HP-UX Profiles

Startup

  1. In /etc/inittab the entry for local services must be present:
    rlcl::bootwait:/etc/rc.local >/dev/console 2>&1 # id field: at most 4 characters! place this entry before ...
    vue :34:respawn:/etc/vuerc                      # ... the VUE validation and invocation entry (9.x), so rc.local runs first
    
    Note that /etc/rc.local must exist and must be executable. Since init runs it as root at boot, it must also be owned by root and must not be writable by group or others:
    touch     /etc/rc.local
    chmod g+x /etc/rc.local
    chmod u+x /etc/rc.local
    
  2. ! In /etc/rc.local
    set some protective network options. (/usr/sbin/no is the AIX network-options command; the corresponding tool on HP-UX is ndd. Values set with no -o take effect immediately but are lost at reboot, which is why they are set here in rc.local.)
    # set network options to improve performance and security
    echo "Setting network options"
    # protection against SYN flood attacks: drop half-open connections when the listen queue is full
    /usr/sbin/no -o clean_partial_conns=1
    # ignore incoming ICMP redirects (they could otherwise be used to alter our routing table)
    /usr/sbin/no -o ipignoreredirects=1
    # do not send ICMP redirects ourselves
    /usr/sbin/no -o ipsendredirects=0
    # do not send or forward source-routed packets (IPv4 and IPv6); source routing lets a sender dictate the path and bypass routing-based access controls
    /usr/sbin/no -o ipsrcroutesend=0
    /usr/sbin/no -o ipsrcrouteforward=0
    /usr/sbin/no -o ip6srcrouteforward=0
    # disable path MTU discovery for TCP and UDP (it depends on accepting ICMP "fragmentation needed" messages); this can cost throughput on paths with a small MTU
    /usr/sbin/no -o tcp_pmtu_discover=0
    /usr/sbin/no -o udp_pmtu_discover=0
    
  3. ! In /etc/ssh/ssh_config
    enable ForwardX11. Note that X11 forwarding gives the remote host access to the local X display, so this is appropriate only for the trusted in-house servers this profile is meant for.
  4. ! In /etc/ssh/sshd_config
    allow X11Forwarding, disable UsePrivilegeSeparation, and set the correct sftp-server location (/usr/sbin/sftp-server in the Subsystem sftp line).
    UsePrivilegeSeparation is a hardening feature (the part of sshd that talks to a not yet authenticated client runs as an unprivileged user in an empty chroot directory); disable it only where sshd fails to start with it enabled, typically because the sshd user or the empty directory (usually /var/empty) does not exist on the system.
  5. ! In /etc/rc.local ssh related startups (startsrc is the AIX SRC command; prngd, if used, must be running before sshd is started, hence the order):
    startsrc -s prngd # not necessary for AIX 5.2 ? (prngd is only needed where OpenSSH has no kernel random device to read; AIX 5.2 provides /dev/urandom)
    startsrc -s sshd
    
  6. ! If insecure services like rsh, ftp, telnet etc. are to be enabled, use at least tcp_wrappers, in /etc/inetd.conf:
    ftp     stream  tcp6    nowait  root    /local/bin/tcpd       ftpd -l -u077
    shell   stream  tcp6    nowait  root    /local/bin/tcpd       rshd
    telnet  stream  tcp6    nowait  root    /local/bin/tcpd       telnetd -a
    login   stream  tcp6    nowait  root    /local/bin/tcpd 
    
    where /local/bin/tcpd is the actual TCP wrapper. tcpd enforces the access lists in /etc/hosts.allow and /etc/hosts.deny; without them it only logs and lets every connection through, so set a default deny in hosts.deny and list the permitted hosts per daemon in hosts.allow. In this case, root access from some machines may be allowed via /.rhosts (this grants password-less root logins over rsh/rlogin from the listed hosts):
    <machine>.gsi.de root
    
    The general format is
    <machine>.gsi.de root
    <machine>        root
    
    This list should be restricted to an absolute minimum, for admin purposes only. Never use the "+" wildcard, and keep /.rhosts owned by root and not writable by anyone else.
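
The option set of item 2 as an audit script. This is an added example, not part of the original GSI profile: it checks a snapshot of "no -a" output against that list and prints the no -o commands for any deviation, which is a convenient way to verify after boot that rc.local really applied the settings. It assumes the AIX "no -a" output format "name = value"; the embedded snapshot is constructed for offline use and is only read when /usr/sbin/no is absent.

```shell
#!/bin/sh
# Audit the AIX "no" network options of item 2 and print the commands to fix drift.
# Added example for this page, not part of the original GSI profile.

# The hardening set from /etc/rc.local, one name=value per line.
DESIRED_NO_OPTIONS='clean_partial_conns=1
ipignoreredirects=1
ipsendredirects=0
ipsrcroutesend=0
ipsrcrouteforward=0
ip6srcrouteforward=0
tcp_pmtu_discover=0
udp_pmtu_discover=0'

# Constructed sample of "no -a" output (format "name = value") for offline runs;
# two options deliberately deviate. On a real host the live output is used instead.
SAMPLE_NO_OUTPUT='          clean_partial_conns = 0
            ipignoreredirects = 1
              ipsendredirects = 1
               ipsrcroutesend = 0
            ipsrcrouteforward = 0
           ip6srcrouteforward = 0
            tcp_pmtu_discover = 0
            udp_pmtu_discover = 0
                    arptab_nb = 73'

# no_deviations FILE
# For every desired option, prints "name current wanted" when FILE (a "no -a"
# snapshot) shows a different value; "-" stands for an option missing from FILE.
no_deviations() {
    for want in $DESIRED_NO_OPTIONS; do
        name=${want%%=*}
        value=${want#*=}
        have=$(awk -v n="$name" '$1 == n && $2 == "=" { print $3; exit }' "$1")
        [ -z "$have" ] && have=-
        [ "$have" = "$value" ] || echo "$name $have $value"
    done
}

# audit_no_options FILE
# Prints a human-readable report; the return value is the number of deviations,
# so 0 means the host matches the hardening set.
audit_no_options() {
    no_deviations "$1" | while read -r name have want; do
        if [ "$have" = - ]; then
            echo "MISSING  $name (wanted $want)"
        else
            echo "DRIFT    $name = $have (wanted $want)"
        fi
    done
    count=$(no_deviations "$1" | wc -l | tr -d ' ')
    return "$count"
}

# remediation_commands FILE
# Prints the no -o commands that bring the host back to the desired state.
remediation_commands() {
    no_deviations "$1" | while read -r name have want; do
        echo "/usr/sbin/no -o $name=$want"
    done
}

# Stand-alone run: live "no -a" where available, otherwise the constructed sample.
snapshot=${TMPDIR:-/tmp}/no-snapshot.$$
if [ -x /usr/sbin/no ]; then
    /usr/sbin/no -a > "$snapshot"
else
    printf '%s\n' "$SAMPLE_NO_OUTPUT" > "$snapshot"
fi
if audit_no_options "$snapshot"; then
    echo "all network options match the hardening set"
else
    echo "to remediate, run as root:"
    remediation_commands "$snapshot"
fi
rm -f "$snapshot"
```

Run it as root after boot; a non-zero exit status means rc.local did not leave the host in the desired state, and the printed no -o lines are exactly what is missing.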

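For item 6, an added example that is not from the original page: the tcp_wrappers access lists that tcpd needs, rendered as default deny plus an explicit admin-host list, and a lint of /.rhosts against the format given above (two fields, user root, no "+" wildcard or netgroup). The daemon name rlogind for the login line and the host names in the sample are assumptions.

```shell
#!/bin/sh
# tcp_wrappers policy and /.rhosts checks for the inetd services of item 6.
# Added example for this page, not part of the original GSI profile.

# Daemon names as tcpd sees them: the basename of the server program given in
# /etc/inetd.conf. rlogind for the "login" line is an assumption (the page leaves
# that field empty).
WRAPPED_DAEMONS="ftpd rshd telnetd rlogind"

# render_hosts_allow HOST...
# Prints an /etc/hosts.allow admitting only the named admin hosts to the wrapped
# daemons. Syntax is "daemon_list : client_list"; both lists are space separated.
render_hosts_allow() {
    printf '# admin hosts only; everything else is rejected by hosts.deny\n'
    printf '%s : %s\n' "$WRAPPED_DAEMONS" "$*"
}

# render_hosts_deny
# Prints a default-deny /etc/hosts.deny. Without this file tcpd lets every
# connection through and only logs it.
render_hosts_deny() {
    printf 'ALL : ALL\n'
}

# lint_rhosts FILE
# Checks a /.rhosts against the page's rule: every entry is "<host> root" or
# "<host>.gsi.de root", nothing else. Prints one line per bad entry and returns
# their number (0 = clean).
lint_rhosts() {
    awk '
        NF == 0 { next }                                # blank lines
        /^[ \t]*#/ { next }                             # comments
        NF != 2 { bad++; print "line " NR ": expected \"<host> <user>\": " $0; next }
        $1 ~ /^[+@]/ || $2 ~ /^[+@]/ {                  # "+" wildcard or @netgroup
            bad++; print "line " NR ": wildcard or netgroup entry: " $0; next }
        $2 != "root" { bad++; print "line " NR ": only root entries belong here: " $0; next }
        END { exit bad + 0 }
    ' "$1"
}

# Stand-alone run on a constructed /.rhosts (host names are made up).
rhosts_sample=${TMPDIR:-/tmp}/rhosts-sample.$$
printf 'lxadm1.gsi.de root\nlxadm2 root\n+ +\nlxuser1.gsi.de alice\n' > "$rhosts_sample"
if lint_rhosts "$rhosts_sample"; then
    echo "/.rhosts sample is clean"
else
    echo "$? bad entries; suggested hosts.allow / hosts.deny:"
    render_hosts_allow lxadm1.gsi.de lxadm2.gsi.de
    render_hosts_deny
fi
rm -f "$rhosts_sample"
```

Write the rendered output to /etc/hosts.allow and /etc/hosts.deny as root; the daemon names in hosts.allow must match the basename of the program that tcpd starts from the inetd.conf line, otherwise the rule silently never matches and the default deny applies.
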
Profiles

/etc/d.profile
Last update: 16-Sep-2006, M.Kraemer