[ibm-aix-ibmi-hosting] Recurring security scans - and actions to be taken.

David Edelsohn edelsohn at us.ibm.com
Wed Aug 18 20:36:49 UTC 2021




Lance already said "You can use time.osuosl.org which resolves to 128.193.10.15."

David Edelsohn, Ph.D.
STSM, IBM Open Source Ecosystem, CTO, GCC Technology
IBM T.J. Watson Research Center
Phone: +1 914 945 4364



From:	"Michael Felt" <aixtools at felt.demon.nl>
To:	"Daniel Black" <daniel at mariadb.org>
Cc:	ibm-aix-ibmi-hosting at osuosl.org
Date:	08/18/2021 16:35
Subject:	[EXTERNAL] Re: [ibm-aix-ibmi-hosting] Recurring security scans
            - and actions to be taken.
Sent by:	"ibm-aix-ibmi-hosting"
            <ibm-aix-ibmi-hosting-bounces at osuosl.org>



Thanks. I'll also check if osuosl has an internal NTP server that can be
used instead of a 'global' server.

On 17/08/2021 00:37, Daniel Black wrote:
> Michael,
>
> I looked through
>
> https://www.ibm.com/support/pages/ibm-aix-disable-ntp-mode-6-and-7-queries
>
> and implemented the following (shared for reuse if desired).
>
> Did I miss anything on the ntp side for a basic ntp service that keeps
> the lpar time accurate?
>
> diff --git a/ansible/host_vars/us-ibm-aix71.yml
> b/ansible/host_vars/us-ibm-aix71.yml
> index 12d0deb..014259f 100644
> --- a/ansible/host_vars/us-ibm-aix71.yml
> +++ b/ansible/host_vars/us-ibm-aix71.yml
> @@ -103,3 +103,13 @@ aix_security_limits_raw: |
>   aix_buildbot_rc: |
>     #!/bin/sh
>     su - buildbot -c "env PATH=/opt/freeware/bin:$PATH
> /home/buildbot/buildbot-worker/bin/buildbot-worker $1"
> +
> +aix_ntp_conf: |
> +  driftfile /etc/ntp.drift
> +  tracefile /etc/ntp.trace
> +  restrict default notrust nomodify nopeer noquery notrap
> +  server 127.127.1.0
> +  server 0.pool.ntp.org
> +  server 1.pool.ntp.org
> +  server 2.pool.ntp.org
> +  server 3.pool.ntp.org
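Review bot: the `restrict default notrust nomodify nopeer noquery notrap` line is the only `restrict` entry in `aix_ntp_conf`, so it also matches packets from the four pool servers and from the local host; whether `notrust` then keeps unauthenticated pool servers from being used as sync sources depends on the xntpd version, so after the handler runs, confirm with `lssrc -ls xntpd` or `ntpq -p` that a peer is actually selected, and consider adding `restrict 127.0.0.1` so that `noquery` does not block local `ntpq` as well. That check is the direct answer to the "keeps the lpar time accurate" question.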
> diff --git a/ansible/mdbf_aix.yml b/ansible/mdbf_aix.yml
> index 245c5a1..76ced0b 100644
> --- a/ansible/mdbf_aix.yml
> +++ b/ansible/mdbf_aix.yml
> @@ -51,3 +51,16 @@
>           group: system
>           mode: "0555"
>           content: "{{ aix_buildbot_rc }}"
> +
> +    - name: secure ntp /etc/ntp.conf
> +      copy:
> +        dest: "/etc/ntp.conf"
> +        owner: root
> +        group: system
> +        mode: "0664"
> +        content: "{{ aix_ntp_conf }}"
> +      notify: ntp restart
> +
> +  handlers:
> +    - name: ntp restart
> +      command: refresh -s xntpd
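Review bot: `mode: "0664"` on `/etc/ntp.conf` leaves the file group-writable by group `system`, which is looser than the `0555` used for the rc script just above; `0644` keeps it writable by root only while still readable. The `refresh -s xntpd` handler fires only when the copy task reports `changed`, which is the intended behaviour, but it means a run where the file already matches will not re-read the config, so the sync check belongs after the first changed run.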
>
>
>
> TASK [secure ntp /etc/ntp.conf] ********************************************
>
> --- before: /etc/ntp.conf
> +++
after: /home/dan/.ansible/tmp/ansible-local-123953z4zf3g0t/tmpym3lc8h2
> @@ -1,16 +1,7 @@
> -# Default NTP configuration file.
> -#
> -#   Broadcast client, no authentication.
> -#
> -# broadcastclient
>   driftfile /etc/ntp.drift
>   tracefile /etc/ntp.trace
> +restrict default notrust nomodify nopeer noquery notrap
>   server 127.127.1.0
> -# add whenevre possible - a local ntp server
> -# server ntp.home.local
> -
> -# external ntp servers - useful when you have direct (outgoing) access
> -# or, for configuring your local ntp server
>   server 0.pool.ntp.org
>   server 1.pool.ntp.org
>   server 2.pool.ntp.org
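Review bot: the diff-mode output confirms that the shipped comment block, including the `# server ntp.home.local` placeholder for a local NTP server, was dropped along with the `restrict` addition; if an osuosl-internal server is adopted as Michael's reply at the top of this message suggests, it belongs in `aix_ntp_conf` ahead of the pool entries. The hunk counts (`-1,16 +1,7`) also show that `server 3.pool.ntp.org` is unchanged and merely outside the three-line context, not removed.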
>
> changed: [us-ibm-aix71]
>
> RUNNING HANDLER [ntp restart] **********************************************
>
> changed: [us-ibm-aix71]
>
> On Tue, Aug 17, 2021 at 12:49 AM Michael Felt <aixtools at felt.demon.nl> wrote:
>> Dear all,
>>
>> On several of the lpars there are a number of issues, the most pressing
>> are insecure protocols such as telnet, rexec, etc. being active. And
>> further, NTP mode 6 queries.
>>
>> I can work on this for you - but I want your explicit permission to make
>> changes for security hardening.
>>
>> Please contact me directly - if you wish to do it yourself I will send
>> the relevant lines related to your system(s).
>>
>> Regards,
>>
>> Michael
>>
>> --
>> ibm-aix-ibmi-hosting mailing list
>> ibm-aix-ibmi-hosting at osuosl.org
>> https://lists.osuosl.org/mailman/listinfo/ibm-aix-ibmi-hosting
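Added example (not code from the thread or from the osuosl Ansible repository): a small audit of an AIX-style ntp.conf that checks for the `restrict default` flags the thread uses to shut off mode 6/7 queries, and flags the two caveats a reviewer would raise on the quoted config (`notrust` also covering the upstream servers, and `noquery` also covering localhost). The xntpd semantics behind those two findings are assumptions noted in the comments; the sample config is the `aix_ntp_conf` block from the quoted diff, abridged.

```python
# Added example, not from the thread or the osuosl Ansible repo. The two
# caveat findings encode assumed xntpd restrict semantics; verify on the LPAR.
from typing import Dict, List

# Flags that refuse mode 6/7 control queries, runtime changes and trap requests.
REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify", "notrap"}


def parse_ntp_conf(text: str) -> Dict[str, list]:
    """Return restrict entries as (target, flag-set) and server addresses."""
    restrict, servers = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(parts) >= 2 and parts[0] == "restrict":
            restrict.append((parts[1], set(parts[2:])))
        elif len(parts) >= 2 and parts[0] == "server":
            servers.append(parts[1])
    return {"restrict": restrict, "server": servers}


def audit_ntp_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    conf = parse_ntp_conf(text)
    findings = []
    explicit = {target for target, _ in conf["restrict"]}
    default = [flags for target, flags in conf["restrict"] if target == "default"]
    if not default:
        findings.append("no 'restrict default' line: mode 6/7 queries stay open")
    else:
        missing = REQUIRED_DEFAULT_FLAGS - default[0]
        if missing:
            findings.append("restrict default lacks: " + ", ".join(sorted(missing)))
        # Assumption: 'notrust' on the default line also governs packets from
        # the upstream servers unless a more specific restrict line matches them.
        if "notrust" in default[0] and not explicit & set(conf["server"]):
            findings.append("notrust applies to upstream servers; verify sync with ntpq -p")
        # Assumption: 'noquery' on the default line also blocks ntpq from localhost.
        if "noquery" in default[0] and "127.0.0.1" not in explicit:
            findings.append("no 'restrict 127.0.0.1' line: local ntpq queries are blocked too")
    return findings


# Constructed sample: the aix_ntp_conf block from the quoted diff, abridged.
SAMPLE_CONF = """\
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace
restrict default notrust nomodify nopeer noquery notrap
server 127.127.1.0
server 0.pool.ntp.org
server 1.pool.ntp.org
"""
```

Run it over the real `/etc/ntp.conf` after the Ansible task has applied, then compare the findings with `lssrc -ls xntpd` output to see whether the LPAR is actually synchronising.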

