Securing AIX

Sponsored Content

Operating Systems AIX Securing AIX - Hardening Lesson 101 Post 302772774 by bakunin on Tuesday 26th of February 2013 07:38:43 PM

02-26-2013

Registered User

Here is my checklist of security-related things i do when i install a new system:

Create administrative FSes
root needs some places to store things: system documentation, logs, scripts, etc.. In most cases there is "/usr/local/bin" and roots home. Create FSes for some or all of these directories so that the content doesn't land in "/". Full root-fses usually cause some headache for the admins.
Install ssh
You need ssh itself and openssl for that. Get both from IBMs Linux Toolbox for AIX website and install with rpm.
Disable "classic" means of connection: telnet, ftp, rlogin, rexec, ....
Notice that you might need rlogin in some cases, but as a rule of thumb all these non-securified services should be disabled. Make sure these will not be started at system start any more.
Disable/limit root-login
The best way to become root is to log on with your regular user-ID and then switch to root. Therefore remote login for root can and should be disabled. Console login should be allowed, because there might be emergency situations where it is necessary. Someone able to get to the console is most probably also allowed to log on as root.
Set up sudo
Download from the IBM site where you got ssh.
Set up ntp
Especially when you use Kerberos you need consistent timekeeping throughout your environment, so connect your system to your local Stratum-2-server. Set the method to "slew" for database systems (i.e. Oracle is quite picky about duplicate timestamps when you set it to "step").
Edit /etc/motd and /etc/security/login.cfg
Its a good idea to be able to immediately recognize at which system you are when you log on. If you put some distinct banners at the login screen chances are you notice them even in times of stress if you have mistyped the machines name. (It is really easy to type "ssh server3" instead of "ssh server2" or something such.)

I hope this helps.

bakunin

bakunin

View Public Profile for bakunin

Find all posts by bakunin

8 More Discussions You Might Find Interesting

1. Solaris

Hardening Solaris

What do we need to do to harden a freshly installed solaris OS? like disable telnet, no ftp for root etc...What all services you need to stop? How to check what ports are open? etc etc....please provide all tips that come to your mind...thanks:)

2. UNIX for Advanced & Expert Users

Lesson Learned: Dual boot XP and Fedora 9

This post captures my recent experience in getting my Dell XPS Gen 3 to support dual boot of Windows XP (Professional) and the Fedora 9 Linux distribution. I searched quite a bit on the internet and found, of course, a variety of opinions regarding how to setup this type (dual boot) of...

3. Shell Programming and Scripting

Rename multiple files lesson

Hi All, So I found a cool way to change extensions to multiple files with: for i in *.doc do mv $i ${i%.doc}.txt done However, what I want to do is move *.txt to *_0hr.txt but the following doesn't work: for i in *.txt do mv $i ${i%.txt}_0hr.txt done My questions are (1) Why...

4. Shell Programming and Scripting

Textfile lesson

Tag allerseits Ich habe ein umfangreiches Script. Darin m�chte ich zu Beginn ein textfile lesen. Den ersten Satz. Dann kommen mehrere Instruktionen und dann soll wieder gelesen werden. Den zweiten Satz. Etc. Ich kann also das herk�mmliche while read xyz / do ... done nicht ben�tzen. ...

5. Cybersecurity

securing AIX box

Guys, i want to securing AIX after install by scrath. Is anybody can inform about the standard port which used by AIX?

6. AIX

Guys, i want to securing AIX after install by scratch. Is anybody can inform about the standard port which used by AIX?

7. AIX

AIX 101 : Sys Admin Pocket Survival Guide

HOW-TO AIX Admin 101 Sys Admin Pocket Survival Guide - AIX Worth checking it out and printing it.

8. Web Development

Oracle Jet - LP: 10. Lesson 1: Oracle JET 4.x - Lesson 1 - Part 4: Data Binding

Working on LP: 10. Lesson 1: Oracle JET 4.x - Lesson 1 - Part 4: Data Binding in this Oracle JET online course - Soar higher with Oracle JavaScript Extension Toolkit (JET), I have created this code for incidents.js I cannot get the load average data in this Oracle JET test to update the...

LEARN ABOUT NETBSD

ssh-keysign

SSH-KEYSIGN(8)						    BSD System Manager's Manual 					    SSH-KEYSIGN(8)

NAME

     ssh-keysign -- ssh helper program for host-based authentication

SYNOPSIS

     ssh-keysign

DESCRIPTION

     ssh-keysign is used by ssh(1) to access the local host keys and generate the digital signature required during host-based authentication with
     SSH protocol version 2.

     ssh-keysign is disabled by default and can only be enabled in the global client configuration file /etc/ssh/ssh_config by setting
     EnableSSHKeysign to ``yes''.

     ssh-keysign is not intended to be invoked by the user, but from ssh(1).  See ssh(1) and sshd(8) for more information about host-based authen-
     tication.

FILES

     /etc/ssh/ssh_config
	     Controls whether ssh-keysign is enabled.

     /etc/ssh/ssh_host_dsa_key
     /etc/ssh/ssh_host_ecdsa_key
     /etc/ssh/ssh_host_rsa_key
	     These files contain the private parts of the host keys used to generate the digital signature.  They should be owned by root, read-
	     able only by root, and not accessible to others.  Since they are readable only by root, ssh-keysign must be set-uid root if host-
	     based authentication is used.

     /etc/ssh/ssh_host_dsa_key-cert.pub
     /etc/ssh/ssh_host_ecdsa_key-cert.pub
     /etc/ssh/ssh_host_rsa_key-cert.pub
	     If these files exist they are assumed to contain public certificate information corresponding with the private keys above.

SEE ALSO

     ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)

HISTORY

     ssh-keysign first appeared in OpenBSD 3.2.

AUTHORS

     Markus Friedl <markus@openbsd.org>

BSD
								  August 31, 2010							       BSD