Operating System - HP-UX

What should be looked into

Faizer
Advisor

My security administrator has informed me that he wants to have my server in the DMZ. He has requested me to provide him with the OS ports that need to be opened to access the servers.
Please provide me a guideline and the ports that need to be blocked.
Thanks
Faizer
Sridhar Bhaskarla
Honored Contributor

Re: What should be looked into

Hi Faizer,

A good idea is to block all the ports and open only the ones that are needed. There are ports that are needed for the system to function and the ports that are required for your application to operate. Most of the ports can be found in /etc/services. Many of them listed in /etc/inetd.conf can be turned off. Standard telnet/ftp/rlogin/rcp/rexec/remsh commands can be replaced with more secure ssh/scp/sftp that you can download from software.hp.com site.

You can find all the open *TCP* ports on the system using 'netstat -an | grep LISTEN'. Without -n, netstat will display the port name instead of the number, but it may take quite a while.

Quite a few services like r-commands, tftp, and CDE/X-related services can be turned off with inetd.conf.

You can get a good idea with HP's bastille tool. You can download it from the following site.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
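As an added example (not part of Sri's reply or any HP tool), a small POSIX shell script that applies the method above to constructed samples of HP-UX `netstat -an` output and `/etc/inetd.conf`: it lists the listening TCP ports, compares them against an assumed allow-list (only ssh here) to produce the candidate block list, and shows which inetd services are still enabled. The sample data and the allow-list are assumptions.

```shell
#!/bin/sh
# Constructed sample of HP-UX 'netstat -an' output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.21                   *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.23                   *.*                    LISTEN
tcp        0      0  *.513                  *.*                    LISTEN
tcp        0      0  127.0.0.1.49152        *.*                    LISTEN
tcp        0      0  10.0.0.5.22            10.0.0.9.53012         ESTABLISHED
udp        0      0  *.514                  *.*'

# Constructed excerpt of /etc/inetd.conf (assumed daemon paths; not a real config).
SAMPLE_INETD='# inetd.conf excerpt
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
#tftp  dgram  udp wait   root /usr/lbin/tftpd   tftpd
login  stream tcp nowait root /usr/lbin/rlogind rlogind
#shell stream tcp nowait root /usr/lbin/remshd  remshd'

# Ports the firewall request should allow (assumption: only ssh).
ALLOWED_PORTS="22"

# listening_ports: distinct TCP ports in LISTEN state, sorted, from netstat -an on stdin.
# HP-UX prints the local address as addr.port, so the port is the last dot-separated field.
listening_ports() {
    awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, "[.]"); print a[n] }' \
        | sort -n | uniq
}

# unexpected_ports: listening ports not on the allow list; these are the ones to
# shut down on the host or to hand to the security team as the block list.
unexpected_ports() {
    listening_ports | while read -r port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# enabled_inetd_services: service names inetd will still start (non-comment lines).
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }'
}

echo "Listening TCP ports not on the allow list:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports
echo "Services still enabled in inetd.conf:"
printf '%s\n' "$SAMPLE_INETD" | enabled_inetd_services
```

On a real host, replace the samples with `netstat -an` and `cat /etc/inetd.conf` piped into the same functions.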
Bill Hassell
Honored Contributor

Re: What should be looked into

Placing a production server into a DMZ is a pretty significant risk. The first step is to harden your system BEFORE placing it into a DMZ. While the DMZ border routers can block selected ports, each open port to your server is a potential security risk. So start by switching your system to Trusted level security (use SAM), then run Bastille to shutdown unnecessary features and set stringent security policies.

As far as specific ports related to applications that you run on your server, these should be documented with the applications. Additionally, download a copy of lsof to document active ports (http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.70/).


Bill Hassell, sysadmin
Michael Tully
Honored Contributor

Re: What should be looked into

We have a few systems in a DMZ. It is not that difficult as long as you have a plan that revolves around setting up your system as a bastion server, Bastille, trusted system and blocking off ports. Access to the system is done via OpenSSH. This means that you block off telnet (port 23) and ftp (port 21); OpenSSH can be used for both. There are plenty of posts about this subject. Use the search engine for further suggestions and pointers.

bastion document:
http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/building_a_bastion_host.pdf

bastille:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA
Anyone for a Mutiny?
Steven E. Protter
Exalted Contributor

Re: What should be looked into

Bastille
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

BIND latest version if you use it
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=BIND9.2

Secure Shell (doc attached)
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

Host Intrusion Detection System
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5083AA

IPSec
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4256AA

TCP Wrapper
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=TCPWRAP

Internet Express (includes Perl)
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

Perl by itself
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

That's just the software.

I have tracked over 5,000 failed intrusion attempts on an HP-9000 server that I use as a firewall and experimental server.

This is a big job you have been assigned.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: What should be looked into

Missed on:

IPFilter firewall.
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

Oh how I wish someone would port iptables to HP-UX

SEP
Steven E Protter
Faizer
Advisor

Re: What should be looked into

Thank you everyone...
I will be getting back to you all once again when the time comes.
Hope I will be helped again on the same topic...
best regards
Faizer