08/25/97 Seminar - HPUX Security Issues

Security is an important issue for all workstations. In this seminar I covered mostly general issues, and a few issues specific to HPUX machines.

Encap

Encap really doesn't have anything to do with security, but it is a nice package management tool. I brought it up because many of the security tools that I recommend I have also built into Encap archives. The best place to read about the Encap method of software installation is the Encap Web page. A quick over-view is this: all third party software ends up in /usr/local/encap/[package name]. For example, "ssh" version 1.2.20, would be in /usr/local/encap/ssh-1.2.20/bin/ssh. Encap then makes links from all the package directories into the /usr/local/* directories. For example, everything in /usr/local/encap/ssh-1.2.20/bin/* would end up linked to from /usr/local/bin/*. I highly recommend it. The complete list of other HPUX precompiled programs (there are MANY) can be found at the U of I's HPUX Encap Archive.

Preventive Measures

TCP wrappers:
One method of break-in prevention is the use of TCP wrappers. These will let you see where everyone is connecting to your machine from. TCP wrapper source can be found at this location. A precompiled Encap archive is here. After compiling them, you want actually have your machine run them. To do this, you need to modify your /etc/inetd.conf. If it read:
```
	telnet  stream  tcp     nowait  root    telnetd telnetd 
	
```
it should now read:
```
	telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  telnetd
	
```
Once these have been installed, you can see the connections being made to your machine in your sysadmin logs in /var/adm/syslog.
Secure Shell (ssh):
Telnet is insecure. On an unswitched network people can watch your connection. This includes seeing your password, or reading your email along with you. SSH is a fully end-to-end encrypted TCP connection. It operates like rsh. More can be read about it on the SSH FAQ web page. The encap archive can be found here. Once you have unpacked the archive, there is a script encap-install that will make all the files in /etc/sshd, and /sbin/rc4.d that SSH needs to run.
rlogin and .rhosts:
The .rhosts file is on of the most frequently used security holes. If someone put "+ +" in your .rhosts, any machine ("+") as any user ("+") is allowed to log into your account. The best thing to do would be to turn rlogin and rsh off all together. This can be done by editing your /etc/inetd.conf, and adding a hash ("#") in front of the rsh and rlogin lines. Don't forget to run "inetd -c" when you're done editing. The next to best thing to do is to make an empty .rhosts file in every user's home directory, mode 400. "touch .rhosts; chmod 400 .rhosts" is all that's needed. This will stop all the security exploits that need to create the .rhosts file to work. If it's already there, bad people can't attack the system.
Passwords:
User login passwords should not be guessable. Make sure people use a word that isn't found in any dictionary, and that it has a mix of upper and lower case, and maybe a few non-alphanumeric characters. It is also important to change your passwords regularly so if someone DOES know your password, they won't know it for long.
HP Specific Information:
There are a few HPUX-specific security flaws. Most are fixed by the "March Patch Bundle", and the "recommended patches". Those things that are not fixed by this are listed here.
Read More:
A great source of general security information can be found at Joe Gross' Security Workshop. I condensed a lot of this information for my seminar, but more detail can be found there. It's well worth it to read.

Back to Seminar List

Last modified: Friday, October 17 1997