Thursday, April 14, 2011

Hp-Ux Configuration of TCP-WRAPPERS and OPENSSH


Configuration of TCP-WRAPPERS and OPENSSH
  1. ____ for file in /etc/hosts.allow /etc/hosts.deny
do
/bin/touch $file
/bin/chown root:root &file
/bin/chmod 600 $file
done
  1. ____ /usr//bin/echo ‘ALL: , , … ‘> /etc/hosts.allow
replace net1, net2 with the IP addresses of machines that you want to grant access to
  1. ____ /usr/bin/echo ‘ALL:ALL: /usr/bin/mailx –s "%s:connection attempt from %a" ’ > /etc/hosts.deny
replace with email address of administrator
  1. ____ /usr/bin/cp /opt/openssh/etc/sshd_config /etc/rc.config.d/sshd_config
  2. ____ Modify /etc/rc.config.d/sshd_config [14]
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
PidFile /opt/openssh2/etc/sshd.pid
HostKey /opt/openssh2/etc/ssh_host_key
HostDSAKey /opt/openssh2/etc/ssh_host_dsa_key
ServerKeyBits 1024
LoginGraceTime 180
KeyRegenerationInterval 900
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
PrintMotd no
KeepAlive no
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
CheckMail nos
UseLogin no
  1. ____ /usr/bin/chown root:root /etc/rc.config.d/sshd_config
  2. ____ /usr/bin/chmod 600 /etc/rc.config.d/sshd_config
  3. ____ Generate server key files
____ /opt/openssh2/bin/ssh-keygen –b 1024 –N ‘’ –f /opt/openssh2/etc/ssh_host_key
____ /opt/openssh2/bin/ssh-keygen –d –N ‘’ –f /opt/openssh2/etc/ssh_host_dsa_key
  1. ____ create sshd startup script (See Appendix D for an example)
  2. ____ move script to /sbin/init.d/sshd
  3. ____/usr/bin/chown root:sys /sbin/init.d/sshd
  4. ____/usr/bin/chmod 744 /sbin/init.d/sshd
  5. ____ /usr/binln –s /sbin/init.d/sshd /sbin/rc2.d/S75sshd
  6. ____ /sbin/init.d/sshd start
  7. ____ /usr/sbin/vi /etc/inetd.conf*
  8. ____ modify ftp daemon to include tcp_wrappers*
ftp stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/ftpd ftpd -l -umask 022
  1. ____ modify telnet daemon to include tcp_wrappers*
telnet stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/telnetd telnetd -b /etc/issue
* If this system has been configured not to run inetd then you can disregard these steps.

