[HPADM] RE: [SUMMARY - HPUX PORTS]

From: Stephanie Chung (stepchung@yahoo.com)
Date: Mon Mar 21 2005 - 16:38:22 EST


Here is the reply from the Master Bill:

Thanks Bill.

--- Bill Hassell <bill@billhassell.com> wrote:
> You can start with the legacy network daemons that virtually
> nothing uses anymore (comment out in /etc/inetd.conf):
>
> uucp
> daytime
> finger
> ntalk
> time
> echo
> discard
> chargen
>
> (very doubtful you are using these services)
>
> And unless your server is providing special boot features
> for something like an HP JetDirect card or providing stored
> Ignite/UX images so other servers can reinstall over the
> network, turn off:
>
> bootps
> tftp
> instl_boots
>
> All the rpc services should be disabled (if needed, they are
> started with the mountd startup script):
>
> rpc stream
> rpc dgram (several lines)
>
> Unless you have a security specialist that set up a
> Kerberos server (a LARGE project), you aren't using:
>
> kshell
> klogin
>
> Make sure these are off:
>
> ncpm-pm
> ncpm-hip
>
> If your server is not providing Xwindow support (that is,
> running CDE to take over PC or X/terminal desktops), turn off:
>
> dtspsc
> rpc xti
> recserv
>
> If your server is not running Service Guard:
>
> hacl-probe
> hacl-cfg
>
> Turn off swat, even if you are running Apache webserver on
> this system. The webmasters should learn how to configure
> Apache without a fancy GUI.
>
> swat
>
> Leave these:
>
> registrar (online diagnostics)
>
> You probably need these:
>
> telnet
> ftp
>
> If you use the 'r' commands (rexec, remsh, rcp, rlogin) then
> you'll need these (but most sysadmins would discourage their
> use, pointing to SSH as the replacement):
>
> login
> shell
> exec
>
> It's unfortunate that the security report was so vague.
> Any worthwhile security report will identify the port
> number and the service that is typically associated with
> that port.
>
> There are several ports that will be open and not found
> in /etc/inetd.conf such as Oracle. You don't close ports,
> you close the applications or daemons that listen to them.
>
> You can also filter port activity based on IP range so a
> server that faces the Internet (which *must* be behind a
> good firewall) denies all access by external addresses
> (except the ones that are needed, perhaps telnet or ssh or
> webserver).
>
>
>
>
> --
> Bill Hassell
>
>
>
===============================================================
>
> Compiling the responses, here is what I think I need to do:
> Find out if the ports are open: netstat -an | grep LISTEN
> Close ports: Modify /etc/inetd.conf and restart inetd daemon
>
> One question is how do I know if the port which I want
> to close is used by some of HP-UX applications? I
> hate to close some ports then my server breaks.
>
> Stephanie
>
>
>

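An added worked example (not from the thread or from Bill's or Stephanie's posts) tying the summary's two steps together: finding LISTEN ports in `netstat -an` output, mapping a port back to its `/etc/services` name so you can tell an inetd-managed service from an application listener such as Oracle, and commenting out the named legacy services in an inetd.conf-style file. All input below (the inetd.conf fragment, the netstat output and the services excerpt) is constructed sample data embedded in the script; on a real HP-UX box the inputs would be `/etc/inetd.conf`, `netstat -an` and `/etc/services`, and after editing `/etc/inetd.conf` you would run `inetd -c` so inetd rereads its configuration.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Sample data is constructed; replace with /etc/inetd.conf, "netstat -an"
# and /etc/services on a real system.

# Constructed inetd.conf fragment (first field is the service name).
SAMPLE_INETD_CONF='# comment line
telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
finger  stream tcp nowait bin  /usr/lbin/fingerd  fingerd
echo    stream tcp nowait root internal
chargen dgram  udp wait   root internal
daytime stream tcp nowait root internal
#swat   stream tcp nowait.400 root /opt/samba/bin/swat swat
'

# disable_services NAME... : reads an inetd.conf on stdin and prints it
# with every active line whose service name matches one of NAME... commented
# out. Lines that are already comments or blank pass through unchanged.
disable_services() {
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }
        ($1 in off)           { print "#" $0; next }
                              { print }
    '
}

# active_services : reads an inetd.conf on stdin, prints the names of the
# services that are still enabled, one per line.
active_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }'
}

# Constructed sample in the shape of HP-UX "netstat -an" output.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.23                   *.*                    LISTEN
tcp        0      0  *.21                   *.*                    LISTEN
tcp        0      0  *.79                   *.*                    LISTEN
tcp        0      0  10.0.0.5.23            10.0.0.9.41322         ESTABLISHED
tcp        0      0  *.1521                 *.*                    LISTEN
'

# listen_ports : reads netstat output on stdin, prints the TCP ports in
# LISTEN state, numerically sorted. The port is the last dot-separated
# component of the local address ("*.23" or "10.0.0.5.23").
listen_ports() {
    awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, f, "."); print f[n] }' | sort -n
}

# Constructed excerpt of /etc/services.
SAMPLE_SERVICES='ftp      21/tcp
telnet   23/tcp
finger   79/tcp
'

# port_to_service PORT : prints the /etc/services name for a TCP port, or
# "unknown" when nothing matches, which is the hint that the listener is an
# application daemon (Oracle, a web server) rather than something inetd runs.
port_to_service() {
    printf '%s' "$SAMPLE_SERVICES" |
        awk -v p="$1/tcp" '$2 == p { print $1; found = 1 } END { if (!found) print "unknown" }'
}

# Demonstration run against the constructed data.
echo "Listening TCP ports and their /etc/services names:"
printf '%s' "$SAMPLE_NETSTAT" | listen_ports | while read -r port; do
    echo "  $port -> $(port_to_service "$port")"
done

echo "inetd.conf after disabling the legacy services:"
printf '%s' "$SAMPLE_INETD_CONF" | disable_services finger echo chargen daytime

echo "Services still enabled:"
printf '%s' "$SAMPLE_INETD_CONF" | disable_services finger echo chargen daytime | active_services
```

The "unknown" result for port 1521 is the point of Stephanie's question: a port that has no inetd.conf entry and no obvious services name is owned by a standalone daemon, so editing inetd.conf will not close it, and you have to find and stop (or leave alone) the application that opened it.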
                

--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
 
 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:46 EDT