This is a discussion on HACMP required services within the AIX Operating System forums, part of the Unix Operating Systems category.
mr kay wrote:

Hi,

I'm sorry as I had to post this question to the group. I was requested to harden my AIX 5.1 cluster server. I had encountered a big problem last year when I hardened the server. Then, disaster happened. My server could not fail over and the application could not be started. So we fell back to the original config by restoring its previous mksysb, and it's running fine now. Eight months later, the security team again instructed me to harden the server.

I've spent most of my time with HACMP-related documentation and, unluckily for me, I haven't found what I've been looking for. Now they have become extremely impatient. Does anyone know which services are required by HACMP? I plan to disable telnet, ftp, login, cmsd, ntalk, rexd, uucp, etc.

Any info is highly appreciated.

Thanks
bigtiny wrote:

In the old days most inter-node communication was done via good old rsh. I believe in release 5.1 came the introduction of clcomd, which handles all inter-node communications. You basically don't need /.rhosts, but instead use /usr/es/sbin/cluster/etc/rhosts....read up on it....

bigtiny

mrkhairy@yahoo.com (mr kay) wrote in message news:<61039684.0409200007.440764ac@posting.google.com>...
> Hi,
>
> I'm sorry as I had to post this question to the group. I was requested to harden my AIX 5.1 cluster server. I had encountered a big problem last year when I hardened the server. Then, disaster happened. My server could not fail over and the application could not be started. So we fell back to the original config by restoring its previous mksysb, and it's running fine now. Eight months later, the security team again instructed me to harden the server.
>
> I've spent most of my time with HACMP-related documentation and, unluckily for me, I haven't found what I've been looking for. Now they have become extremely impatient. Does anyone know which services are required by HACMP? I plan to disable telnet, ftp, login, cmsd, ntalk, rexd, uucp, etc.
>
> Any info is highly appreciated.
>
> Thanks
mr kay wrote:

Thanks for the info. I assume it is safe to disable telnet and ftp in an HACMP environment, as HACMP uses rshd and snmp to operate correctly (I think). Is this true? Correct me if I'm wrong.

Regards

bigtiny@mac.com (bigtiny) wrote in message news:<c4435822.0409201305.5edaf22@posting.google.com>...
> In the old days most inter-node communication was done via good old rsh. I believe in release 5.1 came the introduction of clcomd, which handles all inter-node communications.
> You basically don't need /.rhosts, but instead use /usr/es/sbin/cluster/etc/rhosts....read up on it....
>
> bigtiny
>
> mrkhairy@yahoo.com (mr kay) wrote in message news:<61039684.0409200007.440764ac@posting.google.com>...
> > Hi,
> >
> > I'm sorry as I had to post this question to the group. I was requested to harden my AIX 5.1 cluster server. I had encountered a big problem last year when I hardened the server. Then, disaster happened. My server could not fail over and the application could not be started. So we fell back to the original config by restoring its previous mksysb, and it's running fine now. Eight months later, the security team again instructed me to harden the server.
> >
> > I've spent most of my time with HACMP-related documentation and, unluckily for me, I haven't found what I've been looking for. Now they have become extremely impatient. Does anyone know which services are required by HACMP? I plan to disable telnet, ftp, login, cmsd, ntalk, rexd, uucp, etc.
> >
> > Any info is highly appreciated.
> >
> > Thanks
Ian wrote:

On Wed, 22 Sep 2004 20:02:40 -0700, mr kay wrote:
> bigtiny@mac.com (bigtiny) wrote in message news:<c4435822.0409201305.5edaf22@posting.google.com>...
>> In the old days most inter-node communication was done via good old rsh. I believe in release 5.1 came the introduction of clcomd, which handles all inter-node communications. You basically don't need /.rhosts, but instead use /usr/es/sbin/cluster/etc/rhosts....read up on it....
>
> Thanks for the info. I assume it is safe to disable telnet and ftp in an HACMP environment, as HACMP uses rshd and snmp to operate correctly (I think). Is this true? Correct me if I'm wrong.

As bigtiny said, HA does not use rsh any more. V4 did, so you cannot remove it if that's what you're running. I have this direct from IBM: "HACMP v5.2 does NOT use rsh anymore, but uses clcomd. This will do away with all the rsh related problems." Which I sincerely hope is true, as I suffer from a number of rsh-related problems. I can't be sure about where the change came in, as I only asked about 5.2, as that's what I intend to upgrade to. But I think it's most likely that it changed between V4 and V5; it's a pretty major change that's only likely to have happened at a version update. I don't know why they didn't just use ssh.

So basically you cannot harden an HACMP V4 cluster; if that's what you have, you have to upgrade it. Rsh is fundamentally insecure, and if you have it enabled you are not "hard". SNMP is no security risk to the best of my knowledge.

Remember that HA also has its own services such as clver and godm (V4 does; I haven't installed V5 yet) and you can't stop these or the cluster will not verify. But you can have an external firewall blocking access to them from outside the cluster, which would be a good idea in a secure environment.

Regards,
Ian
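The failure the original poster describes (a hardening pass that also removed something the cluster needed, so failover stopped working) is what a dry run should catch before anything is installed. The script below is an added example, not code from the thread, from IBM or from HACMP itself. It works on an AIX-style inetd.conf (fields: service, socket type, protocol, wait/nowait, user, program, arguments), comments out only the services the poster listed, deliberately leaves `shell` (rshd) alone because Ian's post says a V4 cluster still depends on it, and reports any cluster-side entry named in the thread (godm, clver) that has no active line. The sample inetd.conf, including the daemon paths shown for godm and clver, is constructed for the example and is not a real system file.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM). Dry-run hardening pass over
# an AIX-style inetd.conf: comment out a fixed list of services, leave the
# rest intact, and flag cluster-required entries that are already disabled.
set -u

# Services the original poster planned to disable. "shell" (rshd) is not in
# the list on purpose: per the thread, HACMP V4 still needs rsh between nodes.
DISABLE="telnet ftp login cmsd ntalk rexd uucp"

# inetd-spawned cluster services named in the thread (V4) that must stay active
# or cluster verification fails.
REQUIRED="godm clver"

# harden_inetd FILE: write FILE to stdout with every DISABLE service commented
# out. Comment lines, blank lines and all other services pass through unchanged.
harden_inetd() {
    awk -v list="$DISABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # keep comments and blanks
        ($1 in off)              { print "#" $0; next }   # disable by service name
        { print }
    ' "$1"
}

# missing_required FILE: print each REQUIRED service that has no active
# (uncommented) entry in FILE, one per line, sorted. Non-empty output means a
# previous hardening pass already removed something the cluster depends on.
missing_required() {
    awk -v list="$REQUIRED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) need[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        ($1 in need)             { delete need[$1] }
        END { for (s in need) print s }
    ' "$1" | sort
}

# Constructed sample inetd.conf for the dry run (paths for godm/clver are
# placeholders, not taken from a real HACMP installation).
SAMPLE=$(mktemp) || exit 1
cat > "$SAMPLE" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd             ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd          telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd             rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind          rlogind
ntalk   dgram   udp     wait    root    /usr/sbin/talkd            talkd
godm    stream  tcp     nowait  root    /usr/sbin/cluster/godmd    godmd
#clver  stream  tcp     nowait  root    /usr/sbin/cluster/clverd   clverd
EOF

echo "--- hardened inetd.conf (dry run):"
harden_inetd "$SAMPLE"
echo "--- required cluster services with no active entry:"
missing_required "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against a copy of /etc/inetd.conf rather than the live file; only when the required-services check prints nothing and the hardened output looks right would you install the copy and run `refresh -s inetd`. The check covers inetd-spawned services only; clcomd on 5.x and snmpd are started outside inetd and are not touched by this pass.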