
Securing AIX Network Services

Sandor W. Sklar (ssklar@stanford.edu), Systems Administrator, Freelance Developer
Sandor W. Sklar is a Unix systems administrator at Stanford University, in beautiful Northern California. When not poking through his systems for real or imagined security holes, he enjoys spending time with his wife and two children.

Summary:  Better understand the network services in AIX and the impact each one has on system security. Administrators responsible for RS/6000s connected in some way to a public network can use the information in this tutorial to achieve the necessary balance between functionality and security.

Date:  24 Dec 2001
Level:  Intermediate

Reviewing the hardened system

On the example system used for this tutorial, these changes have been made:

  • In /etc/inittab:
    • The following entries were disabled: rcnetw, writesrv, httpdlite, imnss, imqss, dt, and lines l2 through l9, which referenced the System V script directories.
    • The /etc/rc.nfs script was modified to prevent the startup of the rpc.statd and rpc.lockd daemons.
    • An entry was added to execute the /etc/rc.no script, setting network options.
  • In /etc/rc.tcpip:
    • The lines of the script responsible for starting the snmpd, dpid2, and x_st_mgrd daemons were disabled.
  • In /etc/inetd.conf:
    • The following services were disabled: shell, kshell, login, klogin, exec, bootps, tftp, rstatd, rusersd, rwalld, sprayd, pcnfsd, echo, discard, chargen, daytime, time, ttdbserver, ssalld, instsrv, dtspc, and cmsd.
    • The entry for ftp was modified to invoke the ftp daemon with the arguments -l -u077.
  • Sendmail configuration was modified to prevent the open relaying of third-party mail.
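To verify the inetd.conf part of those changes on a system, here is an added audit script (not part of the original tutorial) that reports any service from the list above that still has an active entry and confirms the ftp entry carries -l -u077. The inetd.conf fragment it writes is constructed for the example; the function names and the temporary file path are this example's own.

```sh
#!/bin/sh
# Added example: audit an AIX /etc/inetd.conf against the set of services
# this section disables, and confirm the ftp entry passes -l -u077.
# write_sample produces a constructed inetd.conf fragment; on a real
# system point still_enabled and ftp_flags_ok at /etc/inetd.conf instead.

# The inetd.conf services disabled on the tutorial's example system.
DISABLED_SERVICES="shell kshell login klogin exec bootps tftp rstatd rusersd \
rwalld sprayd pcnfsd echo discard chargen daytime time ttdbserver ssalld \
instsrv dtspc cmsd"

# still_enabled FILE: print each service from DISABLED_SERVICES that has an
# active (uncommented) entry in FILE, one name per line.
still_enabled() {
    for svc in $DISABLED_SERVICES; do
        awk -v s="$svc" '$1 !~ /^#/ && $1 == s { print s; exit }' "$1"
    done
}

# ftp_flags_ok FILE: succeed only if the active ftp entry passes both -l
# (log each session to syslog) and -u077 (umask for files ftpd creates).
# Arguments start at field 7 (service socket proto wait user server args).
ftp_flags_ok() {
    awk '$1 !~ /^#/ && $1 == "ftp" {
             for (i = 7; i <= NF; i++) { if ($i == "-l") l = 1; if ($i == "-u077") u = 1 }
         }
         END { exit !(l && u) }' "$1"
}

# write_sample FILE: constructed inetd.conf fragment in AIX format.
# shell and login are commented out; exec and tftp were left active.
write_sample() {
    cat > "$1" <<'EOF'
ftp     stream  tcp6  nowait  root    /usr/sbin/ftpd      ftpd -l -u077
telnet  stream  tcp6  nowait  root    /usr/sbin/telnetd   telnetd -a
#shell  stream  tcp6  nowait  root    /usr/sbin/rshd      rshd
#login  stream  tcp6  nowait  root    /usr/sbin/rlogind   rlogind
exec    stream  tcp6  nowait  root    /usr/sbin/rexecd    rexecd
tftp    dgram   udp6  SRC     nobody  /usr/sbin/tftpd     tftpd -n
EOF
}

# Demonstration run against the constructed sample.
SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample.$$
write_sample "$SAMPLE"
echo "services still enabled:"; still_enabled "$SAMPLE"   # prints exec, tftp
if ftp_flags_ok "$SAMPLE"; then echo "ftp flags ok"; else echo "ftp flags missing"; fi
rm -f "$SAMPLE"
```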

As a result of those changes, the number of open ports on the system was reduced significantly:

Port Number  Protocol  Well-Known Name  Daemon/Application  Started from
21           tcp       ftp              /usr/sbin/ftpd      /etc/inetd.conf
23           tcp       telnet           /usr/sbin/telnetd   /etc/inetd.conf
25           tcp       smtp             /usr/sbin/sendmail  /etc/rc.tcpip
111          tcp       sunrpc           /usr/sbin/portmap   /etc/rc.tcpip
111          udp       sunrpc           /usr/sbin/portmap   /etc/rc.tcpip
514          udp       syslog           /usr/sbin/syslogd   /etc/rc.tcpip

Am I secure now?

Unfortunately, the answer to that question is "no". It is not enough to simply turn off some services and hope that what remains is secure. Constant monitoring of system logs and network services is required to guard against attempts at compromise and to check for signs of successful intrusion.

The steps outlined in this tutorial cover only what is possible with the tools provided by the operating system. No advantage was taken of the many open source and other free tools available. These software applications include OpenSSH, which provides secure replacements for so many of the insecure default services, and other tools like nmap, useful in determining the network footprint of a system and detecting unauthorized services that may be active.

Network security cannot be achieved by just keeping outsiders at bay. A truly safe system must have safeguards against illegitimate user activity, improper file access control, and a host of other issues. The steps outlined in this tutorial provide a necessary start to the never-ending process of developing a safe, secure, and productive computing environment.


A footnote on network security

Within the six days that the example system used in this tutorial was up and running, there were four distinct attempts at unauthorized access. System administrators who don't believe an attack is possible are not monitoring their logs closely enough.
