Page 1 of 3

Recommendations

Posted: Fri Oct 30, 2015 10:00 am
by Ravege
Hey guys, contemplating dusting the dust off my SGI boxes. Looking for some ideas on securing, or improving security, or generally hardening the machines. I haven't worked with any UNIX for awhile, so even general/not IRIX specific stuff would be great. Thanks!

Re: Recommendations

Posted: Fri Oct 30, 2015 11:21 am
by robespierre
remove sendmail, replace with patched qmail
remove inetd, replace with UCSPI
enable strict IPFilter rules
or the easier alternative, use behind a firewall

Re: Recommendations

Posted: Fri Oct 30, 2015 12:37 pm
by robespierre
But you need to take care of application security as well, I would be especially cautious of netscape and acrobat.

Re: Recommendations

Posted: Tue Nov 03, 2015 4:57 pm
by vishnu
robespierre wrote:or the easier alternative, use behind a firewall


Concur. I've got a really solid firewall between my home LAN and the Internet and I've never had any security problems with my IRIX boxes at all. Although, disclaimer wise I don't use my IRIX boxes to surf the Internet. But many members here do and no one's yet reported that their IRIX boxes were attacked as a result...

Re: Recommendations

Posted: Tue Nov 03, 2015 10:21 pm
by ClassicHasClass
Most of my machines are on a secured network that can't route (directly) to the Internet. Only a few have outside facing NICs, and none of them are the SGIs.

Re: Recommendations

Posted: Wed Nov 04, 2015 7:53 am
by robespierre
That's by far the best approach.

Re: Recommendations

Posted: Sun Nov 08, 2015 11:57 am
by Krokodil
ClassicHasClass wrote:Most of my machines are on a secured network that can't route (directly) to the Internet. Only a few have outside facing NICs, and none of them are the SGIs.


All my vintage systems are on a network that has no physical connections to the main network. The only way to get files in and out of the network is by attaching a crossover cable to a FreeBSD box where the files are staged. I just don't feel that my IRIX boxes should be on the internet.

Re: Recommendations

Posted: Mon Nov 09, 2015 9:33 am
by necron2600
If you wanted to get more exotic with security protection on IRIX with one of the best products for locking down a system (my opinion).. eTrust Access Control (owned by CA) works with lots of Unix type platforms including IRIX. Last I worked with that product was with eTrust Access Control for UNIX version 8. Its like a tripwire tool but with enforcement and central auditing and control sortof like SELinux and sudo (although it can work standalone on a single system). Intruders cannot circumvent its protections or exploit vulns in apps that easily.

Looking through the CDs for version 5.1.. it seems that it works on the following platforms: DECUNIX4, DYNIXPTX, IRIX64, IRIX, LINUX390, LINUX, NCR, SINIX, SOLARIS x86, UNIXWARE, RSV, Solaris, STOP, AIX43, AIX4, HPUX1020, HPUX10, HPUX11, couple mainframes and NT-i386.

I never did try it on IRIX before.. another weekend project ;)
Its downfall may be it is not simple to setup, poor marketing by CA. Plus, not sure on how much it costs.

-Kevin

Re: Recommendations

Posted: Mon Nov 09, 2015 9:40 am
by foetz
just run everything behind a router/firewall and you're fine. general, golden rule; goes for all systems.
then you can surf and whatever else you wanna do with your sgis and any other specials you might have

Re: Recommendations

Posted: Mon Nov 16, 2015 11:00 am
by vishnu
Krokodil wrote: just don't feel that my IRIX boxes should be on the internet.

But if they're behind a NATing firewall are they really on the Internet? I think there's a big difference between being on the Internet and being able to get to the Internet. In the 8 years since I've had IRIX boxes on my LAN, and knowing of my firewall as the Internet gateway, I've never had a problem. I hasten to add that not knowing of any problems doesn't mean there aren't any problems. For all we know the NSA could be sitting inside all our computers. Although, if they were inside mine, why haven't I been cuffed and stuffed yet? "Guilty of every computer crime we have a law for..." :lol:

Re: Recommendations

Posted: Mon Nov 16, 2015 12:28 pm
by Trippynet
I'm with Vishnu here. My SGIs are all firewalled and have unnecessary services turned off, but otherwise do have Internet access. So far, no problems that I'm aware of.

Overall, I think ancient copies of Firefox and a dead-end and niche OS are not really what you'd call major attack targets. Everything these days seems to focus on Windows or mobile phones where a successful attack can yield a lot more benefit for attackers.

Re: Recommendations

Posted: Mon Nov 16, 2015 12:50 pm
by robespierre
The long time since the last patch means that researching new exploits isn't the point. All the old ones still work and serving an exploit to a vulnerable machine has long been completely automated.

just run everything behind a router/firewall and you're fine. general, golden rule; goes for all systems.

Heartbleed? What's that?

Re: Recommendations

Posted: Mon Nov 16, 2015 2:56 pm
by Krokodil
vishnu wrote:
Krokodil wrote: just don't feel that my IRIX boxes should be on the internet.

But if they're behind a NATing firewall are they really on the Internet? I think there's a big difference between being on the Internet and being able to get to the Internet. In the 8 years since I've had IRIX boxes on my LAN, and knowing of my firewall as the Internet gateway, I've never had a problem. I hasten to add that not knowing of any problems doesn't mean there aren't any problems. For all we know the NSA could be sitting inside all our computers. Although, if they were inside mine, why haven't I been cuffed and stuffed yet? "Guilty of every computer crime we have a law for..." :lol:


I know they're not directly facing the internet, but the browsers and applications like java are stone age and questionable in todays wild west internet.

Guilty of every computer crime, eh? lol.
If the NSA is in your computer the reason you haven't been busted is because they don't consider whatever your doing enough to justify blowing their secrecy. But every roadblock you put up against these jerks makes their job that much harder and makes them spend more money on it, it may even force them to risk exposing themselves - like breaking into your house and getting caught.

Re: Recommendations

Posted: Mon Nov 16, 2015 11:33 pm
by vishnu
Krokodil wrote:I know they're not directly facing the internet, but the browsers and applications like java are stone age and questionable in todays wild west internet.

I concur with that sentiment, I don't use any Internet software on any of my sgi's. But I know a lot of folks here have been using firefox 3 on their sgi's with no apparent problem.
Krokodil wrote:Guilty of every computer crime, eh? lol.
If the NSA is in your computer the reason you haven't been busted is because they don't consider whatever your doing enough to justify blowing their secrecy. But every roadblock you put up against these jerks makes their job that much harder and makes them spend more money on it, it may even force them to risk exposing themselves - like breaking into your house and getting caught.

Nah, this is the Land of the Free, they'd get some idiot judge to sign a warrant and then they'd show up in an armored personnel carrier, shoot tear gas canisters through my windows, use a robotic battering ram to knock down my door, throw in a dozen flash bang grenades, rush in wearing body armored ninja suits wielding m4 carbines with the safeties off, most likely shoot me fifty or sixty times and then hold a press conference to tell the world what a huge favor they've done them... :shock:

Re: Recommendations

Posted: Mon Nov 16, 2015 11:35 pm
by diegel
I am still running Irix systems on the Internet. This are private projects, like the nekoware mirror and I had never problems with it. Our company used around the year 2000 a Challenge S as a secondary nameserver. This server was located at another Internet service provider (for free) and we simply forget this server. When this company moved the location some years ago, they asked us if we still using this server. So we got it back and examined it, it was running Irix 6.2 and never get hacked after 10 years running without any administration.