Re: Disable the EXPN and VRFY commands. (748 Views)
Reply
Frequent Advisor
Mehul5
Posts: 31
Registered: ‎01-18-2014
Message 1 of 12 (782 Views)
Accepted Solution

Disable the EXPN and VRFY commands.

[ Edited ]

Hi,

 

 

Can anyone tell what are rhe steps to implement the changes which are mentioned in the attachment.

 

 

This is for auditing purpose at client side.

 

 

Please find the attached file.

 

 

Regards,

Mehul

 

 

P.S. This thread has been moved from HP-UX>General to HP-UX > security. -HP Forum Moderator

Honored Contributor
Bill Hassell
Posts: 14,225
Registered: ‎05-29-2000
Message 2 of 12 (748 Views)

Re: Disable the EXPN and VRFY commands.

This is a typical but extensive list of vulnerabilities, and there are no easy answers. You can mitigate telnet and ftp services by disabling them but unless you if they are being used, the server will now appear to offline. So mitigation would involve changing access from telnet to ssh and ftp to scp or sftp -- which involve educating and setting up shh utilities for all users. So the questions cannot be addressed by just an HP-UX sysadmin, as is the case for many of the issues listed. You may need a security professional to  coordinate effort and help to ask all the questions and get the answers.

Frequent Advisor
Mehul5
Posts: 31
Registered: ‎01-18-2014
Message 3 of 12 (729 Views)

Re: Disable the EXPN and VRFY commands.

Hi Bill,

 

Thanks for the info you have given. Can you please tell me the complete procedureto disable it.

 

Also there are many points which need to be implented in our systems.

 

I am attaching a file in which a list of parameters  have to be implemented.

 

Please find the attachment and suggest which are the parameters that can be implemented and which cannot.

 

Also tell me which points are based on OS i.e which one of them are related to OS that can be done by HP team.

 

Regards,

Mehul.

Frequent Advisor
Mehul5
Posts: 31
Registered: ‎01-18-2014
Message 4 of 12 (675 Views)

Re: Disable the EXPN and VRFY commands.

Hi all,


Thanks Bill for the info and I know that all the parameter changes cannot be solely done by an HP-UX sys admin but for this customer everything has to be done by him (i.e. me) and we acnnot co-ordinate with the security personnel directly.

 


Also the security professional's team does not in any way associate with us to co-ordinate on this topic.

 

 

So I request all to give your valuable suggestions on this issue.

 

(Please refer the attached document in my previous posts for details)

 

Regards,

Mehul.

Honored Contributor
Bill Hassell
Posts: 14,225
Registered: ‎05-29-2000
Message 5 of 12 (661 Views)

Re: Disable the EXPN and VRFY commands.

>> Can you please tell me the complete procedure to disable it.

 

If you are referring to the complete list, that would be a consulting engagement requiring several hours of interviews, testing and reporting. As I mentioned, a simple answer is that you can comment telent out of inetd.conf, which may completely disable your server. Each finding requires research to determine if the item is actually used, and if used, what would be a workaround that will not disable the server's purpose.

Frequent Advisor
Mehul5
Posts: 31
Registered: ‎01-18-2014
Message 6 of 12 (649 Views)

Re: Disable the EXPN and VRFY commands.

hi Bill,

 

Can you please provoide the solutions for other questions.

 

Regards,

Mehul

Honored Contributor
Bill Hassell
Posts: 14,225
Registered: ‎05-29-2000
Message 7 of 12 (645 Views)

Re: Disable the EXPN and VRFY commands.

[ Edited ]

OK, all I am going to do is to tell you the simplest answer. Be warned that taking these actions will disable services. Figuring out what to do next will be your responsibility.

 

1. NFS: disable NFS in /etc/rc.config.d/nfsconf

2. Disable sendmail, mailx and mail by removing the execute bit.

3. Disable ftpd, rlogind, remshd, rexecd in /etc/inetd.conf

4. Disable all httpd web services

5. Disable all SNMP services in /etc.rc.config.d

6. (Same as 4) Disable httpd from running so no web services are available.

7. (Same as 4)

8. (Same as 4)

9. (Same as 4)

10. Put your console on an isolated subnet

11. (Same as 2)

12. Edit the sshd.config file and disable Version 1.

13. (same as 4)

14. Edit inetd.conf and disable dtlogin

15. Edit inetd.conf and disable finger

16. -- this finding is meaningless as there are no specifics --

17. (same as 4)

18 . (same as 4)

20. Disable all the rpc services in inetd.conf, number 1 disables rpc too

21. same as 3 except ssh: disable login banner in sshd.conf

22. same as 4

23 same as 4

24. same as 4

25. same as 4

 

I purposely left the specific details on which line in the config files to edit...this requires a knowledgeable sysadmin to perform these actions. And again, disabling all these features may render your server unuseable. You cannot blindly follow the recommendartions without help.

