A Study on Improving AIX Security

Posted by djb1008 on 2010-08-18

To improve the security of IBM AIX and bring the system up to the security baseline, a set of hardening operations has to be carried out. To reduce the workload, avoid repeated manual steps and human error, and make the work more efficient, I wrote a batch hardening script which, together with the related configuration files, achieves automated security hardening. The concrete steps are as follows:

1. Download the TCP Wrapper installation package (netsec.options) and generate the .toc file

2. Edit the configuration files ftpusers, hosts.allow, hosts.deny and inetd.conf

3. Edit the script file secure.sh

4. Package the hardening directory for batch hardening of AIX hosts

5. Use the hardening package to harden a new AIX host

6. Check the results of the hardening

Note: the configuration files, the installation file and the hardening script are all kept in the /setup directory.

This article covers AIX version 5.3.


1. Download the TCP Wrapper installation package (netsec.options) and generate the .toc file

Some information on where the tcp_wrapper installation file (netsec.options) comes from:

Network security options TCP Wrapper 1.1.0.0

TCP Wrapper is a simple open source tool to monitor and control incoming network traffic. The TCP Wrapper home page is located at:

ftp://ftp.porcupine.org/pub/security/index.html

TCP Wrapper is added to the netsec.options package on the AIX 5.3 Expansion Pack.

Source document <>

If you have the AIX 5.3 Expansion Pack media at hand, search it for the netsec.options file.

#cd /setup

#ls -lt netsec.options

-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options

#inutoc .

This generates the installation table of contents (.toc) for netsec.options, which secure.sh later uses when it runs installp automatically.

# ls -lt .toc

-rw-r--r-- 1 root system 1881 Aug 18 09:50 .toc

2. Edit the configuration files ftpusers, hosts.allow, hosts.deny and inetd.conf

The AIX hardening template and the contents of the related configuration files are as follows:

# cd /setup

# ls

.toc ftpusers hosts.allow hosts.deny inetd.conf netsec.options secure.sh

# ls -lt

total 888

-rwxr--r-- 1 root system 1162 Aug 18 08:53 secure.sh

-rw-r--r-- 1 root system 5 Aug 17 17:09 ftpusers

-rw-r--r-- 1 root system 1881 Aug 17 16:42 .toc

-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options

-rw-r--r-- 1 root system 5137 Aug 17 16:21 inetd.conf

-rw-r--r-- 1 root system 787 Aug 17 16:20 hosts.allow

-rw-r--r-- 1 root system 126 Aug 17 16:20 hosts.deny

# more ftpusers

root

Note: the root user is not allowed to log in to this host over ftp.

# more hosts.allow

……

ftpd:30.216.18.128:allow

ftpd:30.216.18.128:allow

sshd:30.216.18.1268:allow

sshd:30.216.18.128:allow

Note: because the telnet service is disabled in inetd.conf, only the access permissions for ftp and ssh need to be set here.

For how to disable telnet and install or upgrade ssh on AIX, see my blog post: http://djb1008.itpub.net/post/42280/502007.

This is where the list of IP addresses allowed to reach the host is set: only the machines in this list can connect to this host over ftp or ssh.
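Before copying hosts.allow to a fleet of hosts it is worth checking the entries mechanically. The script below is an added example, not part of the original post: it validates each daemon:client[:option] line, rejects client addresses that are not a dotted quad with every octet in 0..255, and reports duplicate entries. Run on the entries shown above it flags the repeated ftpd line and the sshd entry whose last octet (1268) is out of range.

```shell
# Added example (not part of the original post): sanity-check hosts.allow
# entries of the form daemon:client[:option] before they are deployed.

# Constructed sample copied from the entries listed above.
HOSTS_ALLOW_SAMPLE='ftpd:30.216.18.128:allow
ftpd:30.216.18.128:allow
sshd:30.216.18.1268:allow
sshd:30.216.18.128:allow'

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# check_hosts_allow: read entries from stdin, print one problem per line and
# return the number of problems found (0 means the file looks sane).
check_hosts_allow() {
    problems=0
    seen=" "
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        daemon=${line%%:*}
        rest=${line#*:}
        client=${rest%%:*}
        if ! valid_ipv4 "$client"; then
            echo "bad client address: $line"
            problems=$((problems + 1))
        fi
        case "$seen" in *" $daemon:$client "*)
            echo "duplicate entry: $line"
            problems=$((problems + 1)) ;;
        esac
        seen="$seen$daemon:$client "
    done
    return $problems
}

printf '%s\n' "$HOSTS_ALLOW_SAMPLE" | check_hosts_allow
echo "problems found: $?"
```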

# more hosts.deny

ALL : ALL : severity auth.info

# more inetd.conf

## service socket protocol wait/ user server server program

## name type nowait program arguments

##

ftp stream tcp6 nowait root /usr/sbin/tcpd ftpd

#telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a

shell stream tcp6 nowait root /usr/sbin/rshd rshd

#kshell stream tcp nowait root /usr/sbin/krshd krshd

login stream tcp6 nowait root /usr/sbin/rlogind rlogind

#klogin stream tcp nowait root /usr/sbin/krlogind krlogind

exec stream tcp6 nowait root /usr/sbin/rexecd rexecd

#comsat dgram udp wait root /usr/sbin/comsat comsat

#uucp stream tcp nowait root /usr/sbin/uucpd uucpd

#bootps dgram udp wait root /usr/sbin/bootpd bootpd /etc/bootptab

##

## Finger, systat and netstat give out user information which may be

## valuable to potential "system crackers." Many sites choose to disable

## some or all of these services to improve security.

##

#finger stream tcp nowait nobody /usr/sbin/fingerd fingerd

#systat stream tcp nowait nobody /usr/bin/ps ps -ef

#netstat stream tcp nowait nobody /usr/bin/netstat netstat -f inet

#

#tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n

#talk dgram udp wait root /usr/sbin/talkd talkd

#ntalk dgram udp wait root /usr/sbin/talkd talkd

#

# rexd uses very minimal authentication and many sites choose to disable

# this service to improve security.

#

#rquotad sunrpc_udp udp wait root /usr/sbin/rpc.rquotad rquotad 100011 1

#rexd sunrpc_tcp tcp wait root /usr/sbin/rpc.rexd rexd 100017 1

#rstatd sunrpc_udp udp wait root /usr/sbin/rpc.rstatd rstatd 100001 1-3

#rusersd sunrpc_udp udp wait root /usr/lib/netsvc/rusers/rpc.rusersd rusersd 100002 1-2

#rwalld sunrpc_udp udp wait root /usr/lib/netsvc/rwall/rpc.rwalld rwalld 100008 1

#sprayd sunrpc_udp udp wait root /usr/lib/netsvc/spray/rpc.sprayd sprayd 100012 1

#pcnfsd sunrpc_udp udp wait root /usr/sbin/rpc.pcnfsd pcnfsd 150001 1-2

#echo stream tcp nowait root internal

#discard stream tcp nowait root internal

#chargen stream tcp nowait root internal

#daytime stream tcp nowait root internal

#time stream tcp nowait root internal

#echo dgram udp wait root internal

#discard dgram udp wait root internal

#chargen dgram udp wait root internal

#daytime dgram udp wait root internal

#time dgram udp wait root internal

## The following line is for installing over the network.

#instsrv stream tcp nowait netinst /u/netinst/bin/instsrv instsrv -r /tmp/netinstalllog /u/netinst/scripts

#imap2 stream tcp nowait root /usr/sbin/imapd imapd

#pop3 stream tcp nowait root /usr/sbin/pop3d pop3d

ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1

cmsd sunrpc_udp udp wait root /usr/dt/bin/rpc.cmsd cmsd 100068 2-5

wsmserver stream tcp nowait root /usr/websm/bin/wsmserver wsmserver -start

xmquery dgram udp wait root /usr/bin/xmtopas xmtopas -p3

#example of the use of tcpwrapper with telnet

#telnet stream tcp6 nowait root /usr/sbin/tcpd telnetd -a

#auth stream tcp6 nowait root /usr/sbin/authd authd

Note: most unnecessary services are stopped: finger, telnet, ftp, sendmail, time, echo, discard, daytime, chargen, comsat, klogin, kshell, ntalk, talk, tftp, uucp, dtspc.

Disabling a service is simple: put a # at the start of the corresponding line.
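hosts.allow and hosts.deny only apply to services that inetd starts through /usr/sbin/tcpd, so it helps to list which enabled entries actually go through the wrapper. The script below is an added example, not from the original post; it reads an inetd.conf (a constructed sample modelled on the entries above) and reports every enabled service as wrapped or unwrapped.

```shell
# Added example (not from the original post): audit an inetd.conf for enabled
# services and report which ones are NOT started through /usr/sbin/tcpd,
# since hosts.allow and hosts.deny only govern services that tcpd starts.

# write_sample_inetd FILE: constructed sample mirroring the entries above.
write_sample_inetd() {
cat > "$1" <<'EOF'
## service socket protocol wait/ user server server program
ftp       stream tcp6 nowait root   /usr/sbin/tcpd            ftpd
#telnet   stream tcp6 nowait root   /usr/sbin/telnetd         telnetd -a
shell     stream tcp6 nowait root   /usr/sbin/rshd            rshd
login     stream tcp6 nowait root   /usr/sbin/rlogind         rlogind
exec      stream tcp6 nowait root   /usr/sbin/rexecd          rexecd
#finger   stream tcp  nowait nobody /usr/sbin/fingerd         fingerd
wsmserver stream tcp  nowait root   /usr/websm/bin/wsmserver  wsmserver -start
EOF
}

# active_services FILE: print "<service> wrapped|unwrapped" for every
# enabled (uncommented) line; field 6 is the server program path.
active_services() {
    awk '$1 !~ /^#/ && NF >= 6 {
        printf "%s %s\n", $1, ($6 == "/usr/sbin/tcpd") ? "wrapped" : "unwrapped"
    }' "$1"
}

# unwrapped_count FILE: how many enabled services bypass tcpd.
unwrapped_count() {
    active_services "$1" | awk '$2 == "unwrapped"' | wc -l | tr -d ' '
}

# list_unwrapped FILE: names of the enabled services that bypass tcpd.
list_unwrapped() {
    active_services "$1" | awk '$2 == "unwrapped" { printf "%s%s", sep, $1; sep = " " }'
}

F=/tmp/inetd.conf.sample.$$
write_sample_inetd "$F"
active_services "$F"
echo "not covered by hosts.allow/hosts.deny: $(list_unwrapped "$F")"
rm -f "$F"
```

On the sample this reports shell, login, exec and wsmserver as unwrapped; point it at /etc/inetd.conf to audit a real host.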

3. Edit the script file secure.sh

# more secure.sh

#!/bin/sh
# secure.sh: batch hardening for AIX 5.3; run as root from /setup
cd /setup || exit 1

# install tcp_wrapper (netsec.options) from the current directory, using the .toc built by inutoc
/usr/lib/instl/sm_inst installp_cmd -a -Q -d '.' -f '_all_latest' '-c' '-N' '-g' '-X' '-G' '-Y'

# back up the configuration files that are about to be replaced or edited
mv /etc/hosts.deny /etc/hosts.deny.bak
mv /etc/hosts.allow /etc/hosts.allow.bak
mv /etc/inetd.conf /etc/inetd.conf.bak
mv /etc/ftpusers /etc/ftpusers.bak
cp /etc/profile /etc/profile.bak
cp /etc/security/user /etc/security/user.bak

# install the new configuration files from /setup into /etc
cp /setup/hosts.deny /etc
cp /setup/hosts.allow /etc
cp /setup/inetd.conf /etc
cp /setup/ftpusers /etc

# remove unneeded system users (-p also removes their password entries)
rmuser -p lp
rmuser -p uucp
rmuser -p nuucp
rmuser -p lpd
rmuser -p invscout

# lock these accounts and disable login
chuser account_locked=true login=false imnadm
chuser account_locked=true login=false ldap
chuser account_locked=true login=false snapp

# disable login for these system accounts
chuser login=false daemon
chuser login=false bin
chuser login=false sys
chuser login=false adm

# update the default password policy in /etc/security/user
# (the history attribute is spelled histsize)
chsec -f /etc/security/user -s default -a "minalpha = 4" -a "minother = 1" -a "maxage = 52" -a "minlen = 8" -a "minage = 1" -a "histsize = 10" -a "mindiff = 2"

# make inetd re-read the new inetd.conf
refresh -s inetd

# stop sendmail and keep it from starting on the next reboot
stopsrc -s sendmail
chrctcp -d sendmail

# set the shell idle timeout to 600 seconds and the user umask to 022.
# Build the new /etc/profile in a temporary file: appending the filtered
# output of a file back onto that same file duplicates its contents.
chmod u+w /etc/profile
grep -v -e TMOUT -e umask /etc/profile > /tmp/profile.new
echo 'TMOUT=600' >> /tmp/profile.new
echo 'umask 022' >> /tmp/profile.new
cp /tmp/profile.new /etc/profile && rm -f /tmp/profile.new
chmod u-w /etc/profile

4. Package the hardening directory for batch hardening of AIX hosts

#cd /setup

#ls -lt

total 888

-rw-r--r-- 1 root system 1881 Aug 18 09:50 .toc

-rw-r--r-- 1 root system 6 Aug 18 09:00 ftpusers

-rwxr--r-- 1 root system 1162 Aug 18 08:53 secure.sh

-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options

-rw-r--r-- 1 root system 5137 Aug 17 16:21 inetd.conf

-rw-r--r-- 1 root system 787 Aug 17 16:20 hosts.allow

-rw-r--r-- 1 root system 126 Aug 17 16:20 hosts.deny

#tar -cvf /tmp/secure.tar /setup

5. Use the hardening package to harden a new AIX host

Note: copy or ftp secure.tar into the /tmp directory of the new AIX host; the following operations are carried out on the new AIX host.

#mkdir /setup

# tar -xvf /tmp/secure.tar /setup

x /setup

x /setup/hosts.allow, 787 bytes, 2 media blocks.

x /setup/hosts.deny, 126 bytes, 1 media blocks.

x /setup/ftpusers, 6 bytes, 1 media blocks.

x /setup/inetd.conf, 5137 bytes, 11 media blocks.

x /setup/secure.sh, 1162 bytes, 3 media blocks.

x /setup/netsec.options, 422912 bytes, 826 media blocks.

x /setup/.toc, 1881 bytes, 4 media blocks.

# cd /setup

# ls -lt

total 888

-rw-r--r-- 1 root system 1881 Aug 18 09:50 .toc

-rw-r--r-- 1 root system 6 Aug 18 09:00 ftpusers

-rwxr--r-- 1 root system 1162 Aug 18 08:53 secure.sh

-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options

-rw-r--r-- 1 root system 5137 Aug 17 16:21 inetd.conf

-rw-r--r-- 1 root system 787 Aug 17 16:20 hosts.allow

-rw-r--r-- 1 root system 126 Aug 17 16:20 hosts.deny

#./secure.sh

6. Check the results of the hardening

# lssrc -l -s inetd

Subsystem Group PID Status

inetd tcpip 245912 active

……

Service Command Description Status

xmquery /usr/bin/xmtopas xmtopas -p3 active

wsmserver /usr/websm/bin/wsmserver wsmserver -start active

cmsd /usr/dt/bin/rpc.cmsd cmsd 100068 2-5 active

ttdbserver /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1 active

exec /usr/sbin/rexecd rexecd active

login /usr/sbin/rlogind rlogind active

shell /usr/sbin/rshd rshd active

ftp /usr/sbin/tcpd ftpd active

Note: the finger, telnet, ftp, sendmail, time, echo, discard, daytime, chargen, comsat, klogin, kshell, ntalk, talk, tftp, uucp and dtspc subservices have all been stopped.

In addition, if a user's password does not meet the hardening settings, the user will be asked to change it at login, and the new password must also satisfy the password policy. The password policy set by this installation is:

at least 4 alphabetic characters, at least 1 non-alphanumeric character, a maximum password age of 52, a minimum length of 8, a minimum password age of 1, a history of 10 passwords that cannot be reused, and at least 2 characters different from the old password. The command that sets this is: chsec -f /etc/security/user -s default -a "minalpha = 4" -a "minother = 1" -a "maxage = 52" -a "minlen = 8" -a "minage = 1" -a "histsize = 10" -a "mindiff = 2"
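To confirm on the target host that chsec really applied the policy, the default stanza of /etc/security/user can be compared against the intended values. The script below is an added example, not from the original post: stanza_attr reads one attribute from a named stanza of a stanza-format file (a constructed sample is used here), and check_policy reports every attribute that is missing or differs from the page's policy, so an unset or misspelled attribute name shows up as a mismatch.

```shell
# Added example (not from the original post): read the default stanza of an
# AIX /etc/security/user-style file and compare it with the password policy
# the page sets via chsec. AIX counts maxage and minage in weeks.
# write_sample_user FILE: constructed sample in /etc/security/user stanza format.
write_sample_user() {
cat > "$1" <<'EOF'
default:
        minalpha = 4
        minother = 1
        maxage = 52
        minlen = 8
        minage = 1
        histsize = 10
        mindiff = 2

root:
        histsize = 0
EOF
}

# stanza_attr FILE STANZA ATTR: print the attribute's value, empty if unset.
stanza_attr() {
    awk -v st="$2" -v at="$3" '
        /^[^ \t#].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == st && $1 == at && $2 == "=" { print $3; exit }' "$1"
}

# Policy from the page (chsec arguments), as attribute=value pairs.
POLICY="minalpha=4 minother=1 maxage=52 minlen=8 minage=1 histsize=10 mindiff=2"

# check_policy FILE: print each mismatch; return the number of mismatches,
# so an unset or misspelled attribute name counts as a failure.
check_policy() {
    bad=0
    for pair in $POLICY; do
        attr=${pair%%=*}; want=${pair#*=}
        got=$(stanza_attr "$1" default "$attr")
        if [ "$got" != "$want" ]; then
            echo "$attr: expected $want, found '${got:-unset}'"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

F=/tmp/security.user.sample.$$
write_sample_user "$F"
check_policy "$F" && echo "default stanza matches the password policy"
rm -f "$F"
```

On a real host, call check_policy /etc/security/user instead of the sample file.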

After the setup, only the machines listed in /etc/hosts.allow can access this host over ssh.

If the NetBackup backup client is installed, the NetBackup client process needs to be restarted:

#/etc/rc.client.netbackup

From the "ITPUB Blog", link: http://blog.itpub.net/32980/viewspace-1037007/. Please credit the source when reposting; otherwise legal liability will be pursued.
