This section briefly describes the authentication or authorization mechanism used by each of the Internet Services, and the security risks involved.
HP-UX Internet Services is documented in the HP-UX Internet Services Administrator's Guide and Using HP-UX Internet Services at: http://www.docs.hp.com/en/netcom.html#Internet%20Services
Also see the HP-UX Remote Access Services Administrator's Guide at: http://www.docs.hp.com/en/netcom.html#Internet%20Services
HP-UX Internet Services control access either through password verification or through authorization that is set up in a configuration file. See Table 5-1 for a list of Internet Services components and their access verification or authorization mechanism.
Table 5-1 Internet Services Components and Access Verification, Authorization, and Authentication

| Internet Services Component | Access Verification, Authorization, or Authentication Mechanism |
|---|---|
| ftp (file transfer) | Password verification. Can also use the Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See ftp(1). |
| rcp (remote copy) | Entry in $HOME/.rhosts or /etc/hosts.equiv file. Can also use the Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See rcp(1). |
| rdist (remote file distribution) | Entry in $HOME/.rhosts or /etc/hosts.equiv file. See rdist(1). |
| remsh, rexec (execute from remote shell) | Entry in $HOME/.rhosts or /etc/hosts.equiv file. Can also use the Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See remsh(1). |
| rlogin (remote login) | Password verification or entry in $HOME/.rhosts or /etc/hosts.equiv file. Can also use the Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See rlogin(1). |
| telnet (remote login using TELNET protocol) | Password verification. If the TAC User ID option is enabled by the telnetd daemon, telnet uses the $HOME/.rhosts or /etc/hosts.equiv file. See telnet(1) and telnetd(1M). |

NOTE: Information (including passwords) is passed between two systems in clear text and is not encrypted. Use Internet Services only between hosts that are well-known and defined to each other and within a private internal network behind a firewall. When communicating over an untrusted network, secure the communications using IPSec or Kerberos.
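Several of the services in Table 5-1 grant access on the strength of an entry in $HOME/.rhosts or /etc/hosts.equiv alone. The following shell script is an added example, not part of the HP-UX guide: it enumerates the trust relationships in such a file and flags wildcard entries (a bare "+" in the host field admits any host, in the user field any user). The entry syntax follows hosts.equiv(4); the sample file it writes is constructed for the demonstration and is not any real system's configuration.

```shell
#!/bin/sh
# Added example; not from the HP-UX guide.  Enumerates the password-less
# trust relationships that rcp, remsh, rdist and rlogin honour from an
# /etc/hosts.equiv or $HOME/.rhosts file and flags wildcard entries.
# Entry syntax per hosts.equiv(4): "host [user]" per line; "#" starts a
# comment; a bare "+" means any host (first field) or any user (second
# field); a leading "-" denies; "@name" names a netgroup.

# audit_trust FILE: print one tab-separated "class host user" line per entry.
# Classes: WILDCARD (any host or any user), NETGROUP, DENY, ok.
audit_trust() {
    while read -r host user extra; do
        case "$host" in ''|\#*) continue ;; esac        # blank line or comment
        case "$host" in
            -*)     kind=DENY ;;
            +)      kind=WILDCARD ;;
            +@*|@*) kind=NETGROUP ;;
            *)      case "$user" in
                        +) kind=WILDCARD ;;
                        *) kind=ok ;;
                    esac ;;
        esac
        printf '%s\t%s\t%s\n' "$kind" "$host" "${user:-(same username)}"
    done < "$1"
}

# count_wildcards FILE: number of entries that admit any host or any user.
count_wildcards() {
    audit_trust "$1" | grep -c '^WILDCARD' || true    # grep -c exits 1 on zero matches
}

# write_sample_hosts_equiv: write a constructed sample file (not a real
# system's configuration) and print its path.
write_sample_hosts_equiv() {
    f=${TMPDIR:-/tmp}/hosts.equiv.sample.$$
    printf '%s\n' \
        '# trusted build host: same username only' \
        'build01.example.com' \
        'build01.example.com operator' \
        '+' \
        'lab02.example.com +' \
        '-oldhost.example.com' > "$f"
    printf '%s\n' "$f"
}

sample=$(write_sample_hosts_equiv)
audit_trust "$sample"
printf 'wildcard entries: %s\n' "$(count_wildcards "$sample")"
rm -f "$sample"
```

Run it against /etc/hosts.equiv and each user's .rhosts in turn (for example, `audit_trust /etc/hosts.equiv`); any WILDCARD line is a host or user that can reach the account without a password and should be removed, and the remaining entries are the list of hosts that must be "well-known and defined to each other" as the note above requires.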
Remote Access Services connect remote systems in a network. By default, the remote access services function in a nonsecure environment. To function in a secure environment, enable Kerberos V5 network authentication. In a nonsecure environment, you must have a login name and password to access a remote system, and the login name is not checked for authentication and authorization. In a secure environment, you need not have a login name and password. When you attempt to connect to a remote system, the Kerberos protocol checks whether the user is allowed to access the remote system.
Securing ftp
An unauthorized user might try to gain access to a system by using the ftp command. Following are some suggestions to prevent this problem:
- Enable ftp logging by adding the -l option to the ftpd entry in /etc/inetd.conf. Review the ftp logs in /var/adm/syslog/syslog.log and /var/adm/syslog/xferlog for unusual remote access attempts. See syslogd(1M) and xferlog(5).
- Deny ftp access to guest, root, and other accounts by listing them in /etc/ftpd/ftpusers. See ftpusers(4).
- Regularly search for and remove users' ~/.netrc files. The .netrc file contains login, password, and account information used by the ftp autologin process, by the rexec() library routine, and by the rexec command. See netrc(4).
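Two of the checks above can be scripted so they run on a schedule. The following shell script is an added example, not code from the HP-UX guide: it reports whether the active ftp entry in an inetd.conf passes -l to ftpd, and lists the .netrc files below a home directory tree. The inetd.conf field layout it parses (service, socket type, protocol, wait/nowait, user, server path, server name, arguments) and the /usr/lbin/ftpd path in the samples are assumptions; the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not from the HP-UX guide.  Two of the ftp checks above,
# run against constructed sample files so the script works anywhere:
#  1. is ftpd started with -l (logging) in inetd.conf?
#  2. which home directories still hold a .netrc file?
# Assumed inetd.conf layout: service socket proto wait user server-path server-name args...
# The ftpd path /usr/lbin/ftpd in the samples is an assumption.

# ftpd_logging_enabled INETD_CONF: prints "yes" if the active ftp entry
# passes -l to ftpd, "no" otherwise (a commented-out entry does not count).
ftpd_logging_enabled() {
    awk '$1 == "ftp" {
            for (i = 7; i <= NF; i++)
                if ($i ~ /^-[A-Za-z]*l/) found = 1   # -l, possibly bundled as -lv
         }
         END { print found ? "yes" : "no" }' "$1"
}

# find_netrc ROOT: list .netrc files below ROOT with their permission bits,
# so each can be reviewed and removed.
find_netrc() {
    find "$1" -type f -name .netrc -exec ls -l {} \;
}

# count_netrc ROOT: number of .netrc files below ROOT.
count_netrc() {
    find "$1" -type f -name .netrc | awk 'END { print NR }'
}

# make_ftp_fixture: build constructed sample inetd.conf files and a small
# home tree under a temporary directory; prints the directory.
make_ftp_fixture() {
    d=$(mktemp -d)
    # weak: the live ftp entry runs ftpd without logging; the -l line is commented out
    printf '%s\n' \
        '#ftp   stream tcp nowait root /usr/lbin/ftpd   ftpd -l' \
        'ftp    stream tcp nowait root /usr/lbin/ftpd   ftpd' \
        'telnet stream tcp nowait root /usr/lbin/telnetd telnetd' > "$d/inetd.conf.weak"
    # fixed: -l added (afterwards make inetd reread the file, inetd -c on HP-UX)
    printf '%s\n' \
        'ftp    stream tcp nowait root /usr/lbin/ftpd   ftpd -l' \
        'telnet stream tcp nowait root /usr/lbin/telnetd telnetd' > "$d/inetd.conf.fixed"
    mkdir -p "$d/home/alice" "$d/home/bob"
    # constructed .netrc with a placeholder secret, the kind of file to remove
    printf 'machine ftp.example.com login alice password example-secret\n' > "$d/home/alice/.netrc"
    printf '%s\n' "$d"
}

d=$(make_ftp_fixture)
printf 'weak  inetd.conf logging: %s\n' "$(ftpd_logging_enabled "$d/inetd.conf.weak")"
printf 'fixed inetd.conf logging: %s\n' "$(ftpd_logging_enabled "$d/inetd.conf.fixed")"
find_netrc "$d/home"
rm -rf "$d"
```

On a real system the calls would be `ftpd_logging_enabled /etc/inetd.conf` and `find_netrc /home`; the logging check deliberately ignores commented-out entries, since an entry that carries -l but is not active gives no log at all.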
Securing Anonymous ftp
If a $HOME/.rhosts file is put into /home/ftp, then an unauthorized user could use rlogin to log in as the user ftp. The .rhosts file specifies hosts and users that are allowed access to a local account using rcp, remsh, or rlogin without a password. For more information, see hosts.equiv(4).
Following are some suggestions for making anonymous ftp more secure:
- Make sure that neither /home/ftp nor any of its children is writable.
- Make sure that the ftp entry in /etc/passwd is correctly configured:
    ftp:*:500:100:Anonymous FTP user:/var/ftp:/usr/bin/false
- Make sure that all passwords in ~ftp/etc/passwd are asterisks (*):
    $ more ~ftp/etc/passwd
    root:*:0:3::/:/usr/bin/false
    daemon:*:1:5::/:/usr/bin/false
- If you must have a writable pub directory, use 1733 permissions:
    $ chmod 1733 /home/ftp/pub
- Use disk quotas or a cron job to control the size of /home/ftp/pub:
    0 1 * * * find /home/ftp/pub/* -atime +1 -exec rm -rf {} \;
- Check anonymous ftp activity in /var/adm/syslog/syslog.log:
    $ tail /var/adm/syslog/syslog.log
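The permission and password-field checks in the list above can be verified mechanically. The following shell script is an added example, not code from the HP-UX guide: it finds group- or world-writable paths under the anonymous ftp home (excepting the pub directory), reports the mode of pub, which should read drwx-wx-wt for a 1733 directory, and lists ~ftp/etc/passwd entries whose password field is not an asterisk. It builds a constructed sample tree with one defect of each kind so that it runs anywhere; the file names inside that tree are assumptions.

```shell
#!/bin/sh
# Added example; not from the HP-UX guide.  Checks an anonymous-ftp tree the
# way the list above describes, against a constructed sample tree so it
# runs anywhere: no group- or world-writable paths except the pub
# directory, pub kept at mode 1733 (drwx-wx-wt), and every entry in
# ~ftp/etc/passwd carrying "*" in the password field.

# writable_paths FTPHOME: paths below FTPHOME (pub itself excepted) that
# carry a group or other write bit.
writable_paths() {
    find "$1" ! -path "$1/pub" \( -perm -0020 -o -perm -0002 \) -print
}

# count_writable FTPHOME: number of such paths.
count_writable() {
    writable_paths "$1" | awk 'END { print NR }'
}

# pub_mode FTPHOME: the ls(1) permission string of FTPHOME/pub, which should
# read drwx-wx-wt for a 1733 directory (anyone may create, nobody may list).
pub_mode() {
    ls -ld "$1/pub" | cut -c1-10
}

# weak_passwd_entries PASSWD: account names whose password field is not "*".
weak_passwd_entries() {
    awk -F: '$2 != "*" { print $1 }' "$1"
}

# make_anon_ftp_fixture: constructed sample ~ftp tree with one deliberate
# defect of each kind; prints the temporary directory holding it.
make_anon_ftp_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/ftp/etc" "$d/ftp/bin" "$d/ftp/pub"
    printf '%s\n' 'root:*:0:3::/:/usr/bin/false' \
                  'daemon:*:1:5::/:/usr/bin/false' \
                  'guest:x:200:100::/:/usr/bin/false' > "$d/ftp/etc/passwd"   # guest is the defect
    : > "$d/ftp/etc/leftover"
    chmod 666 "$d/ftp/etc/leftover"            # the writable-file defect
    chmod 444 "$d/ftp/etc/passwd"
    chmod 555 "$d/ftp" "$d/ftp/etc" "$d/ftp/bin"
    chmod 1733 "$d/ftp/pub"
    printf '%s\n' "$d"
}

# remove_fixture DIR: restore owner write bits so the read-only tree can be deleted.
remove_fixture() {
    chmod -R u+w "$1" && rm -rf "$1"
}

d=$(make_anon_ftp_fixture)
echo "writable paths:"; writable_paths "$d/ftp"
echo "pub mode: $(pub_mode "$d/ftp")"
echo "entries without '*' password: $(weak_passwd_entries "$d/ftp/etc/passwd")"
remove_fixture "$d"
```

Against the real tree the calls are `writable_paths /home/ftp`, `pub_mode /home/ftp` and `weak_passwd_entries ~ftp/etc/passwd`; each should print nothing, drwx-wx-wt, and nothing respectively.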
Denying Access Using /etc/ftpd/ftpusers
The inetd daemon runs the file transfer protocol server, ftpd, when a service request is received at the port indicated in /etc/services. The ftpd server rejects remote logins to local user accounts that are listed in /etc/ftpd/ftpusers. These user accounts are known as restricted accounts. See ftpd(1M), privatepw(1), and services(4).
In the /etc/ftpd/ftpusers file, each restricted account name must appear by itself on a line. Also add user accounts with restricted login shells that are defined in /etc/passwd, because ftpd accesses local accounts without using their login shells.
If /etc/ftpd/ftpusers does not exist, ftpd does not perform a security check. For more information, see ftpusers(4).
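The rule that accounts with restricted login shells must also be listed in /etc/ftpd/ftpusers is easy to miss when accounts are added later, and the point that a missing ftpusers file disables the check entirely is worth testing for. The following shell script is an added example, not code from the HP-UX guide, and it serves both this section and the earlier "Deny ftp access to guest, root, and other accounts" item: it cross-checks a passwd file against a ftpusers file and prints every account that should be listed but is not. "Restricted shell" is taken here to mean a shell absent from an allow-list (ALLOWED_SHELLS), which is an assumption to adjust to the site's /etc/shells; the sample files are constructed.

```shell
#!/bin/sh
# Added example; not from the HP-UX guide.  Cross-checks /etc/ftpd/ftpusers
# against /etc/passwd: every account that must never log in by ftp (root and
# guest, per the earlier list) and every account with a restricted login
# shell should appear in ftpusers, because ftpd grants access without
# running the login shell.  "Restricted" is taken as "shell not in an
# allow-list", an assumption; adjust ALLOWED_SHELLS to the site's /etc/shells.
# Runs against constructed sample files.

ALLOWED_SHELLS="/sbin/sh /usr/bin/sh /usr/bin/ksh"
MUST_DENY="root guest"

# missing_from_ftpusers PASSWD FTPUSERS: print accounts that should be in
# FTPUSERS but are not.  A missing FTPUSERS file is treated as empty and
# reported, since ftpd then performs no restricted-account check at all.
missing_from_ftpusers() {
    passwd=$1
    ftpusers=$2
    if [ ! -f "$ftpusers" ]; then
        echo "warning: $ftpusers missing; ftpd performs no restricted-account check" >&2
        ftpusers=/dev/null
    fi
    awk -F: -v shells="$ALLOWED_SHELLS" -v must="$MUST_DENY" '
        BEGIN {
            n = split(shells, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1
            m = split(must, u, " ");   for (i = 1; i <= m; i++) req[u[i]] = 1
        }
        # first file (ftpusers): one account name per line, blanks ignored
        FILENAME == ARGV[1] { name = $1; gsub(/[ \t]/, "", name)
                              if (name != "") denied[name] = 1; next }
        # second file (passwd): field 1 is the account, field 7 its login shell
        (req[$1] || !ok[$7]) && !($1 in denied) { print $1 }
    ' "$ftpusers" "$passwd"
}

# make_ftpusers_fixture: constructed sample passwd and ftpusers files under a
# temporary directory; prints the directory.
make_ftpusers_fixture() {
    d=$(mktemp -d)
    printf '%s\n' \
        'root:*:0:3::/:/sbin/sh' \
        'daemon:*:1:5::/:/usr/bin/false' \
        'alice:x:201:20::/home/alice:/usr/bin/ksh' \
        'bob:x:202:20::/home/bob:/usr/bin/rsh' \
        'guest:x:203:20::/home/guest:/sbin/sh' > "$d/passwd"
    printf '%s\n' 'daemon' 'uucp' > "$d/ftpusers"
    printf '%s\n' "$d"
}

d=$(make_ftpusers_fixture)
echo "accounts that should be added to ftpusers:"
missing_from_ftpusers "$d/passwd" "$d/ftpusers"
rm -rf "$d"
```

In the sample, root and guest are flagged because they must always be denied, bob because /usr/bin/rsh is not in the allow-list, and daemon is not flagged because it is already listed; on a real system the call is `missing_from_ftpusers /etc/passwd /etc/ftpd/ftpusers`.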
On HP-UX 11i, the ftpd daemon is based on WU-FTPD. WU-FTPD is the HP implementation of the ftpd daemon developed at Washington University. WU-FTPD includes increased access control, enhanced logging capabilities, virtual hosts support, and RFC1413 (Identification Protocol) support.
For more information, see the HP-UX Remote Access Services Administrator's Guide at: http://www.docs.hp.com/en/netcom.html#Internet%20Services
Other Security Solutions for Spoofing
Spoofing is a method of pretending to be a valid user or host to gain unauthorized access to a system. Because IP addresses and hostnames can be spoofed, using the /var/adm/inetd.sec security file for inetd (the internet daemon) is not a guaranteed security solution. See Section for information about inetd.
The following security features or products are alternative security solutions:
- IPFilter is a TCP/IP packet filter suitable for use as a system firewall to protect application servers. For more information, see the HP-UX IPFilter Administrator's Guide at: http://www.docs.hp.com/en/internet.html#IPFilter
- TCP Wrappers provides a TCP wrapper daemon, tcpd, that is invoked by inetd to provide additional security. See Section and the HP-UX Internet Services Administrator's Guide at: http://www.docs.hp.com/en/netcom.html#Internet%20Services
- Secure Internet Services allows use of Kerberos authentication and authorization for ftp, rcp, remsh, rlogin, and telnet. Instead of user passwords, encrypted Kerberos authentication records are transmitted over the network. See Section , Installing and Administering Internet Services at: http://www.docs.hp.com/en/netcom.html#Internet%20Services, and the Configuration Guide for Kerberos Client Products on HP-UX at: http://www.docs.hp.com/en/internet.html#Kerberos
- IPSec, an IP security protocol suite, provides security for IP networks such as data integrity, authentication, data privacy, application-transparent security, and encryption. See the HP-UX IPSec Administrator's Guide at: http://www.docs.hp.com/en/internet.html#IPSec