SGI: Security Recommendations - Page 1

Hey guys, contemplating dusting off my SGI boxes. Looking for some ideas on securing, or improving security, or generally hardening the machines. I haven't worked with any UNIX for a while, so even general/not IRIX-specific stuff would be great. Thanks!
:Octane: 2x600 R14K, 8G, V12
:O2: 1x600 R7K, 1G
:Indigo2IMP: 1x75 R8K, 256M
remove sendmail, replace with patched qmail
remove inetd, replace with UCSPI
enable strict IPFilter rules
or the easier alternative, use behind a firewall
:PI: :O2: :Indigo2IMP: :Indigo2IMP:
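A concrete starting point for the "strict IPFilter rules" item above, added here as an example and not part of the original post: a minimal default-deny /etc/ipf.conf for a single-homed hobbyist box. The interface name ef0 (Octane's on-board Ethernet; O2 and Indy show ec0, confirm with ifconfig -a) and the LAN prefix 192.168.1.0/24 are assumptions, and the ruleset is written in standard IPFilter syntax rather than anything IRIX-specific.

```text
# /etc/ipf.conf (added example, not from the thread)
# Assumed: interface ef0, home LAN 192.168.1.0/24. Adjust both.

# Loopback traffic is always fine.
pass in  quick on lo0 all
pass out quick on lo0 all

# Default deny inbound, and log what is dropped so you can see who knocks.
block in log on ef0 all

# Let the machine initiate connections; the state table admits the replies
# without needing any blanket "pass in" rule.
pass out quick on ef0 proto tcp  from any to any flags S keep state
pass out quick on ef0 proto udp  from any to any keep state
pass out quick on ef0 proto icmp from any to any keep state

# The only thing reachable from outside: ssh, and only from the home LAN.
pass in quick on ef0 proto tcp from 192.168.1.0/24 to any port = 22 flags S keep state

# Anything else you must expose (a nekoware httpd, say) gets its own explicit
# "pass in quick on ef0 proto tcp from <net> to any port = 80 flags S keep state"
# line above this comment. Everything not listed stays blocked.
```

Load it with `ipf -Fa -f /etc/ipf.conf` and check what actually took effect with `ipfstat -io`; both are the standard IPFilter commands and should be the same on the SGI port, but confirm the paths on your install. The useful check after loading is to scan the box from another LAN host (the Nessus suggestion later in this thread, or plain nmap) and confirm only port 22 answers.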
But you need to take care of application security as well; I would be especially cautious of Netscape and Acrobat.
:PI: :O2: :Indigo2IMP: :Indigo2IMP:
robespierre wrote: or the easier alternative, use behind a firewall


Concur. I've got a really solid firewall between my home LAN and the Internet and I've never had any security problems with my IRIX boxes at all. Although, disclaimer-wise, I don't use my IRIX boxes to surf the Internet. But many members here do and no one's yet reported that their IRIX boxes were attacked as a result...
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...

:Tezro: :Octane2:
Most of my machines are on a secured network that can't route (directly) to the Internet. Only a few have outside facing NICs, and none of them are the SGIs.
smit happens.

:Fuel: bigred , 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy , 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze , 175MHz R10000, Solid IMPACT
probably posted from bruce , Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * HP C8000 * BeBox * Solbourne S3000 * Commodore 128 * many more...
That's by far the best approach.
:PI: :O2: :Indigo2IMP: :Indigo2IMP:
ClassicHasClass wrote: Most of my machines are on a secured network that can't route (directly) to the Internet. Only a few have outside facing NICs, and none of them are the SGIs.


All my vintage systems are on a network that has no physical connections to the main network. The only way to get files in and out of the network is by attaching a crossover cable to a FreeBSD box where the files are staged. I just don't feel that my IRIX boxes should be on the internet.
:O2: O2 - (Mantadoc) - R5K - 200MHZ - 128MB RAM - 6.5.30
:Octane: Octane - (Montrealais) - R12K - 2*360MHZ - 1024MB RAM - EMXI. - 6.5.30
Alphaserver DS10 - (Vandoc) - EV6 - 466MHZ - 256MB RAM
Sun Ultra 5 - (Quedoc) - UltraSparc II - 400MHZ - 512MB RAM
ASUS K55VD - (Mapleglen)- I5 - Dual Core 2.5GHZ - 8 GB RAM
Dell L502X - (Algorail) - I7 - Quad Core 2GHZ - 6 GB RAM
If you wanted to get more exotic with security protection on IRIX, one of the best products for locking down a system (my opinion) is eTrust Access Control (owned by CA); it works with lots of Unix-type platforms including IRIX. The last I worked with that product was eTrust Access Control for UNIX version 8. It's like a Tripwire tool but with enforcement and central auditing and control, sort of like SELinux and sudo (although it can work standalone on a single system). Intruders cannot circumvent its protections or exploit vulns in apps that easily.

Looking through the CDs for version 5.1, it seems that it works on the following platforms: DECUNIX4, DYNIXPTX, IRIX64, IRIX, LINUX390, LINUX, NCR, SINIX, SOLARIS x86, UNIXWARE, RSV, Solaris, STOP, AIX43, AIX4, HPUX1020, HPUX10, HPUX11, a couple of mainframes and NT-i386.

I never did try it on IRIX before... another weekend project ;)
Its downfall may be that it is not simple to set up, and poor marketing by CA. Plus, I'm not sure how much it costs.

-Kevin
Just run everything behind a router/firewall and you're fine. General golden rule; goes for all systems.
Then you can surf and do whatever else you want with your SGIs and any other specials you might have.
r-a-c.de
Krokodil wrote: just don't feel that my IRIX boxes should be on the internet.

But if they're behind a NATing firewall are they really on the Internet? I think there's a big difference between being on the Internet and being able to get to the Internet. In the 8 years since I've had IRIX boxes on my LAN, and knowing of my firewall as the Internet gateway, I've never had a problem. I hasten to add that not knowing of any problems doesn't mean there aren't any problems. For all we know the NSA could be sitting inside all our computers. Although, if they were inside mine, why haven't I been cuffed and stuffed yet? "Guilty of every computer crime we have a law for..." :lol:
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...

:Tezro: :Octane2:
I'm with Vishnu here. My SGIs are all firewalled and have unnecessary services turned off, but otherwise do have Internet access. So far, no problems that I'm aware of.

Overall, I think ancient copies of Firefox and a dead-end and niche OS are not really what you'd call major attack targets. Everything these days seems to focus on Windows or mobile phones where a successful attack can yield a lot more benefit for attackers.
Systems in use:
:Indigo2IMP: - Nitrogen : R10000 195MHz CPU, 384MB RAM, SolidIMPACT Graphics, 36GB 15k HDD & 300GB 10k HDD, 100Mb/s NIC, New/quiet fans, IRIX 6.5.22
:Fuel: - Lithium : R14000 600MHz CPU, 4GB RAM, V10 Graphics, 36GB 15k HDD & 300GB 10k HDD, 1Gb/s NIC, New/quiet fans, IRIX 6.5.30
Other systems in storage: :O2: x 2, :Indy: x 2
The long time since the last patch means that researching new exploits isn't the point. All the old ones still work and serving an exploit to a vulnerable machine has long been completely automated.

just run everything behind a router/firewall and you're fine. general, golden rule; goes for all systems.

Heartbleed? What's that?
:PI: :O2: :Indigo2IMP: :Indigo2IMP:
vishnu wrote:
Krokodil wrote: just don't feel that my IRIX boxes should be on the internet.

But if they're behind a NATing firewall are they really on the Internet? I think there's a big difference between being on the Internet and being able to get to the Internet. In the 8 years since I've had IRIX boxes on my LAN, and knowing of my firewall as the Internet gateway, I've never had a problem. I hasten to add that not knowing of any problems doesn't mean there aren't any problems. For all we know the NSA could be sitting inside all our computers. Although, if they were inside mine, why haven't I been cuffed and stuffed yet? "Guilty of every computer crime we have a law for..." :lol:


I know they're not directly facing the Internet, but the browsers and applications like Java are stone age and questionable in today's wild west Internet.

Guilty of every computer crime, eh? lol.
If the NSA is in your computer, the reason you haven't been busted is that they don't consider whatever you're doing enough to justify blowing their secrecy. But every roadblock you put up against these jerks makes their job that much harder and makes them spend more money on it; it may even force them to risk exposing themselves, like breaking into your house and getting caught.
:O2: O2 - (Mantadoc) - R5K - 200MHZ - 128MB RAM - 6.5.30
:Octane: Octane - (Montrealais) - R12K - 2*360MHZ - 1024MB RAM - EMXI. - 6.5.30
Alphaserver DS10 - (Vandoc) - EV6 - 466MHZ - 256MB RAM
Sun Ultra 5 - (Quedoc) - UltraSparc II - 400MHZ - 512MB RAM
ASUS K55VD - (Mapleglen)- I5 - Dual Core 2.5GHZ - 8 GB RAM
Dell L502X - (Algorail) - I7 - Quad Core 2GHZ - 6 GB RAM
Krokodil wrote: I know they're not directly facing the Internet, but the browsers and applications like Java are stone age and questionable in today's wild west Internet.

I concur with that sentiment; I don't use any Internet software on any of my SGIs. But I know a lot of folks here have been using Firefox 3 on their SGIs with no apparent problem.
Krokodil wrote: Guilty of every computer crime, eh? lol.
If the NSA is in your computer, the reason you haven't been busted is that they don't consider whatever you're doing enough to justify blowing their secrecy. But every roadblock you put up against these jerks makes their job that much harder and makes them spend more money on it; it may even force them to risk exposing themselves, like breaking into your house and getting caught.

Nah, this is the Land of the Free, they'd get some idiot judge to sign a warrant and then they'd show up in an armored personnel carrier, shoot tear gas canisters through my windows, use a robotic battering ram to knock down my door, throw in a dozen flash bang grenades, rush in wearing body armored ninja suits wielding m4 carbines with the safeties off, most likely shoot me fifty or sixty times and then hold a press conference to tell the world what a huge favor they've done them... :shock:
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...

:Tezro: :Octane2:
I am still running IRIX systems on the Internet. These are private projects, like the nekoware mirror, and I have never had problems with it. Around the year 2000 our company used a Challenge S as a secondary nameserver. This server was located at another Internet service provider (for free) and we simply forgot about this server. When that company moved location some years ago, they asked us if we were still using this server. So we got it back and examined it; it was running IRIX 6.2 and had never been hacked after 10 years running without any administration.
:Tezro: :Fuel: :Octane2: :Octane: :Onyx2: :O2+: :O2: :Indy: :Indigo: :Cube:
diegel wrote: I am still running IRIX systems on the Internet. These are private projects, like the nekoware mirror, and I have never had problems with it. Around the year 2000 our company used a Challenge S as a secondary nameserver. This server was located at another Internet service provider (for free) and we simply forgot about this server. When that company moved location some years ago, they asked us if we were still using this server. So we got it back and examined it; it was running IRIX 6.2 and had never been hacked after 10 years running without any administration.

So wait, by decree of the IETF every domain name has to have at least two nameservers, with different IP addresses, serving the domain. So did you guys forget about that nameserver or just not worry about it since it was working? Cuz otherwise I don't see how you could actually literally forget about one of your nameservers, unless you had dozens, which admittedly the big providers do...
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...

:Tezro: :Octane2:
vishnu wrote: So wait, by decree of the IETF every domain name has to have at least two nameservers, with different IP addresses, serving the domain. So did you guys forget about that nameserver or just not worry about it since it was working? Cuz otherwise I don't see how you could actually literally forget about one of your nameservers, unless you had dozens, which admittedly the big providers do...

First of all, we are using more than one secondary, and we are spreading them over more than one network provider. And of course we first moved the service to more modern hardware before we forgot about this server.
:Tezro: :Fuel: :Octane2: :Octane: :Onyx2: :O2+: :O2: :Indy: :Indigo: :Cube:
diegel wrote: First of all, we are using more than one secondary, and we are spreading them over more than one network provider. And of course we first moved the service to more modern hardware before we forgot about this server.

Oh, the joys, of a life in IT. https://groups.google.com/forum/#!forum/alt.sysadmin.recovery
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...

:Tezro: :Octane2:
If you want to secure your installation....

Minimize running services. If you want to really see the ins and outs of your SGI machine, run a Nessus scan on it. If you are running it for yourself, Tenable allows home users to download it for free (there are some limitations, such as how many hosts you can scan, and you cannot do compliance checking). That should give you a very good starting point on where to start disabling extra running software, and should point you at a lot of outdated software.

Step two: Update your software. For things that you are using, use the most updated copy you can. Nekoware provides a lot of easy-to-install tardists that are much newer than what SGI provided, and you can also consider building your own software.

Step three: Secure your network. Firewalls, IPS/IDS, and such are your friends.

Disclaimer: I am a former employee of Tenable Network Security. This is not a paid advertisement, nor do I represent the company in any way, shape, or form. I just think they still make the best Vulnerability Scanner on the market.
"Apollo was astonished, Dionysus thought me mad."
:Octane: :Octane: :O2:
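The "minimize running services" step above is mostly a matter of editing inetd.conf and reviewing what it still starts. The script below is an added example, not code from the post or from Tenable: it audits a copy of an inetd.conf, comments out the cleartext remote-login services, and prints what is left. The sample file is constructed here so it runs offline; on a real IRIX 6.5 box the file is /etc/inetd.conf and the daemon is told to reread it with `/etc/killall -HUP inetd` (those two paths are my assumption about IRIX, the script itself only touches the file you hand it).

```sh
#!/bin/sh
# Added example, not from the thread: audit a copy of inetd.conf and
# comment out services you do not need. Assumed IRIX locations:
# /etc/inetd.conf for the file, `/etc/killall -HUP inetd` to reload.

# Constructed sample in the classic inetd.conf layout (not a real capture).
SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample
cat > "$SAMPLE" <<'EOF'
# service  socket  proto  wait/nowait  user  server  args
ftp      stream  tcp  nowait  root  /usr/etc/ftpd    ftpd -l
telnet   stream  tcp  nowait  root  /usr/etc/telnetd telnetd
shell    stream  tcp  nowait  root  /usr/etc/rshd    rshd -L
login    stream  tcp  nowait  root  /usr/etc/rlogind rlogind
finger   stream  tcp  nowait  guest /usr/etc/fingerd fingerd
# tftp   dgram   udp  wait    guest /usr/etc/tftpd   tftpd -s /tftpboot
EOF

# Print the service names that are currently enabled, i.e. every line
# that is not commented out and has the full six-plus inetd fields.
list_enabled() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# Comment out one service by name. The original line is kept and only
# prefixed with "#", so the change is easy to review and to revert.
disable_service() {
    file=$1; name=$2
    tmp="$file.tmp.$$"
    awk -v svc="$name" '$1 == svc { print "#" $0; next } { print }' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Cleartext login and information-leak services that have no place on a
# LAN where ssh is available. This is the editor's list, not the thread's.
for svc in telnet shell login finger; do
    disable_service "$SAMPLE" "$svc"
done

# What is still enabled after the pass above (only ftp in this sample).
list_enabled "$SAMPLE"
```

The point of printing the survivors is that each one is a decision: ftp in the sample is still cleartext and would go too unless something on the LAN genuinely needs it. Run the same listing again after the Nessus scan; anything the scanner flags that still shows up here is a service you can turn off rather than patch.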
Plus, you could place any services you are running inside a chroot. Call it a form of virtualization... IRIX-containers, IRIX-zones, IRIX-jails, etc. ;) (yeah, I know it's not virtualization, but it's probably as close as we'll get with IRIX).

Chroots can still be broken out of, but it's better than giving a remote attacker full access immediately to your root filesystem that comes complete with exploitable binaries and apps.

octane 14# gtar xpvf chroot-irix.tar
chroot-irix/
chroot-irix/dev/
chroot-irix/dev/zero
chroot-irix/dev/null
chroot-irix/dev/random
chroot-irix/dev/urandom
chroot-irix/sbin
chroot-irix/incoming/
chroot-irix/usr/
chroot-irix/usr/lib32/
chroot-irix/usr/lib32/libc.so.1
chroot-irix/bin/
chroot-irix/bin/chmod
chroot-irix/bin/chown
chroot-irix/bin/groups
chroot-irix/bin/ldd
chroot-irix/bin/ln
chroot-irix/bin/ls
chroot-irix/bin/mkdir
chroot-irix/bin/mv
chroot-irix/bin/pwd
chroot-irix/bin/rm
chroot-irix/bin/rmdir
chroot-irix/bin/scp
chroot-irix/bin/sh
chroot-irix/bin/csh
chroot-irix/lib32/
chroot-irix/lib32/libc.so.1
chroot-irix/lib32/rld
chroot-irix/lib32/libcrypto.so.0
chroot-irix/lib32/libz.so
chroot-irix/etc/
chroot-irix/etc/passwd
chroot-irix/etc/group

octane 15# cd chroot-irix
octane 16# chroot . /bin/sh
# pwd
/

Place a /usr/nekoware/lib/ dir in the chroot with any required libraries for your app, and you're good to go inside a chroot. Run a webserver, mailserver, etc. It will take some fiddling to get the required libs and dirs in place.

-Kevin
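The "fiddling to get the required libs in place" is the part that a script removes. The following is an added example, not Kevin's code: it parses ldd-style output, copies every resolved library into the chroot tree at its original path, and complains about anything ldd could not resolve so you find out before the service fails inside the jail. The `lib => /path/lib` line layout is assumed to match IRIX's ldd (the parser only keys on the `=>` token, so other layouts still work), and the sample ldd output is constructed so the script runs offline.

```sh
#!/bin/sh
# Added example (not the thread's own code): populate a chroot tree with a
# binary and the shared libraries its ldd output names. The "=>" line
# layout is an assumption about IRIX's ldd; only that token is relied on.

# Parse ldd-style output on stdin and print one absolute library path per
# line. Entries without a path after "=>" ("not found") go to stderr so a
# missing library is noticed now rather than at chroot time.
ldd_paths() {
    awk '
        /=>/ {
            p = ""
            for (i = 1; i <= NF; i++)
                if ($i == "=>") { p = $(i + 1); break }
            if (substr(p, 1, 1) == "/") print p
            else print "unresolved: " $0 > "/dev/stderr"
        }'
}

# Copy each path read from stdin into the tree rooted at $1, recreating
# the parent directories so /usr/lib32/libc.so.1 lands at
# $1/usr/lib32/libc.so.1 (the same layout the post's tar listing shows).
copy_into_root() {
    root=$1
    while read -r p; do
        d=$(dirname "$p")
        mkdir -p "$root$d"
        cp -p "$p" "$root$p"
    done
}

# Real entry point (not exercised offline): copy each binary plus the
# libraries ldd names for it. The runtime loader (lib32/rld in the post's
# listing) is not a dependency ldd reports, so add it by hand afterwards.
build_chroot() {
    root=$1; shift
    for bin in "$@"; do
        printf '%s\n' "$bin" | copy_into_root "$root"
        ldd "$bin" | ldd_paths | copy_into_root "$root"
    done
}
# e.g.  build_chroot /chroot-irix /usr/nekoware/sbin/httpd

# Constructed sample of ldd output, used only for the offline demonstration.
SAMPLE_LDD='        libz.so  =>      /usr/lib32/libz.so
        libcrypto.so.0  =>      /usr/lib32/libcrypto.so.0
        libc.so.1  =>    /usr/lib32/libc.so.1
        libfoo.so  =>    not found'

# Returns the three resolved paths; the unresolved libfoo.so is reported
# on stderr and left out.
demo_paths() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths 2>/dev/null
}

demo_paths
```

Two caveats that go with the post's `chroot . /bin/sh` demonstration: start the jailed service as an unprivileged user (a process that is still root inside a chroot has several well-known ways out), and copy libraries rather than symlinking or bind-mounting the real /usr/lib32, since the whole point is that an attacker in the jail does not get the host's full set of binaries.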