lockdown /etc/services

Vernell Woods_1
New Member

lockdown /etc/services

I've been asked to make the /etc/services file readable by root only; however, users still need to be able to telnet & ftp. I thought about using Symark PowerBroker to give users ftp & telnet access, but applications such as Oracle & Valencia also need to work without problems. Has anyone had to do this or have any suggestions?
A Windows Guy in a Unix World
John Carr_2
Honored Contributor

Re: lockdown /etc/services

Hi

It should be read-only by default, so change it.

cheers
John.
John Carr_2
Honored Contributor

Re: lockdown /etc/services

ignore my last comment I misread the post
pap
Respected Contributor

Re: lockdown /etc/services

Hi if you want to deactivate the telnet and ftp services for certain users or machines, then you need to update the file /var/adm/inetd.sec

There you can specify the service name and to whom you want to block the access (machine).....
Hope this helps.
Simply making /etc/services readable will not do anything. That is an irrelevant thing here.

-pap
"Winners don't do different things , they do things differently"
Volker Borowski
Honored Contributor
Solution

Re: lockdown /etc/services

Hello,

any reason for this request ?
I mean "services" is a lookup database for the system call "getservbyname".

So whatever is in there does not mean the service is available. Just to take read away looks to me like a try to "hide by disguise" a service.

This is pretty much like using a non-standard TCP/IP port for a standard application, which, contrary to common thinking, is no security feature. A real hacker will use a portscan tool and find your Oracle listener even if it runs on port 12345.
So the only non-benefit is you have more trouble with your administration.

If you need protection, go for a firewall and a good concept.

Just my 0.02
Volker
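To make Volker's point concrete, here is an added Python example (not code from the thread) that reads the /etc/services format the way getservbyname does and then models what a client sees once the file's mode is tightened: root bypasses file permissions, everyone else needs the read bit, so a root-only mode leaves ordinary users' telnet, ftp and application clients unable to resolve a service name while the service itself keeps listening. The sample entries are constructed, and the permission model is a simplified version of Unix DAC (owner and other bits only, no group or ACLs).

```python
import stat

# Constructed excerpt in /etc/services format: name  port/proto  [aliases]  # comment
SAMPLE_SERVICES = """\
ftp       21/tcp
telnet    23/tcp
domain    53/tcp   nameserver
domain    53/udp   nameserver
listener  1521/tcp            # hypothetical application entry (e.g. a database listener)
"""


def parse_services(text):
    """Build {(name, proto): port} from /etc/services text; aliases resolve to the same port."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto, *aliases = line.split()
        port, proto = port_proto.split("/", 1)
        for n in (name, *aliases):
            table[(n, proto)] = int(port)
    return table


def getservbyname(table, name, proto="tcp"):
    """Mirror of the libc lookup: a service name (or alias) and protocol map to a port, else None."""
    return table.get((name, proto))


def can_read(mode, is_root=False, is_owner=False):
    """Simplified DAC: root always reads; the owner needs u+r; anyone else needs o+r."""
    if is_root:
        return True
    if is_owner:
        return bool(mode & stat.S_IRUSR)
    return bool(mode & stat.S_IROTH)


def lookup_as(mode, name, proto="tcp", is_root=False, is_owner=False, table=None):
    """What a client process gets: None when it cannot read the file at all."""
    table = table if table is not None else parse_services(SAMPLE_SERVICES)
    if not can_read(mode, is_root=is_root, is_owner=is_owner):
        return None
    return getservbyname(table, name, proto)


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        port = lookup_as(mode, "telnet")
        print(f"mode {mode:o}: unprivileged telnet client resolves 'telnet' -> {port}")
```

With 0644 (the shipped default) the unprivileged lookup yields port 23; with 0600 it yields nothing, yet a port scan of the host would still find the listener, which is exactly why the permission change costs functionality without buying concealment.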
Vernell Woods_1
New Member

Re: lockdown /etc/services

Let me explain a little further: Our auditors said that it was an exception to have /etc/services readable by all users. We want to make it readable by root "ONLY". In doing so, users won't be able to ftp or telnet...but we want them to be able to. I need to make /etc/services readable by root only and still have users able to ftp & telnet. At the same time, I need applications that make calls to other servers to function correctly. I don't understand why /etc/services need to be locked down or how it's an exception, but I have to do it. PLEASE HELP!!!
A Windows Guy in a Unix World
James R. Ferguson
Acclaimed Contributor

Re: lockdown /etc/services

Hi:

Volker's comments say it all! Don't be badgered by the auditors. '/etc/services' should be readable by all, and need not be marked writeable, since as 'root' you can edit (write) it regardless. Having controlled that, only you (root) can add or remove services. Auditors often go on witch-hunts to show management that they earned their keep!

Regards!

...JRF...
Jeff Schussele
Honored Contributor

Re: lockdown /etc/services

WELL SAID, JRF!

Rgds,
JEFF

P.S.
inetd.sec & inetd.conf is where the REAL, internal security is & SHOULD be set! And NOTHING beats a well configured FW for external security!
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Frank Quinteros
Advisor

Re: lockdown /etc/services

Vee,

/etc/services, much like /etc/rpc, is a lookup table for Berkeley and ARPA services for the Unix OS.

These have to be available for the OS (and users) to have basic functionality with the outside world.

As was suggested earlier, different options exist for locking down the server securely and effectively.

The auditors should provide supporting doc (reasons) for such request.

TCP Wrappers (HP's IPSec900), SSL, and HP's patch PHNE_23949, which helps control ftp users' access, may help in controlling access to this server.

Finally you may want to search/browse the security forum for past postings.
Darrell Allen
Honored Contributor

Re: lockdown /etc/services

What the heck is their basis for such a demand? Do they know anything about UNIX? Of course /etc/services has to be world readable.

I hope they're not making any other similarly stupid demands. If so, you need to raise the red flag with management.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Vernell Woods_1
New Member

Re: lockdown /etc/services

Thanks Guys for your responses. I'll go back and ask exactly what the issue is. Maybe with a more in-depth explanation, I can come up with a better plan.

Thanks again.
A Windows Guy in a Unix World