Recommendations

Post by Ravege » Fri Oct 30, 2015 10:00 am

Hey guys, contemplating dusting the dust off my SGI boxes. Looking for some ideas on securing, or improving security, or generally hardening the machines. I haven't worked with any UNIX for a while, so even general/not IRIX specific stuff would be great. Thanks!
:Octane: 2x600 R14K, 8G, V12
:O2: 1x600 R7K, 1G
:Indigo2IMP: 1x75 R8K, 256M

Post by robespierre » Fri Oct 30, 2015 11:21 am

remove sendmail, replace with patched qmail
remove inetd, replace with UCSPI
enable strict IPFilter rules
or the easier alternative, use behind a firewall
:PI: :O2: :Indigo2IMP: :Indigo2IMP:

Post by robespierre » Fri Oct 30, 2015 12:37 pm

But you need to take care of application security as well; I would be especially cautious of Netscape and Acrobat.

Post by vishnu » Tue Nov 03, 2015 4:57 pm

robespierre wrote: or the easier alternative, use behind a firewall


Concur. I've got a really solid firewall between my home LAN and the Internet and I've never had any security problems with my IRIX boxes at all. Although, disclaimer-wise, I don't use my IRIX boxes to surf the Internet. But many members here do and no one's yet reported that their IRIX boxes were attacked as a result...
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...

:Tezro: :Octane2:

Post by ClassicHasClass » Tue Nov 03, 2015 10:21 pm

Most of my machines are on a secured network that can't route (directly) to the Internet. Only a few have outside facing NICs, and none of them are the SGIs.
smit happens.

:Fuel: bigred, 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy, 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze, 175MHz R10000, Solid IMPACT
probably posted from Image bruce, Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * RDI PrecisionBook * BeBox * Solbourne S3000 * Commodore 128 * many more...

Post by robespierre » Wed Nov 04, 2015 7:53 am

That's by far the best approach.

Post by Krokodil » Sun Nov 08, 2015 11:57 am

ClassicHasClass wrote: Most of my machines are on a secured network that can't route (directly) to the Internet. Only a few have outside facing NICs, and none of them are the SGIs.


All my vintage systems are on a network that has no physical connections to the main network. The only way to get files in and out of the network is by attaching a crossover cable to a FreeBSD box where the files are staged. I just don't feel that my IRIX boxes should be on the internet.
:Octane2: - :O2: - :Octane: - :Indigo2IMP:

Post by necron2600 » Mon Nov 09, 2015 9:33 am

If you wanted to get more exotic with security protection on IRIX with one of the best products for locking down a system (my opinion)... eTrust Access Control (owned by CA) works with lots of Unix-type platforms including IRIX. Last I worked with that product was with eTrust Access Control for UNIX version 8. It's like a tripwire tool but with enforcement and central auditing and control, sort of like SELinux and sudo (although it can work standalone on a single system). Intruders cannot circumvent its protections or exploit vulns in apps that easily.

Looking through the CDs for version 5.1.. it seems that it works on the following platforms: DECUNIX4, DYNIXPTX, IRIX64, IRIX, LINUX390, LINUX, NCR, SINIX, SOLARIS x86, UNIXWARE, RSV, Solaris, STOP, AIX43, AIX4, HPUX1020, HPUX10, HPUX11, couple mainframes and NT-i386.

I never did try it on IRIX before... another weekend project ;)
Its downfall may be it is not simple to set up, poor marketing by CA. Plus, not sure on how much it costs.

-Kevin

Post by foetz » Mon Nov 09, 2015 9:40 am

just run everything behind a router/firewall and you're fine. general, golden rule; goes for all systems.
then you can surf and whatever else you wanna do with your sgis and any other specials you might have

Post by vishnu » Mon Nov 16, 2015 11:00 am

Krokodil wrote: just don't feel that my IRIX boxes should be on the internet.

But if they're behind a NATing firewall are they really on the Internet? I think there's a big difference between being on the Internet and being able to get to the Internet. In the 8 years since I've had IRIX boxes on my LAN, and knowing of my firewall as the Internet gateway, I've never had a problem. I hasten to add that not knowing of any problems doesn't mean there aren't any problems. For all we know the NSA could be sitting inside all our computers. Although, if they were inside mine, why haven't I been cuffed and stuffed yet? "Guilty of every computer crime we have a law for..." :lol:

Post by Trippynet » Mon Nov 16, 2015 12:28 pm

I'm with Vishnu here. My SGIs are all firewalled and have unnecessary services turned off, but otherwise do have Internet access. So far, no problems that I'm aware of.

Overall, I think ancient copies of Firefox and a dead-end and niche OS are not really what you'd call major attack targets. Everything these days seems to focus on Windows or mobile phones where a successful attack can yield a lot more benefit for attackers.
Systems in use:
:Indigo2IMP: - Nitrogen: R10000 195MHz CPU, 384MB RAM, SolidIMPACT Graphics, 36GB 15k HDD & 300GB 10k HDD, 100Mb/s NIC, New/quiet fans, IRIX 6.5.22
:Fuel: - Lithium: R14000 600MHz CPU, 4GB RAM, V10 Graphics, 72GB 15k HDD & 300GB 10k HDD, 1Gb/s NIC, New/quiet fans, IRIX 6.5.30
Other system in storage: :O2: R5000 200MHz, 224MB RAM, 72GB 15k HDD, PSU fan mod, IRIX 6.5.30
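
One way to check the "unnecessary services turned off" step mentioned in this thread on an inetd-based system, as an added example that is not part of any poster's message: the script lists every entry still enabled in an inetd.conf-style file that is not on a local allowlist. The `ALLOWED` list, the function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report inetd services that are still
# enabled but not on a local allowlist.

# Assumption: the services you deliberately keep. Adjust per machine.
ALLOWED="ftp"

# audit_inetd [FILE]
# Reads an inetd.conf-style file (stdin if FILE is omitted) and prints
# "service/proto server-program" for every enabled entry not in $ALLOWED.
# Exit status is 1 when at least one such entry exists, 0 otherwise.
audit_inetd() {
    awk -v allowed="$ALLOWED" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^[ \t]*#/ || NF < 6 { next }   # disabled (commented out) or malformed
        !($1 in ok) {                   # enabled and not explicitly allowed
            printf "%s/%s %s\n", $1, $3, $6
            bad++
        }
        END { exit (bad > 0) }
    ' "${1:--}"
}

# Constructed sample input; on a real system pass /etc/inetd.conf instead.
sample_inetd_conf() {
    cat <<'EOF'
# service socket proto wait   user  server-program   args
ftp     stream tcp   nowait root  /usr/etc/ftpd     ftpd -l
telnet  stream tcp   nowait root  /usr/etc/telnetd  telnetd
#shell  stream tcp   nowait root  /usr/etc/rshd     rshd -L
finger  stream tcp   nowait guest /usr/etc/fingerd  fingerd
echo    stream tcp   nowait root  internal
EOF
}

sample_inetd_conf | audit_inetd || echo "entries above need review"
```

Each reported line is a candidate to comment out, after which inetd has to re-read its configuration (SIGHUP) for the change to take effect.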

Post by robespierre » Mon Nov 16, 2015 12:50 pm

The long time since the last patch means that researching new exploits isn't the point. All the old ones still work and serving an exploit to a vulnerable machine has long been completely automated.

foetz wrote: just run everything behind a router/firewall and you're fine. general, golden rule; goes for all systems.

Heartbleed? What's that?

Post by Krokodil » Mon Nov 16, 2015 2:56 pm

vishnu wrote:
Krokodil wrote: just don't feel that my IRIX boxes should be on the internet.

But if they're behind a NATing firewall are they really on the Internet? I think there's a big difference between being on the Internet and being able to get to the Internet. In the 8 years since I've had IRIX boxes on my LAN, and knowing of my firewall as the Internet gateway, I've never had a problem. I hasten to add that not knowing of any problems doesn't mean there aren't any problems. For all we know the NSA could be sitting inside all our computers. Although, if they were inside mine, why haven't I been cuffed and stuffed yet? "Guilty of every computer crime we have a law for..." :lol:


I know they're not directly facing the internet, but the browsers and applications like Java are stone age and questionable in today's wild west internet.

Guilty of every computer crime, eh? lol.
If the NSA is in your computer the reason you haven't been busted is because they don't consider whatever you're doing enough to justify blowing their secrecy. But every roadblock you put up against these jerks makes their job that much harder and makes them spend more money on it, it may even force them to risk exposing themselves - like breaking into your house and getting caught.

Post by vishnu » Mon Nov 16, 2015 11:33 pm

Krokodil wrote: I know they're not directly facing the internet, but the browsers and applications like Java are stone age and questionable in today's wild west internet.

I concur with that sentiment, I don't use any Internet software on any of my sgi's. But I know a lot of folks here have been using firefox 3 on their sgi's with no apparent problem.
Krokodil wrote: Guilty of every computer crime, eh? lol.
If the NSA is in your computer the reason you haven't been busted is because they don't consider whatever you're doing enough to justify blowing their secrecy. But every roadblock you put up against these jerks makes their job that much harder and makes them spend more money on it, it may even force them to risk exposing themselves - like breaking into your house and getting caught.

Nah, this is the Land of the Free, they'd get some idiot judge to sign a warrant and then they'd show up in an armored personnel carrier, shoot tear gas canisters through my windows, use a robotic battering ram to knock down my door, throw in a dozen flash bang grenades, rush in wearing body armored ninja suits wielding m4 carbines with the safeties off, most likely shoot me fifty or sixty times and then hold a press conference to tell the world what a huge favor they've done them... :shock:

Post by diegel » Mon Nov 16, 2015 11:35 pm

I am still running IRIX systems on the Internet. These are private projects, like the nekoware mirror, and I never had problems with it. Around the year 2000 our company used a Challenge S as a secondary nameserver. This server was located at another Internet service provider (for free) and we simply forgot this server. When this company moved the location some years ago, they asked us if we were still using this server. So we got it back and examined it; it was running IRIX 6.2 and never got hacked after 10 years running without any administration.
:Tezro: :Fuel: :Octane2: :Octane: :Onyx2: :O2+: :O2: :Indy: :Indigo: :Cube:

