HP-UX Bastille Version B.3.3 User Guide
Block anything you are not asked about explicitly, including all incoming
traffic. If this is the first time you are using HP-UX Bastille to configure your
firewall, you will be asked about several service specific options if the
applicable software appears to be installed. If you have already configured a
firewall using HP-UX Bastille, you will only be asked about protocols which
are currently allowed by the HP-UX Bastille configuration.
IMPORTANT: Manual action required to complete this configuration. See
the TODO.txt file for details.
Actions Set up a basic default-deny firewall configuration.
IPFilter.install_ipfilter
Headline Provide information on how to get a copy of IPFilter.
Default Y
Description Firewalls generally make up the first line of defense in any network security
architecture. IPFilter is a free host-based firewall which is available for HP-UX.
It looks like you have IPFilter installed, but that does not mean that it is
configured. HP-UX Bastille cannot detect whether the rule-set is appropriate
for your needs.
Actions
Provide information on how to get a copy of IPFilter in TODO.txt.
MiscellaneousDaemons.configure_ssh
Headline Configure the HP-UX Secure Shell daemon to use generally-accepted defaults.
Default N
Description Secure Shell is one of the most important tools in the administrator security
toolkit. It enables remote secure login and command execution, and can wrap
otherwise-unauthenticated and non-protected X11 traffic in a secure SSL
tunnel. This item configures SSH to conform with some generally-accepted
best practices. This item configures:
• Use only protocol 2, a protocol generally considered more secure
• Ignore rhosts, to avoid trusting remote hosts to assert user id without
user-based authentication
• Forward X11 traffic, if any, in a secure SSL tunnel
• Block use of accounts with empty passwords
• Use the contents of /etc/issue (also set in HP-UX Bastille) as the login
banner
Actions
Set the following parameters in /etc/opt/ssh/sshd_config:
• Protocol 2
• X11Forwarding yes
• IgnoreRhosts yes
• RhostsAuthentication no
• RhostsRSAAuthentication no
• PermitRootLogin no
• PermitEmptyPasswords no
• Banner /etc/issue
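An added example, not HP-UX Bastille's own code: a POSIX sh audit that reads an sshd_config and reports which of the eight settings above are missing or set to a different value, following sshd's rule that the first uncommented occurrence of a keyword wins. The sample file it writes is constructed for illustration; the real path /etc/opt/ssh/sshd_config is assumed from the text.

```shell
#!/bin/sh
# Added example, not HP-UX Bastille code: audit an sshd_config against the
# eight settings the configure_ssh item applies (path is an assumption).

# Baseline from the guide, one "keyword value" pair per line.
BASELINE='Protocol 2
X11Forwarding yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue'

# effective_value FILE KEYWORD: prints the value sshd would use for KEYWORD.
# sshd honours the first uncommented occurrence, keywords are case-insensitive,
# "Keyword=value" is accepted, and anything after a Match line is conditional.
effective_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }       # normalise Keyword=value
        tolower($1) == "match"    { exit }  # stop at the conditional section
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: prints one line per deviation; returns 0 only when
# every baseline setting is present with the expected value.
check_sshd_config() {
    bad=0
    while read -r key want; do
        have=$(effective_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; bad=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG $key=$have (want $want)"; bad=1
        fi
    done <<EOF
$BASELINE
EOF
    return $bad
}

# write_sample_config FILE: constructed sshd_config (not from any real host)
# with two wrong values, one keyword in "key = value" form and one missing.
write_sample_config() {
    printf '%s\n' '# constructed sample' 'Protocol 2,1' 'X11Forwarding yes' \
        'IgnoreRhosts yes' 'rhostsauthentication = no' 'RhostsRSAAuthentication no' \
        'PermitRootLogin yes' 'PermitEmptyPasswords no' > "$1"
}
```

Run `check_sshd_config /etc/opt/ssh/sshd_config` on a host after applying the item; a non-zero exit with a MISSING or WRONG line means the file no longer matches the settings listed above.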
MiscellaneousDaemons.diagnostics_localonly
Headline Restrict the diagnostic daemon to local connections.
Default N