Hp-Ux Installation of TCP_WRAPPERS, Perl, ZLIB and OpenSSH


Installation of TCP_WRAPPERS
  1. ____ Download from ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
  2. ____ /usr/contrib/bin/gzip -dc tcp_wrappers_7.6.tar.gz | tar xvf –
  3. ____ /usr/bin/cd tcp_wrappers_7.6
  4. ____ /usr/bin/chmod 644 Makefile
  5. ____ /usr/bin/vi Makefile
  6. ____ uncomment the REAL_DAEMON_DIR line that refers to HP-UX
REAL_DAEMON_DIR=/etc
  1. ____ Change FACILITY=LOG_MAIL to FACILITY=LOG_AUTH
  2. ____ Add –DUSE_GETDOMAIN to the BUGS macro definition if not running NIS
  3. ____ Make hp-ux
  4. ____ /usr/bin/mkdir –p –m 755 /usr/local/sbin
  5. ____ /usr/bin/mkdir –p –m 755 /usr/local/include
  6. ____ /usr/bin/mkdir –p –m 755 /usr/local/lib
  7. ____ for file in safe_finger tcpd tcpdchk tcpdmatch try-from
do
cp $file /usr/local/sbin/$file
chmod 555 /usr/local/sbin/$file
chown root:daemon /usr/local/sbin/$file
done
  1. ____ /usr/bin/cp tcpd.h /usr/local/include/tcpd.h
  2. ____ /usr/bin/chmod 444 /usr/local/include/tcpd.h
  3. ____ /usr/bin/chown root:daemon /usr/local/include/tcpd.h
  4. ____ /usr/bin/cp libwrap.a /usr/local/lib/libwrap.a
  5. ____ /usr/bin/chmod 555 /usr/local/lib/libwrap.a
  6. ____ /usr/bin/chown root:daemon /usr/local/lib/libwrap.a
Installation of Perl
  1. ____ Download software HP-UX software porting site 
    http://hpux.connect.org.uk/hppd/hpux/Languages/perl-5.6.0/
  2. ____ /usr/contrib/bin/gunzip gunzip perl-5.6.0-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s perl-5.6.0-sd-11.00.depot \*
Installation of ZLIB
  1. ____ Download source from http://hpux.connect.org.uk/hppd/hpux/Misc/zlib-1.1.3/
  2. ____ /usr/contrib/bin/gunzip zlib-1.1.3-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s /conv/tara/zlib-1.1.3-sd-11.00.depot \*
Installation of OPENSSL
Installation of OPENSSL needs Perl v5 installed on server.
  1. ____ Download software from http://hpux.connect.org.uk/hppd/hpux/Languages/openssl-0.9.6/
  2. ____ /usr/contrib/bin/gunzip openssl-0.9.6-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s /conv/tara/openssl-0.9.6-sd-11.00.depot \*
Installation of OPENSSH
Telnet, rlogin, ftp, and other related programs send a user’s password across the Internet unencrypted. Openssh solves this problem by invoking a secure encrypted connection between two untrusted hosts over an insecure network. Openssh is used in place of rlogin and rsh.
  1. ____ Download software from 
    http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-2.5.1p1/
  2. ____ /usr/contrib/bin/gunzip openssh-2.5.1p1-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s /conv/tara/openssh-2.5.1p1-sd-11.00.depot \*

Hp-Ux configure Sendmail


Sendmail
Sendmail is very often a security risk. Therefore it is very important that you be running the newest version or at least a fully patched version. Also since most machines only need to send out mail to a relay host, many of sendmail functionalities can be disabled. You can download the latest version of sendmail forhttp://www.sendmail.org.
  1. ____ replace the existing /etc/mail/sendmail.cf [14] with the following
# Minimal client sendmail.cf
### Define macros
# define the mail hub – Put hostname for local site here.
DRmailhost
# define version
V8
# my name for error messages
DnMAILER-DAEMON
# UNIX initial From header format
DlFrom $g $d
# delimiter (operator) characters (old $o macro)
Do.:%@!^/[]+
#From of the sender’s address
Dq<$g>
# queue directory
OQ/var/spool/mqueue
### Mailer Delivery Agents
#Mailer to forward mail to the hub machine
Mhub, P=[IPC], S=0, R=0, F=mDFMuCX, A=IPC $h
#Sendmail requires these, but they are not used
Mlocal, P=/dev/null, F=rlsDFMmnuP, S=0, R=0,A=/dev/null
Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0 A=dev/null
### Rule sets
S0
R@S+ $ #error $: Missing user
R$+ $ #hub $@$R $:$1 forward to hub
S3
R$*<>$* $n handle <> error address
R$*<$$*>$* $2 basic RFC822 parsing
Since you have removed sendmail from the startup scripts you should schedule a cronjob to run sendmail every hour so any mail can be processed.
  1. ____ crontab -e
  2. ____ add the following lines
## run send mail once an hour
* 0 0 0 0 /usr/sbin/sendmail –q

