02-26-2013
Here is my checklist of security-related things i do when i install a new system:
- Create administrative FSes
root needs some places to store things: system documentation, logs, scripts, etc.. In most cases there is "/usr/local/bin" and roots home. Create FSes for some or all of these directories so that the content doesn't land in "/". Full root-fses usually cause some headache for the admins.
- Install ssh
You need ssh itself and openssl for that. Get both from IBMs Linux Toolbox for AIX website and install with rpm.
- Disable "classic" means of connection: telnet, ftp, rlogin, rexec, ....
Notice that you might need rlogin in some cases, but as a rule of thumb all these non-securified services should be disabled. Make sure these will not be started at system start any more.
- Disable/limit root-login
The best way to become root is to log on with your regular user-ID and then switch to root. Therefore remote login for root can and should be disabled. Console login should be allowed, because there might be emergency situations where it is necessary. Someone able to get to the console is most probably also allowed to log on as root.
- Set up sudo
Download from the IBM site where you got ssh.
- Set up ntp
Especially when you use Kerberos you need consistent timekeeping throughout your environment, so connect your system to your local Stratum-2-server. Set the method to "slew" for database systems (i.e. Oracle is quite picky about duplicate timestamps when you set it to "step").
- Edit /etc/motd and /etc/security/login.cfg
Its a good idea to be able to immediately recognize at which system you are when you log on. If you put some distinct banners at the login screen chances are you notice them even in times of stress if you have mistyped the machines name. (It is really easy to type "ssh server3" instead of "ssh server2" or something such.)
I hope this helps.
bakunin
8 More Discussions You Might Find Interesting
1. Solaris
What do we need to do to harden a freshly installed solaris OS? like disable telnet, no ftp for root etc...What all services you need to stop? How to check what ports are open? etc etc....please provide all tips that come to your mind...thanks:) (5 Replies)
Discussion started by: rcmrulzz
5 Replies
2. UNIX for Advanced & Expert Users
This post captures my recent experience in getting my Dell XPS Gen 3 to support dual boot of Windows XP (Professional) and the Fedora 9 Linux distribution.
I searched quite a bit on the internet and found, of course, a variety of opinions regarding how to setup this type (dual boot) of... (1 Reply)
Discussion started by: rlandon@usa.net
1 Replies
3. Shell Programming and Scripting
Hi All,
So I found a cool way to change extensions to multiple files with:
for i in *.doc
do
mv $i ${i%.doc}.txt
done
However, what I want to do is move *.txt to *_0hr.txt but the following doesn't work:
for i in *.txt
do
mv $i ${i%.txt}_0hr.txt
done
My questions are (1) Why... (2 Replies)
Discussion started by: ScKaSx
2 Replies
4. Shell Programming and Scripting
Tag allerseits
Ich habe ein umfangreiches Script. Darin möchte ich zu Beginn ein textfile lesen. Den ersten Satz.
Dann kommen mehrere Instruktionen und dann soll wieder gelesen werden. Den zweiten Satz.
Etc.
Ich kann also das herkömmliche while read xyz / do ... done nicht benützen.
... (0 Replies)
Discussion started by: lazybaer
0 Replies
5. Cybersecurity
Guys, i want to securing AIX after install by scrath. Is anybody can inform about the standard port which used by AIX? (0 Replies)
Discussion started by: michlix
0 Replies
6. AIX
Guys, i want to securing AIX after install by scratch. Is anybody can inform about the standard port which used by AIX? (4 Replies)
Discussion started by: michlix
4 Replies
7. AIX
HOW-TO
AIX Admin 101 Sys Admin Pocket Survival Guide - AIX
Worth checking it out and printing it. (1 Reply)
Discussion started by: filosophizer
1 Replies
8. Web Development
Working on LP: 10. Lesson 1: Oracle JET 4.x - Lesson 1 - Part 4: Data Binding in this Oracle JET online course - Soar higher with Oracle JavaScript Extension Toolkit (JET), I have created this code for incidents.js
I cannot get the load average data in this Oracle JET test to update the... (4 Replies)
Discussion started by: Neo
4 Replies
LEARN ABOUT SUSE
ssh-keysign
SSH-KEYSIGN(8) BSD System Manager's Manual SSH-KEYSIGN(8)
NAME
ssh-keysign -- ssh helper program for host-based authentication
SYNOPSIS
ssh-keysign
DESCRIPTION
ssh-keysign is used by ssh(1) to access the local host keys and generate the digital signature required during host-based authentication with
SSH protocol version 2.
ssh-keysign is disabled by default and can only be enabled in the global client configuration file /etc/ssh/ssh_config by setting
EnableSSHKeysign to ``yes''.
ssh-keysign is not intended to be invoked by the user, but from ssh(1). See ssh(1) and sshd(8) for more information about host-based authen-
tication.
FILES
/etc/ssh/ssh_config
Controls whether ssh-keysign is enabled.
/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to generate the digital signature. They should be owned by root, read-
able only by root, and not accessible to others. Since they are readable only by root, ssh-keysign must be set-uid root if host-
based authentication is used.
SEE ALSO
ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)
HISTORY
ssh-keysign first appeared in OpenBSD 3.2.
AUTHORS
Markus Friedl <markus@openbsd.org>
BSD
May 31, 2007 BSD