- In /etc/inittab the line for local services must be present:

      diagd:2:once:/usr/lpp/diagnostics/bin/diagd >/dev/console 2>&1
      rclocal:2:once:/etc/rc.local # starting local services
      dt:2:wait:/etc/rc.dt

  Note that /etc/rc.local must have execute permissions:

      chmod g+x /etc/rc.local
      chmod u+x /etc/rc.local
- In /etc/rc.local set some protective network options:

      # set network options to improve performance and security
      echo "Setting network options"
      # protection against SYN flood attacks
      /usr/sbin/no -o clean_partial_conns=1
      # protection against ICMP redirects
      /usr/sbin/no -o ipignoreredirects=1
      # protection against illegal access via source routing
      /usr/sbin/no -o ipsendredirects=0
      /usr/sbin/no -o ipsrcroutesend=0
      /usr/sbin/no -o ipsrcrouteforward=0
      /usr/sbin/no -o ip6srcrouteforward=0
      /usr/sbin/no -o tcp_pmtu_discover=0
      /usr/sbin/no -o udp_pmtu_discover=0
- In /etc/rc.local enable the ssh-related startups (also check/verify prngd and ssh):

      startsrc -s prngd # not necessary for AIX >= 5.2 or if installed via Toolbox
      startsrc -s sshd # not necessary for AIX >= 5.2 or if installed via Toolbox
- If insecure services like rsh, ftp, et al. must be enabled, at least use tcp_wrappers for monitoring, in /etc/inetd.conf:

      ftp stream tcp6 nowait root /opt/bin/tcpd ftpd -l -u077
      shell stream tcp6 nowait root /opt/bin/tcpd rshd
      telnet stream tcp6 nowait root /opt/bin/tcpd telnetd # AIX 3.2
      telnet stream tcp6 nowait root /opt/bin/tcpd telnetd -a # AIX > 3.2, better performance
      login stream tcp6 nowait root /opt/bin/tcpd rlogind

  Here /opt/bin/tcpd is the actual TCP wrapper, installed as extra freeware. For AIX >= 5.3, the TCP wrapper comes as the netsec fileset and the daemon resides in /usr/sbin/tcpd. In this case, do not forget to configure the /etc/hosts.* files. Use

      refresh -s inetd

  to activate changes made in /etc/inetd.conf.

  With wrappers active, root access may be allowed via /.rhosts; the general format is

      <machine>.gsi.de root
      <machine> root

  This list should be restricted to an absolute minimum, for admin purposes only.
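The two checks below are an added example, not part of the original notes: they audit an inetd.conf-style file for services that are not passed through the tcpd wrapper (either of the two paths named above), and compare `no -o name` style output (assumed here to print `name = value`) against the hardened values set in rc.local above. The sample inputs are constructed, including the hypothetical unwrapped /usr/sbin/telnetd entry.

```shell
#!/bin/sh
# Added audit helpers for the rc.local network options and the
# tcp_wrappers entries in /etc/inetd.conf. Runs offline on sample data.

# Print "service program" for each active inetd.conf line whose server
# program is not one of the tcpd paths named in the notes.
unwrapped_services() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        NF >= 6 && $6 != "/opt/bin/tcpd" && $6 != "/usr/sbin/tcpd" {
            print $1, $6
        }
    ' "$1"
}

# Compare "name = value" lines (the format `no -o name` is assumed to
# print) against the hardened values. Prints "name expected actual"
# for every option that drifted from the intended setting.
no_option_drift() {
    awk '
        BEGIN {
            want["clean_partial_conns"] = 1; want["ipignoreredirects"] = 1
            want["ipsendredirects"] = 0;     want["ipsrcroutesend"] = 0
            want["ipsrcrouteforward"] = 0;   want["ip6srcrouteforward"] = 0
            want["tcp_pmtu_discover"] = 0;   want["udp_pmtu_discover"] = 0
        }
        $2 == "=" && ($1 in want) && $3 != want[$1] { print $1, want[$1], $3 }
    ' "$1"
}

# Constructed inetd.conf sample: two wrapped services, one bare telnetd.
sample_inetd() {
    printf '%s\n' \
        '# inetd.conf sample (constructed)' \
        'ftp stream tcp6 nowait root /opt/bin/tcpd ftpd -l -u077' \
        'shell stream tcp6 nowait root /opt/bin/tcpd rshd' \
        'telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a'
}

# Constructed `no -o` output with ipignoreredirects left at the default.
sample_no() {
    printf '%s\n' 'clean_partial_conns = 1' 'ipignoreredirects = 0' \
        'ipsrcrouteforward = 0'
}

inetd_file=$(mktemp); no_file=$(mktemp)
sample_inetd > "$inetd_file"; sample_no > "$no_file"
unwrapped_services "$inetd_file"   # prints: telnet /usr/sbin/telnetd
no_option_drift "$no_file"         # prints: ipignoreredirects 1 0
rm -f "$inetd_file" "$no_file"
```

On a real host, run the first check against /etc/inetd.conf and the second against the output of `/usr/sbin/no -o <name>` for each option, after every `refresh -s inetd` or reboot.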