Hp-Ux APPENDIX  – Network Parameters

April 13, 2011

APPENDIX B – Network Parameters
ip_send_redirects – when turned off, stops the machine from emitting any ICMP redirect packets. Under normal operation this probably won't have significant security implications.
ip_ire_flush_interval and arp_cleanup_interval – control how long information will live in the system's ARP cache. The ARP cache maintains a mapping between Ethernet addresses and IP addresses. The default values are 10 minutes (?????). Lowering these values can help prevent some ARP spoofing attacks, but at the cost of more ARP traffic on your local LAN and possibly reduced performance. Think carefully before you change these variables.
ip_forward_directed_broadcast – when turned off, stops the machine from forwarding packets which are destined for a broadcast network address. If the machine is being used as a gateway between several networks, this helps prevent it from being used as an intermediary network in a "smurf" type network attack. The machine will still respond to broadcast packets directed at any LAN it is connected to.
ip_forward_src_routed – when turned off, prevents the machine from forwarding any packets that have the source routing option turned on.
ip_forwarding – turning off ip_forwarding prevents the machine from accepting and forwarding packets that are not destined for one of its local interface addresses. Such a feature can be used by attackers to bypass other network security measures.
tcp_ip_abort_cinterval – this is how long the kernel will wait for a TCP connection to be completed (in milliseconds). Tuning this value down can also help your system resist SYN flooding attacks.
You can use the following ndd commands to view and set network parameters:
ndd -h sup – display all the parameters that are supported by HP.
ndd -h unsup – display all the parameters that are not supported by HP. Be careful modifying these!
ndd -c – set the tunable parameters listed in /etc/rc.config.d/nddconf (this is what applies them at boot).
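The Appendix B settings are normally made persistent in /etc/rc.config.d/nddconf, where each entry is a TRANSPORT_NAME[n]/NDD_NAME[n]/NDD_VALUE[n] triple that ndd -c reads at boot. The script below is an added example, not part of the original checklist: it writes the settings above as an nddconf fragment and then audits an nddconf file against them, reporting which parameters are missing or set to a different value. The function names are the example's own, the 60000 ms value for tcp_ip_abort_cinterval is an assumed figure (the page only says to lower it), and everything is done on temporary files, never on the live system.

```shell
#!/bin/sh
# Added example (not from the original checklist): write the Appendix B settings as an
# HP-UX /etc/rc.config.d/nddconf fragment and audit an existing nddconf against them.
# The TRANSPORT_NAME[n]/NDD_NAME[n]/NDD_VALUE[n] layout is the real nddconf format that
# "ndd -c" reads at boot; the file paths used below are temporary files, never the live system.

# Hardened values as "<transport> <parameter> <value>" lines.
# 60000 ms for tcp_ip_abort_cinterval is an assumed example; the page only says to lower it.
HARDENED_NDD='ip ip_send_redirects 0
ip ip_forward_directed_broadcast 0
ip ip_forward_src_routed 0
ip ip_forwarding 0
tcp tcp_ip_abort_cinterval 60000'

# write_nddconf FILE: emit the hardened set in nddconf syntax, numbering entries from 0.
write_nddconf() {
    : > "$1"
    n=0
    printf '%s\n' "$HARDENED_NDD" | while read -r transport name value; do
        printf 'TRANSPORT_NAME[%d]=%s\nNDD_NAME[%d]=%s\nNDD_VALUE[%d]=%s\n' \
            "$n" "$transport" "$n" "$name" "$n" "$value" >> "$1"
        n=$((n + 1))
    done
}

# ndd_current_value FILE PARAM: print the NDD_VALUE whose index matches PARAM's NDD_NAME
# entry, or nothing if the parameter is not configured in FILE.
ndd_current_value() {
    idx=$(sed -n "s/^NDD_NAME\[\([0-9]*\)\]=$2\$/\1/p" "$1" | head -n 1)
    [ -n "$idx" ] && sed -n "s/^NDD_VALUE\[$idx\]=//p" "$1" | head -n 1
    return 0
}

# check_nddconf FILE: print OK / FAIL / MISSING per hardened parameter; the return value
# is the number of parameters that need attention (0 means fully compliant).
check_nddconf() {
    failures=0
    while read -r transport name value; do
        current=$(ndd_current_value "$1" "$name")
        if [ -z "$current" ]; then
            echo "MISSING $transport/$name (want $value)"
            failures=$((failures + 1))
        elif [ "$current" != "$value" ]; then
            echo "FAIL    $transport/$name is $current (want $value)"
            failures=$((failures + 1))
        else
            echo "OK      $transport/$name = $value"
        fi
    done <<EOF
$HARDENED_NDD
EOF
    return "$failures"
}

# Demo on temporary files: a freshly written hardened file passes; a constructed file
# that only turns ip_forwarding on (as a gateway build might) is reported line by line.
tmp=${TMPDIR:-/tmp}/nddconf.example.$$
write_nddconf "$tmp"
check_nddconf "$tmp"
printf 'TRANSPORT_NAME[0]=ip\nNDD_NAME[0]=ip_forwarding\nNDD_VALUE[0]=1\n' > "$tmp"
check_nddconf "$tmp" || echo "$? parameter(s) need attention"
rm -f "$tmp"
```

The audit reads the boot-time file rather than the running kernel, so it tells you what the box will look like after the next reboot; to compare with the live values, pair each line with `ndd -get /dev/<transport> <parameter>`, which is the only part that needs a real HP-UX host.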
APPENDIX C – Example secure /etc/fstab
/dev/vg00/lvol3 / hfs defaults 0 1
/dev/vg00/lvol1 /stand hfs nosuid 0 1
/dev/vg00/lvol4 /tmp hfs defaults 0 2
/dev/vg00/lvol5 /home hfs nosuid 0 2
/dev/vg00/lvol6 /opt hfs ro 0 2
/dev/vg00/lvol7 /usr hfs ro 0 2
/dev/vg00/lvol8 /var hfs nosuid 0 2
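The value of the fstab above is in the mount options: nosuid stops setuid binaries from being honoured on filesystems users can write to, and ro keeps the software trees immutable. The script below is an added example, not part of the original checklist: it parses an fstab in HP-UX layout (device, mount point, type, options, dump, pass), confirms the options each mount point is supposed to carry, and lists the filesystems that are writable without nosuid. The sample fstab is the Appendix C content constructed inline, the function names are the example's own, and the live /etc/fstab is never read. On this sample the last check reports / (unavoidably, as the root filesystem) and /tmp, which the example fstab mounts with plain defaults.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit an /etc/fstab in HP-UX layout
# (device mountpoint fstype options dump pass) for filesystems that are writable and
# mounted without nosuid. The sample below is Appendix C's fstab, constructed inline;
# the live /etc/fstab is not read.

SAMPLE_FSTAB='/dev/vg00/lvol3 / hfs defaults 0 1
/dev/vg00/lvol1 /stand hfs nosuid 0 1
/dev/vg00/lvol4 /tmp hfs defaults 0 2
/dev/vg00/lvol5 /home hfs nosuid 0 2
/dev/vg00/lvol6 /opt hfs ro 0 2
/dev/vg00/lvol7 /usr hfs ro 0 2
/dev/vg00/lvol8 /var hfs nosuid 0 2'

# mount_opts FILE MOUNTPOINT: print the options field of MOUNTPOINT's entry (comments skipped).
mount_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# has_opt OPTIONS NAME: true if the comma-separated OPTIONS list contains NAME exactly,
# so "nosuid" is not matched as a substring of some other option.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# require_opt FILE MOUNTPOINT NAME: true if MOUNTPOINT is listed in FILE with option NAME.
require_opt() {
    has_opt "$(mount_opts "$1" "$2")" "$3"
}

# suid_exposed FILE: print every mount point whose options contain neither "ro" nor
# "nosuid", i.e. writable filesystems on which a setuid binary would be honoured.
suid_exposed() {
    awk '$1 !~ /^#/ && NF >= 4 {
        n = split($4, opt, ",")
        ro = 0; nosuid = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ro") ro = 1
            if (opt[i] == "nosuid") nosuid = 1
        }
        if (!ro && !nosuid) print $2
    }' "$1"
}

# Demo: confirm the options the checklist calls for, then list what is still exposed.
tmp=${TMPDIR:-/tmp}/fstab.example.$$
printf '%s\n' "$SAMPLE_FSTAB" > "$tmp"
for mp in /stand /home /var; do
    require_opt "$tmp" "$mp" nosuid && echo "OK   $mp is nosuid"
done
for mp in /opt /usr; do
    require_opt "$tmp" "$mp" ro && echo "OK   $mp is read-only"
done
echo "Writable without nosuid: $(suid_exposed "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

Run it against a copy of a real fstab by replacing the temporary file path; the same two awk filters work on any fstab whose fourth field is the option list.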
APPENDIX D – Sample SSHD Startup Script
#!/sbin/sh
#
# start up secure shell daemon - sshd
#
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
rval=0
case $1 in
    'start_msg')
        echo "Starting the sshd"
        ;;
    'stop_msg')
        echo "Stopping the sshd"
        ;;
    'start')
        # sshd is pointed at the hardened copy of its config kept under /etc/rc.config.d
        if [ -f /etc/rc.config.d/sshd_config ]
        then
            /opt/openssh2/sbin/sshd -f /etc/rc.config.d/sshd_config
        else
            echo "ERROR: /etc/rc.config.d defaults file MISSING"
            rval=1
        fi
        ;;
    'stop')
        # the PidFile directive in sshd_config names this file
        kill `cat /opt/openssh2/etc/sshd.pid`
        ;;
    *)
        echo "usage: $0 {start|stop|start_msg|stop_msg}"
        rval=1
        ;;
esac
exit $rval

Helping  Other  People  Excel
APPENDIX A – HP-UX 11.0 Supported Systems

Model                                                32-bit   64-bit
Workstations:
  Series 700: 712, 715/64/80/100/100XC, 725/100      X
  B132L, B132L+, B160L, B180L                        X
  B1000, B2000                                                X
  C100, C110, C160L                                  X
  C160, C180, C180XP, C200, C240, C360               X        X
  C3000, C3600                                                X
  J200, J210, J210XC                                 X
  J280, J282, J2240                                  X        X
  J5000, J5600, J6000, J7000                                  X
Servers:
  A180, A180C                                        X
  A400, A5xx                                                  X
  Dx10, Dx20, Dx30, Dx50, Dx60                       X
  Dx70, Dx80, Dx90                                   X        X
  E, F, G, H, I (all)                                X
  Kx00, Kx10, Kx20                                   X
  Kx50, Kx60, Kx70, Kx80                             X        X
  L1000, L2000, L3000                                         X
  N4000/360, N4000/440, N4000/550                             X
  R380, R390                                         X        X
  T500, T520                                         X
  T6xx                                               X        X
  V22xx, V2500, V2600                                         X
  Enterprise Parallel Servers: EPS22, EPS23, EPS40   X        X
Hp-Ux Backups

Backups
Create a Golden Image – use make_tape_recovery to create a bootable system recovery tape for an LVM or whole-disk system while it is up and running. When a system has a logical volume layout, the recovery tape will only include data from the root volume group, plus data from any non-root volume group containing /usr. Data not in the root volume group must be backed up and recovered using normal backup utilities. This golden image can be used to restore a non-bootable system with little or no user intervention, to restore a system in the event of a hardware failure, or to clone software from one system to another.
make_recovery is part of the Ignite-UX product. It can be downloaded from www.software.hp.com/products/IUX/download.html. More detailed installation instructions can be found at www.software.hp.com/products/IUX/install_instructions.html.
Installing Ignite-UX
  1. ____ Download the software from www.software.hp.com/products/IUX/download.html
  2. ____ Copy ignite11_11.00.tar to /tmp
  3. ____ /usr/bin/bdf – make sure you have at least 50 MB of free space in /opt
  4. ____ /usr/sbin/swinstall -s /conv/tara/ignite11_11_00.tar \*
Create a golden image
  1. ____ /opt/ignite/bin/make_tape_recovery -AvC -d /dev/rmt/0m
Physical Security
It is extremely important that a UNIX server be placed in a secure environment. It is a fact that anyone who has physical access to the machine can fairly easily gain root access.
  1. ____ The server should be installed in a locked, environmentally controlled data center with restricted access to the server.
  2. ____ If possible, the data center should have cameras installed to monitor all activity.
  3. ____ The keyboard should be situated away from any cameras, windows or prying eyes.
  4. ____ The system should be attached to a UPS with monitoring software that will shut down the server when power to the UPS has been interrupted.
  5. ____ Backup tapes should be kept in a secure environment.
Hp-Ux LSOF software


LSOF
This utility lists files, sockets, etc. opened by processes. It also gives a large amount of other related information that can be selected by process ID, username or filename.
  1. ____ Download the 32-bit version of the software from the HP-UX Software Porting site, http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.55/
  2. ____ /usr/contrib/bin/gunzip lsof-4.51-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s lsof-4.51-sd-11.00.depot \*
  1. ____ The 64-bit version binaries can be found at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/binaries/hpux/B.11.00/64/9000_800/
  2. ____ /usr/contrib/bin/gunzip lsof_4.55.gz
  3. ____ /usr/bin/mv lsof_455 /opt/lsof/bin
Hp-Ux Configuration of TCP-WRAPPERS and OPENSSH


Configuration of TCP-WRAPPERS and OPENSSH
  1. ____ for file in /etc/hosts.allow /etc/hosts.deny
        do
            /bin/touch $file
            /bin/chown root:root $file
            /bin/chmod 600 $file
        done
  2. ____ /usr/bin/echo 'ALL: net1, net2, … ' > /etc/hosts.allow
     replace net1, net2 with the IP addresses of the machines that you want to grant access to
  3. ____ /usr/bin/echo 'ALL:ALL: /usr/bin/mailx -s "%s:connection attempt from %a" admin_email' > /etc/hosts.deny
     replace admin_email (a placeholder) with the email address of the administrator
  4. ____ /usr/bin/cp /opt/openssh/etc/sshd_config /etc/rc.config.d/sshd_config
  5. ____ Modify /etc/rc.config.d/sshd_config [14]
        Port 22
        Protocol 2,1
        ListenAddress 0.0.0.0
        PidFile /opt/openssh2/etc/sshd.pid
        HostKey /opt/openssh2/etc/ssh_host_key
        HostDSAKey /opt/openssh2/etc/ssh_host_dsa_key
        ServerKeyBits 1024
        LoginGraceTime 180
        KeyRegenerationInterval 900
        PermitRootLogin no
        IgnoreRhosts yes
        IgnoreUserKnownHosts yes
        StrictModes yes
        X11Forwarding yes
        PrintMotd no
        KeepAlive no
        SyslogFacility AUTH
        LogLevel INFO
        RhostsAuthentication no
        RhostsRSAAuthentication no
        RSAAuthentication yes
        PasswordAuthentication yes
        PermitEmptyPasswords no
        CheckMail no
        UseLogin no
  6. ____ /usr/bin/chown root:root /etc/rc.config.d/sshd_config
  7. ____ /usr/bin/chmod 600 /etc/rc.config.d/sshd_config
  8. ____ Generate server key files
        ____ /opt/openssh2/bin/ssh-keygen -b 1024 -N '' -f /opt/openssh2/etc/ssh_host_key
        ____ /opt/openssh2/bin/ssh-keygen -d -N '' -f /opt/openssh2/etc/ssh_host_dsa_key
  9. ____ create sshd startup script (see Appendix D for an example)
  10. ____ move script to /sbin/init.d/sshd
  11. ____ /usr/bin/chown root:sys /sbin/init.d/sshd
  12. ____ /usr/bin/chmod 744 /sbin/init.d/sshd
  13. ____ /usr/bin/ln -s /sbin/init.d/sshd /sbin/rc2.d/S75sshd
  14. ____ /sbin/init.d/sshd start
  15. ____ /usr/sbin/vi /etc/inetd.conf*
  16. ____ modify ftp daemon to include tcp_wrappers*
        ftp stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/ftpd ftpd -l -umask 022
  17. ____ modify telnet daemon to include tcp_wrappers*
        telnet stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/telnetd telnetd -b /etc/issue
* If this system has been configured not to run inetd then you can disregard these steps.
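Once the sshd_config and its startup script are in place, the settings are easy to regress silently (a package upgrade rewriting the file, an administrator re-enabling root login). The script below is an added example, not part of the original checklist: it audits an sshd_config against the directives the configuration step above sets for a hardened server and reports the file's permission mode (the checklist wants 600). The config text is the page's sample constructed inline, the function names are the example's own, and no live file or running sshd is touched. One expectation is not on the page: the audit wants Protocol 2 alone, because SSH protocol 1 is obsolete, so the sample's Protocol 2,1 line is reported as the single finding.

```shell
#!/bin/sh
# Added example (not from the original checklist): check an sshd_config against the
# hardening directives from the configuration step, and report the file's permission
# mode. The config text is constructed from the page's sample; no live file or running
# sshd is touched. "Protocol 2" is the one expectation the page does not state.

SAMPLE_SSHD_CONFIG='Port 22
Protocol 2,1
ListenAddress 0.0.0.0
PidFile /opt/openssh2/etc/sshd.pid
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
PrintMotd no
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no'

# "Directive expected-value" pairs to enforce.
WANT='Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
StrictModes yes
UseLogin no'

# sshd_get FILE DIRECTIVE: print the value of the first matching directive. Keywords are
# matched case-insensitively, as sshd does; commented lines are skipped.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_sshd_config FILE: print OK / FAIL / MISSING per directive in WANT; the return
# value is the number of directives needing attention (0 = compliant).
audit_sshd_config() {
    failures=0
    while read -r directive expected; do
        actual=$(sshd_get "$1" "$directive")
        if [ -z "$actual" ]; then
            echo "MISSING $directive (want $expected)"
            failures=$((failures + 1))
        elif [ "$actual" != "$expected" ]; then
            echo "FAIL    $directive is '$actual' (want $expected)"
            failures=$((failures + 1))
        else
            echo "OK      $directive $actual"
        fi
    done <<EOF
$WANT
EOF
    return "$failures"
}

# config_mode FILE: the ten-character permission string from ls -l (portable to HP-UX,
# which has no GNU stat); the hardened config should show -rw-------.
config_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a temporary copy of the sample.
tmp=${TMPDIR:-/tmp}/sshd_config.example.$$
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
chmod 600 "$tmp"
audit_sshd_config "$tmp" || echo "$? directive(s) need attention"
echo "mode: $(config_mode "$tmp")"
rm -f "$tmp"
```

Pointing the functions at /etc/rc.config.d/sshd_config (the file the Appendix D script hands to sshd -f) turns this into a cron-able drift check; extend WANT with any further directive you standardise on.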