APPENDIX A – HP-UX 11.0 Supported Systems

APPENDIX A – HP-UX 11.0 Supported Systems

Model	32-bit	64-bit
Workstations:
Series 700: 712, 715/64/80/100/100XC, 725/100	X
B132L, B132L+, B160L, B180L	X
B1000, B2000		X
C100, C110, C160L	X
C160, C180, C180XP, C200, C240, C360	X	X
C3000, C3600		X
J200, J210, J210XC	X
J280, J282, J2240	X	X
J5000, J5600, J6000, J7000		X
Servers:
A180, A180C	X
A400, A5xx		X
Dx10, Dx20, Dx30, Dx50, Dx60	X
Dx70, Dx80, Dx90	X	X
E, F, G, H, I (all)	X
Kx00, Kx10, Kx20	X
Kx50, Kx60, Kx70, Kx80	X	X
L1000, L2000, L3000		X
N4000/360, N4000/440, N4000/550		X
R380, R390	X	X
T500, T520	X
T6xx	X	X
V22xx, V2500, V2600		X
Enterprise Parallel Servers: EPS22, EPS23, EPS40	X	X

Hp-Ux Backups

Backups

Create a Golden Image – use make_tape_recovery to create a bootable system recovery tape for an LVM or whole disk system while it is up and running. When a system has a logical volume layout, the recovery tape will only include data from the root volume group, plus data from any Non-root volume group containing /usr. Data not in the root volume group must be backed up and recovered using normal backup utilities. This golden image can be used to restore a non-bootable system with little or not user intervention, restore a system in the event of a hardware failure, clone software from one system to another.

Make_recovery is part of the Ignite-UX product. It can be downloaded from www.software.hp.com/products/IUX/download.html. More detailed installation instructions can be found atwww.software.hp.com/products/IUX/install_instructions.html.

Installing Ignite-UX

1. ____ Downloaded software from www.software.hp.com/products/IUX/download.html
2. ____ Copy ignite11_11.00.tar to /tmp
3. ____ /usr/bin/bdf – Make sure you have at least 50 mb of free space in /opt
4. ____ /usr/sbin/swinstall -s /conv/tara/ignite11_11_00.tar \*

Create a golden image

5. ____/opt/ignite/bin/make_tape_recovery -AvC -d /dev/rmt/0m

Physical Security

It is extremely important that a unix server be placed in a secure environment. It is a fact that anyone who has physical access to the machine can fairly easily gain root access.

1. ____ The server should be installed in a locked environmentally controlled data center with restricted access to the server.
2. ____ If possible the data center should have cameras installed to monitor all activity.
3. ____ The keyboard should be situated away from any cameras, windows or prying eyes.
4. ____ The system should be attached to a UPS with monitoring software that will shutdown the server when power to the UPS has been interrupted.
5. ____ Backup tapes should be kept in a secure environment.

Hp-Ux LSOF software

LSOF

This utility is used to list files, sockets, etc opened by processes. It also gives a large amount of other related information that can select by process ID, username or filename.

1. ____ Download 32 bit version of the software from HP-UX Software porting site,http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.55/
2. ____ /usr/contrib/bin/gunzip lsof-4.51-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s lsof-4.51-sd-11.00.depot \*

1. ____ The 64 bit version binaries can be found atftp://vic.cc.purdue.edu/pub/tools/unix/lsof/binaries/hpux/B.11.00/64/9000_800/
2. ____ /usr/contrib/bin/gunzip lsof_4.55.gz
3. ____ /usr/bin/mv lsof_455 to /opt/lsof/bin

Hp-Ux Configuration of TCP-WRAPPERS and OPENSSH

Configuration of TCP-WRAPPERS and OPENSSH

1. ____ for file in /etc/hosts.allow /etc/hosts.deny

do

/bin/touch $file

/bin/chown root:root &file

/bin/chmod 600 $file

done

2. ____ /usr//bin/echo ‘ALL: , , … ‘> /etc/hosts.allow

replace net1, net2 with the IP addresses of machines that you want to grant access to

3. ____ /usr/bin/echo ‘ALL:ALL: /usr/bin/mailx –s "%s:connection attempt from %a" ’ > /etc/hosts.deny

replace with email address of administrator

4. ____ /usr/bin/cp /opt/openssh/etc/sshd_config /etc/rc.config.d/sshd_config
5. ____ Modify /etc/rc.config.d/sshd_config [14]

Port 22

Protocol 2,1

ListenAddress 0.0.0.0

PidFile /opt/openssh2/etc/sshd.pid

HostKey /opt/openssh2/etc/ssh_host_key

HostDSAKey /opt/openssh2/etc/ssh_host_dsa_key

ServerKeyBits 1024

LoginGraceTime 180

KeyRegenerationInterval 900

PermitRootLogin no

IgnoreRhosts yes

IgnoreUserKnownHosts yes

StrictModes yes

X11Forwarding yes

PrintMotd no

KeepAlive no

SyslogFacility AUTH

LogLevel INFO

RhostsAuthentication no

RhostsRSAAuthentication no

RSAAuthentication yes

PasswordAuthentication yes

PermitEmptyPasswords no

CheckMail nos

UseLogin no

6. ____ /usr/bin/chown root:root /etc/rc.config.d/sshd_config
7. ____ /usr/bin/chmod 600 /etc/rc.config.d/sshd_config
8. ____ Generate server key files

____ /opt/openssh2/bin/ssh-keygen –b 1024 –N ‘’ –f /opt/openssh2/etc/ssh_host_key

____ /opt/openssh2/bin/ssh-keygen –d –N ‘’ –f /opt/openssh2/etc/ssh_host_dsa_key

9. ____ create sshd startup script (See Appendix D for an example)
10. ____ move script to /sbin/init.d/sshd
11. ____/usr/bin/chown root:sys /sbin/init.d/sshd
12. ____/usr/bin/chmod 744 /sbin/init.d/sshd
13. ____ /usr/binln –s /sbin/init.d/sshd /sbin/rc2.d/S75sshd
14. ____ /sbin/init.d/sshd start
15. ____ /usr/sbin/vi /etc/inetd.conf*
16. ____ modify ftp daemon to include tcp_wrappers*

ftp stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/ftpd ftpd -l -umask 022

17. ____ modify telnet daemon to include tcp_wrappers*

telnet stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/telnetd telnetd -b /etc/issue

* If this system has been configured not to run inetd then you can disregard these steps.

