
IBM AIX/UNIX system storage administration ksh/perl scripting

Wednesday, March 05, 2008

Disabling undesired TCP/IP services in AIX

With the increased attention to system and network security, many AIX administrators are deploying ssh and ssl and want to turn off the TCP/IP services that AIX enables by default. Most of the inetd services involved (ftp, telnet, rsh, rlogin, rexec) send credentials and session data in clear text, so once ssh is in place there is rarely a reason to leave them listening.

The script that follows shows how this was done in one customer implementation. It must run as root and assumes the stock /etc/inetd.conf, /etc/rc.tcpip and /etc/inittab shipped with AIX. Two caveats: 1) a machine that will act as a NIM server (master) must keep the bootps and tftp services ON in /etc/inetd.conf, because NIM clients obtain their boot image through them. 2) When the script is used during a NIM client install, do not run it as a post-install (customization) script; run it as a first-boot script instead (fb_script resources run after the NIM client installation completes and the client has rebooted). Now the script:

#!/bin/sh
# Run as root. Each file is copied to NAME.original before it is rewritten.

# inetd services: a leading '#' makes inetd skip the line.
cp /etc/inetd.conf /etc/inetd.conf.original
sed -e 's/^ftp/#ftp/'     -e 's/^telnet/#telnet/' \
    -e 's/^shell/#shell/' -e 's/^kshell/#kshell/' \
    -e 's/^login/#login/' -e 's/^klogin/#klogin/' \
    -e 's/^exec/#exec/'   -e 's/^bootps/#bootps/' \
    -e 's/^ntalk/#ntalk/' -e 's/^tftp/#tftp/' \
    /etc/inetd.conf.original > /etc/inetd.conf

# Daemons started from rc.tcpip at boot: sendmail (qpi is its queue-run
# interval), snmpd and its dpid2 subagent, and the portmap RPC mapper.
cp /etc/rc.tcpip /etc/rc.tcpip.original
sed -e 's/^qpi=30m/#qpi=30m/' \
    -e 's|^start /usr/lib/sendmail|#start /usr/lib/sendmail|' \
    -e 's|^start /usr/sbin/snmpd|#start /usr/sbin/snmpd|' \
    -e 's|^start /usr/sbin/portmap|#start /usr/sbin/portmap|' \
    -e 's|^start /usr/sbin/dpid2|#start /usr/sbin/dpid2|' \
    /etc/rc.tcpip.original > /etc/rc.tcpip

# inittab entries: NFS (client and server), the print spooler and the
# write/wall server. In AIX's inittab a line starting with ':' is a comment.
cp /etc/inittab /etc/inittab.original
sed -e 's/^rcnfs/:rcnfs/' \
    -e 's/^qdaemon/:qdaemon/' \
    -e 's/^writesrv/:writesrv/' \
    /etc/inittab.original > /etc/inittab

# Make the running inetd reread /etc/inetd.conf now.
/usr/bin/refresh -s inetd
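The inetd.conf edit above matches each service name only at the start of the line, so a pattern such as ^exec would also comment out any other entry whose first field merely begins with "exec", and running the script twice produces lines that start with "##". The following is an added example, not the customer script from the post and not IBM code: a reusable version that anchors on the whole first field (name followed by whitespace), leaves already-commented lines alone, keeps the first .original copy, and lists what inetd will still offer. The function names disable_inetd_services, enabled_inetd_services and make_sample_inetd, and the sample file (a shortened, constructed inetd.conf, not a real AIX one) are this example's own; it only ever touches the file path it is given, so it can be tried on a temporary copy before being pointed at /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not from the original post or from IBM): idempotent
# inetd.conf editing with a whole-field match, plus a check of what is
# left enabled. Uses only POSIX sed, awk and mktemp (AIX, Linux, BSD).

# disable_inetd_services FILE SERVICE...
# Comments out every listed service in FILE (an inetd.conf-style file).
# The first call keeps an untouched copy as FILE.original; later calls
# do not overwrite that copy. Returns the exit status of the rewrite.
disable_inetd_services() {
    file=$1
    shift
    [ -f "$file.original" ] || cp "$file" "$file.original"
    script=$(mktemp)
    for svc in "$@"; do
        # BRE  s/^\(NAME<whitespace>\)/#\1/  : only a whole first field,
        # and only on lines that are not already commented.
        printf 's/^\\(%s[[:space:]]\\)/#\\1/\n' "$svc"
    done > "$script"
    sed -f "$script" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    rc=$?
    rm -f "$script"
    return $rc
}

# enabled_inetd_services FILE
# Prints the first field of every active (non-blank, non-comment) line,
# one per line: the services inetd will still offer after a refresh.
enabled_inetd_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# make_sample_inetd FILE
# Writes a small constructed sample in inetd.conf layout (assumed content
# for this example, shortened, not a real /etc/inetd.conf).
make_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd    ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd telnetd -a
#shell  stream  tcp6    nowait  root    /usr/sbin/rshd    rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd  rexecd
bootps  dgram   udp     wait    root    /usr/sbin/bootpd  bootpd /etc/bootptab
tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd   tftpd -n
ntalk   dgram   udp     wait    root    /usr/sbin/talkd   talkd
xmquery dgram   udp     wait    root    /usr/bin/xmtopas  xmtopas -p3
EOF
}

# Demonstration on a temporary copy; it never touches /etc.
demo() {
    dir=$(mktemp -d)
    make_sample_inetd "$dir/inetd.conf"
    disable_inetd_services "$dir/inetd.conf" \
        ftp telnet shell login exec bootps tftp ntalk
    echo "services still enabled after the edit:"
    enabled_inetd_services "$dir/inetd.conf"
    rm -rf "$dir"
}
demo
```

On the real system, follow the edit with refresh -s inetd and then lssrc -ls inetd, which lists the subservers inetd is still serving; netstat -an | grep LISTEN shows every port that remains open. Note that the other two edits in the post do not take effect on their own: init only rereads /etc/inittab after telinit q (and a daemon already started from rcnfs keeps running until stopsrc -g nfs), and the rc.tcpip change only applies at the next boot, so stop the daemons now with stopsrc -s sendmail, stopsrc -s snmpd, stopsrc -s dpid2 and stopsrc -s portmap. The supported way to drop an inittab entry permanently is rmitab rcnfs (and likewise for qdaemon and writesrv), which avoids hand-editing the file at all.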
