March 28, 2012
Making An HP 3000 More Secure
The Internet includes a wealth of advice, but it also harbors guidelines for IT malice. Not long ago the HP 3000 mailing list and newsgroup included a message that pointed to a pair of documents about hacking into the HP 3000. One expert in the system said these were dated, but still effective.
There's always been a lot in MPE that makes your servers more secure, of course, plus independent software to bolt its doors shut. (Security/3000 from VEsoft comes to mind. User Robert Mills says that "it is well worth the cost and time involved in setting up.") Even MPE's included passwords and permissions usage might be in the dim recesses of your memory, however. Consultant Michael Anderson of J3K Solutions supplied some refresher material.
Write a simple script/program to check the remote IP address at logon, and if it is from the outside you can add additional security requirements, keep a table of allowed addresses, log these events, track outside sessions more rigorously, or simply not allow it.
An easy way into an MPE box is when the default passwords are left unchanged, like the TELESUP account and a few more third-party accounts that are well known. Securing your HP 3000 is simple.
1. Set unique passwords on all user/accounts, and maybe even groups.
2. Use PASSEXEMPT to avoid keeping passwords in job streams, enabling you to change passwords frequently.
3. Make sure ACCESS= & CAPABILITIES are set properly to avoid the use of the RELEASE command.
4. Programmatically audit, audit, and then audit some more!
When anyone does log on, there are more options as well.
I don't have my HP 3000 plugged directly into the Internet. However, if it wasn't behind a firewall, I believe it would take the beating and keep on ticking.
I've configured my firewall to forward all telnet traffic to the HP 3000 directly, and I do see attempts to hack it every day. But none are successful. On the other hand, I've had my Unix and Linux machines hacked, using buffer overflows and brute force attacks, several times.
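The logon-time check on the remote IP address suggested above comes down to a small decision function: inside addresses pass, outside addresses in the allowed table get extra requirements, everything else is refused, and every outside event is logged. This is an added example in generic Python, not MPE/iX code and not from the article or its contributors; the function names and address ranges are constructed assumptions, and how the remote address is obtained at logon is left to the caller.

```python
import ipaddress
import logging

log = logging.getLogger("logon_ip_check")

# Constructed policy tables (assumptions for illustration, not from the article).
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ALLOWED_OUTSIDE = [ipaddress.ip_network(n) for n in ("203.0.113.16/28", "198.51.100.7/32")]

ALLOW, EXTRA_AUTH, DENY = "allow", "allow-extra-auth", "deny"


def check_logon(user, remote_ip):
    """Hypothetical helper: decide how to treat a logon from remote_ip."""
    try:
        addr = ipaddress.ip_address(remote_ip.strip())
    except (ValueError, AttributeError):
        # Missing or malformed address: fail closed and record the event.
        log.warning("DENY user=%s ip=%r reason=unparseable", user, remote_ip)
        return DENY
    if any(addr in net for net in INSIDE_NETS):
        log.info("ALLOW user=%s ip=%s origin=inside", user, addr)
        return ALLOW
    if any(addr in net for net in ALLOWED_OUTSIDE):
        # Known outside source: permit, but require more and log loudly.
        log.warning("EXTRA-AUTH user=%s ip=%s origin=outside", user, addr)
        return EXTRA_AUTH
    log.warning("DENY user=%s ip=%s reason=not-in-table", user, addr)
    return DENY


# Constructed sample logon attempts (user, remote address).
SAMPLE_LOGONS = [
    ("MGR.PAYROLL", "10.20.30.40"),
    ("OPERATOR.SYS", "203.0.113.20"),
    ("MGR.TELESUP", "192.0.2.99"),
    ("MGR.TELESUP", "not-an-ip"),
]


def review(logons):
    """Return (user, ip, decision) for each attempt, for later auditing."""
    return [(user, ip, check_logon(user, ip)) for user, ip in logons]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    for row in review(SAMPLE_LOGONS):
        print(row)
```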