Hp-Ux Installation of TCP_WRAPPERS, Perl, ZLIB and OpenSSH

Installation of TCP_WRAPPERS

1. ____ Download from ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
2. ____ /usr/contrib/bin/gzip -dc tcp_wrappers_7.6.tar.gz | tar xvf –
3. ____ /usr/bin/cd tcp_wrappers_7.6
4. ____ /usr/bin/chmod 644 Makefile
5. ____ /usr/bin/vi Makefile
6. ____ uncomment the REAL_DAEMON_DIR line that refers to HP-UX

REAL_DAEMON_DIR=/etc

7. ____ Change FACILITY=LOG_MAIL to FACILITY=LOG_AUTH
8. ____ Add –DUSE_GETDOMAIN to the BUGS macro definition if not running NIS
9. ____ Make hp-ux
10. ____ /usr/bin/mkdir –p –m 755 /usr/local/sbin
11. ____ /usr/bin/mkdir –p –m 755 /usr/local/include
12. ____ /usr/bin/mkdir –p –m 755 /usr/local/lib
13. ____ for file in safe_finger tcpd tcpdchk tcpdmatch try-from

do

cp $file /usr/local/sbin/$file

chmod 555 /usr/local/sbin/$file

chown root:daemon /usr/local/sbin/$file

done

14. ____ /usr/bin/cp tcpd.h /usr/local/include/tcpd.h
15. ____ /usr/bin/chmod 444 /usr/local/include/tcpd.h
16. ____ /usr/bin/chown root:daemon /usr/local/include/tcpd.h
17. ____ /usr/bin/cp libwrap.a /usr/local/lib/libwrap.a
18. ____ /usr/bin/chmod 555 /usr/local/lib/libwrap.a
19. ____ /usr/bin/chown root:daemon /usr/local/lib/libwrap.a

Installation of Perl

1. ____ Download software HP-UX software porting site 
   http://hpux.connect.org.uk/hppd/hpux/Languages/perl-5.6.0/
2. ____ /usr/contrib/bin/gunzip gunzip perl-5.6.0-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s perl-5.6.0-sd-11.00.depot \*

Installation of ZLIB

1. ____ Download source from http://hpux.connect.org.uk/hppd/hpux/Misc/zlib-1.1.3/
2. ____ /usr/contrib/bin/gunzip zlib-1.1.3-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s /conv/tara/zlib-1.1.3-sd-11.00.depot \*

Installation of OPENSSL

Installation of OPENSSL needs Perl v5 installed on server.

1. ____ Download software from http://hpux.connect.org.uk/hppd/hpux/Languages/openssl-0.9.6/
2. ____ /usr/contrib/bin/gunzip openssl-0.9.6-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s /conv/tara/openssl-0.9.6-sd-11.00.depot \*

Installation of OPENSSH

Telnet, rlogin, ftp, and other related programs send a user’s password across the Internet unencrypted. Openssh solves this problem by invoking a secure encrypted connection between two untrusted hosts over an insecure network. Openssh is used in place of rlogin and rsh.

1. ____ Download software from 
   http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-2.5.1p1/
2. ____ /usr/contrib/bin/gunzip openssh-2.5.1p1-sd-11.00.depot.gz
3. ____ /usr/sbin/swinstall -s /conv/tara/openssh-2.5.1p1-sd-11.00.depot \*

Hp-Ux configure Sendmail

Sendmail

Sendmail is very often a security risk. Therefore it is very important that you be running the newest version or at least a fully patched version. Also since most machines only need to send out mail to a relay host, many of sendmail functionalities can be disabled. You can download the latest version of sendmail forhttp://www.sendmail.org.

1. ____ replace the existing /etc/mail/sendmail.cf [14] with the following

# Minimal client sendmail.cf

### Define macros

# define the mail hub – Put hostname for local site here.

DRmailhost

# define version

V8

# my name for error messages

DnMAILER-DAEMON

# UNIX initial From header format

DlFrom $g $d

# delimiter (operator) characters (old $o macro)

Do.:%@!^/[]+

#From of the sender’s address

Dq<$g>

# queue directory

OQ/var/spool/mqueue

### Mailer Delivery Agents

#Mailer to forward mail to the hub machine

Mhub, P=[IPC], S=0, R=0, F=mDFMuCX, A=IPC $h

#Sendmail requires these, but they are not used

Mlocal, P=/dev/null, F=rlsDFMmnuP, S=0, R=0,A=/dev/null

Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0 A=dev/null

### Rule sets

S0

R@S+ $ #error $: Missing user

R$+ $ #hub $@$R $:$1 forward to hub

S3

R$*<>$* $n handle <> error address

R$*<$$*>$* $2 basic RFC822 parsing

Since you have removed sendmail from the startup scripts you should schedule a cronjob to run sendmail every hour so any mail can be processed.

1. ____ crontab -e
2. ____ add the following lines

## run send mail once an hour

* 0 0 0 0 /usr/sbin/sendmail –q