Securing IRIX 6.5
There are many people in my organization who use SGI workstations on a daily basis yet do not enjoy the luxury of having a dedicated system administrator. It is my hope this document will be of some guidance to those people who require a secure IRIX system yet don't have either the time or the desire to become IRIX security wizards.
A Word to the Wise
System security is an often difficult balance between ensuring a system is completely secure (i.e. pulling the plug and burying it in a hole in the ground) and satisfying user needs. While reading this document please keep in mind that, in matters of computer security, I prefer to err on the side of caution. As such, the settings that I recommend are rather aggressive and, depending on your needs, may prove to be a little too aggressive.
This document assumes the following:
Ready? OK, let's begin!
1. Set Root Password
The "root" account, which is included on your system by default, is a special account that has access to all of the files on your computer. Since anyone logged in as "root" has complete control over virtually every aspect of your computer it is very important that this account be protected with as secure a password as possible.
Care should be taken when selecting a root password. An easy and relatively secure method of generating passwords is to create a password using the first letters of a phrase or rhyme. For example, by using the first letters of the following famous sentence:
You could generate the following password:
Once you have chosen a good password use the following command to assign your password to the root account:
Be sure not to forget your root password! Only the root user can change the root password, so if you forget the root password you have effectively locked yourself out of your system.
2. Install the Latest Maintenance Release:
Operating system updates for IRIX 6.5 are called Maintenance Releases. Besides containing the latest updates and patches for your system each release is cumulative and contains all of the updates and patches of the previous releases. As such, SGI maintenance releases are huge. In fact, the latest available release (6.5.12) clocks in at over 940mb compressed! Please make sure you have enough room on your hard drive before downloading.
First, download the latest Maintenance Release:
Then, gunzip and untar the release:
Begin the installation:
Once the inst program has started, check for conflicts:
Assuming there are no conflicts, begin the installation:
After the installation has completed exit out of inst and reboot the system.
3. Lock Local Accounts
There are many default accounts on an IRIX system that can be safely disabled. This is a highly recommended practice because every open account on your computer is yet another potential avenue of attack.
Because Im a bit paranoid I personally recommend disabling every account except for actual user accounts and, of course, the root account.
For example, to disable the default OutOfBox user you would use the following simple command:
If disabling every account besides active users and root proves to be too restrictive for your environment I suggest disabling, at a minimum, the following default users:
4. Enable Shadow Passwords
By default the file where passwords are stored, /etc/passwd, is readable by any user on the system. This is a problem because a world-readable password file can be easily copied by a malicious user who could then run a password-cracking program at their leisure.
Enabling a feature called Shadow Passwords very neatly solves this problem. Shadow Passwords moves the encrypted password field to a file called /etc/shadow that is readable only by root.
Use the following command to initialize shadow passwords:
5. Secure /etc/inetd.conf
The inetd daemon is the master daemon that controls many other daemons. By default there are many daemon that you can safely disable without compromising your systems' performance.
Disabling a service in /etc/inetd.conf involves placing a pound sign (#) at the beginning of each daemon that you wish to disable.
For example, the default entry in /etc/inetd.conf for the finger service looks like this:
Placing a pound sign at the beginning of the line disables the service from starting:
I suggest disabling the following services:
Please note that in my opinion both telnet and ftp should be turned off. Both services represent clear security risks since they transmit passwords in plain text. For this reason and many others you should be using OpenSSH instead. (Please see #8 for more details.)
The chkconfig command is a very handy way to disable services that are running by default but which are either a security risk or not required by your system (or both!). Using chkconfig is simple. For example, to get a listing of your current system configuration, simply type:
To disable a service, such as gated, you would type the following:
Likewise, to enable the service gated you would type the following:
Use the following as suggested guide for the various services configured by chkconfig. Please keep in mind that we've attempted to make this list as comprehensive as possible but your system may have one or more services installed that aren't included in our list. If this is the case we suggest not disabling any extra services unless you are certain they are not required.
7. Install Additional Applications
SGI provides a large library of freely available, pre-compiled programs that can be obtained from http://freeware.sgi.com. While this resource does provide a convenient, centralized location for obtaining many popular programs, for some reason SGI choose to make /usr/freeware/bin the default installation directory. Besides the confusion that can be caused by putting binaries in a non-standard location, the /usr/freeware/bin directory is not part of the default SGI command path. Luckily, SGI supplies a script called fixpath that, when run, will automatically append /usr/freeware/bin to your command path. Please run the following command after you install your first freeware app:
This program allows you to very precisely and selectively control which systems can access the various TCP/IP services running on your computer.
First, download and install the TCP Wrappers program from http://freeware.sgi.com
Then, copy the /usr/freeware/bin/tcpd to /usr/etc:
Create the /usr/etc/... (yes, the name of the directory is three dots!)
Move the daemons that you wish to wrap to the /usr/etc/... directory:
Add tcpd to the appropriate lines in /etc/inetd.conf. When you are done they should look something like this:
Create a file called /var/adm/tcpd.log:
The access rules for TCP Wrappers are defined in two files - /etc/hosts.allow and /etc/hosts.deny. As their names suggest, the /etc/hosts.allow file is where you define who can access the system while the /etc/hosts.deny file applies to anyone who isn't defined in /etc/hosts.allow.
At a minimum, I suggest the following for /etc/hosts.allow:
I suggest the following for /etc/hosts.deny (don't forget to substitute your hostname and email address!):
This script does several things. First, it tells your computer to deny access to anyone who isn't included in the /etc/hosts.allow file. Second, it generates a warning message that includes the attacking hostname, IP address, and date and which is appended it to the /var/adm/tcpd.log file. Third, it emails the proper person a copy of the access attempt log entry.
This is a free, secure replacement for ftp, telnet, rcp, and several other insecure programs which encrypts data transmitted between systems to help prevent information from being intercepted or modified by malicious individuals.
First, install the following packages in the following order from http://freeware.sgi.com:
Then, run the following command to ensure openssh starts when the system is booted:
If you're curious, additional technical details about OpenSSH can be found at http://www.openssh.org.
8. Change Root Email Alias
Your system has several email addresses that are installed on your system by default. Two of the most important are postmaster and root. Many important system messages are automatically sent to one or sometimes both of these addresses and it is wise to monitor these messages closely. A convenient way of doing this is modifying your system so that any messages sent to either of these two addresses are automatically sent to your personal email address instead. Doing this is simple:
Edit the /etc/aliases file and modify the following line from this:
Then, reinitialize the alias file to make sure your changes take effect:
9. Subscribe to Mailing Lists
The world of computer security is very complex and changes rapidly. New bugs and the attacks that exploit them are constantly being discovered; by subscribing and reading one or more of the following lists regularly you can help ensure that you remain as well informed as possible.
Details on subscribing to these and other lists can be found here: http://www.sgi.com/support/security/posts.html
Silicon Graphics, Inc. "SGI
Silicon Graphics, Inc. "SGI
Maintenance Release Homepage."
Silicon Graphics, Inc. "SGI Freeware
Silicon Graphics, Inc. "SGI Newsgroups
and Mailing Lists Homepage."
The OpenBSD Project. "OpenSSH
European Organization for Nuclear Research
(CERN). "CERN Security Handbook." v1.2. 12 December, 1996.
to top of page | to Unix Issues | to Reading Room Home