Administrator's Guide

Table 4-1 Internet Services Components and Access Verification, Authorization, and Authentication (continued)

| Internet Services Component | Access Verification, Authorization, or Authentication Mechanism |
|---|---|
| rlogin (remote login) | Password verification or entry in $HOME/.rhosts or /etc/hosts.equiv file. Also can use Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See rlogin(1). |
| telnet (remote login using TELNET protocol) | Password verification. If the TAC User ID option is enabled by the telnetd daemon, telnet uses $HOME/.rhosts or /etc/hosts.equiv file. See telnet(1) and telnetd(1M). |

NOTE: Information (including passwords) is passed between two systems in clear text
and is not encrypted. Use Internet Services only between hosts that are well-known and
defined to each other and within a private internal network behind a firewall. When
communicating over an untrusted network, secure the communications using IPSec or
Kerberos.

Remote Access Services connect remote systems in a network. By default, the remote
access services function in a nonsecure environment. To function in a secure environment,
enable the Kerberos V5 network authentication. In a nonsecure environment, you must
have a login name and password to access a remote system, and the login name is not
checked for authentication and authorization. In a secure environment, you need not
have a login name and password. When you attempt to connect to a remote system, the
Kerberos protocol checks if the user is allowed to access the remote system.

4.1.1 Securing ftp

An unauthorized user might try to gain access to a system by using the ftp command.
Following are some suggestions to prevent this problem:

• Enable ftp logging in /etc/inetd.conf by using the ftpd -l command.
• Review the ftp logs in /var/adm/syslog/syslog.log and /var/adm/syslog/xferlog for unusual remote access attempts. See syslogd(1M) and xferlog(5).
• Deny ftp access to guest, root, and other accounts by listing them in /etc/ftpd/ftpusers. See ftpusers(4).
• Regularly search for and remove users' ~/.netrc files. The .netrc file contains login, password, and account information used by the ftp autologin process, by the rexec() library routine, and by the rexec command. See netrc(4).
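
The checks in the list above can be scripted. The following sh sketch is an added example, not part of the guide: it reports whether the ftp line in inetd.conf passes -l to ftpd, which of root and guest are absent from ftpusers, and which home directories hold a .netrc file. The function names, the use of /etc/passwd to locate home directories, and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): report on the ftp checks listed above.
# File paths are arguments so the checks can be run against copies.

# Succeeds if the ftp line of an inetd.conf-format file passes -l to ftpd.
ftpd_logging_enabled() {
    awk '$1 == "ftp" { for (i = 8; i <= NF; i++) if ($i == "-l") ok = 1 }
         END { exit !ok }' "$1"
}

# Prints each named account that is NOT listed in the ftpusers file.
missing_ftpusers() {
    file=$1; shift
    for acct in "$@"; do
        grep -qxF "$acct" "$file" 2>/dev/null || echo "$acct"
    done
}

# Prints each .netrc found in a home directory named in a passwd-format file.
netrc_files() {
    awk -F: '$6 != "" { print $6 }' "$1" | sort -u |
    while read -r home; do
        if [ -f "$home/.netrc" ]; then echo "$home/.netrc"; fi
    done
}

# Runs all three checks; defaults are the guide's paths plus /etc/passwd.
audit() {
    ftpd_logging_enabled "${1:-/etc/inetd.conf}" || echo "ftpd -l not set"
    missing_ftpusers "${2:-/etc/ftpd/ftpusers}" root guest | sed 's/^/ftp not denied: /'
    netrc_files "${3:-/etc/passwd}" | sed 's/^/.netrc present: /'
}

# Constructed sample files: no -l, guest not denied, one user with a .netrc.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/home/alice" "$d/home/bob"
    echo 'ftp stream tcp nowait root /usr/lbin/ftpd ftpd' > "$d/inetd.conf"
    echo 'root' > "$d/ftpusers"
    printf 'alice:x:101:20::%s/home/alice:/sbin/sh\n' "$d" > "$d/passwd"
    printf 'bob:x:102:20::%s/home/bob:/sbin/sh\n' "$d" >> "$d/passwd"
    echo 'machine ftp.example.com login alice password SAMPLE' > "$d/home/alice/.netrc"
    echo "$d"
}

s=$(make_sample); audit "$s/inetd.conf" "$s/ftpusers" "$s/passwd"; rm -rf "$s"
```

The script only reports; whether to remove a .netrc file or add an account to ftpusers is left to the administrator.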
68 Remote Access Security Administration