By all means, install SGI security-related patches. For instance, recent
break-ins on campus exploited a hole in unpatched IRIX 6.2 autofs.
I don't know what patches are available for IRIX 5.x; perhaps you might
want to upgrade to 6.5.x (that also requires upgrading to at least
xwin-nmr 2.5; older versions will not work!).
If you are running a version of xwin-nmr below 2.5, you should also
have a look at:
http://www.bruker.de/analytic/nmr-dep/nmrsoftw/passwd/mailing/mail12.htm
You need an account to access the page(s). If you don't have one, go to:
http://www.bruker.de/analytic/nmr-dep/account.htm
As for disabling services, the safest approach is to enable only the services you know
you actually need. If you notice problems, enable the missing service as required.
In addition to those listed by Karen Ann, we don't use:
- tcpmux: has been exploited by crackers. Not enabled on our systems.
- ttdbserverd: has been exploited by crackers. Not enabled on our systems.
- tftpd: has been one of the earliest security holes. Not enabled on our systems.
From /etc/inetd.conf:
# ToolTalk Database Server
# ttdbserverd/1 stream rpc/tcp wait root ?/usr/etc/rpc.ttdbserverd rpc.ttdbserverd
# TCPMUX based services
# Impressario network scanning support
#tcpmux/sgi_scanner stream tcp nowait root ?/usr/lib/scan/net/scannerd scannerd
# Printer daemon for passing client requests to lpsched
#tcpmux/sgi_printer stream tcp nowait root ?/usr/lib/print/printerd printerd
Using ssh instead of telnet and rlogin is a good idea. There are two versions of ssh,
the original ssh1 (latest version 1.2.27) and ssh2. There are some problems compiling ssh1
under IRIX. One problem is easy to solve (the 'projects' feature); the other is more subtle.
Ssh can be compiled to use tcp wrappers. It is important that the tcp wrappers and ssh are
compiled with the same compiler version. I had libwrap.a compiled with the 7.1 compiler and
used 7.2 for ssh. The result was that /etc/hosts.allow was read, but nothing was restricted...
Recompiling tcp wrappers made it work.
Another potential problem is that it might be possible for anyone to get an xdm login screen.
I am not 100% certain, but, to me, it looks like the default is to allow any host to request
an xdm session on udp port 177, completely bypassing the tcp_wrappers. To fix this, in
/var/X11/xdm/xdm-config, add
! SECURITY: do not listen for XDMCP or Chooser requests
DisplayManager.requestPort: 0
and restart Xsgi (or reboot). Note that this is not unique to SGI; XFree86 (Linux, etc.)
has the same default.
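One way to check a host against the two recommendations above (the inetd.conf services and the xdm-config requestPort setting), as an added example that is not from the original post: it runs against a constructed inetd.conf and xdm-config rather than real files, and assumes only standard awk and grep.

```shell
#!/bin/sh
# Added example (not from the original post): audit an inetd.conf for the services
# this post leaves disabled (tftpd, ttdbserverd, tcpmux) and check xdm-config for
# the XDMCP listener. Sample files are constructed, not copied from a real IRIX host.

# Service names as they appear in inetd.conf; "/1" or "/sgi_scanner" suffixes are ignored.
RISKY_SERVICES="tftp ttdbserverd tcpmux"

# Print the first field of every active (uncommented) line whose base service name is risky.
enabled_risky_services() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) flag[r[i]] = 1 }
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        { base = $1; sub(/\/.*/, "", base)     # ttdbserverd/1 -> ttdbserverd
          if (base in flag) print $1 }
    ' "$1"
}

# Succeed only if xdm-config carries the hardening line "DisplayManager.requestPort: 0".
xdmcp_disabled() {
    grep -Eq '^[[:space:]]*DisplayManager\.requestPort:[[:space:]]*0[[:space:]]*$' "$1"
}

# Constructed inetd.conf: tftp and tcpmux still enabled, ttdbserverd already commented out.
write_sample_inetd() {
    cat > "$1" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/etc/ftpd    ftpd -l
tftp    dgram   udp     wait    guest   /usr/etc/tftpd   tftpd -s /usr/local/boot
# ttdbserverd/1 stream rpc/tcp wait root ?/usr/etc/rpc.ttdbserverd rpc.ttdbserverd
tcpmux/sgi_scanner stream tcp nowait root ?/usr/lib/scan/net/scannerd scannerd
EOF
}

# Constructed xdm-config; pass "0" as $2 to include the hardening line, anything else to omit it.
write_sample_xdm_config() {
    {
        echo 'DisplayManager.errorLogFile: /var/X11/xdm/xdm-errors'
        if [ "$2" = "0" ]; then echo 'DisplayManager.requestPort: 0'; fi
    } > "$1"
}

# Run the audit against the constructed inetd.conf when executed directly.
tmp=$(mktemp) && write_sample_inetd "$tmp"
echo "Risky services still enabled:"
enabled_risky_services "$tmp"
rm -f "$tmp"
```

On a real host, point enabled_risky_services at /etc/inetd.conf and xdmcp_disabled at /var/X11/xdm/xdm-config instead of the constructed files.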
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rudi Nunlist Phone: (510) 642-6407 FAX: (510) 642-8369
University of California Email: nmrlab@purcell.cchem.berkeley.edu
College of Chemistry
NMR Facility
Berkeley, CA 94720-1460 Personal email:rnunlist@purcell.cchem.berkeley.edu
www.cchem.berkeley.edu/College/Facilities/nmr
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=