Making An HP 3000 More Secure
March 28, 2012
The Internet includes a wealth of advice, but it also harbors guidelines for IT malice. Not long ago the HP 3000 mailing list and newsgroup included a message that pointed to a pair of documents about hacking into the HP 3000. One expert in the system said these were dated, but still effective.
There's always been a lot in MPE that makes your servers more secure, of course, plus independent software to bolt its doors shut. (Security/3000 from VEsoft comes to mind. User Robert Mills says that "it is well worth the cost and time involved in setting up.") Even MPE's included passwords and permissions usage might be in the dim recesses of your memory, however. Consultant Michael Anderson of J3K Solutions supplied some refresher material.
An easy way into a MPE box is when the default passwords are left unchanged, like the TELESUP account and a few more third-party accounts that are well known. Securing your HP 3000 is simple.
1. Set unique passwords on all user/accounts, and maybe even groups.
2. Use PASSEXEMPT to avoid keeping passwords in job streams, enabling you to change passwords frequently.
3. Make sure ACCESS= & CAPABILTIES are set properly to avoid the use of the RELEASE command.
4. Programatically audit, audit, and then audit some more!
When anyone does log on, there are more options as well.
I don't have my HP 3000 plugged directly into the Internet. However, if it wasn't behind a firewall, I believe it would take the beating and keep on ticking.
I've configured my firewall to forward all telnet traffic to the HP 3000 directly, and I do see attempts to hack it everyday. But none are successful. On the other hand, I've had my Unix and Linux machines hacked, using buffer-overflows and brute force attacks, several times.