Acclaimed Contributor
Dennis Handly
Posts: 25,291
Registered: ‎03-06-2006
Message 8 of 12 (639 Views)

Re: Disable the EXPN and VRFY commands.

>2. Disable sendmail, mailx and mail by removing the execute bit.

 

I would think this would only be the first, mailx/mail are only mail clients?

Of course these clients don't provide authentication, so they wouldn't be useful after hardening, unless a internal corporate server that doesn't check.

Frequent Advisor
Mehul5
Posts: 31
Registered: ‎01-18-2014
Message 9 of 12 (625 Views)

Re: Disable the EXPN and VRFY commands.

Hi Bill & Dennis,

 

 

 

Thanks for providing the solution and also your time.

 

 

 

I would like to tell you that I have already disabled the telnet and I cannot disable nfs as we use nfs in our environment.

 

 

 

Still I would require help from you. Can you please tell me HOW to disable those parameters, viz. how to disable EXPN and VRFY in sendmail and etc.

 

 

 

Regards,

Mehul

Acclaimed Contributor
Dennis Handly
Posts: 25,291
Registered: ‎03-06-2006
Message 10 of 12 (612 Views)

Re: Disable the EXPN and VRFY commands.

>Can you please tell me HOW to disable those parameters, viz. how to disable EXPN and VRFY in sendmail

 

I'm not sure you can disable just those commands.  So you need to stop the sendmail demon from listening.

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 11 of 12 (601 Views)

Re: Disable the EXPN and VRFY commands.

If you follow Bill's instructions, sendmail will be completely disabled, so EXPN and VRFY will no longer work.

But maybe you don't want to disable Sendmail completely.

 

When I Googled with keywords "sendmail disable expn vrfy", this was the second result:

 

http://jibbysununix.blogspot.fi/2010/03/sendmail-disabling-help-and-version.html

 

Look at the step 2).

 

Note: depending on your HP-UX and Sendmail versions, you may have to make a similar change to /etc/mail/submit.cf too.

 

The above is just a quick "cookbook-style" instruction. To really understand Sendmail on HP-UX, you will need two books:

First, the HP-UX Mailing Services Administrator's Guide:

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02037761/c02037761.pdf

 

Second, the "sendmail" book from O'Reilly:

http://shop.oreilly.com/product/9780596510299.do

This is not downloadable for free, but it is very important if you're using Sendmail in a serious way. Usually you'll want the latest edition of the book, although earlier editions may be useful with old HP-UX versions (and people who have updated to the latest edition might be selling old editions of the book on eBay or similar).

 

The "sendmail" book will completely describe the operation and configuration of a standard version of Sendmail. As a printed book, it is a 1300-page monster, but don't worry. The largest part of the book is a list of every configuration setting in Sendmail: you don't need to read all of that, just read the introductory chapters at the beginning of the book, then pick & choose what you need, or use it as a reference.

 

But HP has made some modifications to the configuration: the HP-UX Mailing Services Administrator's Guide describes the differences and also gives direct advice for some common configurations. If you need an "advanced configuration" of Sendmail on HP-UX, you really need both. Without having read the "sendmail" book, you won't understand all the concepts and references in the Mailing Services Administrator's Guide.

 

If you need a sendmail configuration option that is not immediately available in the standard HP-UX sendmail.cf file, you'll need the complete Sendmail configuration macro system that is available at /usr/newconfig/etc/mail/cf/cf/. HP has  created a gen_cf script that makes it easier to use, but you'll really need the Mailing Services Administrator's Guide to successfully use it.

MK
Honored Contributor
Bill Hassell
Posts: 14,225
Registered: ‎05-29-2000
Message 12 of 12 (599 Views)

Re: Disable the EXPN and VRFY commands.

OK, to simply disable these security issues, you can change the PrivacyOptions and SmtpGreetingMessage.

As with all sendmail settings, these may or may not all apply to your particular version of sendmail.

vi /etc/mail/sendmail.cf

Search for the line that has:

O PrivacyOptions=

To disable expn and vrfy (and authwarnings), change the line to:

O PrivacyOptions=authwarnings,noexpn,novrfy

And anticipating further security issues, change the default greeting from something like this:

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

 

to this:

O SmtpGreetingMessage=$j $b

 

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.