Description

FTP is a legacy protocol. It is a clear-text protocol, like Telnet, and allows an attacker to eavesdrop on sessions and steal passwords. This also allows an attacker to take over an FTP session, using a clear-text-takeover tool like Hunt or Ettercap. It can make effective firewalling difficult because of the way FTP requires many ports to stay open. Every major FTP daemon has had a long history of security vulnerabilities. They represent one of the major successful attack vectors for remote root attacks.

Actions

In the /etc/inetd.conf file, comment out the entry for ftp.

SecureInetd.deactivate_ident

Headline

Ensure that the inetd ident service does not run on this system.

Default

N

Description

The ident service implements the TCP/IP proposed standard IDENT user identification protocol as specified in the RFC 1413 document. The identd service operates by looking up specific TCP/IP connections and returning the user name of the process owning the connection. This service can be used to determine user information on a given machine in preparation for a brute-force password attack like a dictionary attack. HP recommends disabling this service unless compelled by application-specific needs.

Actions

In the /etc/inetd.conf file, comment out the entry for auth or ident.

SecureInetd.deactivate_ktools

Headline

Ensure that the inetd klogin and kshell services do not run on this system.

Default

N

Description

The kshell and klogin services use Kerberos authentication protocols. If this machine is not using the Kerberos scheme, HP recommends disabling these services. Any service or daemon running on the system that is not needed or used should be disabled.

Actions

In the /etc/inetd.conf file, comment out the entry for kshell and klogin.

SecureInetd.deactivate_ntalk

Headline

Ensure that the inetd ntalk service does not run on this system.

Default

N

Description

The ntalk service is a visual communication program that predates instant messaging applications and copies lines from your terminal to another user's terminal. The ntalk service is considered a light security hazard, but should be disabled if not used on this machine.

Actions

In the /etc/inetd.conf file, comment out the entry for ntalk.

SecureInetd.deactivate_printer

Headline

Ensure the inetd printer service does not run on this system.

Default

N

Description

The printer service is a line printer daemon that accepts remote spool requests. It uses the rlp daemon to process remote print requests, display the queue, and remove jobs from the queue on request. If this machine is not used as a remote print spooler, this service should be disabled.

Actions

In the /etc/inetd.conf file, comment out the entry for printer.
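The five Actions above (ftp, auth/ident, kshell and klogin, ntalk, printer) are all the same edit: comment out a service line in /etc/inetd.conf and confirm nothing uncommented remains. The script below is an added example, not part of the Bastille manual or its code. It works on a constructed copy of inetd.conf (the service lines and daemon paths in it are sample values, not taken from any real host) so it can be run anywhere; the function names and the `inetd -c` reload step mentioned in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the Bastille manual): comment out inetd.conf
# entries for the services covered in this section and verify the result.
set -u

# Build a constructed inetd.conf in a temp dir so the demo never touches
# the real /etc/inetd.conf. Daemon paths are sample values.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
INETD_CONF="$WORK/inetd.conf"
cat > "$INETD_CONF" <<'EOF'
# constructed sample inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd      ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd   telnetd
ident   stream tcp wait   bin  /usr/lbin/identd    identd
kshell  stream tcp nowait root /usr/lbin/rshd      rshd -K
klogin  stream tcp nowait root /usr/lbin/rlogind   rlogind -K
ntalk   dgram  udp wait   root /usr/lbin/ntalkd    ntalkd
printer stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon -i
EOF

# inetd_service_active FILE SERVICE
# Exit 0 if FILE has an uncommented line whose first field is SERVICE.
# Matching on the first field avoids touching e.g. "tftp" when asked for "ftp".
inetd_service_active() {
    awk -v svc="$2" '
        /^[[:space:]]*#/ { next }            # skip commented lines
        $1 == svc        { found = 1 }
        END              { exit found ? 0 : 1 }
    ' "$1"
}

# disable_inetd_service FILE SERVICE
# Comment out every active line whose first field is SERVICE. Writes through
# a temp file and renames, since in-place sed editing is not POSIX.
disable_inetd_service() {
    tmp="$1.tmp.$$"
    awk -v svc="$2" '
        /^[[:space:]]*#/ { print; next }     # already disabled, keep as-is
        $1 == svc        { print "#" $0; next }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# active_services FILE
# Print the service name of every active (uncommented, non-blank) line.
active_services() {
    awk '/^[[:space:]]*#/ { next } NF > 0 { print $1 }' "$1"
}

# Apply the items from this section. "auth" is included because the ident
# entry may be listed under either name.
for svc in ftp auth ident kshell klogin ntalk printer; do
    disable_inetd_service "$INETD_CONF" "$svc"
done

# On a real HP-UX host the running inetd must reread the file afterwards
# (inetd -c); not run here because this works on a constructed copy.
echo "still active:"
active_services "$INETD_CONF"
```

After the loop the only active entry in the sample file is telnet, which this section does not cover; `active_services` is the check to run after editing the real file, before reloading inetd.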
