
Hope this helps. Regards.
Steven Sim Kok Leong
> You mentioned:
> However, once on the server, they can easily telnet off of it and communicate with other servers they are not supposed to have access to. How do I prevent this?
Since these contractors are not authorized for access on other servers, then don't create accounts for them on these servers.
Unless you are providing them with the Oracle user account which has the same userid/password authentication credentials across all your other servers, restricting access should be as straightforward as simply NOT having any account rights provided to them. A chroot cage is an overkill and not cost-effective in my opinion.
You will need to restrict access at the database level as well if Oracle client access exists. Otherwise, they can still sqlplus to the other servers and run shell commands.
Hope this helps. Regards.
Steven Sim Kok Leong
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-29-2003 06:34 PM
10-29-2003 06:34 PM
Re: How to secure HP-UX 11.0 to prevent people from getting off of it?
Best way will be using different passwords for the accounts they need on the box they get to, so that even if they have an telnet client, they don't have passwords for accounts on other servers.
It will mean you have to remember passwords are different on that server, but at least you keep them off your other servers.
Also using auditing and monitoring the shell history on the system could help you track down malicious use of their rights, so you can take repercusions if they do things they are not allowed to do.
It will mean you have to remember passwords are different on that server, but at least you keep them off your other servers.
Also using auditing and monitoring the shell history on the system could help you track down malicious use of their rights, so you can take repercusions if they do things they are not allowed to do.
Every problem has at least one solution. Only some solutions are harder to find.
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Events and news
Customer resources
© Copyright 2026 Hewlett Packard Enterprise Development LP