Blog

Jan
30

DNS lookup configuration

AIX offers a confusing array of options when configuring your system to be a simple DNS client. The traditional way is to create an “/etc/resolv.conf” file and add the address of up to three DNS servers e.g.

nameserver      192.168.1.40
nameserver      192.168.1.1
nameserver      10.10.1.66
domain  mydomain.local

The problem is that this configuration will only ever contact the first nameserver in the list, and only move to the next if the resolution fails, and following a timeout. This can be seen when you login to a server and it takes a long time before the password prompt appears (there could be other reasons for this).

nameserver      192.168.1.40
nameserver      192.168.1.1
nameserver      10.10.1.66
domain  mydomain.local

options rotate
options timeout:2
options attempts:2

These additional cause the server to contact the servers on a round-robin basis and to move to the next server following two failed attempts, with a two second timeout.

options debug

Those that are interested in analysing their traffic can add the debug option, however this will generate a lot of information and affect performance.

The next file to tune is “/etc/netsvc.conf”:

hosts=local4,bind

In it’s simplest form this statement tells AIX to resolve only IPv4 addresses and to check the “/etc/hosts” file before consulting DNS. This “local,bind” would check both IPv4 and IPv6, and reversing the order, or removing the “local” entry would give DNS absolute precedence.

It doesn’t finish there as there is also a dedicated network caching daemon (netcd) which is started from the SRC (lssrc -s netcd).The daemon is controlled by the “/etc/netcd.conf” and it creates a log file: “/var/tmp/netcd.log”.

There is an example configuration file in “/usr/samples/tcpip/netcd.conf”.

Blog

Jan
30
system-configuration-aix

Merging LDAP and local groups

Until recently it was impossible to have a user that was a member of both local and LDAP groups and this makes centrally managing applications such as Oracle, particularly problematic.

This problem can now be overcome by setting the “domainlessgroups” attribute to true in “/etc/security/login.cfg”. The AIX documentation describes it as follows:

“domainlessgroups Defines the system configuration for merging the user’s group attributes among LDAP and files Modules. Only files and LDAP modules are supported. Valid values are “true” or “false”. “true” : 
When this attribute is set as true, the group attribute is merged from the LDAP and files modules i.e. LDAP users can be assigned local groups and vice versa. “false” : When this attribute is set as false,  the group attribute is not merged from the LDAP and files modules.

Default value is “false”.

Blog

Jan
20

Making your AIX network more secure

These are some common network parameters that should be set in order to improve your system’s network efficiency and security.

Network Service options

To improve system security, there are several network options that you can change using 0 to disable and 1 to enable. The following list identifies these parameters you can use with the nocommand.

Parameter Command Purpose
arpt_killc – arp /usr/sbin/no -o arpt_killc=5 Buffer time-out; default value is 20 minutes. To avoid arp buffer poisoning attacks, this value should be reduced to between 1 and 5 minutes
bcastping /usr/sbin/no -o bcastping=0 Allows response to ICMP echo packets to the broadcast address. Disabling this prevents Smurf attacks.
clean_partial_conns /usr/sbin/no -o clean_partial_conns=1 Specifies whether or not SYN (synchronizes the sequence number) attacks are being avoided.
directed_broadcast /usr/sbin/no -o directed_broadcast=0 Specifies whether to allow a directed broadcast to a gateway. Setting to 0 helps prevent directed packets from reaching a remote network.
icmpaddressmask /usr/sbin/no -o icmpaddressmask=0 Specifies whether the system responds to an ICMP address mask request. Disabling this prevents access through source routing attacks.
ipforwarding /usr/sbin/no -o ipforwarding=0 Specifies whether the kernel should forward packets. Disabling this prevents redirected packets from reaching remote network.
ipignoreredirects /usr/sbin/no -o ipignoreredirects=1 Specifies whether to process redirects that are received.
ipsendredirects /usr/sbin/no -o ipsendredirects=0 Specifies whether the kernel should send redirect signals. Disabling this prevents redirected packets from reaching remote network.
ip6srcrouteforward /usr/sbin/no -o ip6srcrouteforward=0 Specifies whether the system forwards source-routed IPv6 packets. Disabling this prevents access through source routing attacks.
ipsrcrouteforward /usr/sbin/no -o ipsrcrouteforward=0 Specifies whether the system forwards source-routed packets. Disabling this prevents access through source routing attacks.
ipsrcrouterecv /usr/sbin/no -o ipsrcrouterecv=0 Specifies whether the system accepts source-routed packets. Disabling this prevents access through source routing attacks
ipsrcroutesend /usr/sbin/no -o ipsrcroutesend=0 Specifies whether applications can send source-routed packets. Disabling this prevents access through source routing attacks.
nonlocsrcroute /usr/sbin/no -o nonlocsrcroute=0 Tells the Internet Protocol that strictly source-routed packets may be addressed to hosts outside the local network. Disabling this prevents access through source routing attacks.
tcp_icmpsecure /usr/sbin/no -o tcp_icmpsecure=1 Protects TCP connections against ICMP (Internet Control Message Protocol) source quench and PMTUD (Path MTU Discovery) attacks. Checks the payload of the ICMP message to test the sequence number of the TCP header is within the range of acceptable sequence numbers. Values: 0=off (default); 1=on.
ip_nfrag /usr/sbin/no -o ip_nfrag=200 Specifies the maximum number of fragments of an IP packet that can be kept on the IP reassembly queue at a time (default value of 200 keeps up to 200 fragments of an IP packet in the IP reassembly queue).
rfc1122addrchk /usr/sbin/no -o rfc1122addrchk=0 Perform RFC1122 address validation; default is to allow. This should be disabled to block incoming & outgoing SYN packets aimed at loopback and multicast addresses.
rfc1323 /usr/sbin/no -o rfc1323=1 Value of 1 indicates that tcp_sendspace andtcp_recvspace can exceed 64KB. Default=0
tcp_mssdflt /usr/sbin/no -o tcp_mssdflt=1370 Default maximum segment size used in communicating with remote networks. Values: Default: 512, Range: 512 to (MTU of local net – 64) Change takes effect immediately. Change is effective until next boot. Permanent change is made by adding no command to /etc/rc.net.

