HPE Community
Operating System - HP-UX
1833760 Members
2681 Online
110063 Solutions
New Discussion

Securing a HPUX box....howto?

 
john c
Occasional Advisor

‎07-11-2003 12:29 AM

‎07-11-2003 12:29 AM

Securing a HPUX box....howto?

How do I....
. Disable telnet and ftp
. Disable remote root login

Thank you.
When all is said and done, more will be said than done!
0 Kudos
Reply
13 REPLIES 13
Steve Steel
Honored Contributor

‎07-11-2003 12:37 AM

‎07-11-2003 12:37 AM

Re: Securing a HPUX box....howto?

Hi

see
http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90742/B2355-90742_top.html&con=/hpux/onlinedocs/B2355-90742/00/00/64-con.html&toc=/hpux/onlinedocs/B2355-90742/00/00/64-toc.html&searchterms=telnet&queryid=20030711-023544

Basically /etc/securetty ftpusers file and
inetd.sec


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
0 Kudos
Reply
RAC_1
Honored Contributor

‎07-11-2003 12:41 AM

‎07-11-2003 12:41 AM

Re: Securing a HPUX box....howto?

Disable telnet (Use ssh)
Disable ftp (use sftp)
Disable remsh (use scp-part of ssh)
Use inetd.sec.
There is no substitute to HARDWORK
0 Kudos
Reply
Dagmar Boelen
Frequent Advisor

‎07-11-2003 12:44 AM

‎07-11-2003 12:44 AM

Re: Securing a HPUX box....howto?

Disable the telnet and ftp-services in the inetd.conf-file. Do this placing a # a the beginning of the definition of this service.
0 Kudos
Reply
Sanjiv Sharma_1
Honored Contributor

‎07-11-2003 12:45 AM

‎07-11-2003 12:45 AM

Re: Securing a HPUX box....howto?

Hi John,

Disable telnet and ftp:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x24fee822e739d711abdc0090277a778c,00.html

Disable remote login:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x8682402f24d5d61190050090279cd0f9,00.html

hth.
Everything is possible
0 Kudos
Reply
twang
Honored Contributor

‎07-11-2003 12:48 AM

‎07-11-2003 12:48 AM

Re: Securing a HPUX box....howto?

Take a look at the following,
1. http://www.hp.com/products1/unix/operating/security/
2. http://www.deter.com/unix/papers/unix_security_checklist.txt
0 Kudos
Reply
Steve Coates
Frequent Advisor

‎07-11-2003 06:10 AM

‎07-11-2003 06:10 AM

Re: Securing a HPUX box....howto?

Take a look at Bastille, it can help you secure your system.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎07-11-2003 06:20 AM

‎07-11-2003 06:20 AM

Re: Securing a HPUX box....howto?

2- modify /etc/securetty

1- modify /etc/inetd.conf

comment out the ftpd and telnetd lines

Also comment out any protocol starting with an r unless your box is an Ignite Client.

Read my security speel.

----
Bastille Security hardening
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Perl which the above needs.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

Security Patch Check
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

TCP Wrappers

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP

IDS/9000 (Intrusion Detection Sytstem)

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA

Get all these products working you'll be quite secure.

Secure shell
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA


-----

Watch for world write permissions.

Have an /var/adm/inetd.sec file.

Make your system a trusted system.

You can do this stuff in a few days.

See attached doc on secure shell

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Caesar_3
Esteemed Contributor

‎07-11-2003 01:30 PM

‎07-11-2003 01:30 PM

Re: Securing a HPUX box....howto?

Hello!

From /etc/services remove the ports of
the wanted deamons (ftp, telnet)

For the remote check the /.rhosts and
edit it only to who you allow the connections.

Caesar
0 Kudos
Reply
Michael Tully
Honored Contributor

‎07-11-2003 02:38 PM

‎07-11-2003 02:38 PM

Re: Securing a HPUX box....howto?

You wish to secure your system.
Start with this document: http://people.hp.se/stevesk/bastion11.html

Then have a look at SEP's suggestions.

If you just wish to remove telnet and ftp you will need to install openssh so that you can connect to the system.

Making changes to /etc/inetd.conf
Place a '#' without the quotes in front of each line you wish to change, then save the file.

# inetd -c (will tell inetd to re-read the config file.
Anyone for a Mutiny ?
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎07-11-2003 02:49 PM

‎07-11-2003 02:49 PM

Re: Securing a HPUX box....howto?

Hi,

Disabling telnet and ftp can be done by commenting out the entries in /etc/inetd.conf. If they cause problems, you can restrict their access by using /var/adm/inetd.sec to only certain hosts.

Remote logins are disabled by commenting out by login,exec and shell services in inetd.conf.

You will need to restart inetd (inetd -c).

However, make sure you have other alternatives to access the server by installing openssh etc.,

Also try using bastille

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

It's free and it can help you quite a bit in tightening the system.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎07-11-2003 04:00 PM

‎07-11-2003 04:00 PM

Re: Securing a HPUX box....howto?

Mr. Tully,

Thank you for the compliment.

Do you have an alternate on that web site you posted. Its not resolving here.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎07-11-2003 04:19 PM

‎07-11-2003 04:19 PM

Re: Securing a HPUX box....howto?

Kevin Steves, the author of the Building a Bastion Host paper left HP some time ago and the paper was mode to a new location: http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/building_a_bastion_host.pdf

Another good resource is Chris Wong's book: HP-UX 11i Security. She will have a seminar at HP World next month.


Bill Hassell, sysadmin
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎07-11-2003 05:15 PM

‎07-11-2003 05:15 PM

Re: Securing a HPUX box....howto?

Hi,

The services you need to disable really depends on what you are using your HP-UX system for.

For instance, if you are using the HP-UX box only as a webserver, you can disable inetd entirely by disabling its equivalent S**inetd startup script to s**inetd in the system startup directories.

Both apache and ssh by default does not depend on inetd to startup. There are other services that do not depend on inetd to startup such as sendmail, lp etc. Do take notice of them when you are securing your system.

Hope this helps. Regards.

Steven Sim Kok Leong
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.