Startup procedures and profiles


Startup

  1. In /etc/inittab the entry for local services (rclocal) must be present; it is shown here together with its neighbouring diagd and dt entries:
    diagd:2:once:/usr/lpp/diagnostics/bin/diagd >/dev/console 2>&1
    rclocal:2:once:/etc/rc.local # starting local services
    dt:2:wait:/etc/rc.dt
    
    Note that /etc/rc.local must have execute permissions:
    chmod g+x /etc/rc.local
    chmod u+x /etc/rc.local
    
  2. In /etc/rc.local
    set some protective network options:
    # set network options to improve performance and security
    echo "Setting network options"
    # protection against SYN flood attacks: discard half-open connections when the queue fills up
    /usr/sbin/no -o clean_partial_conns=1
    # protection against ICMP redirects: neither accept nor send them (redirects can re-route traffic)
    /usr/sbin/no -o ipignoreredirects=1
    /usr/sbin/no -o ipsendredirects=0
    # protection against illegal access via source routing (IPv4 and IPv6)
    /usr/sbin/no -o ipsrcroutesend=0
    /usr/sbin/no -o ipsrcrouteforward=0
    /usr/sbin/no -o ip6srcrouteforward=0
    # disable path MTU discovery, which relies on ICMP messages that can be spoofed or filtered
    /usr/sbin/no -o tcp_pmtu_discover=0
    /usr/sbin/no -o udp_pmtu_discover=0
    
    Values set with "no -o" do not survive a reboot, which is why they are set here at every start; on AIX >= 5.2 they can instead be made permanent with "no -p -o name=value", which records them in /etc/tunables/nextboot.
    
  3. In /etc/rc.local start the ssh-related subsystems (check first with lssrc -s prngd and lssrc -s sshd that both subsystems are defined):
    startsrc -s prngd # not necessary for AIX >= 5.2 (which has /dev/random) or if installed via Toolbox
    startsrc -s sshd  # not necessary for AIX >= 5.2 or if installed via Toolbox
    
  4. If insecure services like rsh, ftp, telnet et al. must be enabled, at least run them through tcp_wrappers, so that every connection is logged and can be restricted per client host; in /etc/inetd.conf:
    ftp     stream  tcp6    nowait  root    /opt/bin/tcpd       ftpd -l -u077
    shell   stream  tcp6    nowait  root    /opt/bin/tcpd       rshd
    telnet  stream  tcp6    nowait  root    /opt/bin/tcpd       telnetd       # AIX 3.2
    telnet  stream  tcp6    nowait  root    /opt/bin/tcpd       telnetd -a    # AIX > 3.2, better performance
    login   stream  tcp6    nowait  root    /opt/bin/tcpd       rlogind
    
    Where /opt/bin/tcpd is the actual TCP wrapper daemon, installed separately as freeware.
    From AIX 5.3 on, TCP wrapper is shipped with AIX in the netsec fileset and the daemon resides in /usr/sbin/tcpd; use that path in /etc/inetd.conf instead.
    In either case the access lists /etc/hosts.allow and /etc/hosts.deny must be configured (deny everything in hosts.deny, then permit the required client hosts per service in hosts.allow); without them tcpd logs every connection but refuses none.
    Use
    refresh -s inetd
    
    to activate changes made in /etc/inetd.conf.
    With the wrappers in place, root access via rsh/rlogin may be allowed from selected hosts through /.rhosts; the general format is one line per host, with both the fully qualified and the short name, since the client name is matched as it is reverse-resolved from the connecting address:
    <machine>.gsi.de root
    <machine>        root
    
    Never use the "+" wildcard. This list must be kept to an absolute minimum, for admin purposes only.
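    The following audit script is an added example for the four steps above; it is not part of the original page. It checks that the "no" tunables from step 2 are actually in effect, that every enabled service in /etc/inetd.conf goes through tcpd (step 4), and that /.rhosts holds nothing but "<machine> root" entries. It assumes the "name = value" line format of "no -a" output; the sample data embedded below (tunable dump, inetd.conf lines, /.rhosts lines with placeholder host names) is constructed for this example, and on a real host the real "no -a" output and files are piped into the functions instead.

```shell
#!/bin/sh
# Added audit script for the startup hardening steps (not from the page).
# Each check reads its input from stdin, so the constructed samples below
# stand in for "no -a", /etc/inetd.conf and /.rhosts.

# Tunables exactly as set in step 2, one name=value per line.
WANT_NO='clean_partial_conns=1
ipignoreredirects=1
ipsendredirects=0
ipsrcroutesend=0
ipsrcrouteforward=0
ip6srcrouteforward=0
tcp_pmtu_discover=0
udp_pmtu_discover=0'

# check_no_options: stdin is "no -a" output (lines of "   name = value").
# Prints every tunable that is missing or differs; returns their count.
check_no_options() {
    actual=$(cat)
    bad=0
    for want in $WANT_NO; do
        name=${want%%=*}
        value=${want#*=}
        have=$(printf '%s\n' "$actual" | sed -n "s/^ *$name *= *\([^ ]*\).*/\1/p")
        if [ -z "$have" ]; then
            echo "$name: not reported by no -a"
            bad=$((bad + 1))
        elif [ "$have" != "$value" ]; then
            echo "$name = $have (want $value)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# unwrapped_inetd_services: stdin is /etc/inetd.conf. Prints the service
# name of each enabled entry whose server program (field 6) is not tcpd.
unwrapped_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { prog = $6; sub(/.*\//, "", prog)
                                   if (prog != "tcpd") print $1 }'
}

# rhosts_findings: stdin is /.rhosts. Prints every non-comment line that is
# not exactly "<machine> root" ("+" wildcards, other users, extra fields);
# returns 1 if anything was flagged.
rhosts_findings() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         NF != 2 || $2 != "root" || $1 == "+" { print; found = 1 }
         END { exit found }'
}

# Constructed sample data (not captured from a real host):
# ipsendredirects is wrong and udp_pmtu_discover is missing on purpose.
SAMPLE_NO='      clean_partial_conns = 1
        ipignoreredirects = 1
          ipsendredirects = 1
           ipsrcroutesend = 0
        ipsrcrouteforward = 0
       ip6srcrouteforward = 0
        tcp_pmtu_discover = 0'
# exec deliberately bypasses tcpd; the tftp line is commented out.
SAMPLE_INETD='ftp     stream  tcp6    nowait  root    /opt/bin/tcpd       ftpd -l -u077
shell   stream  tcp6    nowait  root    /opt/bin/tcpd       rshd
telnet  stream  tcp6    nowait  root    /opt/bin/tcpd       telnetd -a
login   stream  tcp6    nowait  root    /opt/bin/tcpd       rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
#tftp   dgram   udp     wait    nobody  /usr/sbin/tftpd     tftpd -n'
# Placeholder host names; the last two lines should be flagged.
SAMPLE_RHOSTS='adminhost.gsi.de root
adminhost        root
+ root
backuphost.gsi.de oper'

# run_audit: runs the three checks over the samples; returns 1 on findings.
run_audit() {
    rc=0
    echo "== no tunables not in effect =="
    printf '%s\n' "$SAMPLE_NO" | check_no_options || rc=1
    echo "== inetd services not wrapped by tcpd =="
    found=$(printf '%s\n' "$SAMPLE_INETD" | unwrapped_inetd_services)
    if [ -n "$found" ]; then echo "$found"; rc=1; fi
    echo "== /.rhosts entries other than '<machine> root' =="
    printf '%s\n' "$SAMPLE_RHOSTS" | rhosts_findings || rc=1
    return "$rc"
}

run_audit
```

    On a real host the same functions are fed with "no -a | check_no_options", "check_no_options < /etc/inetd.conf" replaced by "unwrapped_inetd_services < /etc/inetd.conf", and "rhosts_findings < /.rhosts"; a non-zero exit from run_audit means at least one of the steps above is not in effect.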

Profiles


Last update: 26-Apr-2013, M.Kraemer
