Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B 977
fingerd is the server for the RFC 742 Name/Finger protocol.
It provides a network interface to finger, which gives a status report of
users currently logged in on the system or a detailed report about a specific
user (see finger(1)). We recommend disabling the service because fingerd provides
local system user information to remote sources, which can be useful to someone
attempting to break into your system.
Secure Inetd Q: Should Bastille ensure inetd's uucp service does not run on this
system? [Y]
UUCP (Unix to Unix copy) copies files named by the source_files argument
to the destination identified by the destination_file argument. UUCP uses clear text
transport for authentication. It is not commonly used. Therefore we recommend disabling
this service and using a more secure file transfer program such as scp.
Secure Inetd Q: Should Bastille ensure inetd's ntalk service does not run on this
system? [Y]
Ntalk is a visual communication program that predates instant messaging
applications; it copies lines from your terminal to that of another user. Ntalk
is commonly considered a light security hazard, but if it is not used on this machine it
should be disabled.
Secure Inetd Q: Should Bastille ensure inetd's ident service does not run on this
system? [Y]
The ident service implements the TCP/IP proposed standard IDENT
user identification protocol as specified in RFC 1413. identd
operates by looking up specific TCP/IP connections and returning the user
name of the process owning the connection. This service could be used to
determine user information on a given machine in preparation for a
brute-force password attack such as a dictionary attack. We recommend
disabling this service unless compelled by application-specific needs.
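The following is an added example, not part of the HP-UX guide or of Bastille itself. It audits an inetd.conf for the services this interview covers (finger, uucp, ntalk, ident, and the built-in chargen, daytime, discard and echo entries) and writes a hardened copy with those entries commented out, which is the effect of answering [Y] to these questions. The sample inetd.conf content and temporary file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide or Bastille): audit and harden an
# inetd.conf with respect to the services discussed in the Secure Inetd questions.

# Services the interview recommends disabling.
RISKY_SERVICES="finger uucp ntalk ident chargen daytime discard echo"

# Constructed sample inetd.conf in HP-UX layout:
#   service socket proto wait/nowait user server args
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
finger  stream tcp nowait bin  /usr/lbin/fingerd  fingerd
#uucp   stream tcp nowait root /usr/sbin/uucpd    uucpd
ntalk   dgram  udp wait   root /usr/lbin/ntalkd   ntalkd
ident   stream tcp wait   bin  /usr/lbin/identd   identd
daytime stream tcp nowait root internal
daytime dgram  udp nowait root internal
discard dgram  udp nowait root internal
chargen stream tcp nowait root internal
echo    dgram  udp nowait root internal
EOF

# list_enabled FILE: print each risky service that is still active in FILE.
# A live entry starts with the service name in column one; a leading '#'
# means the entry is already disabled (as with uucp above).
list_enabled() {
  for svc in $RISKY_SERVICES; do
    if grep -q "^${svc}[[:space:]]" "$1"; then
      echo "$svc"
    fi
  done
}

# harden_conf IN OUT: copy IN to OUT with every risky entry commented out.
# Non-risky entries (ftp, telnet here) are copied unchanged.
harden_conf() {
  pattern=$(echo "$RISKY_SERVICES" | sed 's/ /|/g')
  sed -E "s/^(${pattern})[[:space:]]/#&/" "$1" > "$2"
}

HARDENED=$(mktemp)
harden_conf "$SAMPLE_CONF" "$HARDENED"
echo "Enabled before: $(list_enabled "$SAMPLE_CONF" | tr '\n' ' ')"
echo "Enabled after:  $(list_enabled "$HARDENED" | tr '\n' ' ')"
```

On a real HP-UX system the hardened file would replace /etc/inetd.conf, after which inetd must be told to reread it (inetd -c) for the change to take effect.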
Secure Inetd Q: Should Bastille ensure that inetd's built-in services do not run on
this system? [Y]
inetd's built-in services include chargen, daytime, discard,
and echo. These services are rarely used, and when they are it is generally
for testing. The UDP versions of these services can be used in a Denial of
Service attack, and therefore we recommend disabling these services. A brief
definition of each service is as follows:
daytime: Sends the current date and time as a human-readable character string
(RFC 867)
discard: Throws away anything that is sent to it, similar to
/dev/null (RFC 863)
chargen: Character Generator sends you a stream of some