Host Intrusion Detection System Administrator's Guide Release 3.1
Troubleshooting
Appendix G
IPFilter rules for HP-UX HIDS
This is a sample set of IPFilter rules needed to enable HP-UX HIDS. If you use a firewall
other than IPFilter, the explanation presented here should give you enough pointers to
set up your own firewall rules.
1. The HP-UX HIDS agent listens on port hpidsagent (2985) for incoming connections
initiated by the HP-UX HIDS System Manager on a remote host.
So if the host running IPFilter is also running an HP-UX HIDS agent, allow
incoming connections initiated by the HP-UX HIDS System Manager.
pass in quick proto tcp from any to any port = hpidsagent keep state
2. HP-UX HIDS System Manager listens on port hpidsadmin (2984) for incoming
connections initiated by HP-UX HIDS agents.
If the host running IPFilter is also running an HP-UX HIDS System Manager, then
allow incoming connections initiated by HP-UX HIDS agents.
pass in quick proto tcp from any to any port = hpidsadmin keep state
3. HP-UX HIDS System Manager uses ephemeral ports to send requests to agent host’s
port hpidsagent. Also, HP-UX HIDS agents use ephemeral ports to send responses
to the System Manager host’s port hpidsadmin.
To allow communications back to these ephemeral ports, use the “keep state” rule
in IPFilter.
pass out quick proto tcp all keep state
4. Allow DNS queries sent by HP-UX HIDS agents and the HP-UX HIDS System Manager.
pass out quick proto udp all keep state
5. Since the HP-UX HIDS System Manager requires X11 connections, which can and
should be forwarded over the secure channel with SecureShell, allow SecureShell
incoming connections.
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
6. Block any incoming connections which were not explicitly allowed.
block in log quick all
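As an added illustration that is not part of the guide, the following Python evaluates constructed sample packets against the six rules above using IPFilter's semantics (state table checked first, "quick" stops at the first match, unmatched packets pass), which shows why rule 6 must come last and how the stateful outbound rules let DNS replies and agent responses back in to ephemeral ports. The parser recognises only the syntax these six rules use, and the sample port numbers are assumptions.

```python
import re
SERVICES = {"hpidsagent": 2985, "hpidsadmin": 2984}   # names the rules use, from /etc/services
HIDS_RULES = [  # the six rules from the appendix, in the order the guide lists them
    "pass in quick proto tcp from any to any port = hpidsagent keep state",
    "pass in quick proto tcp from any to any port = hpidsadmin keep state",
    "pass out quick proto tcp all keep state",
    "pass out quick proto udp all keep state",
    "pass in quick proto tcp from any to any port = 22 flags S keep state keep frags",
    "block in log quick all"]
# Only the subset of ipf.conf syntax the rules above use is recognised.
RULE_RE = re.compile(r"^(?P<action>pass|block) (?P<dir>in|out)(?: log)?(?P<quick> quick)?"
                     r"(?: proto (?P<proto>tcp|udp))? (?:all|from any to any(?: port = (?P<port>\S+))?)"
                     r"(?P<syn> flags S)?(?P<state> keep state)?(?: keep frags)?$")

def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule: " + text)
    port = m.group("port")
    return {"action": m.group("action"), "dir": m.group("dir"), "proto": m.group("proto"),
            "quick": m.group("quick") is not None, "syn_only": m.group("syn") is not None,
            "keep_state": m.group("state") is not None,
            "port": None if port is None else SERVICES.get(port) or int(port)}

def evaluate(pkt, rules, state):
    """Verdict for one packet tuple (dir, proto, sport, dport, syn); updates the state table.
    State table first; then rules top to bottom, 'quick' stops at the first match; no match passes."""
    d, proto, sport, dport, syn = pkt
    if ("in" if d == "out" else "out", proto, dport, sport) in state:  # reply to a kept flow
        return "pass"
    verdict, hit = "pass", None
    for r in rules:
        if r["dir"] != d or (r["proto"] and r["proto"] != proto):
            continue
        if (r["port"] is not None and r["port"] != dport) or (r["syn_only"] and not syn):
            continue
        verdict, hit = r["action"], r
        if r["quick"]:
            break
    if verdict == "pass" and hit and hit["keep_state"]:
        state.add((d, proto, sport, dport))
    return verdict

def run(rule_texts, packets):  # evaluate packets in order against a fresh state table
    rules, state = [parse_rule(t) for t in rule_texts], set()
    return [evaluate(p, rules, state) for p in packets]

SAMPLE = [("in", "tcp", 40001, 2985, True),   # constructed: System Manager -> agent, rule 1
          ("out", "udp", 40002, 53, False),   # DNS query: rule 4 passes it and keeps state
          ("in", "udp", 53, 40002, False),    # DNS reply: no 'pass in' udp rule, state passes it
          ("in", "tcp", 40003, 22, False),    # non-SYN to sshd, no state: rule 5 wants flags S
          ("in", "tcp", 40004, 23, True)]     # telnet: nothing allows it, rule 6 blocks
```

Moving rule 6 to the top blocks even the agent connection, and removing it lets the telnet packet through, because IPFilter passes anything no rule matches.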
How to allow the SecureShell daemon to forward X11 traffic
First, change the SecureShell /etc/opt/ssh/sshd_config configuration file:
• Set X11Forwarding to yes,
• Set X11UseLocalhost to no.
Earlier versions of ssh don’t recognize the second entry. If it’s not there, you don’t need to
add it.
Then send a HUP signal to the sshd so that it will reread the sshd_config file.
How to display System Manager after SecureShell login as root and su to ids
Problem: You use ssh to log in to a host as root, then switch to user ids and get a
display error when opening an X window or starting idsgui. Here is the terminal
output: