Thursday 9 April 2009

Network services minimization on AIX

Minimize network services on AIX Servers

Principles

Network services present a significant risk to security:

  • Only enable the strict minimum of services needed. The number of system processes listed by "ps -ef" or equivalent should be kept small (fewer than 10 is the target here).
  • Use encrypted tools (like SSH) rather than clear-text network logins (e.g. telnet, 3270/tn3270, ftp, rlogin, rsh/rcmd).
  • Keeping up to date with security patches on network daemons is particularly important, since they are exposed to remote attackers.
  • Daemons should run as non-root users.
  • Daemons should "chroot" to a dedicated directory.
  • Use encryption where possible to prevent snooping or replay attacks.
  • Services must use a restrictive umask, file permissions etc.
  • Strong authentication (with tokens or access lists) should be considered for critical services.
  • Applications should package structure

Minimise Inetd network Services

inetd is a process that starts certain daemons, such as telnet and ftp, on demand when a connection arrives on their port. Every entry that is enabled in /etc/inetd.conf is therefore a listening service, whether or not anyone uses it.

Inetd services can be enabled or disabled with the command 'chsubserver' on AIX ('-d' comments the entry out of /etc/inetd.conf, '-a' re-enables it). After changes to the inetd configuration the daemon needs to be sent a hang-up signal so that it rereads /etc/inetd.conf; 'refresh -s inetd' does this. For example:

[server1]# chsubserver -d -v daytime -p udp
[server1]# chsubserver -d -v daytime -p tcp
[server1]# refresh -s inetd
[server1]# grep daytime /etc/inetd.conf
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal

It is recommended that ALL services except the following be disabled:

..... TBD list ...

This can be achieved with the following commands (followed by 'refresh -s inetd'):
chsubserver -d -v daytime -p udp
chsubserver -d -v daytime -p tcp
..... TBD list ...
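To turn the "disable everything except the following" rule into something checkable, here is an added example (not code from the original post): it reads an /etc/inetd.conf, lists the entries that are actually enabled, and emits the chsubserver commands for every enabled entry that is not on an allow-list. The INETD_CONF text is a constructed sample in AIX inetd.conf format, and the allow-list ('ftp' only) is an assumption for the demonstration, not the post's still-to-be-written list; on a real host use INETD_CONF=$(cat /etc/inetd.conf) and your own allow-list.

```sh
#!/bin/sh
# Added example, not from the original post: audit /etc/inetd.conf against an
# allow-list and print the chsubserver commands that would disable the rest.
# INETD_CONF is a constructed sample; on a real host: INETD_CONF=$(cat /etc/inetd.conf)

INETD_CONF='## comment lines and disabled services start with #
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd          ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd          rshd
#exec   stream  tcp6    nowait  root    /usr/sbin/rexecd        rexecd
daytime stream  tcp     nowait  root    internal
daytime dgram   udp     wait    root    internal
tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd         tftpd -n'

# enabled_services: print "service protocol" for every active (uncommented)
# entry. Fields in inetd.conf: service socket_type protocol wait user program args,
# so a valid entry has at least 6 fields ("internal" services have exactly 6).
enabled_services() {
    printf '%s\n' "$1" | awk '!/^[ \t]*#/ && NF >= 6 { print $1, $3 }'
}

# disable_commands: for each enabled service not in the space-separated
# allow-list $2, emit the chsubserver command that comments it out. The
# protocol is passed exactly as it appears in inetd.conf (tcp, udp, tcp6, udp6).
# Run "refresh -s inetd" afterwards so inetd rereads its configuration.
disable_commands() {
    enabled_services "$1" | while read -r svc proto; do
        case " $2 " in
            *" $svc "*) ;;     # on the allow-list: keep it
            *) printf 'chsubserver -d -v %s -p %s\n' "$svc" "$proto" ;;
        esac
    done
}

ALLOW='ftp'   # assumed allow-list for this demonstration
disable_commands "$INETD_CONF" "$ALLOW"
echo 'refresh -s inetd'
```

Review the generated lines before running them; an allow-list that is too short will disable a service the application depends on, and an allow-list that is too long defeats the purpose.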

securetcpip ?

Special services which may be needed (discuss what measures to take for each one)

1. ftp

2. telnet

3. other?

4. tftp - for diskless booting : /etc/tftpaccess.ctl

Minimize /etc/rc.tcpip network services

A description of what services are started in /etc/rc.tcpip and how they can be changed with chrctcp.

The following 'no' (network options) settings harden the IP stack against redirect, source-routing, broadcast and forwarding abuse. Run as shown they take effect immediately but are lost at reboot: on AIX 5.2 and later add '-p' (e.g. 'no -p -o ipforwarding=0') so the value is also recorded in /etc/tunables/nextboot; on earlier releases put the commands in /etc/rc.net.

/usr/sbin/no -o clean_partial_conns=1
/usr/sbin/no -o bcastping=0
/usr/sbin/no -o directed_broadcast=0
/usr/sbin/no -o ipignoreredirects=1
/usr/sbin/no -o ipsendredirects=0
/usr/sbin/no -o ipsrcroutesend=0
/usr/sbin/no -o ipsrcrouterecv=0
/usr/sbin/no -o ipsrcrouteforward=0
/usr/sbin/no -o ip6srcrouteforward=0
/usr/sbin/no -o icmpaddressmask=0
/usr/sbin/no -o nonlocsrcroute=0
/usr/sbin/no -o tcp_pmtu_discover=0
/usr/sbin/no -o udp_pmtu_discover=0
/usr/sbin/no -o ipforwarding=0
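Setting the options once is easy; the harder part is noticing when a host has drifted from the baseline. The following added example (not code from the original post) checks a captured 'no -a' listing against the values above and prints the 'no -p' commands needed to correct any option that differs. NO_OUTPUT is a constructed sample shaped like 'no -a' output, with two options deliberately left at insecure values; on a real host replace it with NO_OUTPUT=$(no -a).

```sh
#!/bin/sh
# Added example, not from the original post: audit `no -a` output against the
# hardening baseline listed above and emit the commands that fix any drift.
# NO_OUTPUT is a constructed sample; on a real host: NO_OUTPUT=$(no -a)

# Baseline from the post, one "option=value" per line.
EXPECTED='clean_partial_conns=1
bcastping=0
directed_broadcast=0
ipignoreredirects=1
ipsendredirects=0
ipsrcroutesend=0
ipsrcrouterecv=0
ipsrcrouteforward=0
ip6srcrouteforward=0
icmpaddressmask=0
nonlocsrcroute=0
tcp_pmtu_discover=0
udp_pmtu_discover=0
ipforwarding=0'

# Constructed sample of `no -a` output ("name = value", one per line).
# ipsendredirects and tcp_pmtu_discover are at their insecure defaults;
# rfc1323 is an unrelated option that the audit must ignore.
NO_OUTPUT='           bcastping = 0
  clean_partial_conns = 1
   directed_broadcast = 0
      icmpaddressmask = 0
   ip6srcrouteforward = 0
         ipforwarding = 0
    ipignoreredirects = 1
      ipsendredirects = 1
    ipsrcrouteforward = 0
       ipsrcrouterecv = 0
       ipsrcroutesend = 0
       nonlocsrcroute = 0
    tcp_pmtu_discover = 1
    udp_pmtu_discover = 0
              rfc1323 = 1'

# audit_no: print "option current expected value" for every option that differs
# from EXPECTED (or "option missing expected value" if it is absent). Prints
# nothing and returns 0 when the host is compliant, returns 1 otherwise.
audit_no() {
    _out="$1"
    _rc=0
    # A here-document keeps the loop in the current shell, so _rc survives;
    # piping into the loop would run it in a subshell and lose the status.
    while IFS='=' read -r _opt _want; do
        [ -z "$_opt" ] && continue
        _cur=$(printf '%s\n' "$_out" | awk -v o="$_opt" '$1 == o && $2 == "=" { print $3 }')
        if [ -z "$_cur" ]; then
            printf '%s missing expected %s\n' "$_opt" "$_want"
            _rc=1
        elif [ "$_cur" != "$_want" ]; then
            printf '%s %s expected %s\n' "$_opt" "$_cur" "$_want"
            _rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $_rc
}

# no_fix_commands: one `no -p -o option=value` line per drifted option.
# -p sets the running value and the reboot value (AIX 5.2 and later);
# on AIX 5.1 drop -p and add the line to /etc/rc.net instead.
no_fix_commands() {
    audit_no "$1" | awk '{ printf "/usr/sbin/no -p -o %s=%s\n", $1, $NF }'
}

if audit_no "$NO_OUTPUT"; then
    echo 'network options match the baseline'
else
    echo 'drift found; commands to correct it:'
    no_fix_commands "$NO_OUTPUT"
fi
```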


Minimize /etc/rc.nfs network services

A description of /etc/rc.nfs

/etc/exports

secure nfs : /usr/secretdata -secure


Minimize inittab services

A description of what services are started in /etc/inittab and how they can be changed with mkitab and rmitab.


Minimize other services

  • Restrict AIXwindows/CDE login to console
    • The xss command uses the enhanced MIT screen saver extensions.
    • xauth, xhost
  • Disable anonymous ftp
  • Disable anonymous ftp writes
  • Disable ftp to system accounts
  • Lock down root access

The default configuration allows telnet and rlogin access directly to the root account. This is controlled by the "rlogin" attribute in /etc/security/user: set rlogin to "false" in the stanza of root and of every other system account. System managers should log in to their own accounts and then su to root, so that there is an audit trail of who did what.

  • Disable SNMP readWrite communities
    The default SNMP configuration includes these "readWrite" communities:

[server1]# grep readWrite /etc/snmpd.conf
# readOnly, writeOnly, readWrite. The default permission is readOnly.
community private 127.0.0.1 255.255.255.255 readWrite
community system 127.0.0.1 255.255.255.255 readWrite 1.17.2
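The rlogin setting above is easy to get wrong because a stanza that does not mention rlogin inherits the value from the "default:" stanza, which ships as true. This added example (not code from the original post) parses the stanza format of /etc/security/user, works out the effective rlogin value for each account on a list, and emits the chuser commands for the accounts that still allow remote login. USER_STANZAS is a constructed sample of the file, and the account list is an assumption for the demonstration; on a real host use USER_STANZAS=$(cat /etc/security/user) and your own list of system accounts.

```sh
#!/bin/sh
# Added example, not from the original post: report accounts whose effective
# rlogin attribute in /etc/security/user is not false, and print the chuser
# commands that fix them. USER_STANZAS is a constructed sample; on a real
# host: USER_STANZAS=$(cat /etc/security/user)

USER_STANZAS='* constructed sample of /etc/security/user
default:
        admin = false
        login = true
        rlogin = true
        umask = 022

root:
        admin = true
        rlogin = true

sys:
        rlogin = false

oracle:
        login = true'

# rlogin_enabled: print "account effective_value" for each account in the
# space-separated list $2 whose effective rlogin value is not false.
# Stanza headers look like "name:"; attributes are indented "attr = value";
# an attribute missing from a stanza is inherited from the default: stanza.
rlogin_enabled() {
    printf '%s\n' "$1" | awk -v users="$2" '
        /^[*#]/ { next }                                   # comment lines
        /^[^ \t][^:]*:[ \t]*$/ { st = $1; sub(/:[ \t]*$/, "", st); next }
        /^[ \t]+rlogin[ \t]*=/ {
            v = $0
            sub(/^[ \t]+rlogin[ \t]*=[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            rl[st] = v
        }
        END {
            n = split(users, u, " ")
            for (i = 1; i <= n; i++) {
                if (u[i] in rl)            eff = rl[u[i]]
                else if ("default" in rl)  eff = rl["default"]
                else                       eff = "true"   # assumed built-in default
                if (eff != "false") print u[i], eff
            }
        }'
}

# fix_rlogin: one chuser line per account that still permits remote login.
fix_rlogin() {
    rlogin_enabled "$1" "$2" | awk '{ printf "chuser rlogin=false %s\n", $1 }'
}

SYSTEM_ACCOUNTS='root sys bin oracle'   # assumed list for the demonstration
rlogin_enabled "$USER_STANZAS" "$SYSTEM_ACCOUNTS"
fix_rlogin "$USER_STANZAS" "$SYSTEM_ACCOUNTS"
```

In the sample, root is caught because its stanza sets rlogin = true explicitly, while bin and oracle are caught because they have no rlogin line at all and inherit true from default:; only sys, with an explicit rlogin = false, passes.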

