Special Security Configuration for UNIX in the DMZ

Limiting access into the NNM system is where security begins. Shut down all network services first, then turn on just the ones you need. Remove all user accounts and then add back the ones you need. To start from a deny-by-default position, the file /etc/hosts.deny should contain (at least initially) the line:

ALL: ALL 

in order to disable access to all services and all systems. Then you can open up the inbound telnet service to some systems by adding a line to the /etc/hosts.allow file as follows:


You may also consider completely disabling telnet and using secure shell (ssh) for remote access instead. Many UNIX system administrators swear by ssh.

To further deter spoofing attempts, you may want to configure the ident service so that client hosts are required to cooperate by running identd. This service returns the login name of the user requesting a network connection. See the manpages for hosts.allow, hosts.deny, snmpd.conf, and identd for more detail. Note that identd (identification daemon) and inetd (internet daemon) are different, yet are easily confused.

Ensure that shadow passwords are enabled. Configure the file /etc/securetty to contain only the console device entry, so root can't log in directly through the network. This forces every user to log in as a normal user first. Disable the .rhosts feature. Enable auditing and take advantage of ITO to monitor failed login attempts (or at least write a few simple scripts for this task). NIS and NFS services should also be disabled to prevent network access to the file system. All daemons that normally run continuously, are started at boot time, and don't provide an essential service should be disabled.

All non-essential network services controlled by inetd are commented out of the inetd.conf file. Also consider using “TCP wrappers” to control connections to and from inetd. It can allow/disallow connections based on port and/or address. If FTP is important, ensure that /etc/hosts.allow is used to limit access to this service. On an HP-UX system take advantage of /usr/adm/inetd.sec to limit access to network services to the golden subnet.

Configure the NNM system to use DNS servers intended for the DMZ, but if the number of managed devices is relatively small, it is safer to use a local /etc/hosts file instead to ensure configuration control. At the very least, you should take advantage of the BIND version 8 security features.

In general, try to avoid autoconfiguring protocols like ARP and RIP. You should hand-configure the IP and MAC addresses of all devices in the DMZ into the ARP table to avoid spoofing. All routing protocols should be disabled and static routes used instead.

Finally, as a general rule, there should be no world-writable files. Since there are many of these on UNIX systems, and because NNM also creates and uses some, you have to write a script to find them all and modify the permissions. This should be done at installation time, after patches are installed, and then periodically, because the running software may create new world-writable files during normal operation. Where NNM genuinely needs write access to certain files, the NNM processes should be configured to execute under an additional group, and all of those files should be owned by that group.
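The script the paragraph above calls for, as an added example that is not from the book or from NNM itself: it lists and (optionally) fixes world-writable files and directories under a tree, leaving symlinks and sticky directories such as /tmp alone. The demo tree it builds is constructed sample input, not a real NNM installation.

```shell
#!/bin/sh
# World-writable file audit for a DMZ host (added example, not NNM code).
# Skips symlinks (find -type f/-type d never matches them without -L) and
# sticky directories, whose sticky bit already prevents other users from
# removing each other's files. -xdev keeps a scan of / off NFS mounts and /proc.

_ww_find() {
    # $1: directory to scan; remaining args: the find action to apply.
    _d=$1; shift
    find "$_d" -xdev \( -type f -o \( -type d ! -perm -1000 \) \) -perm -0002 "$@"
}

find_world_writable() {
    # Print every offending path under $1, one per line.
    _ww_find "$1" -print
}

fix_world_writable() {
    # $1: directory; $2: "apply" to clear the world-write bit, else dry run.
    # Prints the number of paths found (counted before any change is made).
    _n=$(find_world_writable "$1" | wc -l | tr -d ' ')
    if [ "${2:-dry-run}" = apply ] && [ "$_n" -gt 0 ]; then
        _ww_find "$1" -exec chmod o-w {} +
    fi
    echo "$_n"
}

make_demo_tree() {
    # Constructed sample tree for trying the functions; prints its path.
    _t=$(mktemp -d)
    mkdir "$_t/tmp" "$_t/cfg" "$_t/open"
    chmod 1777 "$_t/tmp"                  # sticky and world-writable: left alone
    chmod 0755 "$_t/cfg"
    chmod 0777 "$_t/open"                 # world-writable directory: fixed
    printf 'x\n' > "$_t/cfg/ok.conf";  chmod 0644 "$_t/cfg/ok.conf"
    printf 'x\n' > "$_t/cfg/bad.conf"; chmod 0666 "$_t/cfg/bad.conf"   # fixed
    ln -s "$_t/cfg/bad.conf" "$_t/cfg/link"   # symlink itself is not matched
    echo "$_t"
}

# Usage: sh fix-ww.sh /some/dir [apply]   (no arguments: define functions only)
if [ $# -gt 0 ]; then
    fix_world_writable "$1" "${2:-dry-run}"
fi
```

Run it in dry-run mode first and review the listing, since some vendor-installed paths are expected to be world-writable and need case-by-case judgement before the bit is removed.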
