[ibm-aix-ibmi-hosting] Recurring security scans - and actions to be taken.

Lance Albertson lance at osuosl.org
Mon Oct 11 22:09:25 UTC 2021


Here's the latest report from last week. Looks like all of those Apache
reports were resolved on the golang host. However, I still see X Server
ports on a few hosts along with NTP ports.

Any updates on getting the CI fixed on those JDK hosts so they don't leave
the X server port open to the internet?

Thanks-

On Thu, Oct 7, 2021 at 10:14 AM Lance Albertson <lance at osuosl.org> wrote:

> I haven't had a chance to look at the recent reports. I was waiting on the
> report for this week to send an update but haven't gotten it yet. Once I
> get the most recent report, I'll send an update. There hasn't been much
> change in the past few weeks when I checked so I'm going to assume similar
> findings.
>
> On Wed, Oct 6, 2021 at 11:27 PM Michael Felt <aixtools at felt.demon.nl>
> wrote:
>
>> And, are we passing? I know a lot of work was being done - has that been
>> effective?
>> On 21/09/2021 21:09, Lance Albertson wrote:
>>
>> Here's the latest report we got yesterday. Can we please fix the NTP
>> issue and the X Server issue soon please?
>>
>> Thanks!
>>
>> On Wed, Aug 25, 2021 at 1:57 AM Michael Felt <aixtools at felt.demon.nl>
>> wrote:
>>
>>> * per below, mariadb is fixed.
>>> * in earlier convos, golang admins have indicated they will update the
>>> HTTP software.
>>> * I have opened a slack chat with ojdk infrastructure re: the active
>>> port 6000. The jenkins user is starting the program /usr/bin/X11/X - if
>>> it is needed for testing my proposal will be to block port 6000 on the
>>> WAN interface (leaving it open on 127.0.0.1).
>>>
>>> On 25/08/2021 05:44, Daniel Black wrote:
>>> > Opps, me looks up
>>> >
>>> > On Thu, Aug 19, 2021 at 6:44 AM Michael Felt <aixtools at felt.demon.nl>
>>> wrote:
>>> >> If you don't need any of the inetd services - also stop the inetd
>>> process.
>>> >>
>>> >> # /usr/sbin/chrctcp -S -d inetd
>>> >>
>>> >
>>> > On Wed, Aug 25, 2021 at 1:43 PM Daniel Black <daniel at mariadb.org>
>>> wrote:
>>> >> On Wed, Aug 25, 2021 at 10:09 AM Lance Albertson <lance at osuosl.org>
>>> wrote:
>>> >>> All,
>>> >>>
>>> >>> Thanks for resolving the issues as reported last week. It looks like
>>> all of the ntp problems have been resolved! I've attached the report from
>>> yesterday so everyone can see.
>>> >>>
>>> >>> However we do have a few issues left that need to be fixed. It
>>> appears that rexecd is running again on p8-aix1-mariadb.osuosl.org. We
>>> need to make sure that service is either disabled always or at least
>>> blocked off.
>>> >> Thanks Lance,
>>> >>
>>> >> Seems corrected - (thanks Michael?)
>>> >>
>>> >> root at p8-aix1-mariadb:[/root]egrep -v '^(#|$)' /etc/inetd.conf
>>> >> daytime stream  tcp     nowait  root    internal
>>> >> time    stream  tcp     nowait  root    internal
>>> >> daytime dgram   udp     wait    root    internal
>>> >> time    dgram   udp     wait    root    internal
>>> >> xmquery dgram   udp6    wait    root    /usr/bin/xmtopas xmtopas -p3
>>> >> caa_cfg stream  tcp6    nowait  root    /usr/sbin/clusterconf
>>> >> clusterconf >>/var/adm/ras/clusterconf.log 2>&1
>>> >>
>>> >> root at p8-aix1-mariadb:[/root]grep exec /etc/inetd.conf
>>> >> ##      needs to be executed for inetd to re-read the inetd.conf file.
>>> >> #exec    stream  tcp6    nowait  root    /usr/sbin/rexecd       rexecd
>>> >>
>>> >> Is disabling inetd possible/recommended?
>>> >>
>>> >> Is commenting all /etc/inetd.conf service the right way?
>>> >>
>>> >> Is disabling /etc/rc.tcpip to disable inetd and others sane?
>>> >>
>>> >> https://www.ibm.com/docs/en/aix/7.1?topic=files-rctcpip-file-tcpip
>>> >>
>>> >>> I'll check back on this next week to see any progress.
>>> --
>>> ibm-aix-ibmi-hosting mailing list
>>> ibm-aix-ibmi-hosting at osuosl.org
>>> https://lists.osuosl.org/mailman/listinfo/ibm-aix-ibmi-hosting
>>>
>>
>>
>> --
>> Lance Albertson
>> Director
>> Oregon State University | Open Source Lab
>>
>> --
>> ibm-aix-ibmi-hosting mailing list
>> ibm-aix-ibmi-hosting at osuosl.org
>> https://lists.osuosl.org/mailman/listinfo/ibm-aix-ibmi-hosting
>>
>
>
> --
> Lance Albertson
> Director
> Oregon State University | Open Source Lab
>


-- 
Lance Albertson
Director
Oregon State University | Open Source Lab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osuosl.org/pipermail/ibm-aix-ibmi-hosting/attachments/20211011/a6a3ee9a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aix-20211003.csv
Type: text/csv
Size: 2049 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/ibm-aix-ibmi-hosting/attachments/20211011/a6a3ee9a/attachment.csv>


More information about the ibm-aix-ibmi-hosting mailing list