Thursday, 5 November 2015
AIX announces AIX 7.2
I found this article in the latest release of the AIX Systems Magazine: http://www.ibmsystemsmag.com/aix/trends/whatsnew/aix72-commitment/
Whilst I am encouraged to hear that IBM continues to develop AIX I cannot help feeling that they are now retreating within themselves and no longer talking to the rest of the IT World as many of the new features can only be described as niche and not really relevant for the rest of us.
For me the killer feature of Linux is the ability to use tools such as YUM to download a product with a single command without having to worry about dependencies. That said there are still some areas where Linux is weak e.g. the lack of a mirrored boot disk, and mksysb.
Sunday, 9 August 2015
Show differences between LPAR Profile and Running configuration on IBM POWER servers
prdiff - Show differences between LPAR Profile and Running configuration on IBM POWER servers
http://prdiff.sourceforge.net/
Sunday, 14 June 2015
Maintaining an AIX firewall
IBM quietly added a firewall capability (known as ipfilters) to AIX 6.1, however they did not do a particularly good job of either publicising or documenting it. You can either configure ipfilt from the command-line or via smit. The ipfilt toolset is part of the LPP: bos.net.ipsec.rte.
1. If you already have an .exp file, make a copy of your firewall rules file (e.g. ipsec_fltr_rule.exp) in a temporary directory; otherwise export the active rules as follows:
# expfilt -v4 -f /tmp/ipfilt.exp
Directory /tmp/ipfilt.exp created.
Filter rule 2 for IPv4 has been exported successfully.
Filter rule 3 for IPv4 has been exported successfully.
Filter rule 4 for IPv4 has been exported successfully.
Filter rule 5 for IPv4 has been exported successfully.
...
..
Filter rule 56 for IPv4 has been exported successfully.
Filter rule(s) have been exported to /tmp/ipfilt.exp/ipsec_fltr_rule.exp successfully.
2. Flush all existing filter rules
/usr/sbin/rmfilt -v4 -n all
3. Import the filter rule file from the directory that contains it (here /root)
/usr/sbin/impfilt -f /root
4. List the imported filter rules
/usr/sbin/lsfilt -v 4 -O
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all 0 none Default Rule
2 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 69 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10569
3 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 67 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10567
4 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 43 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10543
5 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 25 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10525
6 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 19 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10519
7 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 13 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10513
8 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 11 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10511
9 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 666 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105666
10 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 635 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105635
11 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 547 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105547
12 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 546 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105546
13 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 194 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105194
14 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 162 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105162
5. Activate the new rules
/usr/sbin/mkfilt -v4 -u -g start
You can also configure ipfilt from smit as follows:
smitty tcpip
TCP/IP
Move cursor to desired item and press Enter.
Minimum Configuration & Startup
Further Configuration
Use DHCP for TCPIP Configuration & Startup
IPV6 Configuration
Quality of Service Configuration & Startup
Configure IP Security (IPv4)
Configure IP Security (IPv6)
Configure IP Security (IPv4):
Configure IP Security (IPv4)
Move cursor to desired item and press Enter.
Start/Stop IP Security
Basic IP Security Configuration
Advanced IP Security Configuration
Advanced IP Security Configuration:
Advanced IP Security Configuration
Move cursor to desired item and press Enter.
Configure IP Security Filter Rules
List Active IP Security Filter Rules
Activate/Update/Deactivate IP Security Filter Rule
List Encryption Modules
Start/Stop IP Security Filter Rule Log
Start/Stop IP Security Tracing
Backup IKE Database
Restore IKE Database
Initialize IKE Database
View IKE XML DTD
Configure IP Security Filter Rules
Configure IP Security Filter Rules
Move cursor to desired item and press Enter.
List IP Security Filter Rules
Add an IP Security Filter Rule
Change IP Security Filter Rules
Move IP Security Filter Rules
Export IP Security Filter Rules
Import IP Security Filter Rules
Delete IP Security Filter Rules
The important thing to remember is that if you activate the rules and you have made a mistake you will be immediately locked out of your system, so ensure you have a console session open.
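As an added example (not part of the original post), the steps above wrapped in a small sh script that exports the active rules first and automatically restores them unless you confirm the new rule set from a second session (ideally the console) within a grace period. It assumes the expfilt/rmfilt/impfilt/mkfilt commands and directory layout used in the post; the confirmation file /tmp/ipfilt.confirm, the backup directory and the 120 second grace period are assumptions that can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original post: apply a new ipfilt rule set with an
# automatic rollback, so that a wrong rule cannot leave the box unreachable.
# Usage on AIX (run it detached so that a dropped SSH session does not kill it):
#   nohup sh ipfilt_apply.sh /root &     # /root holds the new ipsec_fltr_rule.exp
#   touch /tmp/ipfilt.confirm            # from a second session, once you can still log in
# Assumptions (all overridable via the environment): command paths, confirm file,
# backup directory and grace period.
EXPFILT=${EXPFILT:-/usr/sbin/expfilt}
RMFILT=${RMFILT:-/usr/sbin/rmfilt}
IMPFILT=${IMPFILT:-/usr/sbin/impfilt}
MKFILT=${MKFILT:-/usr/sbin/mkfilt}
BACKUP_DIR=${BACKUP_DIR:-/tmp/ipfilt.backup.$$}
CONFIRM=${CONFIRM:-/tmp/ipfilt.confirm}
GRACE=${GRACE:-120}

# backup_rules: export the currently active IPv4 rules (step 1 of the post)
# into BACKUP_DIR/ipsec_fltr_rule.exp so that they can be re-imported later.
backup_rules() {
    rm -rf "$BACKUP_DIR" && "$EXPFILT" -v4 -f "$BACKUP_DIR"
}

# load_rules DIR: steps 2, 3 and 5 of the post, i.e. flush the table, import
# DIR/ipsec_fltr_rule.exp and activate the result.
load_rules() {
    "$RMFILT" -v4 -n all && "$IMPFILT" -f "$1" && "$MKFILT" -v4 -u -g start
}

# wait_for_confirm SECONDS FILE: return 0 as soon as FILE exists, 1 on timeout.
wait_for_confirm() {
    i=0
    while [ "$i" -lt "$1" ]; do
        [ -f "$2" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# apply_with_rollback NEWDIR: exit status 0 = new rules confirmed and kept,
# 1 = no confirmation in time, previous rules restored, 2 = backup failed
# (nothing changed), 3 = new rules failed to load, previous rules restored.
apply_with_rollback() {
    new_dir=$1
    rm -f "$CONFIRM"
    backup_rules || return 2
    if ! load_rules "$new_dir"; then
        load_rules "$BACKUP_DIR"
        return 3
    fi
    if wait_for_confirm "$GRACE" "$CONFIRM"; then
        echo "new rules confirmed, backup kept in $BACKUP_DIR"
        return 0
    fi
    echo "no confirmation within ${GRACE}s, restoring previous rules"
    load_rules "$BACKUP_DIR"
    return 1
}

# Only act when a rule directory is given, so the functions can also be sourced.
if [ $# -eq 1 ]; then
    apply_with_rollback "$1"
fi
```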
Wednesday, 6 May 2015
An interesting article about MPIO performance
MPIO (Multi-path IO) has always been an interesting and complex subject. This article has some interesting suggestions:
https://www.ibm.com/developerworks/aix/library/au-aix-mpio/
Sunday, 19 April 2015
PCI-DSS 3.1
The latest version of PCI-DSS (3.1) has recently been released (http://searchsecurity.techtarget.com/news/4500244448/PCI-DSS-31-debuts-requires-detailed-new-SSL-security-management-plan) and it includes much tighter rules on the use of certificates and encryption algorithms.
Tuesday, 14 April 2015
Locking-down smit
It is possible to restrict a user's access to smit menus and to stop them escaping to the shell from a smit session:
If you run:
$ export SMIT_SHELL=n
for a user when they press F9 they will see the following error message:
+--------------------------------------------------------------------------+
|                           INFORMATION MESSAGE                            |
|                                                                          |
|  Press Enter or Cancel to return to the                                  |
|  application.                                                            |
|                                                                          |
|  The Shell function is not available for this                            |
|  session.                                                                |
|                                                                          |
|  F1=Help             F2=Refresh            F3=Cancel                     |
|  F8=Image            F10=Exit              Enter=Do                      |
+--------------------------------------------------------------------------+
Menu access can also be restricted by editing "/etc/security/smitacl.user" and adding a stanza for a user e.g.
$ cat /etc/security/smitacl.user
default:
screens = *
funcmode = roles+acl
backup:
screens = shutdown,mksysb
funcmode = roles+acl
Thursday, 26 February 2015
NTP attacks
There are a lot of NTP reflection attacks currently being launched, so it is vital that you check whether your version of NTP is vulnerable.
Run xntpdc as root:
# xntpdc
xntpdc> host <Your server name>
current host set to XXXX
xntpdc> monlist
***Server reports data not found
xntpdc> listpeers
client ntp1.XXX
client ntp0.XXX
broadcast 172.27.1.127
The monlist command should not return any results. You can also launch it directly from the command-line as follows:
# xntpdc -c monlist <IP_Address>
If you have any questions about the configuration of the "/etc/ntp.conf" file you can consult the sample files provided as standard by AIX in the "/usr/samples/xntp" directory:
/usr/samples/xntp/default.conf
/usr/samples/xntp/example.keys
/usr/samples/xntp/localclock.conf
/usr/samples/xntp/ntp.copyrights
If you are using AIX 7.1 you should already have NTPv4 installed, otherwise if you are running AIX 6.1 TL6 (or later) you can download the packages from the "AIX Web Download Pack Programs" site.
NTP4 Install images v7.1.0.3 for AIX 7.1
ntp4-7.1.0.3.tar (1.45 MB)
README-7.1.0.3
README-7.1.0.3.txt (317 B)
NTP4 Install images v6.1.6.3 for AIX 6.1
ntp4-6.1.6.3.tar (1.45 MB)
README-6.1.6.3
README-6.1.6.3.txt (317 B)
It is a good idea to install this version because even the standard version of NTPv4 on AIX 7.1 is affected by the following vulnerabilities:
CVE-2014-9293: Weak default key
CVE-2014-9294: non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys
CVE-2014-9295: Buffer overflow
NTP4-6.1.6.3 for AIX 6.1 contains the fix for the above vulnerabilities.
To restrict the hosts that NTP will respond to edit the "/etc/ntp.conf" file:
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
or
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
https://support.ntp.org/bin/view/Support/AccessRestrictions
http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.files/ntp.htm
You can also further harden your NTP daemon by installing keys:
# /usr/sbin/ntpkeygen4
To use the authentication key file /etc/ntp.new.keys, restart the xntpd daemon as follows:
# /usr/sbin/xntpd -k /etc/ntp.new.keys
The keys are stored in "/etc/ntp.keys" and the daemon will ignore requests from anyone who does not use this key.
If you are using NTPv3 the xntpd executable does not exist.
You can check or switch between NTP versions by manipulating the symbolic-links:
$ ls -ld /usr/sbin/ntp*
drwxr-xr-x 2 root system 256 Dec 15 18:06 /usr/sbin/ntp3
lrwxrwxrwx 1 root system 22 Dec 15 18:06 /usr/sbin/ntpdate -> /usr/sbin/ntp3/ntpdate
lrwxrwxrwx 1 root system 19 Dec 15 18:06 /usr/sbin/ntpq -> /usr/sbin/ntp3/ntpq
lrwxrwxrwx 1 root system 23 Dec 15 18:06 /usr/sbin/ntptrace -> /usr/sbin/ntp3/ntptrace
Wednesday, 18 February 2015
Cimserver
The cimserver service is installed as standard with AIX 6.1 and the service is started from the "/etc/inittab":
$ grep cim /etc/inittab
cimservices:2:once:/usr/bin/startsrc -s cimsys >/dev/null 2>&1
This service can be disabled if Director is not installed.
When first installed the cimserver is configured with a test certificate and this can be a problem for your corporate security policy. To view the test certificate:
$ cd /opt/freeware/cimom/pegasus/etc
$ openssl x509 -noout -in ./cert.pem -subject -dates -hash -fingerprint
subject= /C=UK/ST=Berkshire/L=Reading/O=The Open Group/OU=The OpenPegasus Project/CN=PEGASUS TEST CERTIFICATE-DO NOT USE
notBefore=Aug 27 09:09:25 2014 GMT
notAfter=Aug 24 09:09:25 2024 GMT
0e7a49a9
SHA1 Fingerprint=8C:95:90:02:73:E4:9A:06:26:77:16:F2:98:28:EA:77:B1:94:72:DB
To generate and install a new certificate follow these instructions:
$ cat /opt/freeware/cimom/pegasus/etc/cimlistener.conf
listenerPort="6988"
consumerDir="/usr/lib"
consumerConfigDir="../data/indication"
traceFilePath="/opt/freeware/cimom/pegasus/logs/cimlistener.trc"
#traceComponents="LISTENER"
#traceLevel="4"
The cimserver configuration file is /opt/freeware/cimom/pegasus/etc/cimserver_current.conf; however, this file should not be edited directly. To make changes use the cimconfig command. The default behaviour is to use SSL for communications, however this can also be disabled if required.
Thursday, 29 January 2015
DNS lookup configuration
AIX offers a confusing array of options when configuring your system to be a simple DNS client. The traditional way is to create an "/etc/resolv.conf" file and add the address of up to three DNS servers e.g.
nameserver 192.168.1.40
nameserver 192.168.1.1
nameserver 10.10.1.66
domain mydomain.local
The problem is that this configuration will only ever contact the first nameserver in the list, and only move to the next if the resolution fails, and following a timeout. This can be seen when you login to a server and it takes a long time before the password prompt appears (there could be other reasons for this).
nameserver 192.168.1.40
nameserver 192.168.1.1
nameserver 10.10.1.66
domain mydomain.local
options rotate
options timeout:2
options attempts:2
These additional options cause the resolver to contact the servers on a round-robin basis and to move to the next server after two failed attempts, each with a two second timeout.
options debug
Those that are interested in analysing their traffic can add the debug option, however this will generate a lot of information and affect performance.
The next file to tune is "/etc/netsvc.conf":
hosts=local4,bind
In its simplest form this statement tells AIX to resolve only IPv4 addresses and to check the "/etc/hosts" file before consulting DNS. Using "local,bind" would check both IPv4 and IPv6, and reversing the order, or removing the "local" entry, would give DNS absolute precedence.
It doesn't finish there, as there is also a dedicated network caching daemon (netcd) which is started from the SRC (lssrc -s netcd). The daemon is controlled by "/etc/netcd.conf" and it creates a log file: "/var/tmp/netcd.log".
There is an example configuration file in "/usr/samples/tcpip/netcd.conf".
Wednesday, 28 January 2015
Merging LDAP and local groups
Until recently it was impossible for a user to be a member of both local and LDAP groups, and this made centrally managing applications such as Oracle particularly problematic.
This problem can now be overcome by setting the "domainlessgroups" attribute to true in "/etc/security/login.cfg". The AIX documentation describes it as follows:
"domainlessgroups Defines the system configuration for merging the user's group attributes among LDAP and files Modules. Only files and LDAP modules are supported. Valid values are "true" or "false". "true" :
When this attribute is set as true, the group attribute is merged from the LDAP and files modules i.e. LDAP users can be assigned local groups and vice versa. "false" : When this attribute is set as false, the group attribute is not merged from the LDAP and files modules.
Default value is "false".
Monday, 19 January 2015
Making your AIX network more secure.
These are some common network parameters that should be set in order to improve your system's network efficiency and security.
Network service options
To improve system security, there are several network options that you can change using 0 to disable and 1 to enable. The following list identifies these parameters you can use with the no command.
Parameter | Command | Purpose
arpt_killc | /usr/sbin/no -o arpt_killc=5 | ARP buffer time-out; default value is 20 minutes. To avoid ARP buffer poisoning attacks, this value should be reduced to between 1 and 5 minutes.
bcastping | /usr/sbin/no -o bcastping=0 | Allows response to ICMP echo packets to the broadcast address. Disabling this prevents Smurf attacks.
clean_partial_conns | /usr/sbin/no -o clean_partial_conns=1 | Specifies whether or not SYN (synchronizes the sequence number) attacks are being avoided.
directed_broadcast | /usr/sbin/no -o directed_broadcast=0 | Specifies whether to allow a directed broadcast to a gateway. Setting to 0 helps prevent directed packets from reaching a remote network.
icmpaddressmask | /usr/sbin/no -o icmpaddressmask=0 | Specifies whether the system responds to an ICMP address mask request. Disabling this prevents access through source routing attacks.
ipforwarding | /usr/sbin/no -o ipforwarding=0 | Specifies whether the kernel should forward packets. Disabling this prevents redirected packets from reaching a remote network.
ipignoreredirects | /usr/sbin/no -o ipignoreredirects=1 | Specifies whether to process redirects that are received.
ipsendredirects | /usr/sbin/no -o ipsendredirects=0 | Specifies whether the kernel should send redirect signals. Disabling this prevents redirected packets from reaching a remote network.
ip6srcrouteforward | /usr/sbin/no -o ip6srcrouteforward=0 | Specifies whether the system forwards source-routed IPv6 packets. Disabling this prevents access through source routing attacks.
ipsrcrouteforward | /usr/sbin/no -o ipsrcrouteforward=0 | Specifies whether the system forwards source-routed packets. Disabling this prevents access through source routing attacks.
ipsrcrouterecv | /usr/sbin/no -o ipsrcrouterecv=0 | Specifies whether the system accepts source-routed packets. Disabling this prevents access through source routing attacks.
ipsrcroutesend | /usr/sbin/no -o ipsrcroutesend=0 | Specifies whether applications can send source-routed packets. Disabling this prevents access through source routing attacks.
nonlocsrcroute | /usr/sbin/no -o nonlocsrcroute=0 | Tells the Internet Protocol that strictly source-routed packets may be addressed to hosts outside the local network. Disabling this prevents access through source routing attacks.
tcp_icmpsecure | /usr/sbin/no -o tcp_icmpsecure=1 | Protects TCP connections against ICMP (Internet Control Message Protocol) source quench and PMTUD (Path MTU Discovery) attacks. Checks the payload of the ICMP message to test that the sequence number of the TCP header is within the range of acceptable sequence numbers. Values: 0=off (default); 1=on.
ip_nfrag | /usr/sbin/no -o ip_nfrag=200 | Specifies the maximum number of fragments of an IP packet that can be kept on the IP reassembly queue at a time (the default value of 200 keeps up to 200 fragments of an IP packet in the IP reassembly queue).
rfc1122addrchk | /usr/sbin/no -o rfc1122addrchk=0 | Perform RFC1122 address validation; default is to allow. This should be disabled to block incoming & outgoing SYN packets aimed at loopback and multicast addresses.
rfc1323 | /usr/sbin/no -o rfc1323=1 | Value of 1 indicates that tcp_sendspace and tcp_recvspace can exceed 64KB. Default=0.
tcp_mssdflt | /usr/sbin/no -o tcp_mssdflt=1370 | Default maximum segment size used in communicating with remote networks. Values: Default: 512, Range: 512 to (MTU of local net - 64). Change takes effect immediately. Change is effective until next boot. Permanent change is made by adding the no command to /etc/rc.net. Diagnosis: N/A. Tuning: Increase, if practical.
tcp_conn_request_max | 20-500 | Number of TCP concurrent connections.
tcp_recvspace | /usr/sbin/no -o tcp_recvspace= | Provides the default value of the size of the TCP socket receive buffer. Default: 16384, Range: 0 to 64KB if rfc1323=0, Range: 0 to 4GB if rfc1323=1. Must be less than or equal to sb_max. Should be equal to tcp_sendspace and uniform on all frequently accessed AIX systems.
sb_max | /usr/sbin/no -o sb_max= | Default: 16384, Range: 0 to 64KB if rfc1323=0, Range: 0 to 4GB if rfc1323=1. Must be less than or equal to sb_max. Should be equal to tcp_recvspace and uniform on all frequently accessed AIX systems.
tcp_syn_rcvd_max | 500 | SYN flooding can be used in denial of service attacks.
tcp_sendspace | /usr/sbin/no -o tcp_sendspace= |
tcp_tcpsecure | /usr/sbin/no -o tcp_tcpsecure=7 | Protects TCP connections against vulnerabilities. Values: 0=no protection; 1=sending a fake SYN to an established connection; 2=sending a fake RST to an established connection; 3=injecting data in an established TCP connection; 5-7=combination of the above vulnerabilities.
tcp_pmtu_discover | /usr/sbin/no -o tcp_pmtu_discover=0 | Disabling this prevents access through source routing attacks.
udp_pmtu_discover | /usr/sbin/no -o udp_pmtu_discover=0 | Enables or disables path MTU discovery for TCP applications. Disabling this prevents access through source routing attacks.
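As an added example (not part of the original post), a small sh script that audits a system's running no tunables against the fixed recommended values in the table above (rows that give a range or a blank value are left out) and prints the command to correct each deviation. It assumes the "no -a" output format of one "name = value" line per tunable and the no command's -p flag for a change that also persists across reboots; pass a saved "no -a" listing as the argument to audit it offline.

```shell
#!/bin/sh
# Added example, not from the original post: compare the live 'no' tunables with
# the recommended values from the table and print a fix command per deviation.
# Usage:  sh no_audit.sh             (runs /usr/sbin/no -a on this AIX box)
#         sh no_audit.sh saved.txt   (audits a saved 'no -a' listing offline)
# Assumptions: 'no -a' prints one "   name = value" line per tunable, and
# 'no -p -o name=value' sets the value now and for the next boot.
NO_CMD=${NO_CMD:-/usr/sbin/no}

# Recommended values (the table rows that give a single fixed value)
RECOMMENDED='arpt_killc=5 bcastping=0 clean_partial_conns=1 directed_broadcast=0
icmpaddressmask=0 ipforwarding=0 ipignoreredirects=1 ipsendredirects=0
ip6srcrouteforward=0 ipsrcrouteforward=0 ipsrcrouterecv=0 ipsrcroutesend=0
nonlocsrcroute=0 tcp_icmpsecure=1 ip_nfrag=200 rfc1122addrchk=0 rfc1323=1
tcp_mssdflt=1370 tcp_tcpsecure=7 tcp_pmtu_discover=0 udp_pmtu_discover=0'

# current_value FILE NAME: print NAME's value from a 'no -a' listing in FILE
# (empty output if the tunable is not listed).
current_value() {
    awk -v name="$2" '$1 == name && $2 == "=" { print $3; exit }' "$1"
}

# fix_command NAME VALUE: the no command that applies VALUE now and at reboot.
fix_command() {
    printf '%s -p -o %s=%s\n' "$NO_CMD" "$1" "$2"
}

# audit_no FILE: print "name: current -> recommended  (fix command)" for every
# tunable that deviates from, or is missing in, the listing; the return status
# is the number of deviations, so 0 means the listing is compliant.
audit_no() {
    bad=0
    for entry in $RECOMMENDED; do
        name=${entry%%=*}
        want=${entry#*=}
        have=$(current_value "$1" "$name")
        if [ "$have" != "$want" ]; then
            printf '%s: %s -> %s  (%s)\n' "$name" "${have:-missing}" "$want" \
                "$(fix_command "$name" "$want")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone use: audit a saved listing if one is given, otherwise the live system.
if [ $# -eq 1 ]; then
    audit_no "$1"
elif [ -x "$NO_CMD" ]; then
    listing=$(mktemp)
    "$NO_CMD" -a > "$listing"
    audit_no "$listing"
    rm -f "$listing"
fi
```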
Sunday, 18 January 2015
A quick HMC Tip
This tool can enable you to do some of your shell-based tasks from a menu:
http://sourceforge.net/projects/ezh/files/
Thursday, 8 January 2015
More worrying news for IBMers
IBM's aggressive downsizing strategy seems now to have reached India and I expect that if there are mass redundancies, there will be a lot of Indian ITers looking for work in Europe:
http://www.computerweekly.com/news/2240237667/Millions-of-Indian-IT-staff-could-unionise-putting-low-cost-offshore-model-in-question
Whilst I do agree with most of the article I think it fails to address the fundamental point that off-shoring was to cut costs, and as wages and costs rise in off-shore locations, their appeal wanes accordingly.