Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B
you can add custom rules which better fit the specific needs of your
environment. If you modify the custom file, you should rerun the Bastille
backend (bastille -b) to apply the new rule-set.
WARNING: Changing this file has the ability to either increase or decrease
the security of your system. After applying this custom configuration,
be sure to double-check the active rule-set and your ipf.conf file to make
sure that the result is what you intended.
(c) Block anything else, including all incoming traffic which you are not
asked about explicitly.
If this is the first time you are using Bastille to configure your firewall,
you will be asked about several service-specific options if the applicable software
appears to be installed. If you have already configured a firewall using Bastille,
you will only be asked about protocols which are currently allowed by the Bastille
configuration.
(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION, see TODO list for
details)

IPFilter Q: Do you want to BLOCK incoming Secure Shell connections with IPFilter? [N]

Secure Shell is the best replacement for telnet, remote shell,
and ftp. It is authenticated and encrypted. If you want remote access
to your machine, this is the best way to do it. You should only block
Secure Shell access if you have an alternate, secure method to manage
your machine (such as physical access to the console or a secure terminal
server) or if you do not use Secure Shell.
OTHERWISE, ANSWER NO TO THIS QUESTION.

IPFilter Q: Do you want to BLOCK incoming WBEM connections with IPFilter? [N]

WBEM is a multi-system management protocol which can be used instead of SNMP
and which features encryption and authentication. It is much better than SNMP, which
has a history of security issues and is by default a clear-text, unauthenticated
protocol. Like SNMP, WBEM can be a powerful aid in managing multiple machines and
it is by default much more secure. However, any service can be a security risk,
so you should block it if you are not going to use it.
Note that WBEM is required for many HP management applications, such as
ServiceControl Manager, ParMgr, and others.
WARNING: WBEM uses a configurable port. IPFilter will only be able to find
this port if you have an appropriate entry for wbem-https in /etc/services.
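
The condition in the WARNING above can be checked before and after rerunning bastille -b. The shell functions below are an added example, not part of this guide or of Bastille: they look up wbem-https in a services-format file and list the ipf.conf rules that name that port. The sample files, port 5989 and the rule text are constructed; pass the paths of your own services file and ipf.conf to check_wbem instead.

```shell
# Added example. The files written by make_samples are constructed samples.

# Print the port for service $2 (name or alias), protocol $3, in services file $1.
service_port() {
    awk -v svc="$2" -v proto="$3" '
        { sub(/#.*/, "") }                        # strip comments
        NF >= 2 {
            split($2, pp, "/")                    # "5989/tcp" -> pp[1], pp[2]
            if (pp[2] != proto) next
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == svc) { print pp[1]; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# Print every pass/block rule in ipf.conf $1 naming port $2 or service name $3.
rules_for_port() {
    awk -v port="$2" -v svc="$3" '
        { sub(/#.*/, "") }
        $1 == "pass" || $1 == "block" {
            for (i = 1; i <= NF - 2; i++)
                if ($i == "port" && $(i+1) == "=" &&
                    ($(i+2) == port || $(i+2) == svc)) { print; break }
        }' "$1"
}

# $1 = services file, $2 = ipf.conf. Status: 0 rule found, 1 no services
# entry (the case the WARNING describes), 2 entry present but no rule names it.
check_wbem() {
    port=$(service_port "$1" wbem-https tcp) || {
        echo "MISSING wbem-https/tcp in $1"; return 1; }
    rules=$(rules_for_port "$2" "$port" wbem-https)
    [ -n "$rules" ] || { echo "NO RULE for port $port in $2"; return 2; }
    echo "$rules"
}

make_samples() {    # $1 = directory to receive the constructed sample files
    printf '%s\n' 'ssh 22/tcp # Secure Shell' \
        'wbem-https 5989/tcp # WBEM over HTTPS' > "$1/services"
    printf '%s\n' 'ssh 22/tcp' > "$1/services.nowbem"
    printf '%s\n' 'block in log all' \
        'pass in quick proto tcp from any to any port = 5989 flags S keep state' \
        > "$1/ipf.conf"
}

d=${TMPDIR:-/tmp}/wbemchk.$$; mkdir -m 700 "$d" && make_samples "$d"
check_wbem "$d/services" "$d/ipf.conf"
check_wbem "$d/services.nowbem" "$d/ipf.conf" || echo "exit status $?"
rm -rf "$d"
```

The functions only list the rules that name the port; they do not evaluate rule ordering, so the active rule-set still has to be read to confirm the final verdict.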

IPFilter Q: Do you want to BLOCK incoming HIDS agent connections with IPFilter? [N]