Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B 975
parameter does not apply to a super-user account, and is
applicable only when the "-" option is not used along
with su command.
Account Security Q: Should Bastille disallow root logins from network tty's? [N] [N]
Bastille can restrict root from logging into a tty over the network.
This will force administrators to log in first as a non-root user, then
su to become root. Root logins will still be permitted on the console and
through services that do not use tty's (e.g. HP-UX Secure Shell).
This can stop an attacker who has only been able to steal the root password
from logging in directly to a tty. The attacker has to steal a second account's
password to make use of the root password via the network, or gain access to a
non-tty login mechanism.
MAKE SURE that you can log in using a non-root account before you do this,
or you will obviously need access to the console or a non-tty remote login
mechanism, e.g. Secure Shell, to log in.
Secure Inetd Q: Should Bastille ensure the telnet service does not run on this
system? [y] [Y]
Telnet is not secure.
Telnet is shipped on most operating systems for backward compatibility,
and it should not be used in an untrusted network.
Telnet is a clear-text protocol, meaning that any data transferred,
including passwords, can be monitored by anyone else on your network (even if you
use a switching router, as switches were designed for performance, not
security and can be made to broadcast). Other networks can monitor this
information too if the telnet session crosses multiple LANs.
There are also other more active attacks. For example, anyone who can
eavesdrop can usually take over your telnet session, using a tool like
Hunt or Ettercap.
The standard practice among security-conscious sites is to migrate as rapidly
as practical from telnet to Secure Shell (command: ssh). We'd advise you to make
this move as soon as possible. Secure shell implementations are available from
openssh.org and ssh.com. Most Operating System vendors also distribute a
version of secure shell,
so check with your vendor first to see if there is a version that has been
tested with your OS.
NOTE: Deactivating the telnetd service will not affect your telnet client.
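After Bastille has answered the inetd questions, an administrator will want to verify that the clear-text services (telnet, and ftp, the other inetd service asked about) are really commented out in /etc/inetd.conf. The following audit helper is an added example, not part of the HP-UX guide or of Bastille; the sample inetd.conf fragment it builds is constructed for the example, and the daemon paths in it are assumed.

```shell
#!/bin/sh
# Added audit helper (not from the HP-UX Bastille guide): report which
# clear-text inetd services (telnet, ftp) are still active in an
# inetd.conf-style file. A line starting with '#' is commented out,
# which is how Bastille disables a service, so it counts as disabled.
# Usage: check_inetd_cleartext /etc/inetd.conf

active_cleartext_services() {
    # $1: path to an inetd.conf-style file.
    # Prints one name per active (uncommented) telnet or ftp line.
    # inetd.conf fields: service socket proto flags user server args
    awk '
        /^[ \t]*#/ { next }                      # commented out: disabled
        /^[ \t]*$/ { next }                      # blank line
        $1 == "telnet" || $1 == "ftp" { print $1 }
    ' "$1"
}

# Writes a constructed sample resembling an HP-UX /etc/inetd.conf to $1
# (not a real system file): telnet still active, ftp already disabled.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
##
# Sample inetd.conf fragment (constructed for this example)
##
telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
#ftp    stream tcp nowait root /usr/lbin/ftpd     ftpd -l
EOF
}

# Returns 1 if any clear-text service is still enabled, 0 otherwise,
# so it can be used from a post-Bastille verification script.
check_inetd_cleartext() {
    found=$(active_cleartext_services "$1")
    if [ -n "$found" ]; then
        echo "WARNING: clear-text services still enabled in $1: $found"
        return 1
    fi
    echo "OK: no telnet/ftp entries active in $1"
    return 0
}
```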
Secure Inetd Q: Should Bastille ensure inetd's FTP service does not run on this
system? [y] [Y]