02-03-2011 02:50 AM
Unix Services Not essential
I am trying to lock my system down. I did a port scan and I have several ports open. I am not sure which ones I can block and not stop the system from functioning properly.
I am using a minimalistic approach.
These are the ports currently open.
I only need ssh, rlogin, rsh, ftp.
PORT STATE SERVICE VERSION
7/tcp open echo
9/tcp open discard?
13/tcp open daytime HP-UX daytime
19/tcp open chargen
21/tcp open ftp (Generally vsftp or WU-FTPD)
22/tcp open ssh OpenSSH 5.3p1+sftpfilecontrol-v1.3-hpn13v5 (protocol 1.99)
23/tcp open telnet HP-UX telnetd
37/tcp open time?
111/tcp open rpcbind 2-4 (rpc #100000)
135/tcp open msrpc?
512/tcp open exec HP-UX rexecd
513/tcp open login
514/tcp open tcpwrapped
543/tcp open klogin?
544/tcp open shell HP-UX Remshd (Kerberos disabled)
2121/tcp open ccproxy-ftp?
2301/tcp open http HP System Management Homepage
4045/tcp open nlockmgr 1-4 (rpc #100021)
5989/tcp open ssl/http Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
49152/tcp open status 1 (rpc #100024)
Help! please
02-03-2011 05:57 AM
Re: Unix Services Not essential
You can edit the /etc/inetd.conf file and comment out any of the services in there that you don't need and then issue an "inetd -c" to reread the configuration file. If you find out you need a service then uncomment the entry and rerun the inetd -c.
Rick
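The edit Rick describes, done as a script rather than by hand, as an added example (not code from the thread or from HP). It comments out every active inetd.conf entry whose service name is not on a keep-list, writes the result to a separate file so you can diff it before copying it over /etc/inetd.conf and running "inetd -c", and is idempotent (already-commented lines pass through untouched). The sample inetd.conf is constructed for the example; on HP-UX the RPC-based entries start with the literal word "rpc" in field one, so "rpc" on the keep-list keeps all of them and leaving it off drops all of them. Note what this cannot do: sshd, rpcbind, SMH on 2301 and the WBEM cimserver on 5989 are not started by inetd, so they stay open after "inetd -c" and have to be handled under /etc/rc.config.d or /sbin/rc*.d.

```shell
#!/bin/sh
# Added example, not from the original post: harden an HP-UX style inetd.conf
# against a keep-list. Paths below are scratch files; on a real system you would
# pass /etc/inetd.conf as the source and install the result, then run "inetd -c".

# Constructed sample in HP-UX inetd.conf layout:
#   service socket proto wait/nowait user server args
make_sample_inetd_conf() {            # $1 = file to create
    cat > "$1" <<'EOF'
# HP-UX inetd.conf (constructed sample for the example)
ftp      stream tcp nowait root /usr/lbin/ftpd     ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd  telnetd
# tftp   dgram  udp wait   root /usr/lbin/tftpd    tftpd
login    stream tcp nowait root /usr/lbin/rlogind  rlogind
shell    stream tcp nowait root /usr/lbin/remshd   remshd
exec     stream tcp nowait root /usr/lbin/rexecd   rexecd
daytime  stream tcp nowait root internal
chargen  stream tcp nowait root internal
echo     stream tcp nowait root internal
discard  stream tcp nowait root internal
finger   stream tcp nowait bin  /usr/lbin/fingerd  fingerd
rpc      stream tcp nowait root /usr/dt/bin/rpc.ttdbserver 100083 1 rpc.ttdbserver
EOF
}

# Write $2 from $1, commenting out every active entry whose first field is not
# in the space-separated keep-list $3. Comments and blank lines are kept as-is,
# so running this twice gives the same file.
harden_inetd_conf() {                 # $1 = source, $2 = destination, $3 = "svc svc ..."
    awk -v keep=" $3 " '
        /^[ \t]*(#|$)/ { print; next }          # comment or blank: pass through
        {
            if (index(keep, " " $1 " ") > 0) { print; next }   # wanted service
            print "# " $0                       # disabled by hardening pass
        }' "$1" > "$2"
}

# List the service names still active in an inetd.conf, space-separated.
enabled_services() {                  # $1 = inetd.conf to inspect
    awk '!/^[ \t]*(#|$)/ { printf "%s%s", sep, $1; sep = " " } END { print "" }' "$1"
}

# Stand-alone demo: sh harden_inetd.sh --demo
case "${1-}" in
--demo)
    work=$(mktemp -d)
    make_sample_inetd_conf "$work/inetd.conf"
    harden_inetd_conf "$work/inetd.conf" "$work/inetd.conf.new" "ftp login shell"
    echo "still enabled: $(enabled_services "$work/inetd.conf.new")"
    diff "$work/inetd.conf" "$work/inetd.conf.new" || true
    rm -r "$work"
    ;;
esac
```

Keep the keep-list to the names in the first column of inetd.conf, not the nmap service names: the scan above reports port 544 as "shell" and 513 as "login", which match, but 21 shows as "ftp" while a Kerberized host would also carry "kshell" and "klogin" as separate inetd entries.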
02-04-2011 12:30 PM
Re: Unix Services Not essential
Then the answer is easy. You can implement airgap security (which means unplug all the LAN cables and modems). Now go to the console (using the RS-232 serial port) and you'll be completely secure (lock the door behind you).
Or you can edit /etc/inetd.conf and comment EVERYTHING. Then run inetd -c to reread the new file. That will disable ftp, telnet, web pages, network file sharing, network printing, etc. If you don't want ssh, then disable sshd in the /etc/rc.config.d directory. Now rerun the port scan. While you're in the /etc/rc.config.d directory, disable all the SNMP files.
Now both of these are drastic but meet the requirement to be minimalistic (and secure too). Of course, the best procedure is comment everything you don't need. Notice I didn't say "kernel needs". The system will be quite happy without any network services. You have to decide if you are going to transfer files and/or connect over the network. Most sysadmins comment out the legacy (deprecated) services:
daytime chargen time echo discard uucp ntalk finger
and the high risk 'r' commands:
login shell exec
and the obscure services:
kshell klogin ncpm-pm ncpm-hip
and the Xwindow junk:
recserv dtspc rpc
Now you have to decide on services that you might need. No printing? drop "printer" No NFS? Drop the rpc daemons. Not using the system as an Ignite network server or other boothelper? Drop "tftp", "auth" and "bootps". Are you going to use ssh? Then drop "telnet" and "ftp".
Additionally some processes may be started from /etc/rc.config.d like TCPwrappers, SMH, and WBEM. Be careful though. Some of the newer add-ins defy the HP-UX standard and don't have a standard configure script. These are ppp, pppoe, cim_server, icod, net-ipv6, and pfilboot. You'll have to comment these rogues out in the appropriate /sbin/rc directories. To make them visible (for future sysadmins), I change the name of the links like this:
/sbin/rc2.d/__S130pfilboot /sbin/rc2.d/__S522ppp /sbin/rc2.d/__S600cimserver
/sbin/rc2.d/__S340net-ipv6 /sbin/rc2.d/__S523pppoe /sbin/rc2.d/__S602icod
Now the links will not be called because they don't start with "S".
Bill Hassell, sysadmin
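The link renaming Bill describes, scripted so it can be applied to a list of services and undone, as an added example (not code from the thread or from HP). /sbin/rc only runs links in /sbin/rcN.d whose basename starts with "S", so renaming S600cimserver to __S600cimserver leaves the link in place for the next admin to see but stops it from being run. The example builds a throwaway rc2.d tree so it runs anywhere; the script names and S-numbers for pfilboot, net-ipv6, ppp and cimserver are the ones in the post, while the sshd link (S730sshd) is constructed for the demo and is not the real HP-UX name or number. It does not touch the matching K (kill) links, which on HP-UX live in the rc directory of the level below, so a service disabled this way will simply never be started and never need stopping.

```shell
#!/bin/sh
# Added example, not from the original post: disable HP-UX rc start links by
# renaming /sbin/rcN.d/S###name to /sbin/rcN.d/__S###name, and undo it again.
# The sample tree below is constructed; on HP-UX pass /sbin/rc2.d instead.

make_sample_rc2d() {                  # $1 = scratch root to build sbin/ under
    root=$1
    mkdir -p "$root/sbin/init.d" "$root/sbin/rc2.d"
    for s in pfilboot net-ipv6 ppp cimserver sshd; do
        printf '#!/bin/sh\necho %s "$1"\n' "$s" > "$root/sbin/init.d/$s"
        chmod 755 "$root/sbin/init.d/$s"
    done
    ln -s ../init.d/pfilboot  "$root/sbin/rc2.d/S130pfilboot"   # numbers from the post
    ln -s ../init.d/net-ipv6  "$root/sbin/rc2.d/S340net-ipv6"
    ln -s ../init.d/ppp       "$root/sbin/rc2.d/S522ppp"
    ln -s ../init.d/cimserver "$root/sbin/rc2.d/S600cimserver"
    ln -s ../init.d/sshd      "$root/sbin/rc2.d/S730sshd"       # constructed, not HP-UX's name
}

# Rename the start link(s) for each named script so rc skips them.
# The glob is anchored on both sides, so "ppp" does not match "pppoe".
disable_rc_start() {                  # $1 = rc dir, $2.. = script names
    dir=$1; shift
    for name in "$@"; do
        found=0
        for link in "$dir"/S[0-9][0-9][0-9]"$name"; do
            [ -L "$link" ] || [ -e "$link" ] || continue   # unmatched glob
            found=1
            base=$(basename "$link")
            mv "$link" "$dir/__$base"
            echo "disabled $base -> __$base"
        done
        [ $found -eq 1 ] || echo "no start link for $name in $dir" >&2
    done
}

# Undo: strip the "__" prefix so the link is active again.
enable_rc_start() {                   # $1 = rc dir, $2.. = script names
    dir=$1; shift
    for name in "$@"; do
        for link in "$dir"/__S[0-9][0-9][0-9]"$name"; do
            [ -L "$link" ] || [ -e "$link" ] || continue
            base=$(basename "$link")
            mv "$link" "$dir/${base#__}"
        done
    done
}

# Start links rc would still run, space-separated, in start order.
active_rc_starts() {                  # $1 = rc dir
    sep=""
    for l in "$1"/S*; do
        [ -L "$l" ] || continue
        printf '%s%s' "$sep" "$(basename "$l")"; sep=" "
    done
    echo
}

# Stand-alone demo: sh rc_disable.sh --demo
case "${1-}" in
--demo)
    work=$(mktemp -d)
    make_sample_rc2d "$work"
    disable_rc_start "$work/sbin/rc2.d" pfilboot ppp cimserver
    echo "rc would still start: $(active_rc_starts "$work/sbin/rc2.d")"
    rm -r "$work"
    ;;
esac
```

After disabling, rerun the port scan as the post says: pfilboot, ppp and the cimserver (port 5989 in the scan above) are rc-started, so this is the step that actually closes them, not the inetd.conf edit.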
02-04-2011 03:10 PM
Re: Unix Services Not essential
A less than minimalistic approach which accomplishes this and much more is to harden your server with Bastille:
http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c02281370/c02281370.pdf
Regards!
...JRF...
02-11-2011 12:58 AM