# # How do I secure services on a SCO Unix system?
APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

SCO Unix TCP/IP and NFS FAQ

I've removed advertising from most of this site and will eventually clean up the few pages where it remains.

While not terribly expensive to maintain, this does cost me something. If I don't get enough donations to cover that expense, I will be shutting the site down in early 2020.

If you found something useful today, please consider a small donation.



Some material is very old and may be incorrect today

© December 2003 (various)

This article is from a FAQ concerning SCO operating systems. While some of the information may be applicable to any OS, or any Unix or Linux OS, it may be specific to SCO Xenix, Open There is lots of Linux, Mac OS X and general Unix info elsewhere on this site: Search this site is the best way to find anything.

How do I secure services on an older SCO Unix system?

(Probably the best answer is to migrate its apps to Linux, but, failing that..)



First, consider that production machines should never be firewalls. Two important functions like that should be on separate machines. However, you shouldn't just depend on a firewall either; each internal machine should be at least reasonably secured by shutting off unnecessary services etc.

Many services are run by the inetd daemon. You turn them off by editing /etc/inetd.conf, commenting them out, and either rebooting or sending inetd a signal 1 (which tells it to re-read inetd.cong).

Some people edit /etc/services. I think that's wrong, because inetd.conf is what really controls inetd. Services is the just translation of names to numbers, and I think it's potentially confusing to do it the other way, because anyone looking at it would think that the service could run.

For example, find the fingerd in /etc/inetd.conf and put a # sign at the beginning of the line. Then signal inetd

 kill -1 `cat /etc/inetd.pid`
 
Note the backtics in the above command - those are the single quotes that are unshifted ~, not unshifted "

Some things (like http) are started in the scripts at /etc/rc2.d. You stop them by running (for example)

 /etc/rc0.d/K78atlas
 /etc/rc0.d/S90fasttrack
 

Those scripts stop the SCO Netscape servers.

To keep them from starting again, you need to edit

/etc/rc2.d/S90atlas and /etc/rc2.d/S90fasttrack

and put "exit 0" at the top of each script. Or skip the K78atlas etc. and just reboot after adding the "exit 0" to these scripts. (you can also start and stop individual servers through the Netscape Admin server rather than just stopping everything)

A very few things start in /etc/tcp, for example snmp and ntp. You'll find lines like :

 if [ -x /etc/ntp.conf ] ; then
 /etc/ntpd -g
 fi
 

To stop that one from starting, you'd remove or rename /etc/ntp.conf. What happens there is the the "-x" tests to see if /etc/ntp.conf exists; if it does, then "/etc/ntpd -g" is run. If it does not exist, nothing happens. You'd need to reboot for these to take effect, or you could run

 /etc/tcp stop
 /etc/tcp start
 

after making your changes, or track down what you have disabled with "ps"

 ps -e | grep routed
 

and kill each process manually.


Finally, consider running tcpwrappers and/or ipfilters. See http://aplawrence.com/Security/general.html and http://aplawrence.com/Security/ipfilter.html

If you found something useful today, please consider a small donation.



Got something to add? Send me email.





(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

->
-> How do I secure services on a SCO Unix system?


Inexpensive and informative Apple related e-books:

Digital Sharing Crash Course

Take Control of iCloud

Take Control of OS X Server

Take Control of Apple Mail, Third Edition

Take Control of Pages






Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us


Printer Friendly Version





Don't blame me for the fact that competent programming, as I view it as an intellectual possibility, will be too difficult for "the average programmer" — you must not fall into the trap of rejecting a surgical technique because it is beyond the capabilities of the barber in his shop around the corner. (Edsger W. Dijkstra)




Linux posts

Troubleshooting posts


This post tagged:

FAQ

Networking

SCO_OSR5

Security



Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode