Operating System - HP-UX

Re: security for servers in DMZ

Crystal_1
Frequent Advisor

security for servers in DMZ

Hi, I have a question and want your comments:

How to secure a ftp server in DMZ (Demilitarized Zone)? With wu-ftpd, we can have useful features to protect the server. However, as we know, a secure network depends on cryptography. How can we assure the data during the transmission without being hacked? Or even, the password can't be hacked?

Tx, Crystal
hpuxrox
Respected Contributor

Re: security for servers in DMZ

Crystal,

Take a look at ssh for safe and secure ftp access. Information can be found at www.openssh.org. The software depot can be downloaded from

http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-3.1p1/

-Yates
Steven Sim Kok Leong
Honored Contributor

Re: security for servers in DMZ

Hi,

You can use SFTP (which runs on top of SSH) to encrypt your file transfer traffic as well as authenticate client and server.

You can get a copy from:

ftp://ftp.ssh.fi/pub/ssh

Hope this helps. Regards.

Steven Sim Kok Leong
Michael Tully
Honored Contributor

Re: security for servers in DMZ

Hi,

Other than what has been mentioned already about using 'openssh' (highly recommended), you should also look at making sure that your server is secure.

Have a look at this link for information on creating a bastion server. Please note that most of the patches are outdated.

http://people.hp.se/stevesk/bastion11.html

Also the next link provides some valuable information. Please see the comments made by Bill Hassell.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x4499e7e60861d511abcd0090277a778c,00.htm

Cheers
~Michael~



Anyone for a Mutiny?
Steven Sim Kok Leong
Honored Contributor

Re: security for servers in DMZ

Hi,

If you are looking at hardening your HP-UX server, the best HP-UX hardening document (i.e. HP-UX Benchmark v1.0.3) I have seen comes from the Center for Internet Security:

http://www.cisecurity.org

It is very detailed and excellent, caters for HP-UX 10.20, HP-UX 11.X as well as specifics for HP-UX 11i. A must see.

Hope this helps. Regards.

Steven Sim Kok Leong
Darrell Allen
Honored Contributor

Re: security for servers in DMZ

Hi Crystal,

You do well to think about the password being snooped. Using sftp (from either ssh or openssh) will encrypt the loginid, password, as well as everything else sent between the client and server.

If not sftp, you should consider using something like RSA's SecurID and ACE/Server solution. With these, a unique token must be entered for each connection being made.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Bill Hassell
Honored Contributor

Re: security for servers in DMZ

Securing any computer directly connected to the open Internet is a long task. The safest starting point you can take is to turn off *every* service in /etc/inetd.conf (comment out the services). Then run inetd -c and you'll be safe for the moment...

Of course, you will no longer be able to communicate with the server through telnet either so you'll have to use the console until you enable telnet. You need to follow *all* the steps in the Building a Bastion Host paper mentioned in:

http://people.hp.se/stevesk/bastion11.html

and then add the ssh package. Now remember that using Secure FTP requires that anyone sending or receiving data from this server must *also* have an ssh package installed or they will have to use standard ftp--which is not encrypted. That will only protect the data being transferred.

To protect the server itself, you'll need to lock down the server by following the procedure listed above for a Bastion Host. The steps are lengthy but are required in order to prevent hackers from exploiting holes in the system. Read the man page about inetd.sec to further control access rights. And immediately disconnect your system if you have not applied the latest Support Plus patch bundles (2 sets). You need to sign up for the security patch notification service from HP (everyone should do this). Do this on the ITRC at itrc.hp.com, then in the first orange box, click on:

more...

You'll be taken to the patch bundle location (in case you don't have the latest Support Plus CDROM) where you can download patch bundles. And at the bottom of that page, you'll see:

Notifications

Click on: support information digests

And sign up for HP-UX Security digest.

Finally, get the book on HP-UX Security called (oddly enough):

"HP-UX 11i Security"
by Chris Wong

The majority of the book applies to 11.0 as well as 11i but 10.20 users will also find it very useful.


Bill Hassell, sysadmin
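The "comment out every service, then re-enable only what you need" step above is easy to get wrong by hand. The script below is an added example (not code from the thread or from HP) that works on a constructed copy of an HP-UX style /etc/inetd.conf: it lists which services are still enabled, writes a hardened copy with everything commented out except an explicit allow-list, and appends an inetd.sec allow rule so the surviving service is reachable only from the networks you name. The inetd.sec line format (service, allow/deny, addresses) is taken from my recollection of the HP-UX inetd.sec man page; the sample configuration, the file paths and the "ftp" allow-list are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit and lock down
# inetd services on a sample copy of /etc/inetd.conf.

# Constructed sample of an HP-UX style inetd.conf (not a real host's file).
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Sample /etc/inetd.conf (constructed for illustration only)
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
EOF
}

# Print the names of services that are still enabled, i.e. lines that are
# neither comments nor blank (a real service line has at least six fields).
list_enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Write a hardened copy of $1 to $2: every active service line is commented
# out unless its name appears in the space-separated allow-list $3.
# An empty allow-list reproduces the "turn off *every* service" state.
harden_inetd_conf() {
    src="$1"; dst="$2"; keep="$3"
    awk -v keep="$keep" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }   # keep comments and blanks as-is
        ($1 in allow)        { print; next }   # explicitly allowed service
                             { print "#" $0 }  # everything else: disabled
    ' "$src" > "$dst"
}

# Append an inetd.sec allow rule for one service, restricting it to the
# given hosts/networks. Format as recalled from the HP-UX inetd.sec man page
# (assumption): "<service> allow|deny <addresses...>". Verify on your release.
write_inetd_sec_rule() {
    service="$1"; addresses="$2"; secfile="$3"
    printf '%s allow %s\n' "$service" "$addresses" >> "$secfile"
}

# Demonstration on a temporary directory. On a real host you would edit
# /etc/inetd.conf and /var/adm/inetd.sec themselves and then run
# /usr/sbin/inetd -c so that inetd re-reads its configuration.
demo_dir=$(mktemp -d)
make_sample_inetd_conf "$demo_dir/inetd.conf"
echo "enabled before hardening:"
list_enabled_services "$demo_dir/inetd.conf"
harden_inetd_conf "$demo_dir/inetd.conf" "$demo_dir/inetd.conf.new" "ftp"
echo "enabled after hardening (ftp kept):"
list_enabled_services "$demo_dir/inetd.conf.new"
write_inetd_sec_rule ftp "10.1.2.* 10.1.3.*" "$demo_dir/inetd.sec"
echo "inetd.sec rule:"
cat "$demo_dir/inetd.sec"
```

Run it once against the sample to see the before/after list, then point the functions at the real files only after you have console access, since the hardened copy disables telnet and rlogin along with everything else not on the allow-list.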

Re: security for servers in DMZ

Hi,

As an alternative to the ssh/sftp options you could look at IPSEC/9000, which you can download for free from here:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J4256AA

Good thing about this product is that if you already have HP s/w support on your server, this gets supported too.

Obviously your remote end also has to talk IPSEC, but I think this is a no cost extra in w2k and higher anyway.

Cheers

Duncan

I am an HPE Employee
Shannon Petry
Honored Contributor

Re: security for servers in DMZ

Like others have said, password snooping is very possible with FTP, as well as a lack of data encryption. One has to simply grab and re-assemble the packets and they have your data. (Not as easy as it sounds, but possible nonetheless.)

wu-ftpd also has several security issues, even when set up correctly. (part of being a popular/widely used program).

I myself prefer running OpenSSH and sftp. Since most of my clients can not run the same, I have only 2 other options.
1. proftpd (www.proftpd.org).
2. Apache with SSL and not use FTP.

The document on hardening is very important. So many people make simple oversights in hardening, i.e. shutting down NFS but leaving telnet open.

Good luck!
Shannon
Microsoft. When do you want a virus today?