[rescue] irix insecurity (was: Sparcstation 2 help! Please)

G W Adkins rescue at sunhelp.org
Sun Sep 23 22:04:32 CDT 2001


> > System Security involves three things, physical access control, network
> > access control, and eliminating exploitable scenarios in software and
> > the OS.
>
> My viewpoint on this is that I could probably secure an IRIX box doing
> normal Web stuff, like HTTP, SCP, SSH, and mail (I really don't
> recommend FTP to customers, but some of them insist they want it so...)
> using the following:
>
> vi (to edit inetd.conf)
> tcp_wrappers
> postfix as a replacement for sendmail
> ipfilter (or similar, whatever is the best implementation for IRIX)
>
> block whatever is not 80, 22, 25, + ICMP etc. and you are done.
>
> Am I wrong about that?  This does assume that the local users are not
> trying to hack the box - that would take a little longer to secure.  In
> some cases my users only need scp, thus, I would disable shell logins.
>
No, you are not wrong. There might be some other things you would want to
do, security patching and the like, but the approach is sound, namely:
1. Control physical access to the box (locked up on premises, not sitting
unattended in a lobby)
2. Control network access (port control as you stated, perhaps source
address control for non-public services)
3. Eliminate exploits (security audit of the services listening on those
ports)

You've covered most of the bases as far as a non-local user hack.  Account
control, password security and enforcement, and regular audit and maintenance
cover the other aspects.  This is simplistic, but it covers the bases for
most machines in most instances.  You can get tougher and tighter by putting
in hardened firewalls, intrusion detection, etc.
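
An added example, not part of the original message: a small check to run after editing inetd.conf as described in the thread, flagging any service still enabled that is not on an allowlist or that bypasses tcp_wrappers. The function names, the /usr/sbin/tcpd path and the sample entries are assumptions constructed for illustration; only the standard inetd.conf field order is relied on.

```sh
#!/bin/sh
# Added example: audit an inetd.conf-style file against an allowlist.
# Standard inetd.conf fields: service socket proto wait user server args...

# Usage: audit_inetd "<allowed service names>" < inetd.conf
# Prints one verdict per active (uncommented) entry; returns 1 on any finding.
audit_inetd() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }          # commented out or blank: disabled
        NF < 6 { print "MALFORMED line " NR; bad = 1; next }
        {
            base = $6; sub(/.*\//, "", base)     # basename of the server program
            if (!($1 in ok))         v = "NOT-ALLOWED"  # should be commented out
            else if (base != "tcpd") v = "UNWRAPPED"    # allowed, but not behind tcp_wrappers
            else                     v = "OK"
            if (v != "OK") bad = 1
            print v, $1 "/" $3, $6
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input (hypothetical paths, not taken from a real host).
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream tcp nowait root  /usr/sbin/tcpd   ftpd -l
telnet  stream tcp nowait root  /usr/etc/telnetd telnetd
#shell  stream tcp nowait root  /usr/etc/rshd    rshd
tftp    dgram  udp wait   guest /usr/etc/tftpd   tftpd
EOF
}

# Demo: only ftp is meant to stay enabled on this host.
sample_inetd_conf | audit_inetd "ftp" || echo "findings present: edit inetd.conf and re-run"
```

Services such as HTTP, SSH and mail that run as standalone daemons do not appear in inetd.conf, so this check covers only the inetd side of the approach; the packet filter rules still need their own review.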



