Operating System - HP-UX

Replacing old server with New one.

 
Tim Downs
Advisor

We are replacing our current K570 with an rp5405. We are running HP-UX 11 d on the K570 and the new server has HP-UX 11 u. The old server is also running the enhanced security. I don't want to ignite the new server with the old server, since we have the u version on the new box. What is the best way to get all the current configuration (i.e. users/security) onto the new server without setting everything up again?

Thanks
Steven E. Protter
Exalted Contributor

Re: Replacing old server with New one.

Users are tough, but if you carefully edit the /etc/passwd file you might be able to make it work. Also /etc/group.

The pitfalls include user IDs associated with applications. To make things work, you'll need to make sure that every numeric user ID and group ID matches.

Then you might be able to get away with tarring up and transferring the contents of the /home fs.

/etc/profile will have to be migrated and adjusted.

This scenario isn't necessarily supported and you might have problems with the encryption of the passwords. Probably you'll need to reset the passwords and force password change at first login.



You are going to reinstall all of your security apps, because I doubt HP installed them for you. Examples:

security_patch_check: checks your system and makes sure it's up to date with security patches from HP
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

Required Perl install:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

Bastille: security hardening tool
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

TCP Wrappers:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP

Secure Shell: a replacement for rcp, ftp and telnet that encrypts passwords
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

IDS/9000: intrusion detection system that can track security breaches and attempted security breaches
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA

Then you're going to want to carefully migrate such things as your /etc/inetd.conf and /var/adm/inetd.sec files.

Be careful if the machines are on different subnets or networks.



We're just adding the users to our new system and resetting the passwords with a batch script, also forcing 7-day expiration on unused accounts and a password change at first login.

As the popular ITRC phrase goes, my two cents.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
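Steven's points about matching every numeric UID/GID, editing /etc/passwd and /etc/group by hand and resetting the passwords can be scripted. The following is an added example, not code from the thread: it works on constructed copies of the four files (the account names, UIDs and hashes are made up), treats IDs below 100 as system accounts that stay with the new box, and the closing comment's passwd -f relies on the HP-UX passwd(1) -f option to expire a password so it must be changed at first login.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Merges the non-system
# entries of an old server's /etc/passwd and /etc/group into copies of the
# new server's files.  It refuses to write anything if a numeric UID/GID or
# a name is already taken by a different entry on the new box, and it sets
# the password field of every migrated passwd line to "*" so the old hashes
# are never trusted.  All four input files are constructed for the example.

work=$(mktemp -d)

cat > "$work/passwd.old" <<'EOF'
root:abc123:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
appuser:xyz789:101:101:Application owner:/home/appuser:/usr/bin/sh
jsmith:def456:102:20:J Smith:/home/jsmith:/usr/bin/ksh
EOF
cat > "$work/group.old" <<'EOF'
root::0:root
users::20:jsmith
appgrp::101:appuser
EOF
# The new box as installed already uses UID/GID 101 for a system account:
# exactly the clash that breaks application file ownership after a move.
cat > "$work/passwd.new" <<'EOF'
root:secret:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
www:*:101:1:www daemon:/:/sbin/sh
EOF
cat > "$work/group.new" <<'EOF'
root::0:root
users::20:
www::101:www
EOF

# passwd and group share the layout name:password:id:...  Print each old
# entry with id >= $3 whose id or name belongs to someone else on the new box.
clashes() {   # $1=old file  $2=new file  $3=lowest id treated as a real account
    awk -F: -v min="$3" '
        NR == FNR { byid[$3] = $1; byname[$1] = $3; next }
        $3+0 >= min+0 {
            if (($3 in byid) && byid[$3] != $1)
                printf "id %s: %s (old) is %s (new)\n", $3, $1, byid[$3]
            if (($1 in byname) && byname[$1] != $3)
                printf "name %s: id %s (old) is %s (new)\n", $1, $3, byname[$1]
        }' "$2" "$1"
}

# Copy the new file to $4 and append the old entries (id >= $3) that are not
# already present as the same name and id.  $5=lock replaces the password
# field of every appended line with "*".  Returns 1 and writes nothing if
# clashes() reports anything; resolve those by hand first.
merge() {     # $1=old  $2=new  $3=min id  $4=output  $5=lock|keep
    if [ -n "$(clashes "$1" "$2" "$3")" ]; then
        return 1
    fi
    cp "$2" "$4"
    awk -F: -v OFS=: -v min="$3" -v lock="$5" '
        NR == FNR { have[$1 ":" $3]; next }
        $3+0 >= min+0 && !(($1 ":" $3) in have) {
            if (lock == "lock") $2 = "*"
            print
        }' "$2" "$1" >> "$4"
}

echo "== clashes against the as-installed passwd"
clashes "$work/passwd.old" "$work/passwd.new" 100
if merge "$work/passwd.old" "$work/passwd.new" 100 "$work/passwd.merged" lock; then
    echo "merged"
else
    echo "merge refused: fix UID 101 on one side first"
fi

# Here the clash is resolved by dropping the unneeded www account from the
# new box; renumbering the application user is the other option.
grep -v '^www:' "$work/passwd.new" > "$work/passwd.fixed"
grep -v '^www:' "$work/group.new"  > "$work/group.fixed"
merge "$work/passwd.old" "$work/passwd.fixed" 100 "$work/passwd.merged" lock
merge "$work/group.old"  "$work/group.fixed"  100 "$work/group.merged"  keep
echo "== merged passwd (old hashes replaced by *)"
cat "$work/passwd.merged"
# On the real box: install the merged files, restore /home, then expire each
# migrated user's password (passwd -f user) so it is changed at first login.
```

Two things the merge deliberately does not do: it never carries an old password hash across (Steven's point that the encryption may not match is moot when every migrated user gets reset anyway), and it does not merge the member lists of groups that already exist on both sides (users:20 above), so check those by hand after the run.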
Sridhar Bhaskarla
Honored Contributor

Re: Replacing old server with New one.

Hi,

I will confine my message only to security as I believe that you might have taken care of other configurations.

It is not difficult to copy the user configuration from the old box to the new one. If yours is trusted, then do the following on the old box. If it is not trusted, you can simply copy /etc/passwd and /etc/group along with the home directories.

# tar cvf /tmp/accounts.tar /tcb /etc/passwd /etc/group

Back up the user home directories either to a tar bundle or through your backup system, whichever is faster, and copy the tar bundle to another system on the network.

On the new system, keep two telnet sessions open from your workstation and do not log off for a week or so.

# cp /etc/passwd /etc/passwd.default
# cp /etc/group /etc/group.default

Convert the system to trusted:

# /usr/lbin/tsconvert

Get the tar bundle from the networked system into /tmp.

# tar xvf /tmp/accounts.tar

Restore the user home directories. Let your users log in and verify that there are no problems. This should take care of your user configuration.

For the other security configuration, I would not suggest overwriting the files. You will need to carefully merge the configuration. The files are /etc/inetd.conf, /etc/ftpd/ftpaccess, /var/adm/inetd.sec, /etc/shells, /etc/services, etc.

-Sri


You may be disappointed if you fail, but you are doomed if you don't try
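Both replies above say that /etc/inetd.conf and /var/adm/inetd.sec must be merged rather than copied, and Steven warns about the new box sitting on a different subnet. The script below is an added example, not code from the thread: it reports which inetd services change state between the two inetd.conf files and which inetd.sec rules are still pinned to the old network. Its inetd.conf and inetd.sec contents are constructed, and the new network prefix 10.2.7. is an assumed value for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread.  Two checks for the merge the
# replies warn about: which inetd services change state between the old and
# new /etc/inetd.conf, and which /var/adm/inetd.sec rules are tied to the
# old subnet.  The three files below are constructed for the example; the
# new box's network prefix ("10.2.7.") is an assumption for the demo.

work=$(mktemp -d)

cat > "$work/inetd.conf.old" <<'EOF'
# Internet services on the K570
ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd -b /etc/issue
#tftp   dgram  udp wait   root /usr/lbin/tftpd    tftpd
#shell  stream tcp nowait root /usr/lbin/remshd   remshd
rpc     dgram  udp wait   root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rstatd
EOF
# As installed on the new box: tftp and remsh are on, rstatd is off, and
# telnetd has lost its banner option.
cat > "$work/inetd.conf.new" <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
tftp    dgram  udp wait   root /usr/lbin/tftpd    tftpd
shell   stream tcp nowait root /usr/lbin/remshd   remshd
#rpc    dgram  udp wait   root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rstatd
EOF
cat > "$work/inetd.sec.old" <<'EOF'
# service  allow|deny  hosts or networks
telnet  allow  10.1.1.*  admws01
ftp     allow  10.1.1.0-255
rstatd  allow  10.1.1.*
shell   deny   *
EOF

# Print "<service> on|off" for every service line of an inetd.conf.  A
# leading # means disabled; pure comments (no socket type in field 2) are
# skipped; rpc lines carry the program name in their last field.
inetd_state() {
    awk '
        {
            state = "on"
            sub(/^[[:space:]]+/, "")
            if ($0 ~ /^#/) { state = "off"; sub(/^#[[:space:]]*/, "") }
            if (NF < 6 || ($2 != "stream" && $2 != "dgram")) next
            name = ($1 == "rpc") ? $NF : $1
            print name, state
        }' "$1"
}

# Services whose state differs between old ($1) and new ($2) conf files.
# Argument changes on a service that is "on" in both (like the lost -b
# banner above) are not caught here; diff the raw lines for those.
inetd_diff() {
    inetd_state "$1" > "$work/state.old"
    inetd_state "$2" > "$work/state.new"
    awk 'NR == FNR { old[$1] = $2; next }
         { new[$1] = $2 }
         END {
             for (s in old) if (!(s in new))
                 printf "%s: old=%s new=absent\n", s, old[s]
             for (s in new) {
                 o = (s in old) ? old[s] : "absent"
                 if (o != new[s]) printf "%s: old=%s new=%s\n", s, o, new[s]
             }
         }' "$work/state.old" "$work/state.new" | sort
}

# inetd.sec rules (service allow|deny addresses...) whose numeric address
# patterns do not start with the new box's network prefix $2.  "*" means
# any host and hostnames are skipped; resolve those by hand.
foreign_rules() {
    awk -v pfx="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            for (i = 3; i <= NF; i++) {
                if ($i == "*" || $i !~ /^[0-9]/) continue
                if (index($i, pfx) != 1)
                    printf "%s %s %s: outside %s*\n", $1, $2, $i, pfx
            }
        }' "$1"
}

echo "== service state changes, old -> new"
inetd_diff "$work/inetd.conf.old" "$work/inetd.conf.new"
echo "== inetd.sec rules tied to the old network"
foreign_rules "$work/inetd.sec.old" "10.2.7."
```

On the sample data the state diff flags tftp and shell (remshd) as newly enabled and rstatd as newly disabled, and every allow rule in inetd.sec points at 10.1.1.x, so copying that file to a box on 10.2.7.x would lock out the admin workstations it was meant to admit. Run the real files through the same two functions before, not after, you swap the servers.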
Michael Tully
Honored Contributor

Re: Replacing old server with New one.

Also note these suggestions and comments from Bill H. Thanks again Bill, these are extremely welcome!

Cheers
Michael

/Quote
In addition to what has been suggested, you will need to fix all the problems and make the system easier to manage by:

1. set umask in /etc/profile: umask 022

2. fix /usr/local: find /usr/local -type d -exec chmod 755 {} \;

3. Move root's $HOME: mkdir /root, then edit /etc/passwd accordingly, then move all ordinary files in / to /root, including dot files like .profile and so on.

4. Edit /etc/profile and change the copyright message to something like:

echo "To read copyright message, use cat /etc/copyright"

5. Fix /etc/issue by putting just the name of the system and nothing else

6. Fix /etc/inetd.conf by adding:

-b /etc/issue (to telnetd)
-B /etc/issue (to rlogind)

7. Edit /etc/mail/aliases to redirect root's email to a live person's email address, then run newaliases.

8. Edit /etc/resolv.conf and /etc/nsswitch.conf to match your needs.

9. Create /etc/securetty: echo console > /etc/securetty (or simply: echo "" > /etc/securetty), which then requires root to always log in as a user and su to root.

10. Set up /etc/ntp.conf and enable it in /etc/rc.config.d/netdaemons (if not using NTP, start...)

11. Scan your new system for bad permissions:

find / /opt /usr -xdev -type f -perm 666
find / /opt /usr -xdev -type f -perm 777
find / /opt /usr -xdev -type d -perm 777

The man/cat* directories are OK as well as /tmp, but the others usually need fixing.

12. Make sure all non-vg00 mountpoints are correct. They should be a minimum of 755, perhaps even more restrictive. In general ANY file or directory with 777 permissions must be assumed WRONG and action taken to correct the situation. Exceptions are /tmp and the man/cat* directories. Similarly, all databases should be owned by the database user and not readable by others.

13. Add nosuid to all fstab mountpoints except /usr and /opt. This is especially true for /tmp which should also have the sticky bit set using: chmod +t /tmp (to prevent users from deleting each other's files)

All of these fixes are important and may not have been done on other machines...go back and fix them. If a global umask has not been set since installation, root may have accidentally created a large number of security problems (which the above find commands will locate).
\unquote

Anyone for a Mutiny ?
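The quoted list is a checklist, and most of it can be verified mechanically. The following is an added example, not code from the thread or from Bill H.: an audit function that checks a tree for the umask setting in /etc/profile, world-writable files outside /tmp and the man/cat* directories, the presence of /etc/securetty, nosuid on every fstab mount except /, /usr and /opt, the sticky bit on /tmp and the telnetd -b / rlogind -B banner options, followed by the fixes from the list applied to a constructed sample tree and a second audit run. It uses find -perm -002 (any other-writable mode), which is broader than the exact 666/777 matches in the list, and the sample paths, fstab and inetd.conf lines are made up.

```shell
#!/bin/sh
# Added example, not code from the thread.  An offline audit for the points
# in the quoted list: umask in /etc/profile, world-writable files, a
# /etc/securetty, nosuid on every mount except /, /usr and /opt, the sticky
# bit on /tmp, and the telnetd -b / rlogind -B banner options.  It takes the
# root of the tree to inspect so it can run here against a constructed tree
# with deliberate defects; on the real box call "audit /" as root instead.

umask 022
root=$(mktemp -d)
mkdir -p "$root/etc" "$root/tmp" "$root/usr/local/bin" \
         "$root/usr/share/man/cat1" "$root/home/jsmith"
printf 'PATH=/usr/bin:/usr/sbin\nexport PATH\n' > "$root/etc/profile"   # no umask line
printf 'x' > "$root/usr/local/bin/tool";      chmod 777 "$root/usr/local/bin/tool"
printf 'x' > "$root/home/jsmith/notes";       chmod 666 "$root/home/jsmith/notes"
printf 'x' > "$root/usr/share/man/cat1/ls.1"; chmod 666 "$root/usr/share/man/cat1/ls.1"  # allowed
chmod 777 "$root/tmp"      # world-writable but no sticky bit
cat > "$root/etc/fstab" <<'EOF'
/dev/vg00/lvol3 / vxfs delaylog 0 1
/dev/vg00/lvol7 /usr vxfs delaylog 0 2
/dev/vg00/lvol6 /opt vxfs delaylog 0 2
/dev/vg00/lvol4 /tmp vxfs delaylog 0 2
/dev/vg00/lvol8 /var vxfs delaylog,nosuid 0 2
/dev/vg01/lvol1 /home vxfs delaylog 0 2
EOF
cat > "$root/etc/inetd.conf" <<'EOF'
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
login  stream tcp nowait root /usr/lbin/rlogind rlogind -B /etc/issue
EOF
# /etc/securetty is deliberately absent.

audit() {   # $1 = root of the tree; prints one finding per line
    r=${1%/}
    grep -q '^[[:space:]]*umask[[:space:]][[:space:]]*022' "$r/etc/profile" 2>/dev/null \
        || echo "etc/profile: no 'umask 022'"
    [ -f "$r/etc/securetty" ] \
        || echo "etc/securetty: missing, so root can log in directly on any tty"
    # World-writable files and directories, ignoring /tmp and the man cat* dirs.
    find "$r" -xdev \( -type f -o -type d \) -perm -002 \
        ! -path "$r/tmp" ! -path "$r/tmp/*" ! -path "*/man/cat*" \
        | sed "s|^$r|world-writable: |"
    # /tmp needs the sticky bit so users cannot delete each other's files.
    [ -d "$r/tmp" ] && [ ! -k "$r/tmp" ] && echo "tmp: world-writable without sticky bit"
    # Every mount other than /, /usr and /opt should carry nosuid.
    awk '$2 != "/" && $2 != "/usr" && $2 != "/opt" && $4 !~ /(^|,)nosuid(,|$)/ {
             printf "fstab: %s mounted without nosuid\n", $2 }' "$r/etc/fstab" 2>/dev/null
    # Banner options on telnetd (-b file) and rlogind (-B file).
    awk '$1 == "telnet" && $0 !~ / -b / { print "inetd.conf: telnetd without -b /etc/issue" }
         $1 == "login"  && $0 !~ / -B / { print "inetd.conf: rlogind without -B /etc/issue" }' \
        "$r/etc/inetd.conf" 2>/dev/null
    return 0
}

count_lines() { awk 'NF { n++ } END { print n+0 }'; }

echo "== before"
before_report=$(audit "$root")
echo "$before_report"
before=$(printf '%s\n' "$before_report" | count_lines)

# Apply the fixes from the list and check again.
echo 'umask 022' >> "$root/etc/profile"
echo console > "$root/etc/securetty"
chmod +t "$root/tmp"
find "$root/usr/local" -type d -exec chmod 755 {} \;
chmod 644 "$root/usr/local/bin/tool" "$root/home/jsmith/notes"
awk -v OFS=' ' '$2 != "/" && $2 != "/usr" && $2 != "/opt" && $4 !~ /nosuid/ { $4 = $4 ",nosuid" }
     { print }' "$root/etc/fstab" > "$root/etc/fstab.tmp" && mv "$root/etc/fstab.tmp" "$root/etc/fstab"
sed 's|telnetd$|telnetd -b /etc/issue|' "$root/etc/inetd.conf" > "$root/etc/inetd.conf.tmp" \
    && mv "$root/etc/inetd.conf.tmp" "$root/etc/inetd.conf"

echo "== after"
after_report=$(audit "$root")
echo "$after_report"
after=$(printf '%s\n' "$after_report" | count_lines)
echo "findings: $before before, $after after"
```

The sample tree produces eight findings and none after the fixes. On a real HP-UX box, run the audit on the freshly installed rp5405 as well as on the K570 before copying anything across: the point of the list is that the old machine may have been carrying these problems for years, and a plain tar of /home or /usr/local would carry them to the new one.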