
Protecting a 3000 by Eliminating Its Services

Ron as Private

Here on this day when we celebrate people who have served in the armed forces, a question emerged about enabling HP 3000 JINETD services. Or disabling them, to make a 3000 more powerful and secure. (Yes, it seems to defy the logic about more services being better, one that we can hear in national defense debates. We didn't have such debates at Signal Corps training for the Second Battalion.) The solution to the 3000 service problem included advice on how to trim back risk as well as performance drains on a 3000.

Grigor Terterian said his Series 979 was freezing up because JINETD was receiving a call "for echo udp." Mark Ranft and Denys Beauchemin said the fastest repair would be to comment out echo in the inetdcnf file. Ranft got specific with an example.

:print inetdcnf.net
# Internet server configuration database
#
#echo  stream tcp nowait MANAGER.SYS internal
#echo  dgram  udp nowait MANAGER.SYS internal
#daytime  stream tcp nowait MANAGER.SYS internal
#daytime  dgram  udp nowait MANAGER.SYS internal
#time  stream tcp nowait MANAGER.SYS internal
#time  dgram  udp nowait MANAGER.SYS internal
#discard  stream tcp nowait MANAGER.SYS internal
#discard  dgram  udp nowait MANAGER.SYS internal
#chargen stream tcp nowait MANAGER.SYS internal
#chargen dgram  udp nowait MANAGER.SYS internal
telnet  stream tcp nowait MANAGER.SYS internal
#bootps  dgram  udp wait   MANAGER.SYS /SYS/NET/BOOTPD bootpd
#tftp  dgram  udp wait   NET.SYS   /SYS/NET/TFTPD tftpd
ftp  stream tcp nowait MANAGER.SYS /SYS/ARPA/FTPSRVR ftpsrvr

In the example above, only the telnet and ftp services are enabled, Ranft said. This led Art Bahrs, a Certified Security Professional, to add that the services you leave on are the ones that can cause trouble if you don't need them enabled.

Bahrs, who's also a retired Marine, celebrated his Veterans Day with this advice.

You should never, ever, no time, (did I mention 'never'?) run services you don't use or have a business or production need for.

Two reasons: First is security minded. If you have a service active, it is just another way to be hacked. Second is that an active, running service uses machine power, which is wasteful of electrons if there’s no need for it.

Ranft added his experience with inetd on MPE/iX:

Note that the command:

inetd.net.sys -c

will have inetd re-read the configuration.

Your success with this may vary. I've had lots of trouble with inetd in the far past. They got a lot better with the latest (final, for MPE/iX) set of patches. But on occasion, a scheduled restart (inetd.net.sys -k) and re-stream will probably help prevent issues.

I run my inetd with the logging feature.

!job jinetd, manager.sys
!....
!run inetd.net.sys;pri=cs;info="-l"
!eoj

This allows one to see the offending IP address in the $STDLIST.

Received call for: telnet tcp
telnet/tcp: Connection from unknown (10.0.1.226) at Fri Nov 6 19:56:28 2015
Received call for: echo tcp
echo/tcp: Connection from unknown (127.0.0.1) at Wed Nov 11 12:56:45 2015
Received call for: echo udp
echo/udp: Connection from unknown (127.0.0.1) at Wed Nov 11 12:57:07 2015
Received call for: echo udp
echo/udp: Connection from unknown (127.0.0.1) at Wed Nov 11 12:57:25 2015
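As an added illustration, not code from the thread or from MPE/iX itself, here is a small Python checker that applies the two ideas above: it reads an inetdcnf-style listing and reports which entries are still enabled, flagging the internal small services (echo, chargen, discard, daytime, time), and it tallies the connection lines that inetd -l writes to $STDLIST by service and source address. The sample configuration and log lines are constructed in the formats shown above.

```python
import re
from collections import Counter

# Constructed sample in the format of the inetdcnf.net listing above
SAMPLE_CNF = """\
#echo  stream tcp nowait MANAGER.SYS internal
echo  dgram  udp nowait MANAGER.SYS internal
telnet  stream tcp nowait MANAGER.SYS internal
ftp  stream tcp nowait MANAGER.SYS /SYS/ARPA/FTPSRVR ftpsrvr
"""
# Constructed sample lines in the format of the inetd -l $STDLIST above
SAMPLE_LOG = """\
Received call for: telnet tcp
telnet/tcp: Connection from unknown (10.0.1.226) at Fri Nov 6 19:56:28 2015
echo/udp: Connection from unknown (127.0.0.1) at Wed Nov 11 12:57:07 2015
echo/udp: Connection from unknown (127.0.0.1) at Wed Nov 11 12:57:25 2015
"""
# Internal "small services": rarely needed, and a classic source of traffic
# loops and reflection abuse, so they are flagged whenever still enabled.
SMALL_SERVICES = {"echo", "chargen", "discard", "daytime", "time"}

def enabled_services(cnf_text):
    """(service, proto) pairs whose inetdcnf line is not commented out."""
    enabled = []
    for line in cnf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue  # blank line, disabled (#) entry, or malformed entry
        enabled.append((fields[0], fields[2]))
    return enabled

def risky_services(cnf_text):
    """Enabled entries that belong to the small-service family."""
    return [(s, p) for s, p in enabled_services(cnf_text) if s in SMALL_SERVICES]

LOG_RE = re.compile(r"^(\w+)/(tcp|udp): Connection from \S+ \((\d+(?:\.\d+){3})\)")

def connection_counts(log_text):
    """Count inetd -l connection lines per (service, proto, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # 'Received call for' and other lines are skipped
            counts[m.groups()] += 1
    return counts

if __name__ == "__main__":
    print("risky enabled services:", risky_services(SAMPLE_CNF))
    for (svc, proto, ip), n in connection_counts(SAMPLE_LOG).most_common():
        print(f"{svc}/{proto} from {ip}: {n} connection(s)")
```

Run against a real inetdcnf listing and a logged $STDLIST, the same two functions show which entries to comment out and which addresses keep calling the small services.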

As one veteran to others, I honor the services of all on this day, and thank you for your efforts toward our security. Long may it wave.
