Topic: Secure AIX
Michael (Administrator), Reply #8 on: November 04, 2008, 12:19:20 PM
Another approach is to use the bos.net.ipsec filesets. For example, a selection of the rules I use on my login server:
6|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|eq|22|any|0|both|both|no|all packets|0|en0
7|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|any|0|eq|22|both|both|no|all packets|0|en0
or a bit more verbose:
root@x121:[/home/root]lsfilt -v 4 -n 6,7
Rule 6:
Rule action : permit
Source Address : 192.168.129.121
Source Mask : 255.255.255.0
Destination Address : 192.168.129.121
Destination Mask : 255.255.255.0
Source Routing : no
Protocol : tcp
Source Port : eq 22
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : en0
Auto-Generated : no
Rule 7:
Rule action : permit
Source Address : 192.168.129.121
Source Mask : 255.255.255.0
Destination Address : 192.168.129.121
Destination Mask : 255.255.255.0
Source Routing : no
Protocol : tcp
Source Port : any 0
Destination Port : eq 22
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : en0
Auto-Generated : no
Basically, these two rules permit incoming and outgoing traffic on tcp port 22 for the network 192.168.129.0/24.
If I added two deny rules for everything (else), i.e. from 0.0.0.0 and to 0.0.0.0, after these rules, ssh (port 22) would only be permitted on this single network.
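The rule set above, worked through as an added example that is not part of Michael's post: a small Python model of how the AIX filter table is read. It parses the pipe-delimited lsfilt export lines, shows the network each rule really covers once the mask is applied (the .121 address with a 255.255.255.0 mask is 192.168.129.0/24, which is why the post says "for the network"), evaluates sample packets first match wins, which is the order the filter table is walked, and renders the genfilt command that would recreate each rule. Assumptions: rules 8 and 9 and the sample packets are constructed here (the deny pair is narrowed to port 22 rather than the deny-everything pair the post describes, so other services keep working); the default rule 0 is treated as permit; the genfilt flag letters follow the AIX genfilt man page and should be checked against your level. Nothing in it touches the kernel; genfilt and mkfilt are only printed.

```python
"""Offline model of the AIX ipsec filter rules quoted above (added example)."""
import ipaddress

FIELDS = ("fid", "action", "src", "smask", "dst", "dmask", "srcroute",
          "proto", "sop", "sport", "dop", "dport", "scope", "direction",
          "log", "frag", "tunnel", "iface")

# Constructed input.  Rules 6 and 7 are the two from the post; 8 and 9 are a
# hypothetical "deny ssh from everywhere else" pair.  Order matters: the
# deny rules must sit after the permits, since the first match wins.
EXPORT = """\
6|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|eq|22|any|0|both|both|no|all packets|0|en0
7|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|any|0|eq|22|both|both|no|all packets|0|en0
8|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|eq|22|both|inbound|yes|all packets|0|all
9|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|eq|22|any|0|both|outbound|yes|all packets|0|all
"""


def parse_export(text):
    """lsfilt export lines -> list of rule dicts with src/dst as networks."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = dict(zip(FIELDS, line.split("|")))
        # The filter compares (address & mask), so .121/255.255.255.0 is
        # really 192.168.129.0/24; ip_network(strict=False) does the same.
        r["srcnet"] = ipaddress.ip_network(f"{r['src']}/{r['smask']}", strict=False)
        r["dstnet"] = ipaddress.ip_network(f"{r['dst']}/{r['dmask']}", strict=False)
        rules.append(r)
    return rules


def port_ok(op, want, have):
    want = int(want)
    return {"any": True, "eq": have == want, "neq": have != want,
            "lt": have < want, "gt": have > want,
            "le": have <= want, "ge": have >= want}[op]


def matches(rule, pkt):
    """pkt keys: src, dst, proto, sport, dport, direction, iface."""
    return (ipaddress.ip_address(pkt["src"]) in rule["srcnet"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dstnet"]
            and rule["proto"] in ("all", pkt["proto"])
            and port_ok(rule["sop"], rule["sport"], pkt["sport"])
            and port_ok(rule["dop"], rule["dport"], pkt["dport"])
            and rule["direction"] in ("both", pkt["direction"])
            and rule["iface"] in ("all", pkt["iface"]))


def decide(rules, pkt, default="permit"):
    """First matching rule wins; otherwise the default rule 0 applies
    (assumed permit, as on a freshly activated filter table)."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["fid"]
    return default, "0"


# genfilt flag letters (assumed from the genfilt man page; verify on your level)
FLAG = {"permit": "P", "deny": "D", "yes": "Y", "no": "N", "both": "B",
        "local": "L", "route": "R", "inbound": "I", "outbound": "O",
        "all packets": "Y"}


def to_genfilt(r):
    """Render a rule as the genfilt command that would recreate it."""
    return (f"genfilt -v 4 -a {FLAG[r['action']]}"
            f" -s {r['srcnet'].network_address} -m {r['smask']}"
            f" -d {r['dstnet'].network_address} -M {r['dmask']}"
            f" -g {FLAG[r['srcroute']]} -c {r['proto']}"
            f" -o {r['sop']} -p {r['sport']} -O {r['dop']} -P {r['dport']}"
            f" -r {FLAG[r['scope']]} -w {FLAG[r['direction']]}"
            f" -l {FLAG[r['log']]} -f {FLAG[r['frag']]}"
            f" -t {r['tunnel']} -i {r['iface']}")


if __name__ == "__main__":
    rules = parse_export(EXPORT)
    for r in rules:
        print(f"rule {r['fid']}: {r['action']} {r['srcnet']} -> {r['dstnet']}")
        print("  " + to_genfilt(r))
    print("mkfilt -v 4 -u    # activate the table once lsfilt shows the right order")
    samples = [  # constructed packets
        dict(src="192.168.129.50", dst="192.168.129.121", proto="tcp",
             sport=40000, dport=22, direction="inbound", iface="en0"),
        dict(src="10.5.1.1", dst="192.168.129.121", proto="tcp",
             sport=40000, dport=22, direction="inbound", iface="en0"),
        dict(src="192.168.129.121", dst="10.5.1.1", proto="tcp",
             sport=22, dport=40000, direction="outbound", iface="en0"),
        dict(src="10.5.1.1", dst="192.168.129.121", proto="tcp",
             sport=40000, dport=80, direction="inbound", iface="en0"),
    ]
    for p in samples:
        print(p["direction"], p["src"], "->", p["dst"], p["dport"], decide(rules, p))
```

Before running mkfilt -v 4 -u on a real box, check with lsfilt -v 4 that the permit rules really sit ahead of the deny pair (mvfilt reorders them), and keep a console or HMC session open: a deny rule that matches your own ssh connection locks you out the moment the table is activated.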
Michael (Administrator), Reply #7 on: November 04, 2008, 12:01:40 PM
tcp_wrapper is supplied on the AIX 5.3 extensions CD.
root@aix530:[/export/lpp/expansion]installp -L -d . | grep -i wrap
netsec.options:netsec.options.tcpwrapper.base:1.1.0.0::I:T:::::N:TCP-wrapper::::0::
netsec.options:netsec.options.tcpwrapper.license:1.1.0.0::I:T:::::N:TCP-wrapper License::::0::
netsec.options:netsec.options.tcpwrapper.man.en_US:1.1.0.0::I:T:::::N:TCP-wrapper Doc (en_US)::::0::
netsec.options:netsec.options.tcpwrapper.msg.en_US:1.1.0.0::I:T:::::N:TCP-wrapper Msg (en_US)::::0::
Last Edit: November 04, 2008, 12:11:03 PM by Michael
madunix (New Member), Reply #6 on: November 04, 2008, 07:40:19 AM
Many thanks for your help, but I can't find the TCP_wrapper on Bull for AIX 5.3. Where can I download it, and how do I install it, please?
One thing: the 2 servers are clustered through GPFS. My /etc/hosts:
127.0.0.1 loopback localhost
###### Public Network ########
10.5.1.1 node1
10.5.1.2 node2
###### Virtual IP Address #######
10.5.1.10 node1_vip
10.5.1.20 node2_vip
####### Interconnect RAC ####
192.166.1.1 node1_prv
192.166.1.2 node2_prv
###### Interconnect GPFS ######
20.20.20.10 node1_gpfs
20.20.20.20 node2_gpfs
######### SiteB Nodes ##########
10.4.1.11 node_b1
10.4.1.12 node_b2
10.4.1.11 node_b1_gpfs
10.4.1.12 node_b2_gpfs
I have disabled telnet on the servers through inetd and enabled only ssh.
How will this affect my configuration of hosts.allow, given the above /etc/hosts?
John R Peck (Administrator), Reply #5 on: November 04, 2008, 03:02:24 AM
For TCP services that are handled by /etc/inetd.conf, e.g. telnet and FTP, you can install the freeware TCP_wrapper program downloadable from the BULL site and put that in front of the required services; then you have /etc/hosts.allow and .deny to control access to the services.
/etc/hosts.deny:
ALL: ALL
/etc/hosts.allow:
telnetd: 10.5.0.0
telnetd: 192.168.0.0
telnetd: 10.4.1.1
/etc/inetd.conf:
telnet stream tcp nowait root /usr/local/bin/tcpd telnetd -a
## telnet stream tcp nowait root /usr/sbin/telnetd telnetd -a
However, that's no good for SSH. Depending on which version of it you have, SSHD is permanently set running from inittab using essentially the "start" section of /etc/rc.openssh, for example, which calls on the daemon configuration file sshd_config:
print "Starting OpenSSH daemon on port 22"
cmd /usr/local/sbin/sshd \
-f /etc/openssh/sshd_config \
-h /etc/openssh/ssh_host_key;
In the config file I have, there are no options relating to the control/blocking of particular IPs for the service.
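The hosts.allow / hosts.deny mechanism described above, as an added example that is not part of John's post: a Python model of the hosts_access(5) decision that tcpd makes, so an access list can be checked before it is copied into /etc. It implements the client forms that matter here, exactly as hosts_access(5) defines them: ALL, a plain string (which matches that one address or host name only), the "n.n.n.n/m.m.m.m" net/mask pair, and a trailing-dot prefix such as "10.5." that matches the leading numeric fields. So to admit the whole 10.5.0.0/16 network the entry is written as 10.5.0.0/255.255.0.0 or 10.5., not as a bare 10.5.0.0. Assumptions: the two files and the client list are constructed (the allow list names the three networks from the thread; the clients are taken from the /etc/hosts madunix posted), and the sshd line only has an effect if the sshd binary was built with libwrap, which an OpenSSH built without --with-tcp-wrappers was not. Hostname patterns, EXCEPT and LOCAL are not modelled. On the host itself the equivalent check is tcpdmatch, shipped with tcp_wrappers (e.g. tcpdmatch telnetd 10.5.1.1).

```python
"""Offline model of tcp_wrappers hosts_access(5) decisions (added example)."""
import ipaddress

# Constructed files.  hosts.deny is the ALL: ALL line from the post; the
# allow list covers the three networks named in the thread in net/mask form.
# The sshd line is an assumption: it only works for an sshd linked with libwrap.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# daemon (argv[0] as tcpd sees it) : client patterns
telnetd: 10.5.0.0/255.255.0.0, 192.168.0.0/255.255.0.0, 10.4.1.1
sshd:    10.5.0.0/255.255.0.0, 192.168.0.0/255.255.0.0, 10.4.1.1
"""


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr):
    """Client address forms from hosts_access(5)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # net/mask pair: matches when net == (addr & mask), as tcpd computes it
        net, mask = (int(ipaddress.ip_address(p)) for p in pattern.split("/", 1))
        return (int(ipaddress.ip_address(addr)) & mask) == net
    if pattern.endswith("."):
        return addr.startswith(pattern)      # leading numeric fields, e.g. "10.5."
    return addr == pattern                   # plain string: that address only


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def tcpd_decision(allow_text, deny_text, daemon, addr):
    """tcpd order: first match in hosts.allow grants; else first match in
    hosts.deny refuses; else access is granted."""
    for rules, verdict in ((parse_access_file(allow_text), "allow"),
                           (parse_access_file(deny_text), "deny")):
        for daemons, clients in rules:
            if (any(daemon_matches(d, daemon) for d in daemons)
                    and any(client_matches(c, addr) for c in clients)):
                return verdict
    return "allow"


if __name__ == "__main__":
    # Constructed clients, taken from the /etc/hosts posted in the thread.
    clients = [("telnetd", "10.5.1.1"), ("sshd", "10.5.1.2"),
               ("sshd", "10.4.1.1"), ("sshd", "10.4.1.12"),
               ("sshd", "192.166.1.1"), ("ftpd", "10.5.1.1")]
    for daemon, addr in clients:
        print(f"{daemon:8} {addr:15} "
              f"{tcpd_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, addr)}")
```

Running it shows the two things worth knowing about that list before it goes live: node_b2 at 10.4.1.12 and the RAC interconnect 192.166.1.1 both fall through to ALL: ALL and are refused, because 10.4.1.1 is a single address and 192.166 is not 192.168.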
madunix (New Member), Reply #4 on: November 03, 2008, 07:11:15 PM
How could you deny access to your server, or limit access? I want to deny ssh for all and then allow it for just certain hosts:
accept ssh for 10.5.0.0, 192.168.0.0, 10.4.1.1
and deny ssh for all others.
John R Peck (Administrator), Reply #3 on: November 01, 2008, 12:47:34 AM
For details of what to do with passwords, see the headers in the files /etc/security/user and /etc/security/login.cfg.
For services, as in network services, the file /etc/inetd.conf controls the "transient" ones: comment out anything you don't want to start. For other permanently running daemons see the files /etc/rc.tcpip or /etc/rc.nfs, and so on.
There is no supplied way to block (network) packets with AIX. There was once a firewall product that could be installed on AIX or Windows, but that fell by the wayside in the face of competition from other types of firewall, often specialised integrated devices. You still have unrelated things like tunnels and encryption.
This server uses our own "blockip" tool to block specific offending IP addresses; details here:
http://www.rootvg.net/blockip.html
madunix (New Member), Reply #2 on: October 31, 2008, 03:19:40 PM
I am using AIX 5.3.
root@node1#uname -a
AIX node1 3 5 00073759D600
Michael (Administrator), Reply #1 on: October 31, 2008, 10:30:20 AM
Depends on your level of AIX.
For AIX 5.2 (and lower, with some modifications) a good start is this redbook: AIX 5L Version 5.2 Security Supplement (http://www.redbooks.ibm.com/abstracts/sg246066.html). In particular, for your question I recommend reading Appendix A.
This book is a supplement for the AIX Security "whitebook" that can be found for each version of AIX via the Information Center links (use the rootvg weblink on the right for your version of AIX).
If you have AIX 5.3 or AIX 6.1, one relatively easy way to harden AIX is to use AIX Security Expert (command line: aixpert).
If you have more (specific) questions - just ask.
madunix (New Member), Secure AIX, on: October 31, 2008, 06:44:20 AM
Can you please point out ways to protect an AIX system from intruders and move it to a secure environment, i.e. passwords, disabling services, blocking packets, etc.?