Hp-UX User Access Control


User Access Control
Tight controls must be maintained on user’s accounts. You should only have accounts on a system that are necessary for the applications that are running.
Restrict root login to just the console. User must use su to login as root.
  1. ____ /usr/bin/touch /etc/securetty
  2. ____ /usr/bin/echo console > /etc/securetty
  3. ____ /usr/bin/chmod 400 /etc/securetty
Enable password history and password reuse. On a trusted systems, the system administrator can enable the password history feature to discourage users from reusing previous passwords
  1. ____ /usr/bin/touch /etc/default/security
  2. ____ /usr/bin/echo "PASSWORD_HISTORY_DEPTH=10" > /etc/default/security
  3. ____ /usr/bin/chown bin:bin /etc/default/security
  4. ____ /usr/bin/chmod 444 /etc/default/security
Lock all "pseudo-accounts", including uucp, lp, nnucp, sys, hpdb and www. These are logins that are not associated with individual users and do not have true interactive shells. They are in the password file because they are owners of files.
  1. ____ /usr/bin/vi /etc/passwd and change the default shell to /dev/null
  2. ____ Lock accounts using /usr/bin/passwd –l
  3. ____ Remove any files in /var/spool/cron/crontabs except for root
  4. ____ Remove any files in /var/spool/cron/atjobs except for root
Ensure that root is the only login that has access to run crontab and at commands
  1. ____ /usr/bin/echo root > /var/admin/cron/cron.allow
  2. ____ /usr/bin/echo root > /var/adm/cron/at.allow
  3. ____ /usr/bin/chmod 400 /var/adm/cron/cron.allow
  4. ____ /usr/bin/chmod 400 /var/adm/cron/at.allow
  5. ____ /usr/bin/rm /var/adm/cron/cron.deny
  6. ____ /usr/bin/rm /var/adm/cron/at.deny
Restrict ftp access. At a minimum all logins with uid < 100 should not be able to ftp. Also add any other logins that do not need to ftp to /etc/ftpd/ftpusers.
  1. ____ /usr/bin/touch /etc/ftpd/ftpusers
  2. ____ /usr/bin/chown root:root /etc/ftpd/ftpusers
  3. ____ /usr/binchmod 600 /etc/ftpd/ftpusers
  4. ____ Add administrative logins to /etc/ftpd/ftpusers
for names in root, daemon, bin, sys and adm
do
echo $names >> /etc/ftpd/ftpusers
done
Check for /etc/hosts.equiv, ~/.netrc and ~/.rhost files. The existence of these files can allow selected users to be granted password-free access to a system. There shouldn’t be any of these files on your system. But if you have a need for them, check that they are not world-writeable and that there is no + in them. A + means the system will trust all other systems. You can use the following command to search for these files. You should run this command periodically and review the output.
  1. ____ /usr/bin/find / \( -name .rhosts –o –name .netrc –o -name hosts.equiv \) -exec ls -ldb {} \; -exec more {} \;
If you are still running inetd and are allowing ftp access you will want to log ftp access to /var/adm/syslog/syslog.log and change the default umask to 022.
  1. ____/usr/bin/vi /etc/inetd.conf
  2. ____ Add –l and –umask –22 to ftpd
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -umask 022
Add umask 022 and TMOUT to /etc/profile. Umask 022 will restrict file permissions. TMOUT will limit how long a session can set idle. But remember these can be easily overwritten in ~/.profile.
  1. ____ /usr/bin/vi /etc/profile
  2. ____ insert umask 022
  3. ____ insert TMOUT=1800 (TMOUT is in seconds)
Statutory Warnings
Add a warning message that machine is for authorized use only and that all activity is subject to monitoring. It is believed that having such a warning, could aid in the prosecution of any computer crimes involving that machine. You should however, consult with legal counsel about the wording of the message. The following is an example of one such message.
This system is the property of the Company ABC. All activities on this system are subject to monitoring for illegal or unauthorized activity.
Anyone using this system expressly consents to such monitoring and is advised that if monitoring reveals possible improper or criminal activity, system personnel may provide the evidence of such monitoring to authorities.
  1. ____ /usr/bin/touch /etc/issue
  2. ____ /usr/bin/touch /etc/motd.
  3. ____ /usr/bin/chown root:root /etc/issue
  4. ____ /usr/bin/chown root:sys /etc/motd
  5. ____ /usr/bin/chmod 644 /etc/issue
  6. ____ /usr/bin/chmod 644 /etc/motd
  7. ____ copy warning message to /etc/issue and /etc/motd
  8. ____ /usr/bin/vi /etc/inetd.conf *
  9. ____ add –b /etc/issue to the end of the telnetd
telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue
* This is assuming you’re running inetd. If not, disregard this step.