HP-UX Bastille Version B.3.3 User Guide

is the best way to do it. You should only block Secure Shell access if you have
an alternate, secure method to manage your machine (such as physical access
to the console or a secure terminal server) or if you do not use Secure Shell.
Otherwise, answer no to this question.
Actions Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
Bastille:
# do allow SecureShell incoming connections
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
IPFilter.block_wbem
Headline BLOCK incoming WBEM https connections with IPFilter.
Default N
Description Web-Based Enterprise Management (WBEM) is a Distributed Management
Task Force (DMTF) industry standard, http(s)-based management protocol
which features encryption and authentication. It is much better than SNMP,
which has a history of security issues and is by default a clear-text,
unauthenticated protocol. Like SNMP, WBEM can be a powerful aid in
managing multiple machines and it is by default much more secure. However,
any service can be a security risk, so you should block it if you are not going
to use it.
Actions Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
Bastille:
# do allow wbem incoming connections
pass in quick proto tcp from any to any port = 5989 flags S keep state keep frags
IPFilter.block_webadmin
Headline BLOCK incoming web admin connections with IPFilter.
Default Y
Description Port 1188 is used by web-based tools that are replacements for areas of SAM.
The listener on this port is the HP release of Apache with a custom
configuration file that loads only a minimum set of modules. It is also restricted
to use https for all communication and can only be used to run the system
management tools. In general, this web server is running only when in use.
It exits after a period of inactivity. Disabling this port means that some system
administration functions are only available using the command line.
Actions Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
Bastille:
# do allow webadmin incoming connections
pass in quick proto tcp from any to any port = 1188 flags S keep state keep frags
# do allow webadminautostart incoming connections
pass in quick proto tcp from any to any port = 1110 flags S keep state keep frags
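The three questions above each add or withhold a single "pass in quick proto tcp ... port = N" rule in /etc/opt/ipf/ipf.conf. The following audit script is an added example, not code from the HP-UX Bastille User Guide or from Bastille itself: it parses the pass rules in an ipf.conf, compares the management ports (22, 5989, 1188, 1110) against the Y/N answers given to the block questions, and reports any port whose rule contradicts the answer, plus any allowed port whose rule admits connections from "any" (a candidate for restricting to a management network). It assumes ipf.conf holds one rule per line, which is the real file format; the wrapped rule lines in the guide are page layout. The sample configuration and answers in the block are constructed for the demonstration.

```python
"""Audit an IPFilter ipf.conf for the management ports that the HP-UX
Bastille IPFilter.block_* questions control.

Added example; not code from the HP-UX Bastille User Guide or from Bastille.
The sample configuration and answers below are constructed.
"""
import re

# Ports named in the Bastille questions, keyed by TCP port.
MANAGEMENT_PORTS = {
    22: "Secure Shell",
    5989: "WBEM https",
    1188: "web admin",
    1110: "web admin autostart",
}

# Matches the rule form Bastille writes into ipf.conf:
#   pass in quick proto tcp from <src> to <dst> port = <n> flags S keep state keep frags
# ipf.conf holds one rule per line, so each rule is matched against a whole line.
PASS_RULE = re.compile(
    r"^pass\s+in\s+quick\s+proto\s+tcp\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+port\s*=\s*(?P<port>\d+)\b"
)


def passed_tcp_ports(conf_text):
    """Return {port: source} for each 'pass in quick proto tcp ... port = N'
    rule, ignoring comments and blank lines."""
    opened = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        m = PASS_RULE.match(line)
        if m:
            opened[int(m.group("port"))] = m.group("src")
    return opened


def audit(conf_text, block_answers):
    """Compare the pass rules in conf_text against the Bastille answers.

    block_answers maps a port to True when the IPFilter.block_* question for
    it was answered Y (block) and False when answered N (allow). A port with
    no recorded answer is treated as blocked (deny by default).

    Returns three lists of ports: those with a pass rule although the answer
    blocks them, those without a pass rule although the answer allows them,
    and allowed ports whose pass rule accepts connections from 'any'.
    """
    opened = passed_tcp_ports(conf_text)
    report = {"unexpected_open": [], "unexpected_blocked": [], "open_from_any": []}
    for port in MANAGEMENT_PORTS:
        blocked = block_answers.get(port, True)
        if blocked and port in opened:
            report["unexpected_open"].append(port)
        elif not blocked and port not in opened:
            report["unexpected_blocked"].append(port)
        elif not blocked and opened[port] == "any":
            report["open_from_any"].append(port)
    return report


# Constructed sample ipf.conf, modelled on the rules shown in the guide.
SAMPLE_IPF_CONF = """\
# do allow SecureShell incoming connections
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
# do allow wbem incoming connections (source restricted to a management subnet)
pass in quick proto tcp from 10.1.2.0/24 to any port = 5989 flags S keep state keep frags
block in all
"""

# Constructed answers: SSH allowed (N), WBEM allowed (N), web admin blocked (Y).
SAMPLE_ANSWERS = {22: False, 5989: False, 1188: True, 1110: True}

if __name__ == "__main__":
    for key, ports in audit(SAMPLE_IPF_CONF, SAMPLE_ANSWERS).items():
        names = ", ".join(f"{MANAGEMENT_PORTS[p]} (tcp/{p})" for p in ports) or "none"
        print(f"{key}: {names}")
```

Run against the sample, the only finding is that the Secure Shell rule passes connections from "any"; the WBEM rule is limited to the constructed 10.1.2.0/24 subnet and the two web admin ports have no pass rule, matching their Y answers. Feeding the real /etc/opt/ipf/ipf.conf and the answers recorded for the machine gives the same three-way report.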
IPFilter.configure_ipfilter
Headline Set up basic firewall rules with these properties.
Default N
Description Firewalls generally make up the first line of defense in any network security
architecture. IPFilter is a free, host-based firewall which is available for HP-UX.
It looks like you have IPFilter installed, but that does not mean that it has been
48 Question modules