Making IRIX secure.

Post by cvisors » Thu Jun 12, 2003 3:38 am

I have felt that most UNIXES, out of the box, so to speak, are set up in a fairly open manner.

For example, IRIX, on a default install, still has a lot of services open which are not useful, for example, chargen, echo and the like.

So how do you all go about making IRIX more secure?

I will post what I have done when I get home from work, when I am back in front of my SGI boxes.

Benjamin

tips

Post by squeen » Thu Jun 12, 2003 4:23 am

Here's one very basic link: http://www.security.ku.edu/hardening/irix.shtml

Another is a paper I found recently called "Hardening the IRIX Operating System" by Michael Evanoff, which is very exhaustive; search for "Irix" on the page http://www.giac.org/GCUX_100.php. There's another (older) paper there too called "Checklist for Installing a Secure IRIX 6.5 Workstation" which is not bad either.

Lastly, the BIG catch-all for net baddies is the ipfilter daemon. There's an older one that was part of the IRIX kernel (optional install?) and a newer one at http://www.sgi.com/products/evaluation/. I'm still on the older one (which can be tricky to set up...and seems to fight with NFS sometimes).

Post by whiter » Thu Jun 12, 2003 8:45 am

I really need something that makes an Irix box so secure that it is acceptable to use it as an internet server.
I don't dare to put any of my irix boxes online at the moment because I fear they'll be hacked right away.
Shall I describe it to you? Or do you want me to get you a box?

Post by semi-fly » Thu Jun 12, 2003 8:56 am

I regularly run 'nmap' on all my systems, especially after updates. Sometimes I'll forget to turn off insecure services and whatnot...

Post by semi-fly » Thu Jun 12, 2003 8:59 am

Here's a basic how-to on securing IRIX 6.5 from sans.org. It's one of the first articles I read on the subject.
http://www.sans.org/rr/paper.php?id=326

Post by whiter » Thu Jun 12, 2003 8:59 am

nmap isn't enough.
There can very well be security holes in the tcp stack or in the raw ip layer. But I don't know anything about the security states of those.

Post by semi-fly » Thu Jun 12, 2003 9:03 am

whiter wrote: nmap isn't enough.
There can very well be security holes in the tcp stack or in the raw ip layer. But I don't know anything about the security states of those.

You're right, 'nmap' isn't enough, but it's helpful with getting basic tcp etc. info off a machine, which is what I use it for. :)

Post by squeen » Thu Jun 12, 2003 11:16 am

You can set up the ipfilter so only requests on port 80 (http) are answered...everything else is dropped (except for a specific client list of IP addresses if you so choose).

Post by vegac » Thu Jun 12, 2003 12:27 pm

For those of you curious about IPFilter, here's my /etc/ipf.conf
This is set up on my O2, which is one of my small servers here...should help you peoples out maybe?

---begin file now---
#Loopback rules - always pass
#This way localhost is always available to everything
pass out quick on lo0 all
pass in quick on lo0 all

#-ICMP rules, allow only ping and traceroute
pass in quick on ec0 proto icmp from any to (my-ip-here) icmp-type 0
pass in quick on ec0 proto icmp from any to (my-ip-here) icmp-type 11
block in quick on ec0 proto icmp from any to any

#block all internal-only services, such as RPC, NFS, FAM, etc.
block in quick on ec0 proto tcp/udp from any to (my-ip-here) port = 111
block in quick on ec0 proto tcp/udp from any to (my-ip-here) port = 2049
block in quick on ec0 proto tcp/udp from any to (my-ip-here) port = 806
block in quick on ec0 proto tcp/udp from any to (my-ip-here) port = 1024
block in quick on ec0 proto tcp/udp from any to (my-ip-here) port = 629
block in quick on ec0 proto tcp/udp from any to (my-ip-here) port = 1027

#allow X server access only from my internal network's IP block
block in on ec0 proto tcp/udp from any to (my-ip-here) port = 6000
pass in on ec0 proto tcp/udp from (my-ip-block-here)/28 to (my-ip-here) port = 6000

#allow any outgoing connections I choose to make
pass out quick on ec0 proto tcp from (my-ip-here) to any keep state
pass out quick on ec0 proto udp from (my-ip-here) to any keep state

---end file now---


any questions? let me know
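
An added example (not part of vegac's post and not IPFilter code): a simplified Python model of IPFilter's inbound rule evaluation, where the last matching rule wins unless a matching rule carries `quick`, run over a subset of the rules above and over a default-deny ruleset of the port-80-only kind squeen describes. The addresses, the `WEB_ONLY` rules and the default-pass policy for unmatched packets are assumptions; the model is stateless and ignores the outbound `keep state` rules.

```python
import ipaddress

HOST, LAN = "192.0.2.10", "192.0.2.0/28"  # constructed stand-ins for the post's placeholders
RULES = f"""
pass in quick on ec0 proto icmp from any to {HOST} icmp-type 0
block in quick on ec0 proto icmp from any to any
block in quick on ec0 proto tcp/udp from any to {HOST} port = 111
block in on ec0 proto tcp/udp from any to {HOST} port = 6000
pass in on ec0 proto tcp/udp from {LAN} to {HOST} port = 6000
"""  # subset of the inbound rules posted above
WEB_ONLY = f"""
block in on ec0 all
pass in quick on ec0 proto tcp from any to {HOST} port = 80
"""  # constructed default-deny ruleset: only port 80 is answered

def parse(line):
    t = line.split()
    r = {"action": t[0], "quick": "quick" in t, "iface": t[t.index("on") + 1],
         "proto": None, "src": "any", "dst": "any", "port": None, "icmp": None}
    if "proto" in t:
        r["proto"] = t[t.index("proto") + 1].split("/")
        r["src"], r["dst"] = t[t.index("from") + 1], t[t.index("to") + 1]
    if "port" in t:
        r["port"] = int(t[t.index("port") + 2])  # skip the "=" token
    if "icmp-type" in t:
        r["icmp"] = int(t[t.index("icmp-type") + 1])
    return r

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
def matches(r, p):
    return (r["iface"] == p["iface"]
            and (r["proto"] is None or p["proto"] in r["proto"])
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and (r["port"] is None or r["port"] == p.get("port"))
            and (r["icmp"] is None or r["icmp"] == p.get("icmp")))

def verdict(rules, pkt, default="pass"):
    """Last matching rule wins; a matching 'quick' rule ends evaluation."""
    result = default  # assumption: packets matching no rule are passed
    for r in map(parse, rules.strip().splitlines()):
        if matches(r, pkt):
            result = r["action"]
            if r["quick"]:
                break
    return result

def inbound(proto, src, **extra):
    return {"iface": "ec0", "proto": proto, "src": src, "dst": HOST, **extra}
```

Calling `verdict(RULES, inbound("tcp", "203.0.113.5", port=23))` shows what happens to a port the ruleset never mentions, and the same packet against `WEB_ONLY` shows the effect of starting from `block in on ec0 all`.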

Post by whiter » Thu Jun 12, 2003 2:57 pm

squeen wrote: You can set up the ipfilter so only requests on port 80 (http) are answered...everything else is dropped (except for a specific client list of IP addresses if you so choose).


If there is an error in the tcp stack or a lower layer, this will be of no use, since the data might already have poisoned the stack and gained entrance to the system before ipfilter even became aware of a connection.

So I would love to get to some place with info about past and maybe current issues with these low-level layers and stacks. Now if they just had it made open source I'd squeeeeeel those bugs out there....

Post by semi-fly » Thu Jun 12, 2003 3:05 pm

whiter wrote: So I would love to get to some place with info about past and maybe current issues with these low-level layers and stacks. Now if they just had it made open source I'd squeeeeeel those bugs out there....


There's no bugs here. There's nothing to see. Please move along, everything is under control.

