Nov 13

Your first hour with MySQL on AIX

Most modern Linux distributions come with MySQL preinstalled, or it can easily be added later with a tool such as YUM. Unfortunately AIX still has no such tool, and you have to download the individual RPMs and their prerequisites manually.

Here is an example of how to download the packages, install and configure them:

1. Download the prerequisites:

# wget http://www.oss4aix.org/download/RPMS/openssl/openssl-1.0.1g-1.aix5.1.ppc.rpm

# wget http://www.oss4aix.org/download/RPMS/openssl/openssl-devel-1.0.1g-1.aix5.1.ppc.rpm

# wget http://www.oss4aix.org/download/RPMS/zlib/zlib-devel-1.2.8-1.aix5.1.ppc.rpm

# wget http://www.oss4aix.org/download/RPMS/perl-DBI/perl-DBI-1.622-1.aix5.1.ppc.rpm

# wget http://www.oss4aix.org/download/RPMS/perl-DBD-MySQL/perl-DBD-MySQL-4.022-1.aix5.1.ppc.rpm

2. Download the main packages:

# mkdir /fixes/mysql

# cd /fixes/mysql

# wget http://www.oss4aix.org/download/RPMS/mysql/mysql-5.1.73-1.aix5.1.ppc.rpm

# wget http://www.oss4aix.org/download/RPMS/mysql/mysql-bench-5.1.73-1.aix5.1.ppc.rpm

# wget http://www.oss4aix.org/download/RPMS/mysql/mysql-libs-5.1.73-1.aix5.1.ppc.rpm

# wget http://www.oss4aix.org/download/RPMS/mysql/mysql-server-5.1.73-1.aix5.1.ppc.rpm

# wget http://www.oss4aix.org/download/RPMS/mysql/mysql-test-5.1.73-1.aix5.1.ppc.rpm

These packages are optional:

# wget ftp://www.oss4aix.org/RPMS/mysql/mysql-cluster-5.0.96-1.aix5.1.ppc.rpm

# wget ftp://www.oss4aix.org/RPMS/mysql/mysql-embedded-5.1.73-1.aix5.1.ppc.rpm

3. Install the packages:

# rpm -Uvh ./perl-DBD-MySQL-4.022-1.aix5.1.ppc.rpm

# rpm -Uvh ./perl-DBD-MySQL-4.022-1.aix5.1.ppc.rpm --nodeps

# rpm -Uvh ./openssl-1.0.1g-1.aix5.1.ppc.rpm ./openssl-devel-1.0.1g-1.ai

# rpm -Uvh ./my*

You may have to play around with the order of the prerequisites before the install works.

The MySQL installation should create a dedicated "mysql" user and group:

# id mysql

uid=64400(mysql) gid=64400(mysql) groups=1(staff)

4. Re-linking the applications:

The binaries are installed in /opt/freeware/bin.

Run ./mysql-switch-to-64_bit.sh from there to relink the 64-bit binaries.

Several “my.cnf” files are supplied:

/opt/freeware/etc/my.cnf

/opt/freeware/share/mysql-test/suite/federated/my.cnf

/opt/freeware/share/mysql-test/suite/ndb/my.cnf

/opt/freeware/share/mysql-test/suite/rpl/my.cnf

/opt/freeware/share/mysql-test/suite/rpl_ndb/my.cnf

If you would like to view one of the man pages:

# man 1 -M /opt/freeware/man/man1 mysql_install_db

5. Start the server:

Ensure that the log file /var/log/mysqld.log exists, then start the daemon. It is launched as root here, but the user=mysql line in my.cnf (step 11) makes mysqld switch to the mysql account once it has started, so do not remove that line.

# /opt/freeware/libexec/mysqld &

6. Test the databases:

$ /opt/freeware/bin/mysqlcheck --databases mysql -p

Enter password:
mysql.columns_priv OK
mysql.db OK
mysql.event OK
mysql.func OK
mysql.general_…

7. Set the root passwords:

# /opt/freeware/bin/mysqladmin -u root password 'new-password'

# /opt/freeware/bin/mysqladmin -u root -h p520-aix61 password 'new-password'

These two commands cover root@localhost and root@p520-aix61 only. The root@127.0.0.1 row and the two anonymous accounts that the stock installation also creates (see the mysql.user listing in step 9) keep their empty passwords until you deal with them.

8. Check the databases are properly configured:

$ cd /opt/freeware/share/mysql-test ; perl ./mysql-test-run.pl

9. Connect to the database and run some tests:

$ /opt/freeware/bin/mysql -u root mysql

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.73 MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables;

+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
23 rows in set (0.00 sec)

mysql> select * from db;

+------+---------+------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+-----------------------+------------------+------------------+----------------+---------------------+--------------------+--------------+------------+--------------+
| Host | Db | User | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Create_tmp_table_priv | Lock_tables_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Execute_priv | Event_priv | Trigger_priv |
+------+---------+------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+-----------------------+------------------+------------------+----------------+---------------------+--------------------+--------------+------------+--------------+
| % | test | | Y | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | Y | Y | Y | N | N | Y | Y |
| % | test\_% | | Y | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | Y | Y | Y | N | N | Y | Y |
+------+---------+------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+-----------------------+------------------+------------------+----------------+---------------------+--------------------+--------------+------------+--------------+
2 rows in set (0.00 sec)

mysql> select * from user;

+------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections |
+------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
| localhost | root | 39d1b8ab60ad963e | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 |
| p520-aix61 | root | 39d1b8ab60ad963e | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 |
| 127.0.0.1 | root | | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 |
| localhost | | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 |
| p520-aix61 | | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 |
+------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
5 rows in set (0.00 sec)


10. Test shutting down the server:

# /opt/freeware/bin/mysqladmin shutdown -p

Enter password:
140516 9:18:07 [Note] /opt/freeware/libexec/mysqld: Normal shutdown

11. This is the main configuration file:

# cat /opt/freeware/etc/my.cnf

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
...

Note that old_passwords=1 makes PASSWORD() store the 16-character pre-4.1 hash that the mysql.user listing in step 9 shows. Unless MySQL 3.x clients genuinely need to connect, set old_passwords=0, restart mysqld and re-run the step 7 commands so that the accounts get the stronger 41-character hashes.

12. Configure auto stop-start:

For some reason the example stop-start file is not correct so I had to create my own. Here is an example:

# cat > /etc/rc.d/init.d/mysqld

#!/usr/bin/ksh
#
# description: MySQL startup script
#

PIDFILE=/var/run/mysqld.pid
MYSQLD_BIN=/opt/freeware/libexec/mysqld

## The admin credentials used by "stop" and "status" live in a root-only option
## file (chmod 600) rather than in this world-readable script:
##     [client]
##     user=root
##     password=new-password
## --defaults-extra-file must be the first option on the mysqladmin command line.
ADMIN_CNF=/etc/mysql-admin.cnf
MYSQLADMIN="/opt/freeware/bin/mysqladmin --defaults-extra-file=$ADMIN_CNF"

## running: true if PIDFILE names a live process (a stale file is ignored).
running() {
    [ -r $PIDFILE ] && kill -0 $(cat $PIDFILE) 2>/dev/null
}

case "$1" in
start)
    if running; then
        print "MySQL daemon is already running with PID $(cat $PIDFILE)."
        exit 1
    else
        print "Starting MySQL..."
        ## Let mysqld write its own PID file; a ps|grep|awk capture races with
        ## the daemon starting up and can pick up more than one PID.
        $MYSQLD_BIN --pid-file=$PIDFILE &
    fi
    ;;
stop)
    print "Shutting down MySQL daemon..."
    if running; then
        $MYSQLADMIN shutdown
        rm -f $PIDFILE
    fi
    ;;
status)
    if running; then
        print "MySQL daemon is running with PID $(cat $PIDFILE)."
        $MYSQLADMIN status
    else
        print "MySQL daemon is not running."
        ps -ef | grep -w "libexec/mysqld" | grep -v grep
    fi
    ;;
restart)
    ## Stop the service and, regardless of whether it was running, start it again.
    $0 stop
    $0 start
    ;;
*)
    print "Usage: $0 {start|stop|status|restart}"
    exit 1
    ;;
esac
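
The user and db rows in step 9 show the state a fresh install leaves behind: root@127.0.0.1 and the two anonymous accounts have no password at all (the mysqladmin commands in step 7 only cover root@localhost and root@<hostname>), the hashes that were set are the 16-character pre-4.1 format that old_passwords=1 produces, and the test database is writable by anyone. The script below is an added example, not part of the original post: it audits the output of a select on mysql.user and mysql.db and prints the SQL that fixes each finding. The sample rows are transcribed from the tables above (constructed input, so it runs offline); on a live server feed it the output of the mysql commands named in the comments instead.

```shell
#!/bin/sh
# audit_mysql_users: read tab-separated "Host<TAB>User<TAB>Password" rows, as produced by
#     mysql -N -B -u root -p -e "select Host,User,Password from mysql.user"
# and print one finding per risky account with the SQL that fixes it.
# Exit status is 1 when anything was flagged, so it can gate a cron job or a build.
audit_mysql_users() {
    awk -F'\t' -v q="'" '
    function acct() { return q $2 q "@" q $1 q }      # user@host, each part quoted for SQL
    $2 == ""         { print "anonymous account " acct() "  ->  DROP USER " acct() ";"; bad++; next }
    $3 == ""         { print "no password on " acct() "  ->  SET PASSWORD FOR " acct() " = PASSWORD(" q "new-password" q ");"; bad++; next }
    length($3) == 16 { print "pre-4.1 hash on " acct() " (old_passwords=1)  ->  set old_passwords=0, restart, then SET PASSWORD FOR " acct() " = PASSWORD(" q "new-password" q ");"; bad++; next }
    $1 == "%"        { print "wildcard host on " acct() "  ->  restrict Host or DROP USER " acct() ";"; bad++; next }
    END              { exit bad ? 1 : 0 }'
}

# audit_mysql_db: read "Host<TAB>Db<TAB>User" rows, as produced by
#     mysql -N -B -u root -p -e "select Host,Db,User from mysql.db"
# A row with an empty User grants every account full rights on that database.
audit_mysql_db() {
    awk -F'\t' -v q="'" '
    $3 == "" { print "open grant on db " $2 " for any user from host " $1 "  ->  DELETE FROM mysql.db WHERE Db LIKE " q "test%" q " AND User=" q q "; FLUSH PRIVILEGES;"; bad++ }
    END      { exit bad ? 1 : 0 }'
}

# Constructed input: the five user rows and two db rows shown in step 9.
SAMPLE_USER_ROWS=$(printf 'localhost\troot\t39d1b8ab60ad963e\np520-aix61\troot\t39d1b8ab60ad963e\n127.0.0.1\troot\t\nlocalhost\t\t\np520-aix61\t\t\n')
SAMPLE_DB_ROWS=$(printf '%%\ttest\t\n%%\ttest\\_%%\t\n')

# Demo run against the constructed rows (a non-zero exit is expected here, hence the || :).
printf '%s\n' "$SAMPLE_USER_ROWS" | audit_mysql_users || :
printf '%s\n' "$SAMPLE_DB_ROWS"   | audit_mysql_db    || :
```

Run the suggested SQL from the mysql client, finish with FLUSH PRIVILEGES, then re-run the audit until it is silent; the DROP DATABASE test that usually accompanies the mysql.db clean-up is left to you because the post uses that database for its tests.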

13-11-2015

Jun 15

Maintaining an AIX firewall

AIX ships with a packet filtering capability (known as ipfilters) as part of its IPsec support. It has been there since well before 6.1, but IBM has never done a particularly good job of either publicising or documenting it. You can configure the filters from the command line or via smit. The toolset (genfilt, lsfilt, mkfilt, rmfilt, expfilt, impfilt) is part of the LPP bos.net.ipsec.rte.

1. If you already have an .exp file, copy your filter rules file (e.g. ipsec_fltr_rule.exp) to a temporary directory; otherwise export the active rules as follows:

# expfilt -v4 -f /tmp/ipfilt.exp
Directory /tmp/ipfilt.exp created.
Filter rule 2 for IPv4 has been exported successfully.
Filter rule 3 for IPv4 has been exported successfully.
Filter rule 4 for IPv4 has been exported successfully.
Filter rule 5 for IPv4 has been exported successfully.

..
Filter rule 56 for IPv4 has been exported successfully.
Filter rule(s) have been exported to /tmp/ipfilt.exp/ipsec_fltr_rule.exp successfully.

2. Flush all existing filter rules (the default rule, number 1, cannot be removed and stays in place):

/usr/sbin/rmfilt -v4 -n all

3. Import the filter rule file (impfilt takes the directory that contains ipsec_fltr_rule.exp, not the file itself; here the edited copy lives in /root):

/usr/sbin/impfilt -f /root

4. List the imported filter rules:

/usr/sbin/lsfilt -v4 -O

1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all 0 none  Default Rule
2 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 69 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10569
3 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 67 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10567
4 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 43 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10543
5 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 25 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10525
6 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 19 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10519
7 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 13 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10513
8 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 11 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10511
9 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 666 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105666
10 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 635 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105635
11 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 547 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105547
12 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 546 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105546
13 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 194 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105194
14 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 162 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105162

5. Activate the new rules
/usr/sbin/mkfilt -v4 -u -g start

You can also configure ipfilt from smit as follows:

smitty tcpip

                                     TCP/IP

Move cursor to desired item and press Enter.

Minimum Configuration & Startup
Further Configuration
Use DHCP for TCPIP Configuration & Startup
IPV6 Configuration
Quality of Service Configuration & Startup
Configure IP Security (IPv4)
Configure IP Security (IPv6)

Configure IP Security (IPv4):

                        Configure IP Security (IPv4)

Move cursor to desired item and press Enter.

Start/Stop IP Security
Basic IP Security Configuration
Advanced IP Security Configuration

Advanced IP Security Configuration:

                       Advanced IP Security Configuration

Move cursor to desired item and press Enter.

Configure IP Security Filter Rules
List Active IP Security Filter Rules
Activate/Update/Deactivate IP Security Filter Rule
List Encryption Modules
Start/Stop IP Security Filter Rule Log
Start/Stop IP Security Tracing
Backup IKE Database
Restore IKE Database
Initialize IKE Database
View IKE XML DTD

Configure IP Security Filter Rules

                       Configure IP Security Filter Rules

Move cursor to desired item and press Enter.

List IP Security Filter Rules
Add an IP Security Filter Rule
Change IP Security Filter Rules
Move IP Security Filter Rules
Export IP Security Filter Rules
Import IP Security Filter Rules
Delete IP Security Filter Rules

The important thing to remember is that if you activate the rules and have made a mistake you will be locked out of your system immediately, so make sure you have a console session open (one that does not depend on the network) before running mkfilt.
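
The lock-out described above is the reason for the following added example (my own wrapper, not part of the original post or of the ipfilt toolset): it activates the rules exactly as step 5 does, then arms a watcher that deactivates every rule again unless you confirm, from a fresh login, that you still have access. MKFILT, ROLLBACK_SECS and the confirm-file convention are assumptions introduced here; mkfilt -v4 -u -g start and mkfilt -v4 -d are the real ipfilt commands.

```shell
#!/bin/sh
# Activate a filter rule set with a dead man's switch, so a rule that cuts off
# your own SSH session undoes itself after a timeout.
MKFILT=${MKFILT:-/usr/sbin/mkfilt}     # overridable so the logic can be tested off-box
ROLLBACK_SECS=${ROLLBACK_SECS:-120}

# activate_with_rollback CONFIRM_FILE
#   Runs "mkfilt -v4 -u -g start" (step 5 above), then forks a watcher that sleeps
#   ROLLBACK_SECS and, if CONFIRM_FILE has not appeared by then, runs
#   "mkfilt -v4 -d" to deactivate all rules. The watcher ignores SIGHUP so it
#   survives the death of the SSH session that a bad rule set will cause.
#   The watcher's PID is left in ROLLBACK_PID.
activate_with_rollback() {
    confirm_file=$1
    rm -f "$confirm_file"
    "$MKFILT" -v4 -u -g start || return 1
    (
        trap '' HUP
        sleep "$ROLLBACK_SECS"
        [ -f "$confirm_file" ] || "$MKFILT" -v4 -d
    ) &
    ROLLBACK_PID=$!
    echo "rules active; run 'confirm_rules $confirm_file' within ${ROLLBACK_SECS}s or they will be deactivated"
}

# confirm_rules CONFIRM_FILE
#   Call this from a NEW session once you have proved you can still log in;
#   it tells the watcher to stand down.
confirm_rules() {
    : > "$1"
}
```

Typical use: source the file, run activate_with_rollback /var/run/ipfilt.confirm from your working session, then open a second SSH session. If it connects, run confirm_rules /var/run/ipfilt.confirm there; if it does not, wait out ROLLBACK_SECS and the rules are dropped for you. Keep the console session open anyway; this is a safety net, not a substitute.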

May 01

Locking-down smit

It is possible both to restrict which smit menus a user can reach and to stop a user escaping to the shell (F9) from a smit session.

If you run:

$ export SMIT_SHELL=n

for a user, then when they press F9 they will see the following message:

+--------------------------------------------------------------------------+
|                           INFORMATION MESSAGE                            |
|                                                                          |
| Press Enter or Cancel to return to the                                   |
| application.                                                             |
|                                                                          |
|   The Shell function is not available for this                           |
|   session.                                                               |
|                                                                          |
| F1=Help                 F2=Refresh              F3=Cancel                |
| F8=Image                F10=Exit                Enter=Do                 |
+--------------------------------------------------------------------------+

Because SMIT_SHELL is only an environment variable, a user who can change their own environment can set it back to y, so treat it as a convenience rather than a security boundary. Menu access itself can be restricted by editing /etc/security/smitacl.user and adding a stanza for the user; the stanza below limits the backup user to the shutdown and mksysb screens:

$ cat /etc/security/smitacl.user
default:
screens    =    *
funcmode   =    roles+acl
backup:
screens    =    shutdown,mksysb
funcmode   =    roles+acl

01-05-2015

Mar 02

Check if NTP is vulnerable

There are a lot of NTP reflection attacks being launched at the moment, so it is vital to check whether your version of NTP answers the monlist query that those attacks abuse.

Run xntpdc as root:

# xntpdc
xntpdc> host <Your server name>
current host set to XXXX
xntpdc> monlist
***Server reports data not found

xntpdc> listpeers
client    ntp1.XXX
client    ntp0.XXX
broadcast 172.27.1.127

The monlist command should not return any results. You can also run it directly from the command line:

# xntpdc -c monlist <IP_Address>

Run this from a host outside any network your restrict lines allow: a query from the server itself, or from a trusted subnet, may succeed where a remote one would be refused, and "data not found" from localhost does not by itself prove anything about exposure to the Internet.

If you have questions about the format of /etc/ntp.conf you can consult the sample files AIX provides in /usr/samples/xntp:

/usr/samples/xntp/default.conf
/usr/samples/xntp/example.keys
/usr/samples/xntp/localclock.conf
/usr/samples/xntp/ntp.copyrights

If you are running AIX 7.1 you should already have NTPv4 installed; on AIX 6.1 TL6 (or later) you can download the packages from the "AIX Web Download Pack Programs" site.

NTP4 Install images v7.1.0.3 for AIX 7.1
ntp4-7.1.0.3.tar   (1.45 MB)

README-7.1.0.3
README-7.1.0.3.txt   (317 B)

NTP4 Install images v6.1.6.3 for AIX 6.1
ntp4-6.1.6.3.tar   (1.45 MB)

README-6.1.6.3
README-6.1.6.3.txt   (317 B)

It is a good idea to install this version because even the standard NTPv4 on AIX 7.1 is affected by the following vulnerabilities:

CVE-2014-9293: weak default key
CVE-2014-9294: ntp-keygen uses a non-cryptographic random number generator with a weak seed to generate symmetric keys
CVE-2014-9295: stack buffer overflows in ntpd

NTP4-6.1.6.3 for AIX 6.1 contains the fix for the above vulnerabilities.

To restrict the hosts that NTP will respond to, add restrict lines to /etc/ntp.conf:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
or
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

On its own a line like this only constrains the 192.168.1.0/24 network; hosts that match no restrict line get full access, monlist included. Pair it with a default rule that denies queries to everyone else, for example restrict default nomodify notrap nopeer noquery (noquery blocks the mode 6 and mode 7 control queries that monlist uses while still serving time), or restrict default ignore if the server should talk only to listed hosts, in which case each upstream server also needs its own restrict line or its replies will be dropped. Adding disable monitor removes the recently-seen-clients list that monlist reads, so the query returns nothing regardless of who asks.

https://support.ntp.org/bin/view/Support/AccessRestrictions
http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.files/ntp.htm
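
As an added example (not from the original post), the checker below reads an ntp.conf and reports whether it still leaves monlist reachable: it looks for a restrict default line that carries noquery or ignore, and for disable monitor. The two sample configurations are constructed here; the weak one is the single restrict line from this post on its own, the hardened one is the same line with the default rule and disable monitor added. Point ntp_conf_audit at /etc/ntp.conf on a real host.

```shell
#!/bin/sh
# ntp_conf_audit FILE
#   Prints "OK" or "EXPOSED:<reasons>" (and returns 1 when exposed). Checks only
#   the two controls discussed above:
#     no-default-restrict     no "restrict default" line at all: unlisted hosts get everything
#     default-allows-queries  a default line exists but lacks noquery/ignore: monlist still answered
#     monitor-enabled         no "disable monitor": the MRU list monlist reads is still kept
ntp_conf_audit() {
    conf_rules=$(sed 's/#.*//' "$1" | awk 'NF')        # strip comments and blank lines
    findings=""
    default_line=$(printf '%s\n' "$conf_rules" |
        grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?(default|0\.0\.0\.0)([[:space:]]|$)' || true)
    if [ -z "$default_line" ]; then
        findings="$findings no-default-restrict"
    elif ! printf '%s\n' "$default_line" | grep -Eqw 'noquery|ignore'; then
        findings="$findings default-allows-queries"
    fi
    if ! printf '%s\n' "$conf_rules" | grep -E '^[[:space:]]*disable[[:space:]]' | grep -qw monitor; then
        findings="$findings monitor-enabled"
    fi
    if [ -z "$findings" ]; then
        echo OK
        return 0
    fi
    echo "EXPOSED:$findings"
    return 1
}

# write_sample TEXT -> path of a temp file holding TEXT (helper for the demo and tests)
write_sample() {
    f=$(mktemp) && printf '%s\n' "$1" > "$f" && echo "$f"
}

# Constructed sample configurations (10.10.1.5 is a made-up upstream server).
# Weak: the per-network restrict line from the post and nothing else.
WEAK_NTP_CONF='
server 10.10.1.5
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
'
# Hardened: deny control queries by default (time service still works and upstream
# replies are still accepted because this is noquery, not ignore), serve the LAN,
# keep localhost administrable, and switch the monitor off.
HARD_NTP_CONF='
server 10.10.1.5
restrict default nomodify notrap nopeer noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor
'

# Demo: the weak config is reported as exposed, the hardened one as OK.
for sample in "$WEAK_NTP_CONF" "$HARD_NTP_CONF"; do
    f=$(write_sample "$sample")
    ntp_conf_audit "$f" || :          # a non-zero exit is expected for the weak config
    rm -f "$f"
done
```

After changing the file, restart the daemon and repeat the xntpdc -c monlist check from a remote host; the configuration audit tells you what the file says, the remote query tells you what the daemon actually does.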

You can further harden your NTP daemon by installing symmetric keys:

# /usr/sbin/ntpkeygen4

To use the generated authentication key file, /etc/ntp.new.keys, restart the xntpd daemon pointing at it:

# /usr/sbin/xntpd -k /etc/ntp.new.keys

By default the daemon reads its keys from /etc/ntp.keys. Keys authenticate the peers and clients that are configured to use them; they do not by themselves stop unauthenticated hosts from querying the server. To refuse unauthenticated packets you also need restrict lines with notrust, and monlist exposure is governed by the restrict and noquery settings above, not by the keys.
If you are using NTPv3 the xntpd executable does not exist.

You can check which NTP version is in use, or switch between versions, by looking at the symbolic links:

$ ls -ld /usr/sbin/ntp*
drwxr-xr-x    2 root     system          256 Dec 15 18:06 /usr/sbin/ntp3
lrwxrwxrwx    1 root     system           22 Dec 15 18:06 /usr/sbin/ntpdate -> /usr/sbin/ntp3/ntpdate
lrwxrwxrwx    1 root     system           19 Dec 15 18:06 /usr/sbin/ntpq -> /usr/sbin/ntp3/ntpq
lrwxrwxrwx    1 root     system           23 Dec 15 18:06 /usr/sbin/ntptrace -> /usr/sbin/ntp3/ntptrace

02-03-2015

Jan 30

DNS lookup configuration

AIX offers a confusing array of options for configuring a system as a simple DNS client. The traditional way is to create an /etc/resolv.conf file listing the addresses of up to three DNS servers, e.g.:

nameserver      192.168.1.40
nameserver      192.168.1.1
nameserver      10.10.1.66
domain  mydomain.local

The problem with this configuration is that the resolver always queries the first nameserver in the list and only moves on to the next one after that query has timed out. You can see the effect when logging in to a server takes a long time before the password prompt appears, because the reverse lookup of the client address is waiting on a dead nameserver (although there can be other reasons for a slow login). Adding resolver options fixes this:

nameserver      192.168.1.40
nameserver      192.168.1.1
nameserver      10.10.1.66
domain  mydomain.local

options rotate
options timeout:2
options attempts:2

These options make the resolver rotate through the nameservers in round-robin order instead of always starting with the first, wait two seconds for each answer before trying the next server, and make two passes through the list before giving up.

options debug

Those that are interested in analysing their traffic can add the debug option, however this will generate a lot of information and affect performance.

The next file to tune is /etc/netsvc.conf:

hosts=local4,bind

In its simplest form this line tells AIX to look up IPv4 addresses in /etc/hosts first and then consult DNS. hosts=local,bind would check both IPv4 and IPv6 entries in /etc/hosts; reversing the order, or removing the local entry, gives DNS absolute precedence.

It doesn't finish there: there is also a dedicated network caching daemon (netcd), started from the SRC (lssrc -s netcd). The daemon is controlled by /etc/netcd.conf and writes its log to /var/tmp/netcd.log.

There is an example configuration file in “/usr/samples/tcpip/netcd.conf”.

Jan 30

Merging LDAP and local groups

Until recently it was impossible for a user to be a member of both local and LDAP groups, which makes centrally managing applications such as Oracle particularly problematic.

This can now be overcome by setting the domainlessgroups attribute to true in /etc/security/login.cfg. The AIX documentation describes it as follows:

"domainlessgroups: Defines the system configuration for merging the user's group attributes among LDAP and files modules. Only files and LDAP modules are supported. Valid values are "true" or "false". "true": When this attribute is set as true, the group attribute is merged from the LDAP and files modules, i.e. LDAP users can be assigned local groups and vice versa. "false": When this attribute is set as false, the group attribute is not merged from the LDAP and files modules.

Default value is "false"."

Jan 20

Making your AIX network more secure

These are some common network parameters that should be set to improve your system's network security and, in a few cases, its efficiency.

Network Service options

Each parameter is changed with the no command, using 0 to disable and 1 to enable. /usr/sbin/no -o parameter=value changes the running kernel only; /usr/sbin/no -p -o parameter=value also records the value in /etc/tunables/nextboot so that it survives a reboot (adding no commands to /etc/rc.net is the pre-AIX 5.2 way of doing the same thing). no -o parameter shows the current value and no -a lists them all.

arpt_killc=5
    ARP cache entry lifetime in minutes; the default is 20. A shorter lifetime limits how long a poisoned ARP entry stays in effect, so 1 to 5 minutes is a sensible range.

bcastping=0
    Whether to answer ICMP echo requests sent to the broadcast address. Disabling it stops the host acting as an amplifier in smurf attacks.

clean_partial_conns=1
    Whether the kernel randomly discards half-open (SYN_RCVD) connections when the listen queue fills, so that a SYN flood cannot exhaust it.

directed_broadcast=0
    Whether directed broadcasts are forwarded towards a gateway. Disabling it stops the host relaying broadcast traffic into a remote network.

icmpaddressmask=0
    Whether the system answers ICMP address mask requests. Disabling it denies a scanner the subnet mask that an address-mask reply would leak (IBM's table justifies this with "source routing attacks", which is a copy-and-paste error).

ipforwarding=0
    Whether the kernel forwards packets between interfaces. Leave it off on anything that is not acting as a router.

ipignoreredirects=1
    Whether ICMP redirects are processed. An attacker on the local segment can forge redirects to alter the host's routing table, so ignore them.

ipsendredirects=0
    Whether the kernel sends ICMP redirects. A host that is not a router has no reason to.

ip6srcrouteforward=0
ipsrcrouteforward=0
ipsrcrouterecv=0
ipsrcroutesend=0
nonlocsrcroute=0
    Disable forwarding, accepting and sending of source-routed packets (IPv4 and IPv6), and refuse strictly source-routed packets addressed to hosts outside the local network. Source routing lets an attacker dictate the path a packet takes and is the classic way to spoof a trusted address past a filter.

tcp_icmpsecure=1
    Protects TCP connections against forged ICMP source quench and PMTUD (Path MTU Discovery) messages by checking that the TCP sequence number carried in the ICMP payload lies within the connection's acceptable range. 0 = off (the default), 1 = on.

ip_nfrag=200
    Maximum number of fragments of one IP packet kept on the reassembly queue at a time. The default of 200 is reasonable; do not raise it without a reason, since fragment floods consume this memory.

rfc1122addrchk=1
    Performs RFC 1122 address validation, rejecting packets whose source or destination address is invalid (for example a loopback or multicast source). The default, 0, performs no check; 1 turns it on.

rfc1323=1
    Enables the RFC 1323 TCP extensions (window scaling and timestamps), which allow tcp_sendspace and tcp_recvspace to exceed 64 KB. Default 0. A performance setting rather than a security one.

tcp_mssdflt=1370
    Default maximum segment size used when communicating with remote networks. Default 512; range 512 to (MTU of the local network minus 64). The change takes effect immediately. Increase it if practical.

tcp_recvspace=N
tcp_sendspace=N
    Default sizes of the TCP socket receive and send buffers. Default 16384; range 0 to 64 KB if rfc1323=0, 0 to 4 GB if rfc1323=1. Both must be less than or equal to sb_max, should normally be equal to each other, and should be uniform across AIX systems that talk to one another frequently.

sb_max=N
    Upper limit on the size of any socket send or receive buffer. tcp_sendspace and tcp_recvspace cannot exceed it, so raise sb_max first when raising them.

tcp_tcpsecure=7
    Protects established TCP connections against blind in-window attacks. The value is a bit mask: 1 guards against a forged SYN, 2 against a forged RST, 4 against data injection; 3, 5, 6 and 7 are combinations, and 7 enables all three.

tcp_pmtu_discover=0
udp_pmtu_discover=0
    Enable or disable path MTU discovery for TCP and for UDP respectively. The risk that 0 removes is forged ICMP "fragmentation needed" messages shrinking the path MTU and stalling a connection, not source routing as IBM's table says. With tcp_icmpsecure=1 the TCP side is already protected, so you may prefer to leave tcp_pmtu_discover on where PMTU discovery is needed.

tcp_conn_request_max (20-500)
tcp_syn_rcvd_max (500)
    These two names are HP-UX ndd tunables, not AIX ones, and no will not accept them. The AIX equivalents are somaxconn (maximum listen backlog) and clean_partial_conns above (SYN flood protection).
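
Setting these once is easy; the practical problem is noticing when a later change, a reboot without -p, or a tuning script has quietly put one back. The script below is an added example (not from the original post): it compares the security subset of the table above with the output of no -a and prints the no -p -o command that corrects each difference. The performance tunables are left out because their right values are site-specific. The no -a excerpt embedded for the demo is constructed, with two drifted values and one tunable missing, so the block runs offline; audit_live_no is the function to call on a real AIX host.

```shell
#!/bin/sh
# Recommended security tunables, "name value" per line (from the table above).
DESIRED_NO='
bcastping 0
clean_partial_conns 1
directed_broadcast 0
icmpaddressmask 0
ipforwarding 0
ipignoreredirects 1
ipsendredirects 0
ip6srcrouteforward 0
ipsrcrouteforward 0
ipsrcrouterecv 0
ipsrcroutesend 0
nonlocsrcroute 0
tcp_icmpsecure 1
tcp_tcpsecure 7
'

# no_drift DESIRED_FILE CURRENT_FILE
#   DESIRED_FILE holds "name value" lines; CURRENT_FILE holds the output of
#   "no -a", which prints "name = value" with leading spaces. Emits one line per
#   tunable that is missing or differs, sorted so the output is stable.
no_drift() {
    awk '
    NR == FNR { if (NF == 2) want[$1] = $2; next }       # first file: desired values
    $2 == "=" && ($1 in want) { have[$1] = $3 }           # second file: no -a output
    END {
        for (n in want) {
            if (!(n in have))
                printf "%s missing desired=%s\n", n, want[n]
            else if (have[n] != want[n])
                printf "%s current=%s desired=%s  -> /usr/sbin/no -p -o %s=%s\n", n, have[n], want[n], n, want[n]
        }
    }' "$1" "$2" | sort
}

# audit_live_no: on an AIX host, capture no -a and report drift against DESIRED_NO.
audit_live_no() {
    d=$(mktemp) && c=$(mktemp) || return 1
    printf '%s\n' "$DESIRED_NO" > "$d"
    /usr/sbin/no -a > "$c"
    no_drift "$d" "$c"
    rm -f "$d" "$c"
}

# Constructed "no -a" excerpt (not from a real host): bcastping and ipforwarding
# have drifted, tcp_tcpsecure is absent altogether.
SAMPLE_NO_A='
             bcastping = 1
   clean_partial_conns = 1
    directed_broadcast = 0
       icmpaddressmask = 0
          ipforwarding = 1
     ipignoreredirects = 1
       ipsendredirects = 0
    ip6srcrouteforward = 0
     ipsrcrouteforward = 0
        ipsrcrouterecv = 0
        ipsrcroutesend = 0
        nonlocsrcroute = 0
        tcp_icmpsecure = 1
'

# demo_no_drift: run the comparison against the constructed excerpt (three lines expected).
demo_no_drift() {
    d=$(mktemp) && c=$(mktemp) || return 1
    printf '%s\n' "$DESIRED_NO" > "$d"
    printf '%s\n' "$SAMPLE_NO_A" > "$c"
    no_drift "$d" "$c"
    rm -f "$d" "$c"
}
demo_no_drift
```

Run audit_live_no from cron and alert on any output; an empty result means the running kernel matches the baseline. A tunable reported as missing usually means the name is wrong for that AIX level (the two HP-UX names at the end of the table would show up this way), which is worth knowing before a hardening script silently fails on it.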

Jan 06

Google announces intention to begin deprecating SHA1

Google has announced a provisional plan and timetable for reducing support for X.509 certificates signed with SHA-1. The industry is replacing SHA-1 with the SHA-2 family (in practice SHA-256) because, as computing power grows, it becomes more likely that an attacker can produce a forged message or certificate that has the same hash as a legitimate one.

A hash is a fixed-length string produced by running a message through a one-way hash function (it is not encryption: there is no key and nothing to decrypt). A browser or program API recomputes the hash to check that a message, or a certificate, has not been tampered with. Because there are far more possible messages than hash values, two messages with the same hash (a "hash collision") always exist; a secure hash function makes them infeasible to find.

Finding a collision by brute force means hashing enormous numbers of candidate messages until two agree, which is why a 160-bit hash like SHA-1 looks safe on paper. The practical danger is cryptanalytic shortcuts that cut that cost by orders of magnitude: an attacker who can construct two certificates with the same SHA-1 hash can have a CA sign the harmless one and reuse the signature on the other. That is how a rogue CA certificate was forged from MD5 collisions in 2008, and it is the scenario SHA-1 deprecation is meant to close off. (Rainbow tables, which speed up recovering passwords from their hashes, are a different problem and do not apply here.)

What does this mean to you?

In simple terms, you need to inventory all your existing certificates, determine when each is due for renewal and how it was signed, and then either replace the SHA-1 ones now with SHA-2 signed certificates or buy new certificates as they expire. Check the whole chain: an intermediate CA certificate signed with SHA-1 triggers the same warning as a SHA-1 leaf certificate, while the self-signature on a root certificate is not checked and can be ignored. Great care and a lot of testing is required, because some older browsers cannot process SHA-2 certificates, and the users of your website will start to see browser warnings once their browsers treat SHA-1 as insecure.

If you are using certificates on your AIX system you can use SystemScan AIX to help you find and document them.

Jan 06

What does that port do?

Have you ever run lsof or netstat and wondered why a port was open, or what it does? This site is a useful way of checking: https://www.adminsub.net/tcp-udp-port-finder
It also lists the most common attacks known to be aimed at each port.

You can also look at the entries in /etc/services, but they are not guaranteed to be accurate: several ports are used by more than one service, and an attacker can hide behind a well-known port number that is not currently in use for anything else. The only reliable answer is the process holding the socket; on AIX, if lsof is not installed, take the PCB address of the listening socket from netstat -Aan and pass it to rmsock (for example rmsock <address> tcpcb), which reports the owning process.

06-01-2015

Dec 17

Finding Library Dependencies

Have you ever wondered which shared libraries a binary or utility loads?

The AIX package "freeware.aix.tools.rte" includes an ldd binary which lists the shared libraries an executable depends on. This example shows the shared libraries used by the ping executable:

# /usr/local/bin/ldd /usr/sbin/ping
/usr/lib/libbind.a(shr.o)
/usr/sbin/ping
/usr/lib/libcrypt.a(shr.o)
/usr/lib/libc.a(shr.o)

If the freeware package is not installed, the native equivalent is dump -H /usr/sbin/ping, which prints the loader section of the binary including the import file IDs (the libraries and members the loader will resolve at run time).

Remember that on AIX shared objects (".o" members) are packaged inside ".a" archives, which is why ldd reports libcrypt.a(shr.o) rather than a bare file. To list the members of a ".a" file use ar -tv.

E.g.
# ar -tv /usr/lib/libcrypt.a
rwxr-x—   300/1       4638 Mar 28 20:46 2010 shr.o
