Security holes?

SOLVED
Tim Medford
Valued Contributor


We were recently audited and one of the things they did was run a series of scripts on the network to expose weaknesses in our Unix security.

All of our Unix servers are behind a firewall and accessed by internal customers only, so I haven't been overly concerned about locking things down.

They identified the following ports as being vulnerable. I don't even know what half of this stuff is or if I need it?? The Unix servers are used to run Oracle databases only. There are no other applications on them.

Pardon my networking ignorance, but is there a way to determine which of these are really in use and need to stay?

Thanks, Tim

echo (7/tcp) (Security warnings found)
discard (9/tcp)
daytime (13/tcp) (Security warnings found)
chargen (19/tcp) (Security warnings found)
ftp (21/tcp) (Security hole found)
telnet (23/tcp) (Security warnings found)
smtp (25/tcp) (Security hole found)
time (37/tcp) (Security notes found)
sunrpc (111/tcp) (Security notes found)
auth (113/tcp) (Security warnings found)
epmap (135/tcp) (Security warnings found)
hp-managed-node (382/tcp)
exec (512/tcp) (Security warnings found)
login (513/tcp)
shell (514/tcp) (Security warnings found)
printer (515/tcp) (Security notes found)
klogin (543/tcp)
kshell (544/tcp)
unknown (901/tcp) (Security notes found)
telnets (992/tcp) (Security notes found)
general/tcp (Security notes found)
unknown (49157/tcp) (Security hole found)
unknown (49153/udp) (Security hole found)
nfs (2049/tcp) (Security hole found)
sunrpc (111/udp) (Security notes found)
unknown (49152/tcp) (Security notes found)
unknown (49153/tcp) (Security notes found)
unknown (49156/udp) (Security notes found)
unknown (49154/tcp) (Security notes found)
unknown (49157/udp) (Security notes found)
unknown (49155/tcp) (Security notes found)
unknown (49158/udp) (Security warnings found)
lockd (4045/udp) (Security warnings found)
lockd (4045/tcp) (Security notes found)
unknown (49156/tcp) (Security notes found)
unknown (49167/udp) (Security hole found)
unknown (49729/udp) (Security notes found)
unknown (49272/tcp) (Security notes found)
nfsd (2049/udp) (Security hole found)
dtspc (6112/tcp) (Security hole found)
snmp (161/udp) (Security hole found)
xdmcp (177/udp) (Security warnings found)
unknown (32789/udp) (Security hole found)
epmap (135/udp) (Security notes found)
unknown (49190/udp) (Security notes found)
unknown (49159/tcp) (Security notes found)
unknown (49790/udp) (Security notes found)
unknown (49317/tcp) (Security notes found)
unknown (49793/udp) (Security notes found)
unknown (49319/tcp) (Security notes found)
echo (7/udp) (Security warnings found)
daytime (13/udp) (Security warnings found)
Michael Tully
Honored Contributor
Solution

Re: Security holes?

Hi Tim,

For starters, some of these vulnerabilities can be removed by simply denying the service from inetd.

vi /etc/inetd.conf
Place a comment in front of these services:
#bootps dgram udp wait root /usr/lbin/bootpd bootpd
#finger stream tcp nowait bin /usr/lbin/fingerd fingerd

#uucp stream tcp nowait root /usr/sbin/uucpd uucpd
#ntalk dgram udp wait root /usr/lbin/ntalkd ntalkd

#daytime stream tcp nowait root internal
#daytime dgram udp nowait root internal
#time stream tcp nowait root internal
#time dgram udp nowait root internal
#echo stream tcp nowait root internal
#echo dgram udp nowait root internal
#discard stream tcp nowait root internal
#discard dgram udp nowait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp nowait root internal

You could also comment out things like shell (remote remsh) and exec (rexecd) if they are not used.
Once the inetd file has been changed, you need to resubmit it.
# inetd -c

Cheers
Michael
Anyone for a Mutiny?
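Michael's inetd.conf edit, scripted. This is an added example and not code from the thread: it comments out a list of inetd services in an HP-UX-style inetd.conf, keeps a timestamped backup, leaves already-commented lines alone (so a second run does not produce "##echo"), and prints the diff so you can check the change before telling inetd to re-read the file with inetd -c. The sample inetd.conf it works on is constructed; the server paths (/usr/lbin/ftpd, /usr/lbin/remshd, /usr/lbin/rexecd) are the usual HP-UX locations and are assumptions here.

```shell
#!/bin/sh
# Comment out unneeded inetd services in an HP-UX-style inetd.conf and show
# the change before inetd is told to re-read it.  Added example, not code
# from the thread; the sample inetd.conf below is constructed, with server
# paths (/usr/lbin/...) assumed from the post above.

# disable_inetd_services FILE SERVICE...
# Print FILE with every active line whose first field is one of SERVICE
# commented out.  An inetd.conf entry looks like
#     service socktype proto wait|nowait user server [args]
# so matching on $1 disables both the "stream tcp" and "dgram udp" entries
# of a service.  Lines already starting with '#' pass through untouched,
# which makes a second run a no-op instead of producing '##echo ...'.
disable_inetd_services() {
    file=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/               { print; next }        # comment: leave as is
        NF >= 6 && ($1 in want)  { print "#" $0; next } # active entry to disable
                                 { print }              # everything else
    ' "$file"
}

# count_active FILE SERVICE -> number of uncommented entries for SERVICE
count_active() {
    awk -v s="$2" '!/^[ \t]*#/ && $1 == s { c++ } END { print c + 0 }' "$1"
}

# apply_inetd_change CONF SERVICE...
# Back CONF up, rewrite it in place and print the diff.  The reload itself
# (inetd -c on HP-UX) is left to the caller so the function is safe to run
# against a copy of the file first.
apply_inetd_change() {
    conf=$1; shift
    backup="$conf.$(date +%Y%m%d%H%M%S).bak"
    cp "$conf" "$backup"
    disable_inetd_services "$backup" "$@" > "$conf.new" && mv "$conf.new" "$conf"
    echo "== $conf changed (backup in $backup) =="
    diff "$backup" "$conf" || :   # diff exits 1 when the files differ; expected here
}

# --- demo on a constructed inetd.conf ---------------------------------------
demo_dir=${TMPDIR:-/tmp}/inetd_demo.$$
mkdir -p "$demo_dir"
cat > "$demo_dir/inetd.conf" <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
shell   stream tcp nowait root /usr/lbin/remshd  remshd
exec    stream tcp nowait root /usr/lbin/rexecd  rexecd
echo    stream tcp nowait root internal
echo    dgram  udp nowait root internal
discard stream tcp nowait root internal
discard dgram  udp nowait root internal
daytime stream tcp nowait root internal
daytime dgram  udp nowait root internal
chargen stream tcp nowait root internal
chargen dgram  udp nowait root internal
time    stream tcp nowait root internal
time    dgram  udp nowait root internal
#finger stream tcp nowait bin  /usr/lbin/fingerd fingerd
EOF
# the "small services" the scanner flagged, plus remsh/rexec if nobody uses them
apply_inetd_change "$demo_dir/inetd.conf" echo discard daytime chargen time shell exec
echo "active ftp entries left: $(count_active "$demo_dir/inetd.conf" ftp)"
echo "now run:  inetd -c     (HP-UX: make inetd re-read /etc/inetd.conf)"
rm -rf "$demo_dir"
```

Only services that actually have an inetd.conf entry can be switched off this way. To see which of the scanner's findings inetd owns at all, map the port to its name in /etc/services and grep that name in inetd.conf; anything without an active entry there (sendmail on 25, the portmapper on 111, nfsd and lockd, snmpd) is a standalone daemon and is stopped through its own startup script, not through inetd.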
Michael Tully
Honored Contributor

Re: Security holes?

Tim,

Here is a good discussion on a similar item.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xb7aae7613948d5118fef0090279cd0f9,00.html

Cheers
Michael
Anyone for a Mutiny?
John Poff
Honored Contributor

Re: Security holes?

Hi,

If you aren't sure what process is using some of those higher numbered ports [49152..], you can use lsof to see which processes have them open. You can get a copy of lsof from here:

ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

As for the rest of them, you have to balance your security needs against your functionality. For example, it might be a problem to have the port open for telnet, but if you need telnet you have to use it. Michael gave a good list of some ports that really aren't used and can be disabled.

JP
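John's lsof suggestion, worked through. This is an added example, not code from the thread: it takes the output of lsof -nP -i and rpcinfo -p and, for each of the scanner's "unknown (49153/udp)" style lines, reports which process owns the port and, where one exists, which RPC program is registered on it. The high ports sitting next to sunrpc, lockd and nfs in the scan are typically RPC services (statd, mountd) that the portmapper assigns dynamically, so rpcinfo is the quicker lookup for those and lsof covers the rest. The lsof and rpcinfo samples written by write_samples are constructed, with invented PIDs and device numbers; because the lsof TYPE column and rpcinfo column spacing vary by platform, the parsers key off the NAME field and the port column rather than fixed positions.

```shell
#!/bin/sh
# Map "unknown (49153/udp)" scanner findings to an owning process (lsof) and,
# where one exists, an RPC registration (rpcinfo).  Added example, not code
# from the thread.  On a live host the inputs come from
#     lsof -nP -i  > lsof.txt
#     rpcinfo -p   > rpcinfo.txt
# The two samples written by write_samples are constructed (PIDs and device
# numbers invented), modelled on the ports in the scan above.

write_samples() {   # write_samples DIR -> DIR/lsof.txt and DIR/rpcinfo.txt
    cat > "$1/lsof.txt" <<'EOF'
COMMAND     PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
rpcbind     812   root    4u  inet 0x4b2a1      0t0  TCP *:111 (LISTEN)
rpcbind     812   root    5u  inet 0x4b2a2      0t0  UDP *:111
rpc.statd   988   root    6u  inet 0x4b2a3      0t0  UDP *:49153
rpc.statd   988   root    7u  inet 0x4b2a4      0t0  TCP *:49152 (LISTEN)
rpc.lockd  1033   root    6u  inet 0x4b2a5      0t0  UDP *:4045
nfsd        990   root    3u  inet 0x4b2a6      0t0  UDP *:2049
rpc.mountd 1041   root    4u  inet 0x4b2a7      0t0  UDP *:49167
tnslsnr    2207 oracle   12u  inet 0x4b2a8      0t0  TCP *:1521 (LISTEN)
EOF
    cat > "$1/rpcinfo.txt" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  49153  status
    100024    1   tcp  49152  status
    100021    4   udp   4045  nlockmgr
    100003    3   udp   2049  nfs
    100005    3   udp  49167  mountd
EOF
}

# lsof_owner LSOF_FILE PORT PROTO -> "command[pid]", or nothing if no listener.
# Keys off the NAME field (host:port, possibly followed by "(LISTEN)") and the
# NODE field before it, so column widths and the TYPE value do not matter.
lsof_owner() {
    awk -v port="$2" -v proto="$3" '
        NR == 1 { next }                       # header line
        {
            name = $NF; node = $(NF - 1)
            if (name == "(LISTEN)") { name = $(NF - 1); node = $(NF - 2) }
            n = split(name, h, ":")            # last ":"-separated piece is the port
            if (h[n] == port && tolower(node) == proto) { print $1 "[" $2 "]"; exit }
        }' "$1"
}

# rpc_program RPCINFO_FILE PORT PROTO -> "service (prog NNNNNN)", or nothing.
# A registration with an empty service column is reported as "unnamed".
rpc_program() {
    awk -v port="$2" -v proto="$3" '
        $1 == "program" { next }               # header line
        $3 == proto && $4 == port {
            svc = ($5 == "") ? "unnamed" : $5
            print svc " (prog " $1 ")"; exit
        }' "$1"
}

# explain_port DIR PORT PROTO -> one summary line combining both sources
explain_port() {
    owner=$(lsof_owner "$1/lsof.txt" "$2" "$3")
    rpc=$(rpc_program "$1/rpcinfo.txt" "$2" "$3")
    desc=""
    [ -n "$owner" ] && desc="process $owner"
    [ -n "$rpc" ] && desc="${desc:+$desc, }RPC $rpc"
    [ -n "$desc" ] || desc="no listener now (ephemeral port or service stopped; rescan before closing the finding)"
    printf '%s/%s: %s\n' "$2" "$3" "$desc"
}

# explain_findings DIR < scanner-list
# Accepts the scanner's lines as pasted above, e.g.
#     unknown (49153/udp) (Security hole found)
explain_findings() {
    sed -n 's/^[^(]*(\([0-9]*\)\/\([a-z]*\)).*/\1 \2/p' |
    while read port proto; do explain_port "$1" "$port" "$proto"; done
}

# --- demo -------------------------------------------------------------------
demo_dir=${TMPDIR:-/tmp}/portmap_demo.$$
mkdir -p "$demo_dir"
write_samples "$demo_dir"
printf '%s\n' \
    'unknown (49153/udp) (Security hole found)' \
    'unknown (49152/tcp) (Security notes found)' \
    'lockd (4045/udp) (Security warnings found)' \
    'unknown (49167/udp) (Security hole found)' \
    'unknown (49157/tcp) (Security hole found)' |
explain_findings "$demo_dir"
rm -rf "$demo_dir"
```

A port that appears in the scan but has no owner at the time you look is worth a second scan rather than a shrug: RPC services and client-side connections come and go between restarts, and the audit finding only goes away when the listener is gone for good.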