Server hardening is one of the first things that should be looked into when securing any information infrastructure.<\/p>\n
<\/p>\n
\n
\nWhat are the basic things <\/b>to be looked into during server hardening?<\/p>\n
<\/p>\n
\n– Remove unnecessary applications
\n– Tighten configurations on remaining applications\/ services
\n– Set proper network options
\n– Tighten user accounts
\n– Monitor system files<\/p>\n
<\/p>\n
\nLet us now see how to handle these issues for AIX Servers <\/b><\/p>\n
<\/p>\n
\n – Remove unnecessary applications<\/b>
\na. Use netstat -af inet or a tool like nmap and remove those applications which you do not require.
\nb. From \/etc\/inittab remove applications that you do not need. Some usually unnecessary applications include:
\npiobe, qdaemon – Used for scheduling printing
\nhttpsdlite, inmss, inqss – Used for docsearch (which is easily replaced with ‘man’)
\ndt – Used for common desktop environment – not needed on servers
\nc. Remove entries from \/etc\/rc.tcpip which starts the TCP\/IP daemons
\nautocon6, lpd, routed, named, timed, rwhod, snmpd, mrouted may be some of the daemons you do not need
\nd. Remove entries from \/etc\/inetd.conf
\nThe inetd daemon is like a master server that invokes other daemons
\nSome of the applications that are not required include: telnet, rlogin, rsh, ftp, comsat (only required if mail is used), finger, talk, ntalk, sprayd, pcnfsd, echo, chargen, time, daytime and discard
\nBootp & tftp: Use only if remote booting of clients is required<\/p>\n
<\/p>\n
\n– Tighten configurations on remaining services<\/b>
\na. Secure DNS – restrict zone transfers, restrict dynamic updates, restrict recursions, restrict queries, restrict DNS cache update
\nb. Secure Sendmail – Get the latest version, apply patches, deny VRFY, EXPN, use PrivacyOptions in the configuration file, do not run sendmail as root, turn off banner information etc.
\nc. Secure SNMP: Use hard to guess community strings, use the latest versions; do not use SNMP v1, <\/p>\n
<\/p>\n
\n– Set proper network options<\/b>
\nNetwork options determine how TCP, IP and ICMP behave.
\nProtect against SYN attacks, smurf attacks, prevent ICMP redirects and source routing<\/p>\n
<\/p>\n
\n– Tighten user accounts<\/b>
\na. remove unnecessary default accounts like uucp, nuucp, lpd, imnadm, guest etc.
\nb. User attributes like number of login retries, preventing root from remotely logging in etc can be done in \/etc\/security\/user
\nc. Secure root user: Disable remote login, set up exceptionally strong passwords, make extensive use of roles to limit root logins
\nd. Set up strong password policy: \/etc\/security\/user
\nUse a dictionary (words in the dictionary cannot be used in passwords), implement histexpire (number of weeks before passwords can be reused), maxage (number of weeks before password expires), minalpha, minother, minlength, mindiff (minimum number of characters in the new password that must be different from the old password), passwarntime.<\/p>\n
<\/p>\n
\n– Monitor system logs and files<\/b>
\n\/var\/adm\/sulog – use of ‘su’ command
\n\/var\/adm\/wtmp – all logins and logouts
\n\/etc\/security\/failedlogin – Failed logins
\nfind \/ -perm -0007 -type d -ls (World writable directories)
\nfind \/ -perm -2 -type f -ls (World writable files)
\ncronadm cron -l (monitor cron jobs)
\ncronadm at -l (monitor at jobs)<\/p>\n
<\/p>\n
\n","protected":false},"excerpt":{"rendered":"
Server hardening is one of the first things that should be looked into when securing any information infrastructure. <\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-1561","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-pb","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/1561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=1561"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/1561\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=1561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=1561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=1561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}