Diagnosis: N/A Tuning: Increase, if practical.

tcp_conn_request_max       20-500 Number of TCP concurrent connections
tcp_recvspace /usr/sbin/no -o tcp_recvspace= Provide the default value of the size of the TCP socket receive buffer.
Default: 16384, Range: 0 to 64KB if rfc1323=0,
Range: 0 to 4GB if rfc1323=1.
Must be less than or equal to sb_max.Should be equal to tcp_sendspace and uniform on all frequently accessed AIX systems.
sb_max /usr/sbin/no -o sb_max= Default: 16384, Range: 0 to 64KB if rfc1323=0,
Range: 0 to 4GB if rfc1323=1.
Must be less than or equal to sb_max.
Should be equal to tcp_recvspace and uniform on all frequently accessed AIX systems.
tcp_syn_rcvd_max 500 SYN_Flooding can be used in denial of service attacks
tcp_sendspace /usr/sbin/no -o tcp_sendspace=
tcp_tcpsecure /usr/sbin/no -o tcp_tcpsecure=7 Protects TCP connections against vulnerabilities. Values: 0=no protection; 1=sending a fake SYN to an established connection; 2=sending a fake RST to an established connection; 3=injecting data in an established TCP connection; 5-7=combination of the above vulnerabilities.
tcp_pmtu_discover /usr/sbin/no -o tcp_pmtu_discover=0 Disabling this prevents access through source routing attacks.
udp_pmtu_discover /usr/sbin/no -o udp_pmtu_discover=0 Enables or disables path MTU discovery for TCP applications. Disabling this prevents access through source routing attacks.

Blog

Jan
06

Google announces intention to begin deprocating SHA1

Google has announced a provisional plan and timetable to begin reducing support for X.509 certificates that have been signed using SHA1. The industry is now beginning to replace the SHA1 algorithm in favour of SHA2 or perhaps SHA256 because as computers become more powerful, it is becoming more likely that criminals will be able to brute-force exisinting hashes or to produce fake messages that will have the same hash as a legitimate message.

A hash is a string of characters produced when a one-way encryption algorthim processes a message. This process enables a browser or program API to ensure that a message has not been tampered with.
It is meant to be impossible to find two messages that produce the same hash however in reality there are always are, and when this happens it is referred to as a “hash-collision”.

An attacker can only find a collision by taking the hash of an existing message then hashing millions of other messages until one produces the same string. The problem for legitimate users is that once rainbow-tables containing multiple hashes start to appear, an attacker then only needs a relatively low powered computer to do a search of the tables.

What does this mean to you?

In simple terms you need to make an inventory of all your existing certificates and then determine when they are due for renewal, and how they were signed. You can then either gradually replace them now with certificates signed with SHA2 or buy new certificates when they expire. Great care and a lot of testing is required because some older browsers will not be able to process the new certificates and the users of your website will start to messages like this:
download

If you are using certificates on your AIX system you can use SystemScan AIX to help you to find and document them.

Related

Blog

Jan
06

What does that port do?

Have you ever run lsof or netstat and wondered why a port was open, or what it does? This site is a useful way of checking: https://www.adminsub.net/tcp-udp-port-finder
It also contains a list of the most common attacks kown to be aimed at that port.

You can also look at the entries in “/etc/services”, however they are not guaranteed to be accurate as several ports are used for multiple activities and an attacker can also hide behind a well known port that is not currently in use for other things.

06-01-2015
Related