03-18-2014 11:55 PM - last edited on 03-19-2014 07:38 PM by Lisa198503
Can anyone tell what are the steps to implement the changes which are mentioned in the attachment.
This is for auditing purpose at client side.
Please find the attached file.
P.S. This thread has been moved from HP-UX>General to HP-UX > security. -HP Forum Moderator
03-19-2014 06:14 PM
This is a typical but extensive list of vulnerabilities, and there are no easy answers. You can mitigate telnet and ftp services by disabling them, but unless you know whether they are being used, the server will now appear to be offline. So mitigation would involve changing access from telnet to ssh and ftp to scp or sftp, which involves educating users and setting up ssh utilities for all of them. So the questions cannot be addressed by just an HP-UX sysadmin, as is the case for many of the issues listed. You may need a security professional to coordinate the effort and help to ask all the questions and get the answers.
03-21-2014 05:26 AM
Thanks for the info you have given. Can you please tell me the complete procedure to disable it.
Also there are many points which need to be implemented in our systems.
I am attaching a file in which a list of parameters have to be implemented.
Please find the attachment and suggest which are the parameters that can be implemented and which cannot.
Also tell me which points are based on OS i.e which one of them are related to OS that can be done by HP team.
03-22-2014 01:50 AM
Thanks Bill for the info and I know that all the parameter changes cannot be solely done by an HP-UX sysadmin, but for this customer everything has to be done by him (i.e. me) and we cannot co-ordinate with the security personnel directly.
Also the security professional's team does not in any way associate with us to co-ordinate on this topic.
So I request all to give your valuable suggestions on this issue.
(Please refer the attached document in my previous posts for details)
03-24-2014 06:13 PM
>> Can you please tell me the complete procedure to disable it.
If you are referring to the complete list, that would be a consulting engagement requiring several hours of interviews, testing and reporting. As I mentioned, a simple answer is that you can comment telnet out of inetd.conf, which may completely disable your server. Each finding requires research to determine if the item is actually used, and if used, what would be a workaround that will not disable the server's purpose.
03-25-2014 08:40 AM - edited 03-25-2014 09:59 AM
OK, all I am going to do is to tell you the simplest answer. Be warned that taking these actions will disable services. Figuring out what to do next will be your responsibility.
1. NFS: disable NFS in /etc/rc.config.d/nfsconf
2. Disable sendmail, mailx and mail by removing the execute bit.
3. Disable ftpd, rlogind, remshd, rexecd in /etc/inetd.conf
4. Disable all httpd web services
5. Disable all SNMP services in /etc/rc.config.d
6. (Same as 4) Disable httpd from running so no web services are available.
7. (Same as 4)
8. (Same as 4)
9. (Same as 4)
10. Put your console on an isolated subnet
11. (Same as 2)
12. Edit the sshd_config file and disable Version 1.
13. (same as 4)
14. Edit inetd.conf and disable dtlogin
15. Edit inetd.conf and disable finger
16. -- this finding is meaningless as there are no specifics --
17. (same as 4)
18. (same as 4)
20. Disable all the rpc services in inetd.conf, number 1 disables rpc too
21. same as 3 except ssh: disable login banner in sshd_config
22. same as 4
23. same as 4
24. same as 4
25. same as 4
I purposely left out the specific details on which line in the config files to edit...this requires a knowledgeable sysadmin to perform these actions. And again, disabling all these features may render your server unusable. You cannot blindly follow the recommendations without help.
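As an added example (not Bill's code, and not from the thread), the script below performs the file edits behind items 1, 2, 3, 5, 12, 15 and 20 of the list above on copies of the configuration files, so the result can be inspected before anything is touched under /etc. The sample file contents are constructed. The paths (/etc/inetd.conf, /etc/rc.config.d/nfsconf, SnmpMaster and mailservs, /opt/ssh/etc/sshd_config) and the variable names NFS_SERVER, SNMP_MASTER_START and SENDMAIL_SERVER follow HP-UX 11i conventions but are assumptions here; compare them with the files on your own system before pointing the functions at the real paths.

```shell
#!/bin/sh
# Added example, not from the thread. Edits COPIES of HP-UX config files so
# the effect of the "simplest answer" list can be reviewed before touching /etc.
# Paths and variable names are HP-UX 11i conventions and are assumptions:
# verify them against your own /etc/inetd.conf, /etc/rc.config.d/* and
# /opt/ssh/etc/sshd_config.

WORK=${TMPDIR:-/tmp}/hpux-harden.$$
mkdir -p "$WORK"

# Comment out every active inetd.conf entry whose service field is $2.
# HP-UX lists RPC services with "rpc" as the first field, so
# disable_inetd_service FILE rpc switches all of them off at once (item 20).
disable_inetd_service() {
    awk -v s="$2" '$1 == s { print "#" $0; next } { print }' "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

# Exit 0 if an uncommented entry for service $2 remains in $1.
inetd_service_active() {
    awk -v s="$2" '$1 == s { found = 1 } END { exit !found }' "$1"
}

# Set KEY<sep>VALUE, replacing the first active (uncommented) setting or
# appending one. sep is "=" for the /etc/rc.config.d shell fragments and " "
# for sshd_config, which separates keyword and value with whitespace.
set_config_line() {
    awk -v k="$2" -v s="$3" -v v="$4" '
        /^[ \t]*#/ { print; next }
        { split($0, f, (s == "=") ? "=" : "[ \t]+") }
        f[1] == k && !done { print k s v; done = 1; next }
        { print }
        END { if (!done) print k s v }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Print the value of the first active KEY in $1 (same separator rules).
config_value() {
    awk -v k="$2" -v s="$3" '
        /^[ \t]*#/ { next }
        { split($0, f, (s == "=") ? "=" : "[ \t]+") }
        f[1] == k { print f[2]; exit }
    ' "$1"
}

# --- constructed sample files standing in for the real ones -----------------
cat > "$WORK/inetd.conf" <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
shell   stream tcp nowait root /usr/lbin/remshd  remshd
exec    stream tcp nowait root /usr/lbin/rexecd  rexecd
finger  stream tcp nowait bin  /usr/lbin/fingerd fingerd
rpc     dgram  udp wait   root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rstatd
EOF
printf 'NFS_CLIENT=1\nNFS_SERVER=1\n' > "$WORK/nfsconf"
printf 'SNMP_MASTER_START=1\n'        > "$WORK/SnmpMaster"
printf 'SENDMAIL_SERVER=1\n'          > "$WORK/mailservs"
printf '# Protocol 2,1\nProtocol 2,1\nPermitRootLogin yes\n' > "$WORK/sshd_config"

# --- the edits, numbered as in the list above --------------------------------
set_config_line "$WORK/nfsconf"     NFS_SERVER        "=" 0   # 1: NFS server off
set_config_line "$WORK/mailservs"   SENDMAIL_SERVER   "=" 0   # 2: sendmail daemon off
for svc in ftp telnet login shell exec finger rpc; do         # 3, 15, 20
    disable_inetd_service "$WORK/inetd.conf" "$svc"
done
set_config_line "$WORK/SnmpMaster"  SNMP_MASTER_START "=" 0   # 5: SNMP master off
set_config_line "$WORK/sshd_config" Protocol          " " 2   # 12: SSH protocol 1 off

# Report what is still enabled so the operator can decide what to put back.
for svc in ftp telnet login shell exec finger rpc; do
    if inetd_service_active "$WORK/inetd.conf" "$svc"; then
        echo "inetd: $svc still enabled"
    fi
done
echo "NFS_SERVER=$(config_value "$WORK/nfsconf" NFS_SERVER =)"
echo "Protocol $(config_value "$WORK/sshd_config" Protocol ' ')"
```

Editing the files does not stop anything that is already running: on HP-UX, inetd rereads its configuration with inetd -c, and the NFS, SNMP, sendmail and sshd daemons are stopped through their /sbin/init.d scripts (paths assumed; check your system). As Bill says, every service you switch off here should first be confirmed unused, for example by watching inetd logging and lsof or netstat output over a business cycle.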
03-25-2014 12:20 PM
>2. Disable sendmail, mailx and mail by removing the execute bit.
I would think this would only be the first, mailx/mail are only mail clients?
Of course these clients don't provide authentication, so they wouldn't be useful after hardening, unless an internal corporate server that doesn't check.
03-29-2014 01:25 AM
Hi Bill & Dennis,
Thanks for providing the solution and also your time.
I would like to tell you that I have already disabled the telnet and I cannot disable nfs as we use nfs in our environment.
Still I would require help from you. Can you please tell me HOW to disable those parameters, viz. how to disable EXPN and VRFY in sendmail and etc.
03-29-2014 12:55 PM
>Can you please tell me HOW to disable those parameters, viz. how to disable EXPN and VRFY in sendmail
I'm not sure you can disable just those commands. So you need to stop the sendmail daemon from listening.
03-30-2014 12:16 PM
If you follow Bill's instructions, sendmail will be completely disabled, so EXPN and VRFY will no longer work.
But maybe you don't want to disable Sendmail completely.
When I Googled with keywords "sendmail disable expn vrfy", this was the second result:
Look at the step 2).
Note: depending on your HP-UX and Sendmail versions, you may have to make a similar change to /etc/mail/submit.cf too.
The above is just a quick "cookbook-style" instruction. To really understand Sendmail on HP-UX, you will need two books:
First, the HP-UX Mailing Services Administrator's Guide:
Second, the "sendmail" book from O'Reilly:
This is not downloadable for free, but it is very important if you're using Sendmail in a serious way. Usually you'll want the latest edition of the book, although earlier editions may be useful with old HP-UX versions (and people who have updated to the latest edition might be selling old editions of the book on eBay or similar).
The "sendmail" book will completely describe the operation and configuration of a standard version of Sendmail. As a printed book, it is a 1300-page monster, but don't worry. The largest part of the book is a list of every configuration setting in Sendmail: you don't need to read all of that, just read the introductory chapters at the beginning of the book, then pick & choose what you need, or use it as a reference.
But HP has made some modifications to the configuration: the HP-UX Mailing Services Administrator's Guide describes the differences and also gives direct advice for some common configurations. If you need an "advanced configuration" of Sendmail on HP-UX, you really need both. Without having read the "sendmail" book, you won't understand all the concepts and references in the Mailing Services Administrator's Guide.
If you need a sendmail configuration option that is not immediately available in the standard HP-UX sendmail.cf file, you'll need the complete Sendmail configuration macro system that is available at /usr/newconfig/etc/mail/cf/cf/. HP has created a gen_cf script that makes it easier to use, but you'll really need the Mailing Services Administrator's Guide to successfully use it.
03-30-2014 12:38 PM
OK, to simply disable these security issues, you can change the PrivacyOptions and SmtpGreetingMessage.
As with all sendmail settings, these may or may not all apply to your particular version of sendmail.
Search for the line that has:
To disable expn and vrfy (and authwarnings), change the line to:
And anticipating further security issues, change the default greeting from something like this:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
to:
O SmtpGreetingMessage=$j $b
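As an added example (not from the thread and not HP's or the poster's code), the script below makes the two sendmail.cf changes discussed above on a copy of the file and checks the result. The file contents are constructed; the option names PrivacyOptions and SmtpGreetingMessage and the flags noexpn and novrfy are standard sendmail 8, and the real HP-UX paths /etc/mail/sendmail.cf and /etc/mail/submit.cf are named in the thread. Applying the change to both files, as the earlier post notes for submit.cf, is shown too.

```shell
#!/bin/sh
# Added example, not from the thread. Rewrites the "O name=value" options
# discussed above in a COPY of sendmail.cf and verifies the result.
# Sample file contents are constructed; option names are standard sendmail 8.

WORK=${TMPDIR:-/tmp}/sendmail-harden.$$
mkdir -p "$WORK"

# Replace the first "O NAME=..." line with "O NAME=VALUE", or append one.
# Values travel through awk -v, so they may contain $j, $b and ';'.
set_sendmail_option() {
    awk -v n="$2" -v v="$3" '
        index($0, "O " n "=") == 1 { print "O " n "=" v; done = 1; next }
        { print }
        END { if (!done) print "O " n "=" v }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Print the current value of "O NAME=" (empty if the option is not set).
sendmail_option() {
    awk -v n="$2" '
        index($0, "O " n "=") == 1 { print substr($0, length(n) + 4); exit }
    ' "$1"
}

# --- constructed stand-in for /etc/mail/sendmail.cf and submit.cf -----------
cat > "$WORK/sendmail.cf" <<'EOF'
# privacy flags
O PrivacyOptions=authwarnings
# SMTP initial login message (old $e macro)
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
EOF
cp "$WORK/sendmail.cf" "$WORK/submit.cf"

for cf in "$WORK/sendmail.cf" "$WORK/submit.cf"; do
    # noexpn/novrfy stop EXPN and VRFY from confirming addresses while keeping
    # authwarnings; the single flag "goaway" would turn on these plus noverb,
    # noetrn and the need*helo restrictions.
    set_sendmail_option "$cf" PrivacyOptions 'authwarnings,noexpn,novrfy'
    # Drop the version macros ($v/$Z) from the banner so a scanner cannot
    # read the sendmail release off the greeting.
    set_sendmail_option "$cf" SmtpGreetingMessage '$j $b'
done

echo "PrivacyOptions: $(sendmail_option "$WORK/sendmail.cf" PrivacyOptions)"
echo "Greeting:       $(sendmail_option "$WORK/sendmail.cf" SmtpGreetingMessage)"
```

After editing the real files, restart the daemon (on HP-UX, via /sbin/init.d/sendmail stop and start; path assumed) and check from another host: connect to port 25, send HELO, then VRFY root and EXPN root. With these flags sendmail 8 answers VRFY with a 252 "Cannot VRFY user" reply instead of the account's address and refuses EXPN with a 5xx reply, and the 220 banner no longer carries a version string.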