Title: Secure AIX
Post by: madunix on October 31, 2008, 06:44:20 AM

Can you please point out ways to protect an AIX system from intruders and move it to a secure environment, i.e. (password, disable services, block packets, ...etc.)?
Title: Re: Secure AIX
Post by: Michael on October 31, 2008, 10:30:20 AM

Depends on your level of AIX.
For AIX 5.2 (and less with some modifications) a good start is this redbook: AIX 5L Version 5.2 Security Supplement (http://www.redbooks.ibm.com/abstracts/sg246066.html). In particular, for your question I recommend reading Appendix A. This book is a supplement for the AIX Security "whitebook" that can be found for each version of AIX via the Information Center links (use the rootvg weblink on the right for your version of AIX).

If you have AIX 5.3 or AIX 6.1, one relatively easy way to harden AIX is to use AIX Security Expert (command line: aixpert).

If you have more (specific) questions - just ask.

Title: Re: Secure AIX
Post by: madunix on October 31, 2008, 03:19:40 PM

I am using AIX 5.3
    root@node1/#uname -a
    AIX node1 3 5 00073759D600

Title: Re: Secure AIX
Post by: John R Peck on November 01, 2008, 12:47:34 AM

For details of what to do with passwords, see the headers in the files /etc/security/user & /etc/security/login.cfg.
For services, as in network services, the file /etc/inetd.conf controls the "transient" ones - comment out anything you don't want to start; for other permanently running daemons see the files /etc/rc.tcpip or /etc/rc.nfs, and so on.

There is no supplied way to block (network) packets with AIX. There was once a firewall product that could be installed on AIX or Windows, but that fell by the wayside in the face of competition from other types of firewall, often specialised integrated devices. You still have unrelated things like tunnels and encryption. This server uses our own "blockip" tool to block specific offending IP addresses - details here: www.rootvg.net/blockip.html (http://www.rootvg.net/blockip.html)

Title: Re: Secure AIX
Post by: madunix on November 03, 2008, 07:11:15 PM

How could you deny access to your server, or limit access? I want to deny ssh for all and then allow it for just certain hosts:
accept ssh for 10.5.0.0, 192.168.0.0, 10.4.1.1 and deny ssh for all others

Title: Re: Secure AIX
Post by: John R Peck on November 04, 2008, 03:02:24 AM

For TCP services that are handled by /etc/inetd.conf, e.g. telnet and FTP,
you can install the freeware TCP_wrapper program, downloadable from the BULL site, and put that in front of the required services; then you have /etc/hosts.allow and .deny to control access to the services.

/etc/hosts.deny:
    ALL: ALL

/etc/hosts.allow:
    telnetd: 10.5.0.0
    telnetd: 192.168.0.0
    telnetd: 10.4.1.1

/etc/inetd.conf:
    telnet stream tcp nowait root /usr/local/bin/tcpd telnetd -a
    ## telnet stream tcp nowait root /usr/sbin/telnetd telnetd -a

However, that's no good for SSH. Depending on which version of it you have, SSHD is permanently set running from inittab using essentially the "start" section of /etc/rc.openssh for example, which calls on the daemon configuration file sshd_config:

    print "Starting OpenSSH daemon on port 22"
    cmd /usr/local/sbin/sshd \
        -f /etc/openssh/sshd_config \
        -h /etc/openssh/ssh_host_key;

In the config file I have there are no options relating to the control/blocking of particular IPs for the service.

Title: Re: Secure AIX
Post by: madunix on November 04, 2008, 07:40:19 AM

Many thanks for your help, but I can't find the TCP_wrapper on Bull for AIX 5.3.
Where can I download it and how do I install it please.....

One thing: the 2x servers are clustered through GPFS. My /etc/hosts:

    127.0.0.1 loopback localhost
    ###### Public Network ########
    10.5.1.1 node1
    10.5.1.2 node2
    ###### Virtual IP Address #######
    10.5.1.10 node1_vip
    10.5.1.20 node2_vip
    ####### Interconnect RAC ####
    192.166.1.1 node1_prv
    192.166.1.2 node2_prv
    ###### Interconnect GPFS ######
    20.20.20.10 node1_gpfs
    20.20.20.20 node2_gpfs
    ######### SiteB Nodes ##########
    10.4.1.11 node_b1
    10.4.1.12 node_b2
    10.4.1.11 node_b1_gpfs
    10.4.1.12 node_b2_gpfs

I have disabled telnet on the servers through inetd and enabled only ssh. How will this affect my configuration in hosts.allow, having the above /etc/hosts?

Title: Re: Secure AIX
Post by: Michael on November 04, 2008, 12:01:40 PM

tcp_wrapper is supplied on the AIX 5.3 extensions CD.
    root@aix530:[/export/lpp/expansion]installp -L -d . | grep -i wrap
    netsec.options:netsec.options.tcpwrapper.base:1.1.0.0::I:T:::::N:TCP-wrapper::::0::
    netsec.options:netsec.options.tcpwrapper.license:1.1.0.0::I:T:::::N:TCP-wrapper License::::0::
    netsec.options:netsec.options.tcpwrapper.man.en_US:1.1.0.0::I:T:::::N:TCP-wrapper Doc (en_US)::::0::
    netsec.options:netsec.options.tcpwrapper.msg.en_US:1.1.0.0::I:T:::::N:TCP-wrapper Msg (en_US)::::0::

Title: Re: Secure AIX
Post by: Michael on November 04, 2008, 12:19:20 PM

Another approach is to use the bos.net.ipsec filesets.
e.g., a selection of the rules I use on my login server:

    6|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|eq|22|any|0|both|both|no|all packets|0|en0
    7|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|any|0|eq|22|both|both|no|all packets|0|en0

or a bit more verbose:

    root@x121:[/home/root]lsfilt -v 4 -n 6,7
    Rule 6:
    Rule action         : permit
    Source Address      : 192.168.129.121
    Source Mask         : 255.255.255.0
    Destination Address : 192.168.129.121
    Destination Mask    : 255.255.255.0
    Source Routing      : no
    Protocol            : tcp
    Source Port         : eq 22
    Destination Port    : any 0
    Scope               : both
    Direction           : both
    Logging control     : no
    Fragment control    : all packets
    Tunnel ID number    : 0
    Interface           : en0
    Auto-Generated      : no

    Rule 7:
    Rule action         : permit
    Source Address      : 192.168.129.121
    Source Mask         : 255.255.255.0
    Destination Address : 192.168.129.121
    Destination Mask    : 255.255.255.0
    Source Routing      : no
    Protocol            : tcp
    Source Port         : any 0
    Destination Port    : eq 22
    Scope               : both
    Direction           : both
    Logging control     : no
    Fragment control    : all packets
    Tunnel ID number    : 0
    Interface           : en0
    Auto-Generated      : no

Basically, these two rules permit incoming and outgoing traffic on tcp port 22 for the network 192.168.129.0/24. If I were to add two deny rules for everything (else), i.e. from 0.0.0.0 and to 0.0.0.0, after these rules, ssh (port 22) would only be permitted on this single network.
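As an added example (not code from the thread, nor from AIX itself), the Python script below parses rules in the 18-field pipe-delimited form Michael shows (field order taken from the verbose lsfilt listing) and evaluates a connection against them first match wins, encoding the ssh policy madunix asked for and the closing deny rule the last post describes. The /16 masks for 10.5.0.0 and 192.168.0.0, node1's address 10.5.1.1 as the destination, and the `default` argument standing in for the filter table's own default rule are assumptions.

```python
# Added example, not code from the thread or from AIX: a first-match evaluator
# for IPsec filter rules in the 18-field pipe-delimited form shown above.
# The rule set is constructed for madunix's request; the /16 masks and node1's
# address 10.5.1.1 as the destination are assumptions.
import ipaddress

FIELDS = ("num", "action", "src", "smask", "dst", "dmask", "srcroute", "proto",
          "sport_op", "sport", "dport_op", "dport", "scope", "direction",
          "log", "frag", "tunnel", "iface")
# Port operators used in the rule format; "any" ignores the port value.
PORT_OPS = {"any": lambda p, v: True, "eq": lambda p, v: p == v,
            "neq": lambda p, v: p != v, "lt": lambda p, v: p < v,
            "le": lambda p, v: p <= v, "gt": lambda p, v: p > v, "ge": lambda p, v: p >= v}

def parse_rules(text):
    """One rule per line; address + mask pairs become IPv4Network objects."""
    rules = []
    for line in text.strip().splitlines():
        f = [x.strip() for x in line.split("|")]
        if len(f) != len(FIELDS):
            raise ValueError("expected %d fields: %r" % (len(FIELDS), line))
        r = dict(zip(FIELDS, f))
        r["src"] = ipaddress.IPv4Network((r["src"], r["smask"]), strict=False)
        r["dst"] = ipaddress.IPv4Network((r["dst"], r["dmask"]), strict=False)
        r["num"], r["sport"], r["dport"] = int(r["num"]), int(r["sport"]), int(r["dport"])
        rules.append(r)
    return rules

def matches(r, src, dst, proto, sport, dport, direction):
    # A rule matches only when every one of its criteria accepts the packet.
    return (ipaddress.IPv4Address(src) in r["src"]
            and ipaddress.IPv4Address(dst) in r["dst"]
            and r["proto"] in ("all", proto)
            and r["direction"] in ("both", direction)
            and PORT_OPS[r["sport_op"]](sport, r["sport"])
            and PORT_OPS[r["dport_op"]](dport, r["dport"]))

def decide(rules, src, dst, proto, sport, dport, direction="inbound", default="permit"):
    """First matching rule wins; `default` stands in for the filter table's own
    default rule, which decides when no explicit rule matches (assumption)."""
    for r in rules:
        if matches(r, src, dst, proto, sport, dport, direction):
            return r["action"], r["num"]
    return default, None

# Constructed rules: permit ssh from the three sources listed, then the closing deny.
SSH_RULES = parse_rules("""
6|permit|10.5.0.0|255.255.0.0|10.5.1.1|255.255.255.255|no|tcp|any|0|eq|22|both|inbound|no|all packets|0|en0
7|permit|192.168.0.0|255.255.0.0|10.5.1.1|255.255.255.255|no|tcp|any|0|eq|22|both|inbound|no|all packets|0|en0
8|permit|10.4.1.1|255.255.255.255|10.5.1.1|255.255.255.255|no|tcp|any|0|eq|22|both|inbound|no|all packets|0|en0
9|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|eq|22|both|inbound|no|all packets|0|en0
""")
```

Calling `decide(SSH_RULES[:3], "10.4.1.12", "10.5.1.1", "tcp", 40000, 22)` shows the point of the last post: without rule 9 a host outside the listed sources is not matched by anything and the table's default decides.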