Technical Help

Hp-Ux Configuration of TCP-WRAPPERS and OPENSSH

HP - UX

ChinniLax April 13, 2011

ChinniLax

Configuration of TCP-WRAPPERS and OPENSSH

____ for file in /etc/hosts.allow /etc/hosts.deny

/bin/touch $file

/bin/chown root:root &file

/bin/chmod 600 $file

done

____ /usr//bin/echo ‘ALL: , , … ‘> /etc/hosts.allow

replace net1, net2 with the IP addresses of machines that you want to grant access to

____ /usr/bin/echo ‘ALL:ALL: /usr/bin/mailx –s "%s:connection attempt from %a" ’ > /etc/hosts.deny

replace with email address of administrator

____ /usr/bin/cp /opt/openssh/etc/sshd_config /etc/rc.config.d/sshd_config
____ Modify /etc/rc.config.d/sshd_config [14]

Port 22

Protocol 2,1

ListenAddress 0.0.0.0

PidFile /opt/openssh2/etc/sshd.pid

HostKey /opt/openssh2/etc/ssh_host_key

HostDSAKey /opt/openssh2/etc/ssh_host_dsa_key

ServerKeyBits 1024

LoginGraceTime 180

KeyRegenerationInterval 900

PermitRootLogin no

IgnoreRhosts yes

IgnoreUserKnownHosts yes

StrictModes yes

X11Forwarding yes

PrintMotd no

KeepAlive no

SyslogFacility AUTH

LogLevel INFO

RhostsAuthentication no

RhostsRSAAuthentication no

RSAAuthentication yes

PasswordAuthentication yes

PermitEmptyPasswords no

CheckMail nos

UseLogin no

____ /usr/bin/chown root:root /etc/rc.config.d/sshd_config
____ /usr/bin/chmod 600 /etc/rc.config.d/sshd_config
____ Generate server key files

____ /opt/openssh2/bin/ssh-keygen –b 1024 –N ‘’ –f /opt/openssh2/etc/ssh_host_key

____ /opt/openssh2/bin/ssh-keygen –d –N ‘’ –f /opt/openssh2/etc/ssh_host_dsa_key

____ create sshd startup script (See Appendix D for an example)
____ move script to /sbin/init.d/sshd
____/usr/bin/chown root:sys /sbin/init.d/sshd
____/usr/bin/chmod 744 /sbin/init.d/sshd
____ /usr/binln –s /sbin/init.d/sshd /sbin/rc2.d/S75sshd
____ /sbin/init.d/sshd start
____ /usr/sbin/vi /etc/inetd.conf*
____ modify ftp daemon to include tcp_wrappers*

ftp stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/ftpd ftpd -l -umask 022

____ modify telnet daemon to include tcp_wrappers*

telnet stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/telnetd telnetd -b /etc/issue

* If this system has been configured not to run inetd then you can disregard these steps.

Hp-Ux Installation of TCP_WRAPPERS, Perl, ZLIB and OpenSSH

HP - UX

ChinniLax April 13, 2011

ChinniLax

Installation of TCP_WRAPPERS

____ Download from ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
____ /usr/contrib/bin/gzip -dc tcp_wrappers_7.6.tar.gz | tar xvf –
____ /usr/bin/cd tcp_wrappers_7.6
____ /usr/bin/chmod 644 Makefile
____ /usr/bin/vi Makefile
____ uncomment the REAL_DAEMON_DIR line that refers to HP-UX

REAL_DAEMON_DIR=/etc

____ Change FACILITY=LOG_MAIL to FACILITY=LOG_AUTH
____ Add –DUSE_GETDOMAIN to the BUGS macro definition if not running NIS
____ Make hp-ux
____ /usr/bin/mkdir –p –m 755 /usr/local/sbin
____ /usr/bin/mkdir –p –m 755 /usr/local/include
____ /usr/bin/mkdir –p –m 755 /usr/local/lib
____ for file in safe_finger tcpd tcpdchk tcpdmatch try-from

cp $file /usr/local/sbin/$file

chmod 555 /usr/local/sbin/$file

chown root:daemon /usr/local/sbin/$file

done

____ /usr/bin/cp tcpd.h /usr/local/include/tcpd.h
____ /usr/bin/chmod 444 /usr/local/include/tcpd.h
____ /usr/bin/chown root:daemon /usr/local/include/tcpd.h
____ /usr/bin/cp libwrap.a /usr/local/lib/libwrap.a
____ /usr/bin/chmod 555 /usr/local/lib/libwrap.a
____ /usr/bin/chown root:daemon /usr/local/lib/libwrap.a

