Protecting a 3000 by Eliminating Its Services
November 11, 2015
Here on this day when we celebrate people who have served in the armed forces, a question emerged about enabling HP 3000 JINETD services. Or disabling them, to make a 3000 more powerful and secure. (Yes, it seems to defy the logic about more services being better, one that we can hear in national defense debates. We didn't have such debates at Signal Corps training for the Second Battalion.) The solution to the 3000 service problem included advice on how to trim back risk as well as performance drains on a 3000.
Grigor Terterian said he was having a Series 979 freeze up, because JINETD was receiving a call "for echo udb." Mark Ranft and Denys Beauchemin said the fastest repair would be to comment out echo in the inetdcnf file. Ranft got specific with an example.
:print inetdcnf.net
# Internet server configuration database
#
#echo stream tcp nowait MANAGER.SYS internal
#echo dgram udp nowait MANAGER.SYS internal
#daytime stream tcp nowait MANAGER.SYS internal
#daytime dgram udp nowait MANAGER.SYS internal
#time stream tcp nowait MANAGER.SYS internal
#time dgram udp nowait MANAGER.SYS internal
#discard stream tcp nowait MANAGER.SYS internal
#discard dgram udp nowait MANAGER.SYS internal
#chargen stream tcp nowait MANAGER.SYS internal
#chargen dgram udp nowait MANAGER.SYS internal
telnet stream tcp nowait MANAGER.SYS internal
#bootps dgram udp wait MANAGER.SYS /SYS/NET/BOOTPD bootpd
#tftp dgram udp wait NET.SYS /SYS/NET/TFTPD tftpd
ftp stream tcp nowait MANAGER.SYS /SYS/ARPA/FTPSRVR ftpsrvr
In the example above, only telnet and ftp services are enabled, Ranft said. This led Art Bahrs, a Certified Security Professional, to add that the services you leave on are the ones that can cause trouble, if you don't need them enabled.
You should never, ever, no time, (did I mention 'never'?) run services you don't use or have a business or production need for.
Two reasons: First is security minded. If you have a service active, it is just another way to be hacked. Second is that an active, running service uses machine power, which is wasteful of electrons if there’s no need for it.
Ranft added his experience with inetd on MPE/iX:
Note that the command:
inetd.net.sys - c
will have inetd re-read the configuration.
Your success with this may vary. I've had lots of trouble with inetd in the far past. They got a lot better with the latest (final, for MPE/iX) set of patches. But on occasion, a scheduled restart (inetd.net.sys -k) and re-stream will probably help prevent issues.
I run my inetd with the logging feature.
!job jinetd, manager.sys !.... !run inetd.net.sys;pri=cs;info="-l" !eoj
This allows one to see the offending IP address in the $STDLIST.
Received call for: telnet tcp
telnet/tcp: Connection from unknown (10.0.1.226) at Fri Nov 6 19:56:28 2015
Received call for: echo tcp
echo/tcp: Connection from unknown (127.0.0.1) at Wed Nov 11 12:56:45 2015
Received call for: echo udp
echo/udp: Connection from unknown (127.0.0.1) at Wed Nov 11 12:57:07 2015
Received call for: echo udp
echo/udp: Connection from unknown (127.0.0.1) at Wed Nov 11 12:57:25 2015
As one veteran to others, I honor the services of all on this day, and thank you for your efforts toward our security. Long may it wave.