HP UX Bastille User Manual page 48

Version b.3.3
Question modules

is the best way to do it. You should only block Secure Shell access if you have an alternate, secure method to manage your machine (such as physical access to the console or a secure terminal server) or if you do not use Secure Shell. Otherwise, answer no to this question.

Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

    # do allow SecureShell incoming connections
    pass in quick proto tcp from any to any port = 22 flags S keep state keep frags

Actions: IPFilter.block_wbem
Headline: BLOCK incoming WBEM https connections with IPFilter.
Default: N
Description: Web-Based Enterprise Management (WBEM) is a Distributed Management Task Force (DMTF) industry standard, http(s)-based management protocol which features encryption and authentication. It is much better than SNMP, which has a history of security issues and is by default a clear-text, unauthenticated protocol. Like SNMP, WBEM can be a powerful aid in managing multiple machines, and it is by default much more secure. However, any service can be a security risk, so you should block it if you are not going to use it.

Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

    # do allow wbem incoming connections
    pass in quick proto tcp from any to any port = 5989 flags S keep state keep frags

Actions: IPFilter.block_webadmin
Headline: BLOCK incoming web admin connections with IPFilter.
Default: Y
Description: Port 1188 is used by web-based tools that are replacements for areas of SAM. The listener on this port is the HP release of Apache with a custom configuration file that loads only a minimum set of modules. It is also restricted to use https for all communication and can only be used to run the system management tools. In general, this web server is running only when in use. It exits after a period of inactivity. Disabling this port means that some system administration functions are only available using the command line.

Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

    # do allow webadmin incoming connections
    pass in quick proto tcp from any to any port = 1188 flags S keep state keep frags
    # do allow webadminautostart incoming connections
    pass in quick proto tcp from any to any port = 1110 flags S keep state keep frags

Actions: IPFilter.configure_ipfilter
Headline: Set up basic firewall rules with these properties.
Default: N
Description: Firewalls generally make up the first line of defense in any network security architecture. IPFilter is a free, host-based firewall which is available for HP-UX. It looks like you have IPFilter installed, but that does not mean that it has been
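The following audit script is an added example, not part of the manual or of HP-UX Bastille. It parses "pass in" rules in the format shown above and checks them against the answers given to the block_wbem and block_webadmin questions (Y means the port should have no pass rule, N means it should). The module-to-port mapping is taken from the descriptions above; the sample ruleset is constructed.

```python
"""Audit an IPFilter ruleset against HP-UX Bastille block_* answers (added example)."""
import re

# Ports governed by each question module, as described in the manual.
MANAGED_PORTS = {
    "IPFilter.block_wbem": (5989,),
    "IPFilter.block_webadmin": (1188, 1110),
}

# Matches the rule form used by Bastille: "pass in quick proto tcp from any to any port = N ..."
RULE_RE = re.compile(
    r"^pass\s+in\s+quick\s+proto\s+tcp\s+from\s+any\s+to\s+any\s+port\s*=\s*(\d+)\b"
)


def allowed_tcp_ports(ipf_conf_text):
    """Return the set of TCP ports that have an incoming 'pass in' rule."""
    ports = set()
    for line in ipf_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        m = RULE_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def audit(ipf_conf_text, answers):
    """Compare the ruleset with Bastille answers ('Y' = block, 'N' = do not block).

    Returns a list of (module, port, finding) tuples, one per mismatch."""
    allowed = allowed_tcp_ports(ipf_conf_text)
    findings = []
    for module, answer in answers.items():
        for port in MANAGED_PORTS[module]:
            if answer == "Y" and port in allowed:
                findings.append((module, port, "blocked per answer but a pass rule exists"))
            elif answer == "N" and port not in allowed:
                findings.append((module, port, "allowed per answer but no pass rule found"))
    return findings


# Constructed sample: WBEM passed as answered, but port 1188 still open despite block_webadmin = Y.
SAMPLE_CONF = """\
# do allow SecureShell incoming connections
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
# do allow wbem incoming connections
pass in quick proto tcp from any to any port = 5989 flags S keep state keep frags
pass in quick proto tcp from any to any port = 1188 flags S keep state keep frags
block in all
"""
SAMPLE_ANSWERS = {"IPFilter.block_wbem": "N", "IPFilter.block_webadmin": "Y"}

if __name__ == "__main__":
    for module, port, why in audit(SAMPLE_CONF, SAMPLE_ANSWERS):
        print(f"{module}: port {port}: {why}")
```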