IRIX's out-of-the-box configuration leaves a lot to be desired:
- There is one huge root filesystem
- There is only 128 MB of swap space
- Much of the software that gets installed is not necessary
- The system is installed as a Web server, with all the associated dangers of HTTP implementations
Here are some things you can do to elevate the security of your IRIX host considerably. (This covers IRIX-specific measures, assuming that you already have done the basic things needed to secure a Unix system, such as avoiding world-writable files, limiting the number of SUID root files to the bare number needed, ensuring that root owns system directories, etc.)
Dealing with Accounts
- There are many special (default) accounts, which are known targets for attackers!
root
sys
bin
adm
uucp
nuucp
daemon
lp
diag
- Ensure that the following default accounts are passworded:
4DGifts
OutofBox
demos
guest
- In most cases, all default accounts but root can be disabled; this is much, much safer!
- Check the status of additional accounts that are installed for software and password these accounts with difficult-to-guess passwords or, if possible, lock them as follows:
Enter /bin/passwd -sa to see the status of accounts
LK = locked
NP = no password
PS = passworded
- Run the following script:
#!/bin/sh
# Lock every account that /bin/passwd -sa reports as NP (no password)
for account in `/bin/passwd -sa | /usr/bin/awk '$2=="NP" {print $1}'`
do
/bin/echo Locked the $account account
/bin/passwd -l $account
done
- Choose a difficult-to-guess root password
- Delete crontab entries for deleted accounts
- Use passwd to improve password security (see immediately below)
passwd -x will force user password changes
passwd -n will set the minimum time required since the last password change
Dealing with /etc/inetd.conf
- Run only the services that are needed for bona fide business and/or operational purposes.
- Use a TCP wrapper (see http://www.cert.org/tools) for the most dangerous services (e.g., ftpd, telnetd, sendmail, identd, and so on), ensuring that hosts.allow and hosts.deny do not contain entries that cause disruption and/or breakage (normally you should deny everything in hosts.deny and add allowed IP source address and port combinations to hosts.allow as needed).
- Disable the following services unless they are necessary:
bootp
tftp
sgi_snoopd
sgi_toolkitbus
rusersd
rquotad
ntalk
tcpmux
- Delete http and wn-http if the server is NOT a web server
- Disable rexd on systems that are Internet-connected
- Important: after making changes, do a HUP (telinit -q) or, to be absolutely sure that the changes take effect, reboot
Securing xdm
- To prevent unauthenticated access through xdm, add "xhost -" in the following files in /var/X11/xdm:
xsession
Xsession-remote
Xsession.dt
- To install a replacement for xhost which does not permit "xhost +", perform the following steps:
cd /usr/X11/bin
mv xhost xhost.orig
- Create a script named xhost with owner/group root/root, mode 755:
#!/bin/sh
# Refuse "xhost +" (which turns off X access control); pass every other argument to the real xhost
for i
do
[ "$i" = "+" ] && { echo "xhost: + not permitted" 1>&2; exit 1; }
done
exec /usr/X11/bin/xhost.orig "$@"
- Modify /usr/lib/X11/xdm/xdm-config to include:
DisplayManager*authorize: on
- To prevent any system from obtaining a login window, replace the initial two lines that start with a * in /var/X11/xdm/Xaccess with !*
- To protect against having X connect to unauthorized hosts, remove any /etc/X* files
- Ensure that /usr/bin/X11/* is not world-writable
- Reboot (or restart X-Windows)
Additional Measures
- Set nfs_portmon with systune:
systune -I
nfs_portmon = 1
quit
- Enter the following in /var/Cadmin/clogin.conf to show only the name of the primary user of a system:
userid:noshow
- Restrict the systems from which portmap and rpcbind accept RPC requests by adding the following to /etc/config/portmap.options:
-a 255.255.255.0 <hostname>.0
- Set /etc/default/login appropriately:
CONSOLE=/dev/console (permits root logins only on the specified device; commenting it out altogether disables all remote root logons)
DISABLETIME=30 (the time in seconds for which login is disabled after the LOGFAILURES or MAXTRYS limit is reached)
MAXTRYS=3 (the number of bad logins before login exits)
PASSREQ=YES (requires selection/entry of a password at the next login if there is none)
SYSLOG=ALL
UMASK=077
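An added audit helper, not part of the original checklist: it reads an inetd.conf and an /etc/default/login file and reports which services from the disable list in the inetd.conf section above are still active, and which login settings differ from the values just listed. The sample files are constructed; the handling of a /version suffix on RPC service names in inetd.conf is my assumption.

```shell
#!/bin/sh
# Added audit helper: report inetd services the checklist says to disable that are
# still active, and /etc/default/login values that differ from the recommended ones.
# The sample inputs below are constructed, not real IRIX files.

# Services the checklist lists as disable-unless-needed, plus rexd, http and wn-http.
RISKY_SERVICES="bootp tftp sgi_snoopd sgi_toolkitbus rusersd rquotad ntalk tcpmux rexd http wn-http"

# Print each risky service whose inetd.conf line is not commented out.
# Field 1 is the service name; RPC entries may carry a /version suffix (assumption).
enabled_risky_services() {
    for svc in $RISKY_SERVICES; do
        awk -v s="$svc" '
            $0 !~ /^[ \t]*#/ { split($1, n, "/"); if (n[1] == s) found = 1 }
            END { exit !found }' "$1" && echo "$svc"
    done
    return 0
}

# Print each /etc/default/login setting that differs from the checklist value.
login_defaults_deviations() {
    for want in CONSOLE=/dev/console DISABLETIME=30 MAXTRYS=3 PASSREQ=YES SYSLOG=ALL UMASK=077; do
        key=${want%%=*}
        # Last active (uncommented) assignment wins; an empty result means unset.
        have=$(awk -F= -v k="$key" '$0 !~ /^[ \t]*#/ && $1 == k { v = $2 } END { print v }' "$1")
        [ "$have" = "${want#*=}" ] || echo "$key: have '${have:-unset}', want '${want#*=}'"
    done
    return 0
}

# Demo on constructed samples; on a real host use /etc/inetd.conf and /etc/default/login.
inetd_sample=$(mktemp); login_sample=$(mktemp)
cat > "$inetd_sample" <<'EOF'
ftp      stream tcp     nowait root  /usr/etc/ftpd     ftpd -l
tftp     dgram  udp     wait   guest /usr/etc/tftpd    tftpd
#bootp   dgram  udp     wait   root  /usr/etc/bootp    bootp
rexd/1   stream rpc/tcp wait   root  /usr/etc/rpc.rexd rexd
EOF
cat > "$login_sample" <<'EOF'
CONSOLE=/dev/console
MAXTRYS=5
#UMASK=077
EOF
echo "Active services to review:"; enabled_risky_services "$inetd_sample"
echo "Login defaults to fix:";     login_defaults_deviations "$login_sample"
rm -f "$inetd_sample" "$login_sample"
```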
- Run ssh
- Ensure that the latest patches are installed. Note in particular that there is a telnetd buffer overflow in Irix <= 6.5.9. Those using Irix 6.5.x should upgrade to the latest release (6.5.10). Pre-6.5 Irix users should strongly consider upgrading to Irix 6.5.10, or applying the patches from SGI. They make this nice and easy for you with their Web interface.