
inetd question - What can I turn off?

Darrell Tschakert
Regular Advisor

inetd question - What can I turn off?

Hi,
We have some HP-UX 11.23 systems - rx4640 and rx2620's. These computers are Oracle servers.

I am told that we should turn off any of the inetd services that we do not need. Is there any real reason why I need the following?

#daytime stream tcp6 nowait root internal
#daytime dgram udp6 nowait root internal
#time stream tcp6 nowait root internal
#time dgram udp6 nowait root internal
#echo stream tcp6 nowait root internal
#echo dgram udp6 nowait root internal
#discard stream tcp6 nowait root internal
#discard dgram udp6 nowait root internal
#chargen stream tcp6 nowait root internal
#chargen dgram udp6 nowait root internal

What about recserv and tftp?

I have had these turned off for some time on one of our servers and have seen nothing out of the ordinary.

Can anyone point me at a document that goes over these services and tells me what to turn off with security being an important factor?

Thank you,

Darrell Tschakert
I'll add a quote when I think of one.
Moises Acevedo
New Member
Solution

Re: inetd question - What can I turn off?

My tip would be to download the CIS Benchmarking tool .pdf file for HP-UX.

It mentions each change you could make to this file and others in the HP-UX Security Hardening efforts!

http://www.cisecurity.org/bench_hpux.html

Regards,
Moises
Sundar_7
Honored Contributor

Re: inetd question - What can I turn off?

I don't have a document, but there can only be a document describing what a service does. It will be up to you to decide if you want to turn them off or not. Because what may be unnecessary in one shop may be a necessity in others!

That said, tftp is a big NO-NO in the security world. Unless you are using this as an Ignite-UX server or as a storage for network devices bootup configuration, you should probably disable the tftp.

If security is of concern, telnet and other r-services should also be disabled, and you should use their secure counterparts.

Learn What to do, How to do and more importantly When to do?
James R. Ferguson
Acclaimed Contributor

Re: inetd question - What can I turn off?

Hi Darrell:

Bastille comes as part of 11.23 and offers you the ability to lock-down your server to various levels. You can run the tool interactively and select what you want. Locking out the above 'inetd' services is one option. A record of the actions you take is generated as well as a "revert" script. You might begin here:

http://www.docs.hp.com/en/5991-5526/ch03s05.html#babebhbi

Regards!

...JRF...
Darrell Tschakert
Regular Advisor

Re: inetd question - What can I turn off?

Thanks for the advice.
Yes, I should have gone to the CIS Benchmark document. Why didn't I go there first? The Benchmark document said to turn just about everything off. It turned out that I had to turn auth back on for the Service Guard machines. I turned off tftp since I could find nothing that used it.

I left the Service Guard cluster daemon lines turned on.
I am still looking into "instl_boots" and "registrar". I think that EMS needs "registrar" to monitor devices, etc. I still haven't read about "instl_boots", but will do so.

Thanks again.
I'll add a quote when I think of one.
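
The review this thread describes, as an added example (not part of any post above and not taken from the CIS benchmark or Bastille): a shell function that lists every entry still enabled in an inetd.conf and flags the services the posters named. The `REVIEW_LIST` contents, the function names and the sample entries are assumptions made for illustration; `login`, `shell` and `exec` are included as one reading of "r-services".

```shell
#!/bin/sh
# Assumption: services named in the thread, plus the inetd names of the r-services.
# Adjust per site, e.g. tftp is needed on an Ignite-UX server.
REVIEW_LIST="daytime time echo discard chargen recserv tftp telnet login shell exec"

# audit_inetd [FILE...]  (reads stdin when no file is given)
# Prints "<REVIEW|ENABLED> <service> <protocol> <server>" for each active entry.
audit_inetd() {
    awk -v list="$REVIEW_LIST" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) review[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # commented out (disabled) or blank
        NF < 6 { next }                     # too short to be a service entry
        {
            tag = ($1 in review) ? "REVIEW" : "ENABLED"
            printf "%s %s %s %s\n", tag, $1, $3, $6
        }
    ' "$@"
}

# count_review [FILE...]: number of active entries that are on the review list.
count_review() {
    audit_inetd "$@" | awk '$1 == "REVIEW" { n++ } END { print n + 0 }'
}

# Constructed sample input (illustrative entries, not from a real host).
sample_conf() {
    cat <<'EOF'
#daytime  stream tcp6 nowait root internal
#echo     stream tcp6 nowait root internal
chargen   dgram  udp6 nowait root internal
tftp      dgram  udp  wait   root /usr/lbin/tftpd tftpd /opt/ignite
auth      stream tcp6 wait   bin  /usr/lbin/identd identd
registrar stream tcp  nowait root /etc/opt/resmon/lbin/registrar registrar
EOF
}

# With a file argument, audit that file; otherwise audit the constructed sample.
if [ $# -gt 0 ]; then
    audit_inetd "$1"
else
    sample_conf | audit_inetd
fi
```

Entries tagged `ENABLED` are not cleared by this check, they are simply not on the list and still need a decision. After an entry is commented out, inetd has to reread the file (on HP-UX, `inetd -c`) before the service actually stops being offered.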