HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 2 Administering User and System Security

Protecting Against System Access by Remote Devices

To protect against system penetration by remote access, observe the following precautions:

  • Require the use of a hardware dial-back system for all interactive modems.

  • Require an additional password from modem users by adding an entry for the modem device in /etc/dialups and, optionally, /etc/d_passwd. See Section .

  • Have users renew their dial-in accounts frequently.

  • Cancel system access promptly when a user is no longer an employee.

  • Establish a regular audit schedule to review remote usage.

  • Connect the modems and dial-back equipment to a single HP-UX system, and allow network services to reach the destination system from that point.

  • Make exceptions to dial-back for UUCP access. Additional restrictions are possible through proper UUCP configuration. See uucp(1) for more information.

    Another potential exception is file transfer via kermit. See kermit(1) for more information.

  • If a security breach with unknown factors occurs, shut down both network and telephone access and inform the network administrator.

  • To maximize security when configuring a dial-back modem system, dedicate the dial-out mechanism to the dial-out function only. Do not configure it to accept dial-in. Use another modem on another telephone line for your dial-in service.

  • Keep telephone numbers for modems unlisted and on a different system from other business phones. Do not publicize the dial-in phone numbers.

  • Physically secure the modems.

  • Use caller ID to identify all incoming calls to the modems.

  • Do not allow call forwarding or other extra phone services on the modem lines. Do not use cell phone modems.

  • For remote and local access, consider installing an HP-UX AAA server product. Using the industry-standard Remote Authentication Dial-In User Service (RADIUS) protocol, the HP-UX AAA Server provides authentication, authorization, and accounting of user network access at the entry point to a network. See the HP-UX AAA Server Administrator's Guide for more information.

  • For mobile connections using Mobile IPv6, use HP-UX IPSec to encrypt and authenticate Mobile IPv6 protocol messages between the Mobile IPv6 client and Home Agent. See the HP-UX IPSec Administrator's Guide for more information.

Controlling Access Using /etc/dialups and /etc/d_passwd

For additional security in identifying remote users, add entries into the /etc/dialups and /etc/d_passwd files. These files are used to control the dialup security feature of login. See dialups(4) and login(1) for more information.

If the /etc/dialups file exists, the login process compares the terminal to those listed in /etc/dialups. If the terminal exists in /etc/dialups, a password is requested by login. That password is compared to those in /etc/d_passwd.

The user's own login password is still verified against /etc/passwd as usual; the dialup password is an additional check, not a replacement for it.

Following is an example of configuring the /etc/dialups file (list the terminals that are allowed):

# vi /etc/dialups
/dev/ttyd0p1
/dev/ttyd0p2

Then add one entry per login shell to /etc/d_passwd. Each entry has three colon-separated fields: the shell path, the encrypted password, and a comment:

# vi /etc/d_passwd
/usr/bin/sh:xxxencrypted-passwordxxxxxxxxx:comments
/usr/bin/ksh:xxxencrypted-passwordxxxxxxxx:comments
/sbin/sh:xxxencrypted-passwordxxxxxxxxx:comments

The user sees three prompts in turn:

Login:
Password:
Dialup password:

To change passwords in /etc/d_passwd, use the passwd command as follows:

# passwd -F /etc/d_passwd shell_path

The shell_path is the shell path listed in /etc/d_passwd.
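The following is an added model of the dialup check described above, not code from HP-UX or from this guide. It parses constructed /etc/dialups and /etc/d_passwd contents, decides whether the terminal requires a dialup password, looks up the entry for the user's login shell, and also lists shells whose encrypted-password field is empty so an administrator can review them. A SHA-256 stand-in replaces the crypt(3) hash a real /etc/d_passwd holds, and the handling of a missing entry or empty field is an assumption of this model (dialups(4) defines the real behaviour).

```python
import hashlib
import hmac

# Constructed sample contents of /etc/dialups (not copied from any system).
DIALUPS = "/dev/ttyd0p1\n/dev/ttyd0p2\n"


def stand_in_hash(password: str, salt: str) -> str:
    """Stand-in for the crypt(3) hash a real /etc/d_passwd holds, so the
    example runs on any Python. Constructed format: salt$hexdigest."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed /etc/d_passwd: shell:encrypted-password:comment, one per shell.
D_PASSWD = "\n".join([
    "/usr/bin/sh:" + stand_in_hash("sh-dialup-secret", "ab") + ":sh users",
    "/usr/bin/ksh:" + stand_in_hash("ksh-dialup-secret", "cd") + ":ksh users",
    "/sbin/sh::root shell with an empty password field",
]) + "\n"


def parse_d_passwd(text: str) -> dict:
    """Map shell path -> encrypted-password field; comments are dropped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields[1] if len(fields) > 1 else ""
    return entries


def dialup_login(tty: str, shell: str, dialup_password: str,
                 dialups: str = DIALUPS, d_passwd: str = D_PASSWD) -> str:
    """Model of login's dialup step. Assumption (not stated on the page): a
    shell with no entry or an empty password field is refused by this model."""
    allowed_ttys = {l.strip() for l in dialups.splitlines() if l.strip()}
    if tty not in allowed_ttys:
        return "no dialup password required"
    encrypted = parse_d_passwd(d_passwd).get(shell, "")
    if not encrypted or "$" not in encrypted:
        return "refused: no usable /etc/d_passwd entry for " + shell
    salt = encrypted.split("$", 1)[0]
    if hmac.compare_digest(stand_in_hash(dialup_password, salt), encrypted):
        return "dialup password accepted"
    return "refused: wrong dialup password"


def audit_d_passwd(d_passwd: str = D_PASSWD) -> list:
    """Administrator's check: shells whose encrypted-password field is empty."""
    return [s for s, enc in parse_d_passwd(d_passwd).items() if not enc]
```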

© 2008 Hewlett-Packard Development Company, L.P.