Disabling Unnecessary Services
Where are services started?
On an AIX system, network services are usually started in four ways:
- An entry in the /etc/inittab file. These services are activated at system startup, and depending on the method used, may automatically respawn if killed.
- An entry in the /etc/rc.tcpip file. This shell script is executed during system startup via an entry in /etc/inittab, and is responsible for starting the bulk of the standard network daemons.
- An entry in the /etc/inetd.conf file. This configuration file for the inetd daemon (the "super-server") contains numerous entries for services that are useful and possibly necessary, but also many of dubious value in a secured environment.
- Manually, by the invocation of a command by a user. Programs that bind to a port number above 1024 and accept connections from the network do not have to be run by the root user. Any user who has the ability to log in to a system also has the ability to run their own network services.
Each of the above methods must be checked for insecure or unnecessary services if the system is to be protected from network-originating attacks.
The services in /etc/inittab: Overview
The following text, an excerpt from the default /etc/inittab, has items that are network-related displayed in red.
init:2:initdefault:
brc::sysinit:/sbin/rc.boot 3 >/dev/console 2>&1 # Phase 3 of system boot
powerfail::powerfail:/etc/rc.powerfail 2>&1 | alog -tboot > /dev/console # Power Failure Detection
mkatmpvc:2:once:/usr/sbin/mkatmpvc >/dev/console 2>&1
atmsvcd:2:once:/usr/sbin/atmsvcd >/dev/console 2>&1
load64bit:2:wait:/etc/methods/cfg64 >/dev/console 2>&1 # Enable 64-bit execs
rc:2:wait:/etc/rc 2>&1 | alog -tboot > /dev/console # Multi-User checks
fbcheck:2:wait:/usr/sbin/fbcheck 2>&1 | alog -tboot > /dev/console # run /etc/firstboot
srcmstr:2:respawn:/usr/sbin/srcmstr # System Resource Controller
rcnetw:2:wait:/etc/rc.netware #start Netware
cnsview:2:wait:/usr/bin/cnsview -c "daemon start" >/dev/console 2>&1 # Start cnsview daemon
rctcpip:2:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
rcnfs:2:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
cron:2:respawn:/usr/sbin/cron
piobe:2:wait:/usr/lib/lpd/pio/etc/pioinit >/dev/null 2>&1 # pb cleanup
qdaemon:2:wait:/usr/bin/startsrc -sqdaemon
writesrv:2:wait:/usr/bin/startsrc -swritesrv
uprintfd:2:respawn:/usr/sbin/uprintfd
logsymp:2:once:/usr/lib/ras/logsymptom # for system dumps
httpdlite:2:once:/usr/IMNSearch/httpdlite/httpdlite -r /etc/IMNSearch/httpdlite/httpdlite.conf & >/dev/console 2>&1
diagd:2:once:/usr/lpp/diagnostics/bin/diagd >/dev/console 2>&1
imnss:2:once:/usr/IMNSearch/bin/imnss -start imnhelp >/dev/console 2>&1
imqss:2:once:/usr/IMNSearch/bin/imq_start >/dev/console 2>&1
pmd:2:wait:/usr/bin/pmd > /dev/console 2>&1 # Start PM daemon
dt:2:wait:/etc/rc.dt
cons:0123456789:respawn:/usr/sbin/getty /dev/console
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
l7:7:wait:/etc/rc.d/rc 7
l8:8:wait:/etc/rc.d/rc 8
l9:9:wait:/etc/rc.d/rc 9
Unlike most configuration files in AIX, entries in /etc/inittab can NOT be disabled by placing a pound sign ("#") at the beginning of the line. To disable an inittab entry, it must either be deleted from the file, have a colon (":") as the first character of the line, or have the value of the "action" field set to "off". Changes to /etc/inittab may also be made via the "chitab" command; entries may be deleted with the "rmitab" command.
Before making changes to this file, ensure that there is a good backup copy available, as problems with the inittab file can prevent a system from starting up.
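As an added example (not part of this tutorial), the following POSIX shell and awk script applies the inittab rules just described to a constructed sample file. It reports which entries init would still act on, treating a leading "#" as live, a leading ":" or an action of "off" as disabled, and it shows a disable routine that sets the action field to "off", which is an assumption made here to mimic the effect of chitab rather than a call to the real command.

```shell
# Added example: audit an /etc/inittab-style file for live entries using the
# AIX rules described in the tutorial (constructed sample; not the real file).
#   - a leading ":" disables the entry
#   - an action of "off" disables the entry
#   - a leading "#" does NOT disable the entry; init still runs it

SAMPLE_INITTAB='init:2:initdefault:
srcmstr:2:respawn:/usr/sbin/srcmstr # System Resource Controller
rctcpip:2:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
#writesrv:2:wait:/usr/bin/startsrc -swritesrv
:rcnetw:2:wait:/etc/rc.netware #start Netware
httpdlite:2:off:/usr/IMNSearch/httpdlite/httpdlite -r /etc/IMNSearch/httpdlite/httpdlite.conf & >/dev/console 2>&1
dt:2:wait:/etc/rc.dt'

# live_inittab_entries: print the identifier of every entry init would act on.
# Reads inittab text on stdin. The "#writesrv" line is reported as live on
# purpose: commenting does not disable an inittab entry.
live_inittab_entries() {
    awk -F: '
        /^[[:space:]]*$/    { next }   # skip blank lines
        /^:/                { next }   # leading colon: disabled
        $3 == "off"         { next }   # action "off": disabled
        $3 == "initdefault" { next }   # run-level default, not a service
        { id = $1; sub(/^#/, "", id); print id }
    '
}

# disable_inittab_entry ID: emit the file with the named entry action set to
# "off". Assumption: this mimics what an "off" action achieves; on a real
# system use chitab or rmitab, after taking a backup of /etc/inittab.
disable_inittab_entry() {
    awk -F: -v OFS=: -v id="$1" '
        $1 == id { $3 = "off" }
        { print }
    '
}

# Usage: list live entries, then show the result of switching "dt" off.
printf '%s\n' "$SAMPLE_INITTAB" | live_inittab_entries
printf '%s\n' "$SAMPLE_INITTAB" | disable_inittab_entry dt | live_inittab_entries
```

Run the audit against the real file with `live_inittab_entries < /etc/inittab`; any identifier it prints that is not needed on the host is a candidate for chitab or rmitab.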
Dealing with the /etc/inittab entries
rcnetw:2:wait:/etc/rc.netware #start Netware
The rcnetw entry executes the /etc/rc.netware script, which in turn, loads drivers for the Novell NetWare networking protocols. If NetWare will not be used with this system, it is safe to disable or delete this entry.
rctcpip:2:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
The majority of the "stand-alone" network daemons are started from within the /etc/rc.tcpip shell script, which is executed at startup via this inittab entry. The contents of this script and the services started by it will be discussed in detail further in this tutorial.
rcnfs:2:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
NIS/YP and NFS services are started by the /etc/rc.nfs script. However, the lines that start up
The biod daemon is required on systems that are either mounting (as a client) or exporting (as a server) filesystems via NFS.
rpc.statd and rpc.lockd provide locking and crash-recovery used by some applications. Both of these daemons have had security problems resulting in the compromise of a system. Though the versions of rpc.statd and rpc.lockd provided with the latest releases of AIX are not known to be vulnerable, these daemons are often unnecessary, and can usually be disabled with no ill effect on the use of NFS-mounted filesystems.
NFS server capabilities are started if two conditions are met:
- The program "/usr/sbin/nfsd" exists and is executable.
- The file "/etc/exports" exists.
If the system is not going to provide NFS services, ensure that at least one of the two conditions listed will not be met, by either removing the executable bit from the nfsd daemon or by changing its name. If the system will not be using
writesrv:2:wait:/usr/bin/startsrc -swritesrv
The writesrv entry enables the ability of users on remote machines to use the "write" command to send messages to users on the local system. This entry should be disabled or deleted on any system that is connected to a public network. Note that disabling the writesrv service does not prevent users from messaging one another on the local system.
httpdlite:2:once:/usr/IMNSearch/httpdlite/httpdlite -r /etc/IMNSearch/httpdlite/httpdlite.conf & >/dev/console 2>&1
imnss:2:once:/usr/IMNSearch/bin/imnss -start imnhelp >/dev/console 2>&1
imqss:2:once:/usr/IMNSearch/bin/imq_start >/dev/console 2>&1
The above three inittab entries comprise the AIX Documentation Search Service, providing a web site interface for browsing and searching AIX documentation. It is not necessary to run this service on all of the systems in your network, and the web server that IBM provides with this server is fairly limited in its features. These entries should be disabled or deleted from /etc/inittab.
dt:2:wait:/etc/rc.dt
The /etc/rc.dt program starts the CDE graphical window server; aside from using up valuable resources, the Common Desktop Environment has been a source of many security vulnerabilities in the past. Though there are no known issues with the latest version, unless there is a specific need for CDE, this entry should be disabled or deleted.
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
l7:7:wait:/etc/rc.d/rc 7
l8:8:wait:/etc/rc.d/rc 8
l9:9:wait:/etc/rc.d/rc 9
The above inittab entries were added by IBM to AIX 4.3.3 in an attempt to make AIX more "friendly" to administrators of Linux and Solaris systems. They provide a set of directories in which application startup scripts can be placed and invoked upon entering a given run level, a la System-V-based UNIX systems. While there are no services started by these entries by default on AIX 4.3.3, system administrators must be aware that they exist, and might be used "accidentally" by other people with root access on the system.
Unless there are plans to use this System-V adaptation to the AIX startup process, these entries should be disabled or deleted from inittab, and the directory "/etc/rc.d" should be deleted or renamed to prevent misunderstandings.
The services in /etc/rc.tcpip: Overview
The following excerpt from the script /etc/rc.tcpip indicates the services that are started or disabled in a default AIX installation. Items that are displayed in red will be explored further in this tutorial.
echo "Starting tcpip daemons:"
trap 'echo "Finished starting tcpip daemons."' 0
# Start up dhcpcd daemon
#start /usr/sbin/dhcpcd "$src_running"
# Start up autoconf6 process
#start /usr/sbin/autoconf6 ""
# Start up ndpd-host daemon
#start /usr/sbin/ndpd-host "$src_running"
# Start up the ndpd-router daemon
#start /usr/sbin/ndpd-router "$src_running"
# Start up syslog daemon (for error and event logging)
start /usr/sbin/syslogd "$src_running"
# Start up print daemon
#start /usr/sbin/lpd "$src_running"
# Start up routing daemon (only start ONE)
#start /usr/sbin/routed "$src_running" -q
#start /usr/sbin/gated "$src_running"
# Start up the sendmail daemon.
qpi=30m # 30 minute interval
start /usr/lib/sendmail "$src_running" "-bd -q${qpi}"
# Start up Portmapper
start /usr/sbin/portmap "$src_running"
# Start up socket-based daemons
start /usr/sbin/inetd "$src_running"
# Start up Domain Name daemon
#start /usr/sbin/named "$src_running"
# Start up time daemon
#start /usr/sbin/timed "$src_running"
# Start up Network Time Protocol (NTP) daemon
#start /usr/sbin/xntpd "$src_running"
# Start up rwhod daemon (a time waster)
#start /usr/sbin/rwhod "$src_running"
# Start up the Simple Network Management Protocol (SNMP) daemon
start /usr/sbin/snmpd "$src_running"
# Start up the DHCP Server
#start /usr/sbin/dhcpsd "$src_running"
# Start up the DHCP Relay Agent
#start /usr/sbin/dhcprd "$src_running"
# Start up the DPID2 daemon
start /usr/sbin/dpid2 "$src_running"
# Start up the mrouted daemon
#start /usr/sbin/mrouted "$src_running"
# Start up the atm subagnet daemon muxatmd
#start /usr/sbin/muxatmd "$src_running"
/usr/lpp/x_st_mgr/bin/x_st_mgrd -b /usr/lpp/x_st_mgr/bin/x_st_mgrd.cf -s x_st_mgrd
Since /etc/rc.tcpip is a Korn shell script, items may be disabled by placing a pound sign ("#") at the beginning of the line, or by deleting the line entirely.
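As an added example (not part of this tutorial), the script below audits an rc.tcpip-style excerpt, which is a constructed sample here, not the real file. Because rc.tcpip is a shell script, a leading "#" genuinely disables a line, so the audit only counts uncommented "start" lines and bare absolute-path commands such as the x_st_mgrd line. The allowlist of daemons to keep is an assumption chosen for the demonstration.

```shell
# Added example: list the daemons an rc.tcpip-style script would start, report
# those outside an allowlist, and emit a hardened copy with the rest commented
# out (the disabling method the tutorial gives for this file). Constructed sample.

SAMPLE_RC_TCPIP='echo "Starting tcpip daemons:"
# Start up syslog daemon (for error and event logging)
start /usr/sbin/syslogd "$src_running"
# Start up the sendmail daemon.
qpi=30m # 30 minute interval
start /usr/lib/sendmail "$src_running" "-bd -q${qpi}"
# Start up Portmapper
start /usr/sbin/portmap "$src_running"
# Start up socket-based daemons
start /usr/sbin/inetd "$src_running"
# Start up Domain Name daemon
#start /usr/sbin/named "$src_running"
start /usr/sbin/snmpd "$src_running"
start /usr/sbin/dpid2 "$src_running"
/usr/lpp/x_st_mgr/bin/x_st_mgrd -b /usr/lpp/x_st_mgr/bin/x_st_mgrd.cf -s x_st_mgrd'

# active_rc_tcpip_daemons: program path of every daemon the script starts.
# "#start ..." lines are skipped, since a comment disables them in a shell script.
active_rc_tcpip_daemons() {
    awk '
        $1 == "start" { print $2; next }   # start <path> "$src_running" ...
        $1 ~ /^\//    { print $1 }         # bare command, e.g. x_st_mgrd
    '
}

# unexpected_rc_tcpip_daemons "path1 path2 ...": active daemons that are not in
# the space-separated allowlist the administrator has decided to keep.
unexpected_rc_tcpip_daemons() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        $1 == "start" && !($2 in keep) { print $2; next }
        $1 ~ /^\// && !($1 in keep)    { print $1 }
    '
}

# harden_rc_tcpip "path1 path2 ...": emit the script with every daemon start
# outside the allowlist commented out with a leading "#".
harden_rc_tcpip() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        $1 == "start" && !($2 in keep) { print "#" $0; next }
        $1 ~ /^\// && !($1 in keep)    { print "#" $0; next }
        { print }
    '
}

# Usage (assumed allowlist: only syslogd and inetd stay enabled).
ALLOW="/usr/sbin/syslogd /usr/sbin/inetd"
printf '%s\n' "$SAMPLE_RC_TCPIP" | unexpected_rc_tcpip_daemons "$ALLOW"
printf '%s\n' "$SAMPLE_RC_TCPIP" | harden_rc_tcpip "$ALLOW"
```

On a real host, run `active_rc_tcpip_daemons < /etc/rc.tcpip` and compare the list with the services the sections that follow say to keep; write the hardened output to a new file and inspect the diff before replacing /etc/rc.tcpip.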
Dealing with the services in /etc/rc.tcpip
start /usr/sbin/syslogd "$src_running"
The syslog daemon provides a facility for handling messages and errors from various applications running on a system. Syslogd is started by default on AIX; this is a good thing. Unfortunately, the default configuration also does no logging of any messages received by the daemon. Configuring the syslog daemon will be discussed later in this tutorial.
start /usr/lib/sendmail "$src_running" "-bd -q${qpi}"
Sendmail is started in daemon mode by the /etc/rc.tcpip script; in this default configuration, the AIX system provides SMTP service with no restriction or authentication. Unless the systems administrator rectifies this unfortunate fact, the system will be used as a relay, routing tremendous amounts of "spam" to users throughout the Internet and incurring the wrath of the recipients of said mail. Running sendmail in a secure fashion will be discussed later in this tutorial. Until the reader is ready to address the issue of proper configuration, sendmail should be disabled by commenting out this line in rc.tcpip.
start /usr/sbin/portmap "$src_running"
The portmap daemon is responsible for reporting the port numbers in use by all Remote Procedure Call (RPC) servers running on the system. Some common RPC servers include those involved in NFS (both client and server), and a number of items started by the inetd daemon, including "rstatd", "rexd", and other items of dubious value and high risk for security vulnerabilities. If after reviewing the active services in use on the system, the administrator determines that there are none that use RPC, this daemon should be commented out or deleted from the rc.tcpip script.
start /usr/sbin/inetd "$src_running"
The inetd server is the "super-server", responsible for listening on multiple ports and responding to requests for network services by spawning the appropriate program, as specified in the configuration file /etc/inetd.conf. A large number of the services that inetd provides in its default configuration should not be run on a system connected to a public network, because of either weaknesses in the authentication and authorization methods used by the service, or a history of security problems in the application providing the service. Proper configuration of inetd is addressed later in this tutorial. If after reviewing the services provided by inetd the administrator determines that there are better replacements for the items that are required for the system to function, the inetd daemon can be disabled by commenting out or deleting this entry from the rc.tcpip script.
start /usr/sbin/snmpd "$src_running"
start /usr/sbin/dpid2 "$src_running"
The snmpd and dpid2 daemons both provide Simple Network Management Protocol services, which can be useful for monitoring the status of the system, but were not designed with a good security model and have multiple known vulnerabilities. Unless the system is secured behind a firewall that restricts SNMP requests to the local network, both of these services should be disabled by commenting out or deleting their entries in rc.tcpip.
The dpid2 daemon in particular should always be disabled, as it is an archaic holdover from earlier SNMP developments, and no longer provides any useful service.
/usr/lpp/x_st_mgr/bin/x_st_mgrd -b /usr/lpp/x_st_mgr/bin/x_st_mgrd.cf -s x_st_mgrd
The above command is added to the /etc/rc.tcpip script by the installation of the fileset "X11.x_st_mgr.rte", and it provides services to IBM Xstation graphical workstations. Unless the RS/6000 is providing these services to Xstations, this entry should be deleted from the rc.tcpip file, and the X11.x_st_mgr.rte fileset should be removed from the system.
The services in /etc/inetd.conf: Overview
The following excerpt from /etc/inetd.conf lists all of the services that are active in the default installation of AIX.
ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd
telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a
shell stream tcp6 nowait root /usr/sbin/rshd rshd
kshell stream tcp nowait root /usr/sbin/krshd krshd
login stream tcp6 nowait root /usr/sbin/rlogind rlogind
klogin stream tcp nowait root /usr/sbin/krlogind krlogind
exec stream tcp6 nowait root /usr/sbin/rexecd rexecd
bootps dgram udp wait root /usr/sbin/bootpd bootpd /etc/bootptab
tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n
ntalk dgram udp wait root /usr/sbin/talkd talkd
rstatd sunrpc_udp udp wait root /usr/sbin/rpc.rstatd rstatd 100001 1-3
rusersd sunrpc_udp udp wait root /usr/lib/netsvc/rusers/rpc.rusersd rusersd 100002 1-2
rwalld sunrpc_udp udp wait root /usr/lib/netsvc/rwall/rpc.rwalld rwalld 100008 1
sprayd sunrpc_udp udp wait root /usr/lib/netsvc/spray/rpc.sprayd sprayd 100012 1
pcnfsd sunrpc_udp udp wait root /usr/sbin/rpc.pcnfsd pcnfsd 150001 1-2
echo stream tcp nowait root internal
discard stream tcp nowait root internal
chargen stream tcp nowait root internal
daytime stream tcp nowait root internal
time stream tcp nowait root internal
echo dgram udp wait root internal
discard dgram udp wait root internal
chargen dgram udp wait root internal
daytime dgram udp wait root internal
time dgram udp wait root internal
ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1
ssalld sunrpc_tcp tcp wait root /usr/sbin/rpc.ssalld rpc.ssalld 300667 1
instsrv stream tcp nowait netinst /home/netinst/bin/instsrv instsrv -r /tmp/netinstalllog /home/netinst/scripts
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
cmsd sunrpc_udp udp wait root /usr/dt/bin/rpc.cmsd cmsd 100068 2-5
To disable a service listed in the /etc/inetd.conf file, delete the line or place a pound sign ("#") as the first character of the line. Changes to inetd.conf will not take effect until the inetd daemon is restarted by either sending a HUP signal to the PID of the process or by executing the command "refresh -s inetd" as root.
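As an added example (not part of this tutorial), the script below parses a constructed inetd.conf-style sample using the field layout shown above (service, socket type, protocol, wait/nowait, user, program, arguments). It serves two passages: the portmap decision from the rc.tcpip section, by listing the services whose socket type is sunrpc_* and therefore depend on portmap, and the inetd.conf disabling procedure, by commenting out a named set of services. The sample lines and the set of services disabled are assumptions made for the demonstration.

```shell
# Added example: audit an inetd.conf-style file (constructed sample, not the
# real file). Fields: service socktype proto wait user program args.

SAMPLE_INETD_CONF='ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd     tftpd -n
rstatd  sunrpc_udp udp  wait    root    /usr/sbin/rpc.rstatd rstatd 100001 1-3
#sprayd sunrpc_udp udp  wait    root    /usr/lib/netsvc/spray/rpc.sprayd sprayd 100012 1
echo    stream  tcp     nowait  root    internal
ttdbserver sunrpc_tcp tcp wait  root    /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1'

# enabled_inetd_services: "service socktype user program" for every uncommented
# entry. A leading "#" disables an inetd.conf line, unlike /etc/inittab.
enabled_inetd_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1, $2, $5, $6 }'
}

# rpc_inetd_services: enabled services with a sunrpc_* socket type. These
# register with portmap; if this prints nothing (and NFS is not in use) the
# portmap start in /etc/rc.tcpip is a candidate for removal.
rpc_inetd_services() {
    awk '!/^[[:space:]]*(#|$)/ && $2 ~ /^sunrpc_/ { print $1 }'
}

# root_external_inetd_services: enabled services that spawn an external program
# as root. "internal" services are served by inetd itself and have no program.
root_external_inetd_services() {
    awk '!/^[[:space:]]*(#|$)/ && $5 == "root" && $6 != "internal" { print $1 }'
}

# disable_inetd_services "svc1 svc2 ...": emit the file with the named services
# commented out. The change is not live until "refresh -s inetd" (or a HUP to
# the inetd process) is run as root.
disable_inetd_services() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        !/^[[:space:]]*(#|$)/ && ($1 in off) { print "#" $0; next }
        { print }
    '
}

# Usage: which enabled services need portmap, then disable them and re-check.
printf '%s\n' "$SAMPLE_INETD_CONF" | rpc_inetd_services
printf '%s\n' "$SAMPLE_INETD_CONF" | disable_inetd_services "rstatd ttdbserver" | rpc_inetd_services
```

Against the real file, `rpc_inetd_services < /etc/inetd.conf` answers the question the portmap discussion poses; `root_external_inetd_services` lists the entries where a vulnerability in the spawned program runs with full privilege, which is where review effort is best spent first.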
Dealing with the /etc/inetd.conf entries
ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd
This entry provides the FTP (File Transfer Protocol) service, enabling the uploading and downloading of files by an FTP client. In general, FTP is not considered a secure protocol, as it transmits user IDs, passwords, and data "in the clear", with no encryption. Secure alternatives, such as "sftp-server" included with OpenSSH, are available, though they require that different client programs be used.
If a more secure alternative is acceptable, or if there is no need to provide download and upload capabilities for the system, the FTP server should be disabled by deleting or commenting out its entry in the /etc/inetd.conf file. If FTP service is required, improving the security of the service is discussed later in this tutorial.
telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a
The telnet service gives users the ability to log in to the system remotely, using a standard telnet client. As it is with the FTP service, the telnet protocol is inherently insecure due to its passing of user IDs, passwords and data without encryption. A common, secure alternative is the "sshd" component of the OpenSSH application package. If there is a need for the providing of the telnet service, some level of security can be achieved via the techniques discussed later in this tutorial.
shell stream tcp6 nowait root /usr/sbin/rshd rshd
kshell stream tcp nowait root /usr/sbin/krshd krshd
The shell and kshell entries both provide the services for the rcp and rsh client programs. There is a large difference, though, in the security of the services provided by the different daemons. The "kshell" service, provided by the krshd daemon, uses Kerberos to verify the identity of the client and to authenticate the user. The "shell" service, however, uses an extremely weak method of authentication, and should not be enabled unless the system is not connected to a public network.
If Kerberos is in use at your organization, disable or delete the entry for "shell", as its availability negates any benefit that has been gained by the deployment of Kerberos. If Kerberos is not in use, the "sshd" component of the OpenSSH application package provides a much more secure "drop-in replacement" for the rshd daemon; in this case, both entries should be disabled.
login stream tcp6 nowait root /usr/sbin/rlogind rlogind
klogin stream tcp nowait root /usr/sbin/krlogind krlogind
As with the shell/kshell services, the login and klogin entries both provide a similar service: the ability for remote users to log in to the system without specifying a password. Again, the krlogind daemon uses Kerberos for authentication and encryption, while the standard "rlogind" uses the same insecure method for user authentication as the shell service, with no encryption of data passed over the network.
The "login" service should be disabled or deleted from inetd.conf, as the Kerberized "klogin" service is much more secure. If Kerberos is not in use at your site, disable both services and use ssh.
exec stream tcp6 nowait root /usr/sbin/rexecd rexecd
The "exec" service is yet another holdover from the time when networks were friendly, and security was not a prime concern. The rexecd daemon gives remote users the ability to run commands on the system, with poor authentication and no encryption of passwords or data. This entry should be disabled, as there are numerous secure alternatives for this service.
bootps dgram udp wait root /usr/sbin/bootpd bootpd /etc/bootptab
tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n
The bootpd and tftpd daemons make available the ability to do network booting of remote systems. Unless it is required that the system provide this service, the bootps and tftp inetd.conf entries should be disabled or deleted.
ntalk dgram udp wait root /usr/sbin/talkd talkd
Similar in purpose to the "writesrv" service started from /etc/inittab, the "talkd" daemon receives messages from users on remote systems, displaying them on the terminals of local users. This daemon has been successfully exploited in the past, and should be disabled.
rstatd sunrpc_udp udp wait root /usr/sbin/rpc.rstatd rstatd 100001 1-3
rusersd sunrpc_udp udp wait root /usr/lib/netsvc/rusers/rpc.rusersd rusersd 100002 1-2
The rstatd and rusersd services provide information about the system and the users; this information should not be available outside of the local network. They should both be disabled if the system is connected to a public network.
rwalld sunrpc_udp udp wait root /usr/lib/netsvc/rwall/rpc.rwalld rwalld 100008 1
The rwalld daemon accepts incoming messages and writes the message to the terminals of all logged-in users. This inetd.conf entry should be disabled or deleted.
sprayd sunrpc_udp udp wait root /usr/lib/netsvc/spray/rpc.sprayd sprayd 100012 1
The sprayd daemon, in conjunction with the spray command, can provide network performance statistics. It can also provide a platform for denial of service attacks. It should be disabled or deleted.
pcnfsd sunrpc_udp udp wait root /usr/sbin/rpc.pcnfsd pcnfsd 150001 1-2
The rpc.pcnfsd daemon receives connections from Personal Computer-Network File System (PC-NFS) clients. This service is primarily used for printing from desktop computers with non-UNIX-based operating systems to print spools on the AIX server. There have been several vulnerabilities in this daemon, and there are more modern, secure alternatives.
Unless your environment requires the use of PC-NFS, this inetd.conf entry should be disabled.
echo stream tcp nowait root internal
discard stream tcp nowait root internal
chargen stream tcp nowait root internal
daytime stream tcp nowait root internal
time stream tcp nowait root internal
echo dgram udp wait root internal
discard dgram udp wait root internal
chargen dgram udp wait root internal
daytime dgram udp wait root internal
time dgram udp wait root internal
The above services are handled internally by the inetd daemon. While none of the internal services have been the source of a large vulnerability, each entry represents another open port and an opportunity to host a denial of service attack. Therefore, disable these entries unless there is a specific need for the service that they provide.
ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1
The ToolTalk Database Server (rpc.ttdbserver) is a component of the Common Desktop Environment (CDE), used by AIXWindows. This daemon has a history of security vulnerabilities, and it should be disabled, as it is unlikely that a server would require the availability of CDE.
ssalld sunrpc_tcp tcp wait root /usr/sbin/rpc.ssalld rpc.ssalld 300667 1
The rpc.ssalld daemon is the part of the SSA network agent for the IBM StorWatch Serial Storage Expert (StorX) application. Unless StorX is in use at your site and is monitoring this host, the ssalld entry should be disabled or deleted from /etc/inetd.conf.
instsrv stream tcp nowait netinst /home/netinst/bin/instsrv instsrv -r /tmp/netinstalllog /home/netinst/scripts
The instsrv service is part of the Network Installation Tools, useful only for providing service to RS/6000s running AIX version 3.2 or earlier. This inetd.conf entry should be disabled, and the fileset that it is associated with, bos.compat.NetInst, should be removed from the system.
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
cmsd sunrpc_udp udp wait root /usr/dt/bin/rpc.cmsd cmsd 100068 2-5
Both the dtspcd daemon and the rpc.cmsd daemon are part of the Common Desktop Environment. dtspc enables the launching of applications from remote hosts. The cmsd service communicates with the dtcm client calendaring application. Neither of these services should be active
2 comments:
Hey Madhu, nice to see your blog.
Hi Madhu,
nice to see your blog