Thursday, April 14, 2011

HP-UX Network Tuning


Network Tuning
Reconfigure the network parameters below to reduce your exposure to smurf attacks, SYN floods and ARP spoofing attacks. A description of the listed network parameters can be found in Appendix B. Use ndd -h sup to list all supported network parameters and ndd -h unsup to list the unsupported ones. HP recommends that you DO NOT change unsupported parameters.
  1. ____ /usr/bin/vi /etc/rc.config.d/nddconf
  2. ____ Add the following entries:
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_send_redirects
NDD_VALUE[0]=0
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_ire_flush_interval
NDD_VALUE[1]=60000
TRANSPORT_NAME[2]=arp
NDD_NAME[2]=arp_cleanup_interval
NDD_VALUE[2]=60000
TRANSPORT_NAME[3]=ip
NDD_NAME[3]=ip_forward_directed_broadcast
NDD_VALUE[3]=0
TRANSPORT_NAME[4]=ip
NDD_NAME[4]=ip_forward_src_routed
NDD_VALUE[4]=0
TRANSPORT_NAME[5]=ip
NDD_NAME[5]=ip_forwarding
NDD_VALUE[5]=0
TRANSPORT_NAME[6]=tcp
NDD_NAME[6]=tcp_ip_abort_cinterval
NDD_VALUE[6]=60000
  3. ____ Run ndd -c for the changes to take effect
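The entries above are only useful if they actually reach the running stack, so here is an added example (not from the original post) that parses an nddconf-style file into transport/parameter/value lines and reports any parameter whose live value differs. The config and the "live values" in it are constructed samples; on a real HP-UX host the live values come from ndd -get /dev/<transport> <name>.

```shell
# Added example, not from the original post: parse an nddconf-style file into
# "<transport> <name> <value>" lines and compare them with what the running
# stack reports. The config and the "live values" below are constructed.
NDDCONF=${TMPDIR:-/tmp}/nddconf.sample.$$
cat > "$NDDCONF" <<'EOF'
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_send_redirects
NDD_VALUE[0]=0
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_forwarding
NDD_VALUE[1]=0
TRANSPORT_NAME[2]=tcp
NDD_NAME[2]=tcp_ip_abort_cinterval
NDD_VALUE[2]=60000
EOF

# parse_nddconf FILE: one line per complete entry, paired by the [N] index so
# an entry missing its NDD_VALUE[N] line is dropped, not mispaired.
parse_nddconf() {
    awk -F'[]=[]' '
        /^TRANSPORT_NAME\[/ { t[$2] = $4 }
        /^NDD_NAME\[/       { n[$2] = $4 }
        /^NDD_VALUE\[/      { v[$2] = $4 }
        END { for (i in t) if ((i in n) && (i in v)) print t[i], n[i], v[i] }
    ' "$1" | sort
}

# check_drift CONF CURRENT: CURRENT holds "<transport> <name> <value>" lines as
# reported by the live system (on HP-UX, from ndd -get /dev/<transport> <name>
# for each entry). Prints every mismatch and returns the number of mismatches.
check_drift() {
    drift=0
    parse_nddconf "$1" > "$1.expected"
    while read -r transport name want; do
        have=$(awk -v t="$transport" -v n="$name" '$1 == t && $2 == n { print $3 }' "$2")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $transport $name want=$want have=${have:-unset}"
            drift=$((drift + 1))
        fi
    done < "$1.expected"
    rm -f "$1.expected"
    return "$drift"
}

# Constructed live values: ip_forwarding was left on and the tcp parameter was
# never set, so two DRIFT lines are expected.
CURRENT=${TMPDIR:-/tmp}/ndd.current.$$
printf 'ip ip_send_redirects 0\nip ip_forwarding 1\n' > "$CURRENT"
check_drift "$NDDCONF" "$CURRENT" || echo "$? parameter(s) differ from nddconf"
```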

HP-UX Modification of the Boot Process


Modification of the Boot Process
Closely review the startup scripts and identify all unnecessary services. Stop these services from starting by renaming their startup links in /sbin/rc?.d. Renaming a link instead of deleting it makes it easy to bring the service back if you need it later. Pay particular attention to insecure network services. You should be able to eliminate everything in /sbin/rc3.d.
  1. ____ Review /etc/rc.log to determine which processes are started on boot
  2. ____ Rename NFS-related links
/usr/bin/mv /sbin/rc2.d/S400nfs.core /sbin/rc2.d/.NOS400nfs.core
/usr/bin/mv /sbin/rc2.d/S430nfs.client /sbin/rc2.d/.NOS430nfs.client
/usr/bin/mv /sbin/rc3.d/S100nfs.server /sbin/rc3.d/.NOS100nfs.server
  3. ____ Rename RPC link
/usr/bin/mv /sbin/rc2.d/S590Rpcd /sbin/rc2.d/.NOS590Rpcd
  4. ____ Rename Sendmail link
/usr/bin/mv /sbin/rc2.d/S540sendmail /sbin/rc2.d/.NOS540sendmail
  5. ____ If this machine is not going to be a DNS server, rename the DNS link
/usr/bin/mv /sbin/rc2.d/S370named /sbin/rc2.d/.NOS370named
  6. ____ Rename everything in /sbin/rc3.d
cd /sbin/rc3.d
for file in S*
do
    /usr/bin/mv "$file" ".NO$file"
done
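The renames above are meant to be reversible, and it is worth being able to see at a glance what is still live. The following is an added example, not from the original post: a disable/enable pair using the same .NO prefix that refuses to act twice, and an audit that lists every start script in each rc?.d directory with its state. It runs against a constructed directory tree (plain files stand in for the S* links), so nothing under /sbin is touched.

```shell
# Added example, not from the original post: reversible disabling of rc start
# links with the ".NO" prefix used above, plus an audit of what is still live
# in each rc?.d directory. It runs against a constructed directory tree (plain
# files stand in for the S* links) so nothing under /sbin is touched.

RCROOT=$(mktemp -d "${TMPDIR:-/tmp}/rcdemo.XXXXXX")
mkdir -p "$RCROOT/rc2.d" "$RCROOT/rc3.d"
: > "$RCROOT/rc2.d/S500inetd"
: > "$RCROOT/rc2.d/S540sendmail"
: > "$RCROOT/rc3.d/S100nfs.server"

# present PATH: true for a file or a link, including a dangling symlink.
present() { [ -e "$1" ] || [ -L "$1" ]; }

# rc_disable DIR NAME: DIR/NAME -> DIR/.NONAME. Fails, instead of guessing,
# when the link is absent or already disabled, so re-running is harmless.
rc_disable() {
    present "$1/$2" || { echo "rc_disable: $1/$2 not active" >&2; return 1; }
    mv "$1/$2" "$1/.NO$2"
}

# rc_enable DIR NAME: the reverse, restoring the original link name.
rc_enable() {
    present "$1/.NO$2" || { echo "rc_enable: $1/.NO$2 not disabled" >&2; return 1; }
    mv "$1/.NO$2" "$1/$2"
}

# rc_audit ROOT: one line per start script, "<dir> <name> enabled|disabled".
rc_audit() {
    for d in "$1"/rc?.d; do
        for f in "$d"/S* "$d"/.NOS*; do
            present "$f" || continue
            name=${f##*/}
            case $name in
                .NO*) echo "${d##*/} ${name#.NO} disabled" ;;
                *)    echo "${d##*/} $name enabled" ;;
            esac
        done
    done
}

# Apply the page's procedure to the sample tree: inetd off, all of rc3.d off.
rc_disable "$RCROOT/rc2.d" S500inetd
for f in "$RCROOT"/rc3.d/S*; do
    rc_disable "$RCROOT/rc3.d" "${f##*/}"
done
rc_audit "$RCROOT"
```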
Create a script to ensure that the startup scripts run with a proper umask [14]
  1. ____ /usr/bin/echo 'umask 022' > /sbin/init.d/umask.sh
  2. ____ /usr/bin/chmod 744 /sbin/init.d/umask.sh
  3. ____ Add umask.sh to the startup script directories by running the following script
/usr/bin/umask 022
for d in /sbin/rc?.d
do
    /usr/bin/ln -s /sbin/init.d/umask.sh "$d/S000umask.sh"
done
Inetd is the internet daemon that controls access to network services started on an as-needed basis. Many of these services are considered unsafe, so it is very important to review them and disable any that are not absolutely necessary. The Berkeley "r" programs have a long history of abuse, so make sure that the shell and login services are disabled. You may also want to consider disabling bootps, exec, ntalk, echo and chargen. In fact the ideal situation is not to run inetd at all. (If inetd is not running you will not have remote access to the machine until ssh is installed and configured.)
  1. ____ Disable inetd (preferred method)
/usr/bin/mv /sbin/rc2.d/S500inetd /sbin/rc2.d/.NOS500inetd
/usr/bin/rm /etc/inetd.conf
  2. ____ Leave inetd enabled, but with all unnecessary services disabled
/usr/bin/vi /etc/inetd.conf
comment out (place # at the beginning of the line) all unnecessary services
/usr/sbin/inetd -c   (tells the running inetd to re-read its configuration; kill -HUP needs inetd's PID, not its name)
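Hand-editing /etc/inetd.conf is error-prone on a box with dozens of entries, so here is an added example (not from the original post) that audits an inetd.conf for the services the text singles out and comments one out in place. The inetd.conf it works on is a constructed sample in HP-UX layout; the RISKY list is this example's own, taken from the paragraph above.

```shell
# Added example, not from the original post: audit an inetd.conf for the
# services singled out above (the Berkeley r-services plus bootps, exec, ntalk,
# echo and chargen) and comment out a service without hand-editing the file.
# The inetd.conf below is a constructed sample in HP-UX layout.

RISKY="shell login exec bootps ntalk echo chargen"
CONF=${TMPDIR:-/tmp}/inetd.conf.sample.$$
cat > "$CONF" <<'EOF'
# constructed sample: service socket proto wait user server args
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
shell   stream tcp nowait root /usr/lbin/remshd  remshd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
#exec   stream tcp nowait root /usr/lbin/rexecd  rexecd
chargen dgram  udp wait   root internal
EOF

# inetd_enabled FILE: names of services whose line is not commented out.
inetd_enabled() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# inetd_audit FILE: prints "RISKY <service>" for each enabled service that is
# in $RISKY and returns the count found (0 means nothing to fix).
inetd_audit() {
    found=0
    for svc in $(inetd_enabled "$1"); do
        for r in $RISKY; do
            if [ "$svc" = "$r" ]; then
                echo "RISKY $svc"
                found=$((found + 1))
            fi
        done
    done
    return "$found"
}

# inetd_disable FILE SERVICE: comment out every active line for SERVICE,
# writing to a temp file first so a failed sed cannot leave FILE truncated.
# The running daemon must then re-read the file (HP-UX: /usr/sbin/inetd -c).
inetd_disable() {
    sed "s/^[[:space:]]*$2[[:space:]]/#&/" "$1" > "$1.new" && mv "$1.new" "$1"
}

inetd_audit "$CONF" || echo "$? risky service(s) enabled before cleanup"
inetd_disable "$CONF" shell
inetd_disable "$CONF" login
inetd_audit "$CONF" || echo "$? risky service(s) still enabled"
```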

HP-UX Patches Installation
To track down known HP software vulnerabilities and their solutions, use the HP Security Archive on the IT Resource Center Web site. Each bulletin contains a description of the problem, which versions of the operating system are affected and the solution. To access this information go to:
Search Technical Knowledge Base
Security Bulletin Archive
You can also subscribe to HP’s Security Bulletin Digest. You will receive an email update of new vulnerabilities as they are identified. To sign up for this go to:
support information digests

Helping  Other  People  Excel

Updating Applications
After installing HP-UX 11.0, install the other applications you need.
  1. ____ Use swinstall to install new software that was not included as part of the basic OS installation. The latest versions of HP-UX software products are provided on the HP-UX Applications CDs. To find the contents of each CD, mount any HP-UX Applications CD and view the TOC file.
  2. ____ After installing the software, complete any post-install configuration. This will be explained in the software's release notes or manual. Most documentation for HP-UX applications is either on the HP-UX Instant Information CD or on HP's documentation Web site: docs.hp.com/hpux/os/11.0/

HP-UX Minimal OS Installation
To cold-install HP-UX 11.0, you must have the following:
A supported HP 9000 server or workstation (see Appendix A)
64 MB memory, minimum
128 MB swap space, minimum 
2GB root disk volume, minimum
You will need the following CDs ready:
HP-UX 11.0 Install/Update/Recovery CD, March 2001 or later
Core OS Options CD (for technical servers and workstations)
Support Plus CD, March 2001 or later (for the hardware/critical patch bundle, diagnostics and the iCOD product)
HP-UX 11.0 Application Software CDs
  1. ____ Make sure all peripherals are turned on.
  2. ____ Turn on the server or recycle the power.
  3. ____ Load the Install and Core OS CD-ROM into the CD-ROM drive.
  4. ____ Interrupt the autoboot process by pressing any key during the 10-second interval that is given, so that the system can be booted from the Core OS CD-ROM.
  5. ____ Once autoboot has been interrupted you should now see the autoboot menu.
  6. ____ Boot from the device that contains the Core OS CD-ROM. Usually the alternate boot path is the CD-ROM drive.
     To verify, type search to view all defined boot devices, then type
     bo alt
     OR bo
  7. ____ You should now be asked: Interact with IPL (Y or N) ?> Type n.
  8. ____ The install kernel will take 3-5 minutes to load.
  9. ____ When that has completed, a screen will appear asking for the keyboard language of the console. Respond with the correct number and press ENTER.
  10. ____ The Welcome to Ignite-UX screen will be displayed.
  11. ____ Tab to Install HP-UX field and press Enter.
  12. ____ From the User Interface and Media Options screen, verify that these choices are selected: 
    Source Location Options: Media-only installation – installing from the local CD drive.
    User Interface Options:
     Guided Installation – provides an install wizard with limited choices.
  13. ____ Now proceed through each screen to configure your system:
    Basic Configuration: Commercial Servers – this will install HP-UX 11.0 Core OS software, required ACE patches, general recommended core (XSWGR1100), latest hardware-enablement and critical (HWCR) patches, diagnostic products and COD Client Product for HP-UX 11.0 
    Software Selection: Select needed mass-storage and networking I/O driver products.
    Languages: Click the Languages button to view CDE-languages bundles to be loaded.
     Global is set by default when installing on workstations, resulting in all available CDE-language bundles being installed. Global (Non-CDE) is set when installing on servers to indicate that a generic, CDE-language bundle will be installed.
  14. ____ Review any messages that Ignite-UX encountered. Resolve any errors before continuing with the installation.
  15. ____ Select: Finish
  16. ____ The system will now configure the disk(s) and load a minimum set of commands and libraries. Software Distributor will download all the products and patches from the CD.
  17. ____ As prompted, replace the HP-UX 11.0 Install/Update/Recovery CD with the requested CD from the media box.
  18. ____ The system will automatically reboot after all software has been loaded.
  19. ____ Set_parms will run and ask you to set:
root password,
date,
time,
time zone,
IP address,
other network parameters.






Tuesday, April 5, 2011

MIRRORING ROOT VOLUME in HP-UX

MIRRORING THE ROOT VOLUME 

1. First create a bootable logical volume disk.

2. Mirror the root logical volume to the new disk:
#lvextend -m 1 /dev/vg00/lvol1 /dev/dsk/c0t1d0

3. Mirror the primary swap area:
#lvextend -m 1 /dev/vg00/prswaplv /dev/dsk/c0t1d0

4. Verify that the LVM boot information was updated:
#lvlnboot -v

BREAKING A MIRROR FOR BACKUP PURPOSES 

Mirrors are created and broken from an lvol level. Remember this. If you want to break the mirror for /dev/vg00/lvol1 which may be mounted at / do the following: 

#lvsplit /dev/vg00/lvol1
This will by default create a new, unmounted lvol called lvol1b. You could also do the following:

#lvsplit -s backup /dev/vg00/lvol1
This does the same, but names it lvol1backup.
Mount the new lvol wherever you want, and back it up.

REMIRRORING AFTER BACKUP 

After you are finished, you must remirror and sync with the existing and new data created on the active mirror. Use this command (using the lvol1b from the example above):
#lvmerge /dev/vg00/lvol1b /dev/vg00/lvol1

REMOVING A MIRROR (SO YOU CAN PULL A DRIVE) 

1. You must first remove the association between each lvol and the drive. Use the following command to view the currently mirrored lvols:
#lvlnboot -v

2. Break the mirror and remove the pv/lvol association for each lvol. 
This example removes PV /dev/dsk/c1t0d0 from /dev/vg00/lvol2, and lvol3. Assuming that there was only 1 other disk in the mirror set: 

#lvreduce -m 0 /dev/vg00/lvol2 /dev/dsk/c1t0d0
#lvreduce -m 0 /dev/vg00/lvol3 /dev/dsk/c1t0d0