Operating System - HP-UX

Tracing connections from an HP system ....

 
Pyers Symon
Advisor

Tracing connections from an HP system ....

We are deeply concerned that our systems are being used as jumping off points by outside contractors in order to try and reach other machines within my company. The problem we are facing is trying to identify the use of commands such as ssh, telnet and ftp etc to leave our system. Auditing doesn't give this information - the SELF-AUDITING events deal with _incoming_ only and I cannot see how to record outgoing connections. I suppose I could put a cron onto netstat and watch that but it doesn't provide the information we need which is to link a user with an event. Any advice?
RobinKing
Valued Contributor

Re: Tracing connections from an HP system ....

Pyers

Have you tried IPFilter? http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

As an aside, I looked at something similar recently, however I was trying to prevent this leapfrogging as opposed to logging it, and unfortunately it's not as easy to implement as on Solaris. By amending the ACL to /dev/tcp and /dev/udp on Solaris you can stop users using many utilities such as telnet, SSH etc. Unfortunately HP-UX doesn't perform in the same way, and when I contacted HP for advice they claimed it "just didn't work like that".

Robin
Steven Schweda
Honored Contributor

Re: Tracing connections from an HP system ....

> [...] identify the use of commands such as
> ssh, telnet and ftp etc [...]

It's hardly a hermetic seal, but can you
audit the execution of the (obvious) client
executables for ssh, Telnet, ftp et c.? (Or
ACL them?)

An occasional scan of "netstat -a" output
might also be interesting.
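
Added example (not part of any post in this thread): one way to do the periodic `netstat` scan suggested above, separating outbound sessions from inbound ones by checking whether the local port is a listening port. It assumes `netstat -an` prints addresses as `a.b.c.d.port`; the function names and the sample output are constructed for illustration, and the result names no user, only the session.

```shell
#!/bin/sh
# Added example: classify ESTABLISHED TCP sessions in `netstat -an` text.
# Assumption: address columns look like a.b.c.d.port (as in the sample below).
WATCH_PORTS="21 22 23"   # ftp, ssh, telnet: the clients named in the thread

outbound_sessions() {
    # stdin: netstat -an text; stdout: "local_port remote_ip remote_port tag"
    awk -v watch="$WATCH_PORTS" '
    function port(addr,   n, p) { n = split(addr, p, "."); return p[n] }
    function host(addr,   s) { s = addr; sub(/\.[^.]*$/, "", s); return s }
    BEGIN { k = split(watch, w, " "); for (i = 1; i <= k; i++) watched[w[i]] = 1 }
    $1 !~ /^tcp/ { next }                       # skip headers and udp
    $NF == "LISTEN" { listening[port($4)] = 1; next }
    $NF == "ESTABLISHED" { loc[++count] = $4; rem[count] = $5 }
    END {
        for (i = 1; i <= count; i++) {
            lp = port(loc[i]); rp = port(rem[i])
            if (lp in listening) continue       # local service port: inbound
            tag = (rp in watched) ? "WATCHED" : "other"
            print lp, host(rem[i]), rp, tag
        }
    }'
}

sample_netstat() {
    # Constructed sample; addresses are from documentation ranges.
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.23                   *.*                    LISTEN
tcp        0      0  192.0.2.10.22          198.51.100.7.50112     ESTABLISHED
tcp        0      0  192.0.2.10.51877       192.0.2.44.22          ESTABLISHED
tcp        0      0  192.0.2.10.51902       192.0.2.45.23          ESTABLISHED
tcp        0      0  192.0.2.10.52010       192.0.2.46.1521        ESTABLISHED
udp        0      0  *.514                  *.*
EOF
}

# On a live system: netstat -an | outbound_sessions
sample_netstat | outbound_sessions
```

Run from cron with a timestamp prepended, the output gives a history of outbound sessions that can be compared against login records; short-lived sessions between two scans are missed.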
Pyers Symon
Advisor

Re: Tracing connections from an HP system ....

Problem is that auditing doesn't show you what program is being started up. It merely shows you that a fork and an exec has occurred. (I know that the PID is shown but for transient events this is useless.)
Shahul
Esteemed Contributor

Re: Tracing connections from an HP system ....

Hi,

If you know what program or port and the IP address, then you can block it by using ipfilter. It's freeware. If you don't know exactly the details, you can use netfmt to track down the connection coming and going. For more details "man netfmt".

Good luck
Shahul
Pyers Symon
Advisor

Re: Tracing connections from an HP system ....

We don't want to block - there are legitimate users who we trust who would use our systems to access other machines - but we do want to identify who is doing what. Auditing doesn't give the detail required - it will tell you whether a fork/exec has happened but doesn't say what the application was that was started.