Installation of Perl

____ Download software HP-UX software porting site
http://hpux.connect.org.uk/hppd/hpux/Languages/perl-5.6.0/
____ /usr/contrib/bin/gunzip gunzip perl-5.6.0-sd-11.00.depot.gz
____ /usr/sbin/swinstall -s perl-5.6.0-sd-11.00.depot \*

Installation of ZLIB

____ Download source from http://hpux.connect.org.uk/hppd/hpux/Misc/zlib-1.1.3/
____ /usr/contrib/bin/gunzip zlib-1.1.3-sd-11.00.depot.gz
____ /usr/sbin/swinstall -s /conv/tara/zlib-1.1.3-sd-11.00.depot \*

Installation of OPENSSL

Installation of OPENSSL needs Perl v5 installed on server.

____ Download software from http://hpux.connect.org.uk/hppd/hpux/Languages/openssl-0.9.6/
____ /usr/contrib/bin/gunzip openssl-0.9.6-sd-11.00.depot.gz
____ /usr/sbin/swinstall -s /conv/tara/openssl-0.9.6-sd-11.00.depot \*

Installation of OPENSSH

Telnet, rlogin, ftp, and other related programs send a user’s password across the Internet unencrypted. Openssh solves this problem by invoking a secure encrypted connection between two untrusted hosts over an insecure network. Openssh is used in place of rlogin and rsh.

____ Download software from
http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-2.5.1p1/
____ /usr/contrib/bin/gunzip openssh-2.5.1p1-sd-11.00.depot.gz
____ /usr/sbin/swinstall -s /conv/tara/openssh-2.5.1p1-sd-11.00.depot \*

Hp-Ux configure Sendmail

HP - UX

ChinniLax April 13, 2011

ChinniLax

Sendmail

Sendmail is very often a security risk. Therefore it is very important that you be running the newest version or at least a fully patched version. Also since most machines only need to send out mail to a relay host, many of sendmail functionalities can be disabled. You can download the latest version of sendmail forhttp://www.sendmail.org.

____ replace the existing /etc/mail/sendmail.cf [14] with the following

# Minimal client sendmail.cf

### Define macros

# define the mail hub – Put hostname for local site here.

DRmailhost

# define version

# my name for error messages

DnMAILER-DAEMON

# UNIX initial From header format

DlFrom $g $d

# delimiter (operator) characters (old $o macro)

Do.:%@!^/[]+

#From of the sender’s address

Dq<$g>

# queue directory

OQ/var/spool/mqueue

### Mailer Delivery Agents

#Mailer to forward mail to the hub machine

Mhub, P=[IPC], S=0, R=0, F=mDFMuCX, A=IPC $h

#Sendmail requires these, but they are not used

Mlocal, P=/dev/null, F=rlsDFMmnuP, S=0, R=0,A=/dev/null

Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0 A=dev/null

### Rule sets

R@S+ $ #error $: Missing user

R$+ $ #hub $@$R $:$1 forward to hub

R$*<>$* $n handle <> error address

R$*<$$*>$* $2 basic RFC822 parsing

Since you have removed sendmail from the startup scripts you should schedule a cronjob to run sendmail every hour so any mail can be processed.

____ crontab -e
____ add the following lines

## run send mail once an hour

* 0 0 0 0 /usr/sbin/sendmail –q

Technical Help

Please find our other blogs which related to technical and devotional. We are a team grabing information from technical support forms where many issues solved by real time experianced people in the support forums. most of the issues are fixed by our best fallowers. Our team is working in top MNC companies located in all over India in different technolagies, here we share real time issues and help documents. like Troubleshooting steps, documentation, whitepapers, SOP's and many more, .

Any one can contribute here with your real time issues, though it help to others to find and fix before they fight with support folks.