Many people need access to a private internet but do not or cannot have a permanent connection. By design, there is minimal security within a private internet but a strong wall around the outside of the network (think of a classic medieval castle). Remote access is like doors or tunnels through the wall, and they need to be protected. Some types of access can compromise the security of a private internet unless special care is taken. This document is aimed primarily at those types of remote access, where special precautions need to be taken.
This is primarily aimed at desktop machines with answering modems, but the principles apply to all SGI machines with modems.
There must be no un-passworded accounts on any dialin machines. Many of the standard accounts are not intended to be logged into, especially accounts on a server. These accounts must be disabled by placing an "*" in the second field of /etc/passwd file. Accounts in this category include: sysadm, diag, daemon, bin, uucp, sys, adm, lp, man, nobody, nuucp, tutor, demos and 4Dgifts (add rfindd, dbadmin, auditor, cmwlogin, sgiweb, EZsetup, OutOfBox, and noaccess in various later releases). Active accounts that need good passwords include: root, guest, and all user accounts.
% su # echo "+ +" >~guest/.rhosts # chown root.sys ~guest ~guest/.rhosts # chmod 444 ~guest/.rhosts # chmod a+w,+t ~guest # exit %Note: NIS accounts (aka YP, ones that start with a "+") are at least as important to check as the local ones. In addition, these accounts may be harder to secure.
If there is a /.rhosts file, it is mandatory that it be
minimal and secure. Minimize the number of entries! Refer to this
% su # chown root.sys /.rhosts # chmod 400 /.rhosts # exit %
To eliminate this, create a file /etc/ftpusers and put in all the accounts that you don't want to have FTP access, one userid per line. This includes all SLIP and PPP accounts, and may include root itself.
Passwords may be added to accounts either using the System Manager, or from
a shell as follows:
% su # passwd nuucp Changing password for nuucp on host. New password: Re-enter new password: # exit %
Create an /etc/dialups file with the following entries:
/dev/ttyd1 /dev/ttym1 /dev/ttyf1 /dev/ttyd2 /dev/ttym2 /dev/ttyf2
Create an /etc/d_passwd file with the following entries:
/bin/csh:*: /bin/tcsh:*: /bin/sh:*: /bin/ksh:*: /bin/bash:*: /usr/lib/uucp/uucico:*: /usr/etc/remoteslip:: /usr/etc/ppp:: /usr/etc/dbslip:: /usr/etc/ppp/Login::The preceding configuration allows PPP and SLIP accounts to login via modems on ports 1 and 2, but disallows all shell accounts. Putting an encrypted password (same format as in /etc/passwd) in place of the the :*: or :: will use that as a dialup password, which is prompted for by the system after the normal user password.