HPE Community
Operating System - HP-UX
1826614 Members
2795 Online
109695 Solutions
New Discussion

Re: TFTP security and Ignite/Make Recovery configuration

 
SOLVED
Go to solution
Tor-Arne Nostdal
Trusted Contributor

‎11-05-2001 06:59 AM

‎11-05-2001 06:59 AM

TFTP security and Ignite/Make Recovery configuration

Normally TFTP is considered a security threath.

When using make_recovery / Ignite - I need to have an entry in /etc/inetd.conf
tftp dgram udp wait root /usr/lbin/tftpd tftpd /opt/ignite /var/opt/ignite

Couldn't this be a real security hole?
Should I disable the tftp and only enable it manually while recovering interactively from an Ignite tape...?
I'm trying to become President of the state I'm in...
0 Kudos
Reply
7 REPLIES 7
Craig Rants
Honored Contributor

‎11-05-2001 07:03 AM

‎11-05-2001 07:03 AM

Re: TFTP security and Ignite/Make Recovery configuration

You could lock down access to tftp through your /var/adm/inetd.sec file. This will allow you to advertise tftp for ignite purposes but maintain some security controls.

Good Luck.
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎11-05-2001 07:06 AM

‎11-05-2001 07:06 AM

Re: TFTP security and Ignite/Make Recovery configuration

It depends. Is your machine on the INTERNET? Is your local LAN suspect *do you have employees that want to destroy your machines?)?? If the anwser is no, then don't worry about it. If the answer is yes, then disconnect the server from the internet or your local untrusted lan.


live free or die
harry
Live Free or Die
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎11-05-2001 07:10 AM

‎11-05-2001 07:10 AM

Re: TFTP security and Ignite/Make Recovery configuration

From this site:

http://people.hp.se/stevesk/

http://people.hp.se/stevesk/bastion11.html
http://people.hp.se/stevesk/bastion10.html

choose either 11 or 10 docs on how to secure a server. ANYTIME you have a server connected to the Internet or to an UNTRUSTED network, then you should disconnect it while you are building or upgrading a server.

live free or die
harry

Live Free or Die
Reply
Patrick Wallek
Honored Contributor

‎11-05-2001 07:16 AM

‎11-05-2001 07:16 AM

Solution

Re: TFTP security and Ignite/Make Recovery configuration

As far as I know tftp is just used when you are doing a make_net_recovery and / or recovering a system over the network from a make_net_recovery image.

If you are just using make_recovery / make_tape_recovery locally on a machine you should be able to turn off tftp and have no problems with your make_tape_recovery's running.
Reply
Tor-Arne Nostdal
Trusted Contributor

‎11-05-2001 07:21 AM

‎11-05-2001 07:21 AM

Re: TFTP security and Ignite/Make Recovery configuration

The system is behind a firewall - so in general I would only protect it from Internal people...
Craig: Thanks for the inetd.sec tip - It seems as a good place to begin (though I have read about it).
Harry: Thanks for the links - I will use it for investigating further. Sometimes it seems that the internal policy requires a "Bastion" setup even though it's behind a firewall.
I'm trying to become President of the state I'm in...
0 Kudos
Reply
Tor-Arne Nostdal
Trusted Contributor

‎11-05-2001 07:28 AM

‎11-05-2001 07:28 AM

Re: TFTP security and Ignite/Make Recovery configuration

I'll use Patrick's solution.
This removes the potential danger completely - though I by this removes a neat feature...
It isn't that often I need the Ignite tape ;-)
I'm trying to become President of the state I'm in...
0 Kudos
Reply
Ralf Hildebrandt
Valued Contributor

‎11-05-2001 11:27 AM

‎11-05-2001 11:27 AM

Re: TFTP security and Ignite/Make Recovery configuration

YOu can wrap the tfpd using tcp_wrappers and have that perform checks that exceed the crap inetd.sec can do by far.

www.porcupine.org
is the place to go.
Postfix/BIND/Security/IDS/Scanner, you name it...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.