
Security issue

 
Joeriz Agtay_3
Occasional Contributor

Security issue

a. How can I remove the initial info (below) when I try to access my host?

"HP-UX timk370 B.11.11 U 9000/898 (ta)"

b. How can I deny login of "root", the 1st time, from any connection except console?

Many thanks.
Nothing is impossible
5 REPLIES 5
Michael Tully
Honored Contributor

Re: Security issue

First change the /etc/issue file and place whatever you like. I just use the server name. Make sure that you update the /etc/inetd.conf file: at the end of the telnetd line add '-b /etc/issue', and add '-B /etc/issue' for the 'rlogind' line.
Restart inetd with 'inetd -c'.

If you want to disallow root as a direct login, create a file called /etc/securetty, insert the word console and save it.
Make sure the permissions and ownership of the file are root:root and 400.
Anyone for a Mutiny ?
T G Manikandan
Honored Contributor

Re: Security issue

a. /etc/issue

b.
# touch /etc/securetty
# chown root:bin /etc/securetty
# chmod 600 /etc/securetty
E. Wong
Frequent Advisor

Re: Security issue

It is always good to create an /etc/securetty file with only one line that says "console".

This will force any user trying to gain root access to run # su, which will then be logged in /var/adm/sulog.

As for removing the initial info, you may want to edit the /etc/issue file with a warning note something like: you are accessing a private network for authorized users only, etc.

compute, therefore you are
Bill Hassell
Honored Contributor

Re: Security issue

NOTE: If you spell the word console incorrectly, or use /dev/console in the /etc/securetty file, then root cannot login from *ANY* location (the same effect would occur if securetty is empty). But you can always use su - root to gain root access.

As far as the message in /etc/issue, be careful what you put there. That file is presented *prior* to login and authentication. It is a good idea NOT to identify the operating system and version or even the type of machine. A suggestion is to have just the simple hostname and perhaps (if your lawyers require it) a warning about access.


Bill Hassell, sysadmin
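
An added example, not part of any poster's reply: a POSIX shell check for the two points made in the replies above, that /etc/securetty holds exactly the word console with no group or other access, and that the pre-login banner does not name the OS, release or model. The function names, status strings and sample files are constructed for illustration; the banner patterns come from the banner quoted in the question.

```shell
#!/bin/sh
# Added example: audit a securetty file and a pre-login banner.
# Paths are arguments so the checks can be run against copies.

# Prints one of: ok, missing, empty, bad-entry, loose-mode
check_securetty() {
    f=$1
    [ -f "$f" ] || { echo missing; return 1; }
    # Keep non-blank lines only
    entries=$(grep -v '^[[:space:]]*$' "$f")
    [ -n "$entries" ] || { echo empty; return 1; }
    # Exactly one entry, spelled "console" (not /dev/console)
    [ "$entries" = "console" ] || { echo bad-entry; return 1; }
    # Group and other permission bits must all be clear (400 or 600)
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo loose-mode; return 1; }
    echo ok
}

# Prints one of: ok, missing, discloses
check_issue() {
    f=$1
    [ -f "$f" ] || { echo missing; return 1; }
    # OS name, release string (B.11.11) or model (9000/898)
    if grep -E 'HP-UX|B\.[0-9]+\.[0-9]+|9000/[0-9]+' "$f" >/dev/null; then
        echo discloses; return 1
    fi
    echo ok
}

# Constructed sample files in a scratch directory
demo() {
    d=$(mktemp -d) || return 1
    printf 'console\n' > "$d/securetty"; chmod 400 "$d/securetty"
    printf '/dev/console\n' > "$d/securetty.bad"; chmod 400 "$d/securetty.bad"
    printf 'HP-UX timk370 B.11.11 U 9000/898 (ta)\n' > "$d/issue"
    printf 'timk370\nAuthorized users only.\n' > "$d/issue.new"
    for n in securetty securetty.bad; do echo "$n: $(check_securetty "$d/$n")"; done
    for n in issue issue.new; do echo "$n: $(check_issue "$d/$n")"; done
    rm -rf "$d"
}
demo
```
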
Sridhar Bhaskarla
Honored Contributor

Re: Security issue

Hi,

The reason why security insists on removing the default banner is because it shows the system type as well as the OS.

The suggestions were already made to get you what you need.

However, there are other ways one can get the OS version and the system type. You will need to take care of them too.

1. ftp: Use the ftpaccess file. Look at the ftpaccess man page. Use "suppressversion" and "suppresshostname" with "banner" pointing to your customized warning message.

2. Sendmail: If you are running sendmail, you can turn this off by editing the /etc/mail/sendmail.cf file. Search for "GreetingMessage" and put two quotes after the = sign.

3. Turn off snmpd if you don't use it. If you send traps or use snmp to monitor anything, configure your snmpd.conf file with a non-default community name.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try