02-26-2013
Here is my checklist of security-related things i do when i install a new system:
- Create administrative FSes
root needs some places to store things: system documentation, logs, scripts, etc.. In most cases there is "/usr/local/bin" and roots home. Create FSes for some or all of these directories so that the content doesn't land in "/". Full root-fses usually cause some headache for the admins.
- Install ssh
You need ssh itself and openssl for that. Get both from IBMs Linux Toolbox for AIX website and install with rpm.
- Disable "classic" means of connection: telnet, ftp, rlogin, rexec, ....
Notice that you might need rlogin in some cases, but as a rule of thumb all these non-securified services should be disabled. Make sure these will not be started at system start any more.
- Disable/limit root-login
The best way to become root is to log on with your regular user-ID and then switch to root. Therefore remote login for root can and should be disabled. Console login should be allowed, because there might be emergency situations where it is necessary. Someone able to get to the console is most probably also allowed to log on as root.
- Set up sudo
Download from the IBM site where you got ssh.
- Set up ntp
Especially when you use Kerberos you need consistent timekeeping throughout your environment, so connect your system to your local Stratum-2-server. Set the method to "slew" for database systems (i.e. Oracle is quite picky about duplicate timestamps when you set it to "step").
- Edit /etc/motd and /etc/security/login.cfg
Its a good idea to be able to immediately recognize at which system you are when you log on. If you put some distinct banners at the login screen chances are you notice them even in times of stress if you have mistyped the machines name. (It is really easy to type "ssh server3" instead of "ssh server2" or something such.)
I hope this helps.
bakunin
8 More Discussions You Might Find Interesting
1. Solaris
What do we need to do to harden a freshly installed solaris OS? like disable telnet, no ftp for root etc...What all services you need to stop? How to check what ports are open? etc etc....please provide all tips that come to your mind...thanks:) (5 Replies)
Discussion started by: rcmrulzz
5 Replies
2. UNIX for Advanced & Expert Users
This post captures my recent experience in getting my Dell XPS Gen 3 to support dual boot of Windows XP (Professional) and the Fedora 9 Linux distribution.
I searched quite a bit on the internet and found, of course, a variety of opinions regarding how to setup this type (dual boot) of... (1 Reply)
Discussion started by: rlandon@usa.net
1 Replies
3. Shell Programming and Scripting
Hi All,
So I found a cool way to change extensions to multiple files with:
for i in *.doc
do
mv $i ${i%.doc}.txt
done
However, what I want to do is move *.txt to *_0hr.txt but the following doesn't work:
for i in *.txt
do
mv $i ${i%.txt}_0hr.txt
done
My questions are (1) Why... (2 Replies)
Discussion started by: ScKaSx
2 Replies
4. Shell Programming and Scripting
Tag allerseits
Ich habe ein umfangreiches Script. Darin möchte ich zu Beginn ein textfile lesen. Den ersten Satz.
Dann kommen mehrere Instruktionen und dann soll wieder gelesen werden. Den zweiten Satz.
Etc.
Ich kann also das herkömmliche while read xyz / do ... done nicht benützen.
... (0 Replies)
Discussion started by: lazybaer
0 Replies
5. Cybersecurity
Guys, i want to securing AIX after install by scrath. Is anybody can inform about the standard port which used by AIX? (0 Replies)
Discussion started by: michlix
0 Replies
6. AIX
Guys, i want to securing AIX after install by scratch. Is anybody can inform about the standard port which used by AIX? (4 Replies)
Discussion started by: michlix
4 Replies
7. AIX
HOW-TO
AIX Admin 101 Sys Admin Pocket Survival Guide - AIX
Worth checking it out and printing it. (1 Reply)
Discussion started by: filosophizer
1 Replies
8. Web Development
Working on LP: 10. Lesson 1: Oracle JET 4.x - Lesson 1 - Part 4: Data Binding in this Oracle JET online course - Soar higher with Oracle JavaScript Extension Toolkit (JET), I have created this code for incidents.js
I cannot get the load average data in this Oracle JET test to update the... (4 Replies)
Discussion started by: Neo
4 Replies
LEARN ABOUT DEBIAN
blaze-edit
BLAZE-EDIT(1) BlazeBlogger Documentation BLAZE-EDIT(1)
NAME
blaze-edit - edits a blog post or a page in the BlazeBlogger repository
SYNOPSIS
blaze-edit [-fpqCPV] [-b directory] [-E editor] id
blaze-edit -h|-v
DESCRIPTION
blaze-edit opens an existing blog post or a page with the specified id in an external text editor. Note that there are several special
forms and placeholders that can be used in the text, and that will be replaced with a proper data when the blog is generated.
Special Forms
<!-- break -->
A mark to delimit a blog post synopsis.
Placeholders
%root%
A relative path to the root directory of the blog.
%home%
A relative path to the index page of the blog.
%page[id]%
A relative path to a page with the supplied id.
%post[id]%
A relative path to a blog post with the supplied id.
%tag[name]%
A relative path to a tag with the supplied name.
OPTIONS
-b directory, --blogdir directory
Allows you to specify a directory in which the BlazeBlogger repository is placed. The default option is a current working directory.
-E editor, --editor editor
Allows you to specify an external text editor. When supplied, this option overrides the relevant configuration option.
-p, --page
Tells blaze-edit to edit a page or pages.
-P, --post
Tells blaze-edit to edit a blog post or blog posts. This is the default option.
-f, --force
Tells blaze-edit to create an empty source file in case it does not already exist. If the core.processor option is enabled, this file
is used as the input to be processed by the selected application.
-C, --no-processor
Disables processing a blog post or page with an external application.
-q, --quiet
Disables displaying of unnecessary messages.
-V, --verbose
Enables displaying of all messages. This is the default option.
-h, --help
Displays usage information and exits.
-v, --version
Displays version information and exits.
ENVIRONMENT
EDITOR
Unless the core.editor option is set, BlazeBlogger tries to use system-wide settings to decide which editor to use.
EXAMPLE USAGE
Edit a blog post in an external text editor:
~]$ blaze-edit 10
Edit a page in an external text editor:
~]$ blaze-edit -p 4
Edit a page in nano:
~]$ blaze-edit -p 2 -E nano
SEE ALSO
blaze-config(1), blaze-add(1), blaze-list(1)
BUGS
To report a bug or to send a patch, please, add a new issue to the bug tracker at <http://code.google.com/p/blazeblogger/issues/>, or visit
the discussion group at <http://groups.google.com/group/blazeblogger/>.
COPYRIGHT
Copyright (C) 2008-2011 Jaromir Hradilek
This program is free software; see the source for copying conditions. It is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Version 1.2.0 2012-03-05 BLAZE-EDIT(1)