
Author Topic: Secure AIX  (Read 19824 times)


madunix

  • New Member
  • *
  • Posts: 4
  • Karma: +0/-0
Secure AIX
« on: October 31, 2008, 06:44:20 AM »
Can you please point out ways to protect an AIX system from intruders and move it to a secure environment, i.e. (passwords, disable services, block packets, etc.)?

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1101
  • Karma: +0/-0
Re: Secure AIX
« Reply #1 on: October 31, 2008, 10:30:20 AM »
Depends on your level of AIX.

For AIX 5.2 (and less with some modifications) a good start is this redbook: AIX 5L Version 5.2 Security Supplement. In particular, for your question I recommend reading Appendix A.

This book is a supplement for the AIX Security "whitebook" that can be found for each version of AIX via the Information Center links (use the rootvg weblink on the right for your version of AIX).

If you have AIX 5.3 or AIX 6.1, one relatively easy way to harden AIX is to use AIX Security Expert (command line: aixpert).

If you have more (specific) questions - just ask.

madunix

  • New Member
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Secure AIX
« Reply #2 on: October 31, 2008, 03:19:40 PM »
I am using AIX 5.3

root@node1/#uname -a
AIX node1 3 5 00073759D600

John R Peck

  • Administrator
  • Senior Member
  • *****
  • Posts: 134
  • Karma: +0/-0
Re: Secure AIX
« Reply #3 on: November 01, 2008, 12:47:34 AM »
For details of what to do with passwords, see the headers in the files /etc/security/user & /etc/security/login.cfg.

For services, as in network services,
the file /etc/inetd.conf controls the "transient" ones - comment out anything you don't want to start,
for other permanently running daemons see the files /etc/rc.tcpip or /etc/rc.nfs, and so on.

There is no supplied way to block (network) packets with AIX.  There was once a firewall product that could
be installed on AIX or Windows, but that fell by the wayside in the face of competition from other types of firewall,
often specialised integrated devices.  You still have unrelated things like tunnels and encryption.

This server uses our own "blockip" tool to block specific offending IP addresses - details here:
www.rootvg.net/blockip.html


madunix

  • New Member
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Secure AIX
« Reply #4 on: November 03, 2008, 07:11:15 PM »
How could you deny access to your server, or limit access? I want to deny SSH for all and then allow it just for certain hosts.

Accept SSH for 10.5.0.0, 192.168.0.0, 10.4.1.1
and deny SSH for all others.

John R Peck

  • Administrator
  • Senior Member
  • *****
  • Posts: 134
  • Karma: +0/-0
Re: Secure AIX
« Reply #5 on: November 04, 2008, 03:02:24 AM »
For TCP services that are handled by /etc/inetd.conf, e.g. telnet and FTP,
you can install the freeware TCP_wrapper program downloadable from the BULL site,
and put that in front of the required services, then you have /etc/hosts.allow and .deny to control
access to the services.

/etc/hosts.deny:
ALL: ALL

/etc/hosts.allow:
telnetd: 10.5.0.0
telnetd: 192.168.0.0
telnetd: 10.4.1.1

/etc/inetd.conf:
telnet  stream  tcp    nowait  root    /usr/local/bin/tcpd  telnetd -a 
## telnet  stream  tcp    nowait  root    /usr/sbin/telnetd      telnetd -a   

However, that's no good for SSH.  Depending on which version of it you have,
SSHD is permanently set running from inittab using essentially the "start" section
of /etc/rc.openssh for example, which calls on the daemon configuration file
sshd_config:
                print "Starting OpenSSH daemon on port 22"
                cmd /usr/local/sbin/sshd \               
                        -f /etc/openssh/sshd_config \     
                        -h /etc/openssh/ssh_host_key;     
In the config file I have there are no options relating to the control/blocking of
particular IPs for the service.
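To make the hosts.allow/hosts.deny mechanics concrete, here is an added example (my own, not code from the thread or from the tcp_wrappers package) that models the hosts_access(5) decision in POSIX shell: hosts.allow is consulted first, then hosts.deny, and the first matching line wins; a client that matches neither file is allowed. The sample tables are constructed. One point worth checking against the real man page when writing these files: an address pattern is an exact match unless it ends in a dot (a prefix, so "10.5." covers 10.5.x.x) or is written as a net/mask pair, so "telnetd: 10.5.0.0" admits only a client whose address is exactly 10.5.0.0. The script keeps that literal form as a second table to show the difference. The same files are also honoured, under the daemon name sshd, by an sshd that was built with libwrap support, which some OpenSSH builds of that era were.

```shell
#!/bin/sh
# Added example, not from the thread: a simplified model of the hosts_access(5)
# decision tcp_wrappers makes for a (daemon, client address) pair.
# Order: hosts.allow is searched first (match -> allow), then hosts.deny
# (match -> deny); no match in either file -> allow.  First matching line wins.
# Client patterns modelled: ALL, an exact IPv4 address, and a prefix ending in
# "." (so "10.5." covers 10.5.x.x).  EXCEPT clauses, hostnames and net/mask
# pairs are left out.

# Constructed sample tables.  Note the prefix form "10.5." and "192.168.":
# a bare "10.5.0.0" would only match a client whose address is exactly 10.5.0.0.
HOSTS_ALLOW='telnetd: 10.5.
telnetd: 192.168.
telnetd, sshd: 10.4.1.1'
HOSTS_DENY='ALL: ALL'
# The literal form from the thread, kept to show the difference.
HOSTS_ALLOW_LITERAL='telnetd: 10.5.0.0'

# pattern_matches PATTERN CLIENT_IP -> exit 0 when the client fits the pattern
pattern_matches() {
    pat=$1; ip=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; esac; return 1 ;;
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

# line_matches "daemon_list: client_list" DAEMON CLIENT_IP
line_matches() {
    line=$1; daemon=$2; ip=$3
    daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
    clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
    hit=1
    for d in $daemons; do
        if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then hit=0; fi
    done
    [ $hit -eq 0 ] || return 1
    for c in $clients; do
        pattern_matches "$c" "$ip" && return 0
    done
    return 1
}

# table_matches TABLE_TEXT DAEMON CLIENT_IP -> exit 0 on the first matching line
table_matches() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if line_matches "$line" "$2" "$3"; then echo hit; break; fi
    done | grep -q hit
}

# hosts_access_with ALLOW_TEXT DENY_TEXT DAEMON CLIENT_IP -> prints allow|deny
hosts_access_with() {
    if table_matches "$1" "$3" "$4"; then
        echo allow
    elif table_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow
    fi
}

# hosts_access DAEMON CLIENT_IP -> decision against the sample tables above
hosts_access() {
    hosts_access_with "$HOSTS_ALLOW" "$HOSTS_DENY" "$1" "$2"
}

# Demonstration
for probe in 'telnetd 10.5.1.1' 'sshd 10.5.1.1' 'sshd 10.4.1.1' 'ftpd 192.168.0.5'; do
    set -- $probe
    printf '%-8s from %-12s -> %s\n' "$1" "$2" "$(hosts_access "$1" "$2")"
done
# With the literal pattern, only the address 10.5.0.0 itself gets telnet:
printf 'literal: telnetd from 10.5.1.1 -> %s\n' \
    "$(hosts_access_with "$HOSTS_ALLOW_LITERAL" "$HOSTS_DENY" telnetd 10.5.1.1)"
```

Because hosts.deny is only reached when hosts.allow has no match, the "ALL: ALL" deny line turns the allow file into the complete whitelist; a typo there (an exact address where a prefix was meant) silently locks out the whole network rather than opening it, which is the safer failure mode but worth testing before the telnet session you are sitting in gets closed.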

madunix

  • New Member
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Secure AIX
« Reply #6 on: November 04, 2008, 07:40:19 AM »
Many thanks for your help, but I can't find the TCP_wrapper on Bull for AIX 5.3.
Where can I download it, and how do I install it, please?
One thing: the 2 servers are clustered through GPFS. My /etc/hosts:

127.0.0.1       loopback localhost

######  Public Network   ########
10.5.1.1        node1
10.5.1.2        node2   
######  Virtual IP Address #######
10.5.1.10       node1_vip
10.5.1.20       node2_vip
#######  Interconnect RAC  ####
192.166.1.1     node1_prv
192.166.1.2     node2_prv
######   Interconnect GPFS  ######
20.20.20.10     node1_gpfs
20.20.20.20     node2_gpfs
######### SiteB Nodes ##########
10.4.1.11       node_b1
10.4.1.12       node_b2
10.4.1.11       node_b1_gpfs
10.4.1.12       node_b2_gpfs

I have disabled telnet on the servers through inetd and enabled only ssh.
How will this affect my configuration in hosts.allow, given the above /etc/hosts?

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1101
  • Karma: +0/-0
Re: Secure AIX
« Reply #7 on: November 04, 2008, 12:01:40 PM »
tcp_wrapper is supplied on the AIX 5.3 extensions CD.

root@aix530:[/export/lpp/expansion]installp -L -d . | grep -i wrap
netsec.options:netsec.options.tcpwrapper.base:1.1.0.0::I:T:::::N:TCP-wrapper::::0::
netsec.options:netsec.options.tcpwrapper.license:1.1.0.0::I:T:::::N:TCP-wrapper License::::0::
netsec.options:netsec.options.tcpwrapper.man.en_US:1.1.0.0::I:T:::::N:TCP-wrapper Doc (en_US)::::0::
netsec.options:netsec.options.tcpwrapper.msg.en_US:1.1.0.0::I:T:::::N:TCP-wrapper Msg (en_US)::::0::

« Last Edit: November 04, 2008, 12:11:03 PM by Michael »

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1101
  • Karma: +0/-0
Re: Secure AIX
« Reply #8 on: November 04, 2008, 12:19:20 PM »
Another approach is to use the bos.net.ipsec filesets.

e.g., a selection of the rules I use on my login server:


6|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|eq|22|any|0|both|both|no|all packets|0|en0
7|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|any|0|eq|22|both|both|no|all packets|0|en0


or a bit more verbose:
root@x121:[/home/root]lsfilt -v 4 -n 6,7
Rule 6:
Rule action         : permit
Source Address      : 192.168.129.121
Source Mask         : 255.255.255.0
Destination Address : 192.168.129.121
Destination Mask    : 255.255.255.0
Source Routing      : no
Protocol            : tcp
Source Port         : eq  22
Destination Port    : any 0
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : en0
Auto-Generated      : no

Rule 7:
Rule action         : permit
Source Address      : 192.168.129.121
Source Mask         : 255.255.255.0
Destination Address : 192.168.129.121
Destination Mask    : 255.255.255.0
Source Routing      : no
Protocol            : tcp
Source Port         : any 0
Destination Port    : eq  22
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : en0
Auto-Generated      : no


Basically, these two rules permit incoming and outgoing traffic on tcp port 22 for the network 192.168.129.0/24.
If I added two deny rules for everything else, i.e. from 0.0.0.0 and to 0.0.0.0, after these rules, ssh (port 22) would only be permitted on this single network.