AIX Security Expert and Denial-of-Service attacks (SOX, Sockets and socks)
AnthonyEnglish 270000RKFN Visits (8139)
Over the weekend, a client implemented security hardening on their production LPARs. They used AIX 6.1 Security Expert. Apart from some users who had been locked out due to weak passwords, testing went well ... until about 9am Monday, when some users reported they couldn't log in.
Here were the symptoms:
only the sharpest mathematical minds would pick up:
A mathematical experiment
Gather together 11.8 friends - and yourself - and all take off gloves and shoes and socks to confirm the abovementioned amazing mathematical fact. You may need to find another 12.8 friends - if you have them - to do the comparison.
Well, one console session was accounted for, and the rest came down to a limit on the number of network connections allowed. Enter the protagonist of this drama, the AIX 6.1 tcptr command. That is the command which allows you to regulate the number of connections allowed for a range of ports.
The telnet port 23 and ssh port 22 were in the same range for tcptr. AND their limit was set to 256, as shown by the tcptr -show command. On top of that, ftp was permitted because it was on port 21 - a different range, with only one connection in use.
The tcptr command had been called by aixpert.
Fixing the problem was easy, once I understood the syntax of the tcptr command:
Once I increased the maximum connections for the port range StartPort=22 to EndPort=25, users were able to log in immediately. Which was just as well, because the Help Desk was then able to log new calls, including an environmental issue to do with a socks audit and bare feet in the office.
Once you've put your gloves on again, have a read of the man page for the tcptr command, and a developerWorks article on IBM AIX TCP Traffic Regulation.
Check the wiki on aixpert to find out more about SOX-COBIT compliance.