
Thursday 29 January 2015

DNS lookup configuration

AIX offers a confusing array of options when configuring your system to be a simple DNS client. The traditional way is to create an "/etc/resolv.conf" file and add the addresses of up to three DNS servers, e.g.:

nameserver      192.168.1.40
nameserver      192.168.1.1
nameserver      10.10.1.66
domain  mydomain.local




The problem is that, with nothing else set, this configuration only ever contacts the first nameserver in the list and only moves on to the next one after a query to the first has failed and its timeout has expired. You see this when you log in to a server and it takes a long time before the password prompt appears, because the login service is waiting on a reverse lookup of your address against an unreachable first nameserver (there can be other reasons for a slow prompt, but this is a common one).

Adding resolver options to the same file changes that behaviour:

nameserver      192.168.1.40
nameserver      192.168.1.1
nameserver      10.10.1.66
domain  mydomain.local

options rotate
options timeout:2
options attempts:2

These additional options make the resolver spread queries across the listed servers in round-robin order, give each query a two second timeout before the next server is tried, and limit the resolver to two passes through the list before the lookup fails. Note that rotate only helps if every listed server gives the same answers; mixing an internal and an external resolver in the same list will produce inconsistent results.

options debug

Those interested in analysing their resolver traffic can add the debug option, but it writes a lot of output and slows every lookup, so remove it once you have what you need.


The next file to tune is "/etc/netsvc.conf":

hosts=local4,bind

In its simplest form this line tells AIX to check the "/etc/hosts" file before consulting DNS, with the 4 on local4 restricting the /etc/hosts lookup to IPv4 addresses. "hosts=local,bind" would return both IPv4 and IPv6 addresses from both sources; reversing the order would give DNS precedence, and dropping the "local" entry altogether would make DNS the only source consulted.
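As an added example, and not part of the original post, the script below audits a resolv.conf and a netsvc.conf for the points made above: at most three nameservers, the rotate/timeout/attempts options present, no stray debug option, and /etc/hosts consulted before DNS. Both functions take a file path so they can be run against copies collected from a fleet; on the host itself you would pass /etc/resolv.conf and /etc/netsvc.conf. The "files before DNS" check encodes an assumed baseline, not an AIX requirement, and the sample files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit resolver configuration files for the settings
# discussed in the post. Not code from the original page.

# Print one WARN line per problem in a resolv.conf; return 1 if any found.
audit_resolv() {
    f=$1
    rc=0
    # The resolver honours at most three nameserver lines; extras are ignored.
    ns=$(grep -c '^nameserver' "$f" || true)
    if [ "$ns" -eq 0 ]; then
        echo "WARN: no nameserver entries"
        rc=1
    elif [ "$ns" -gt 3 ]; then
        echo "WARN: $ns nameserver entries; only the first three are used"
        rc=1
    fi
    # Without these the resolver sticks to the first server and only fails
    # over after the default timeout. Options may share one line or not.
    for opt in rotate timeout attempts; do
        if ! grep -q "^options[[:space:]].*$opt" "$f"; then
            echo "WARN: options $opt not set"
            rc=1
        fi
    done
    # debug is for troubleshooting only: noisy and slows every lookup.
    if grep -q '^options[[:space:]].*debug' "$f"; then
        echo "WARN: options debug is set"
        rc=1
    fi
    return $rc
}

# Report the hosts= lookup order from a netsvc.conf. Returns 0 when
# /etc/hosts (local, local4 or local6) is consulted first; this is the
# assumed baseline for the check, not something AIX itself requires.
audit_netsvc() {
    f=$1
    order=$(sed -n 's/^[[:space:]]*hosts[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    if [ -z "$order" ]; then
        echo "WARN: no hosts= line; the AIX default order applies"
        return 1
    fi
    echo "hosts order: $order"
    case $order in
        local*) return 0 ;;
        *) echo "WARN: /etc/hosts is not consulted before DNS"; return 1 ;;
    esac
}

# Constructed sample files so the script runs away from an AIX host.
demo_dir=$(mktemp -d)
cat > "$demo_dir/resolv.conf" <<'EOF'
nameserver 192.168.1.40
nameserver 192.168.1.1
nameserver 10.10.1.66
domain mydomain.local
EOF
printf 'hosts=local4,bind\n' > "$demo_dir/netsvc.conf"
audit_resolv "$demo_dir/resolv.conf" || echo "resolv.conf needs attention"
audit_netsvc "$demo_dir/netsvc.conf"
rm -rf "$demo_dir"
```

Run against the sample above it reports the three missing options, which is exactly the state the first resolv.conf in the post is in.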

It doesn't finish there, as there is also a dedicated network caching daemon (netcd), started from the SRC (lssrc -s netcd). The daemon is controlled by "/etc/netcd.conf" and writes a log file to "/var/tmp/netcd.log". Bear in mind that a cache can keep serving an old answer after /etc/hosts or DNS has changed, so restart netcd when you change either.

There is an example configuration file in "/usr/samples/tcpip/netcd.conf".




Wednesday 28 January 2015

Merging LDAP and local groups

Until recently it was impossible for a user to be a member of both local and LDAP groups, which makes centrally managing applications such as Oracle particularly problematic.

This problem can now be overcome by setting the "domainlessgroups" attribute to true in "/etc/security/login.cfg". The AIX documentation describes it as follows:

"domainlessgroups: Defines the system configuration for merging the user's group attributes among LDAP and files modules. Only files and LDAP modules are supported. Valid values are "true" or "false".

"true": When this attribute is set as true, the group attribute is merged from the LDAP and files modules, i.e. LDAP users can be assigned local groups and vice versa.
"false": When this attribute is set as false, the group attribute is not merged from the LDAP and files modules.

Default value is "false"."
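As an added example, and not part of the original post, here is a small stanza-file reader that confirms whether domainlessgroups is on. It assumes the attribute lives in the "usw" stanza of /etc/security/login.cfg, which is where the AIX documentation places it, and that the enabling command is the usual "chsec -f /etc/security/login.cfg -s usw -a domainlessgroups=true"; neither is verified by the script, which only parses a file you hand it. The sample login.cfg at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read an attribute from an AIX stanza file such as
# /etc/security/login.cfg. Not code from the original page.
#
# Stanza files look like
#     usw:
#             shells = /bin/sh,/bin/ksh
#             domainlessgroups = true
# with "*" comment lines. Usage: stanza_attr FILE STANZA ATTRIBUTE

stanza_attr() {
    awk -v st="$2" -v at="$3" '
        /^\*/ { next }                                   # comment line
        /^[A-Za-z0-9_.]+:[[:space:]]*$/ {                # "name:" opens a stanza
            cur = $1; sub(/:$/, "", cur); next
        }
        cur == st && $0 ~ ("^[[:space:]]*" at "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, "")               # keep only the value
            sub(/[[:space:]]*$/, "")
            print; exit
        }
    ' "$1"
}

# Returns 0 when LDAP and local group membership will be merged.
# Assumes the attribute is in the usw stanza (per the AIX documentation).
domainlessgroups_enabled() {
    [ "$(stanza_attr "$1" usw domainlessgroups)" = "true" ]
}

# Constructed sample so the script runs away from an AIX host; on the host
# itself pass /etc/security/login.cfg instead.
demo=$(mktemp)
cat > "$demo" <<'EOF'
* constructed sample of /etc/security/login.cfg
default:
        sak_enabled = false

usw:
        shells = /bin/sh,/bin/ksh
        domainlessgroups = true
EOF
if domainlessgroups_enabled "$demo"; then
    echo "domainlessgroups is true: LDAP and local groups will be merged"
else
    echo "domainlessgroups is off; the documented way to enable it is:"
    echo "  chsec -f /etc/security/login.cfg -s usw -a domainlessgroups=true"
fi
rm -f "$demo"
```

The attribute lookup is scoped to the stanza, so a "shells" line under "default:" is not mistaken for the one under "usw:".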

Monday 19 January 2015

Making your AIX network more secure.

These are some common network parameters that should be set in order to improve your system's network efficiency and security.



Network service options

To improve system security, there are several network options that you can change with the no command, using 0 to disable and 1 to enable. "no -o parameter=value" changes the running value only; on AIX 5.2 and later use "no -p -o parameter=value" to have the change also recorded in /etc/tunables/nextboot so that it survives a reboot, and "no -a" to list the current values. The following list identifies the parameters and the values recommended here.

Each entry gives the parameter, the command to set it, and its purpose.

arpt_killc
  /usr/sbin/no -o arpt_killc=5
  ARP cache entry time-out in minutes; the default is 20. Reducing it to between 1 and 5 minutes limits how long a poisoned ARP entry survives.

bcastping
  /usr/sbin/no -o bcastping=0
  Whether the host answers ICMP echo requests sent to the broadcast address. Disabling this stops the host acting as an amplifier in Smurf attacks.

clean_partial_conns
  /usr/sbin/no -o clean_partial_conns=1
  Whether half-open connections are randomly dropped from a full listen queue, which keeps the queue usable during a SYN flood.

directed_broadcast
  /usr/sbin/no -o directed_broadcast=0
  Whether directed broadcasts are forwarded to a gateway. Setting this to 0 stops packets addressed to the broadcast address of a remote network from being forwarded there.

icmpaddressmask
  /usr/sbin/no -o icmpaddressmask=0
  Whether the system answers ICMP address mask requests. Disabling this stops a remote host learning the subnet mask during reconnaissance.

ipforwarding
  /usr/sbin/no -o ipforwarding=0
  Whether the kernel forwards IP packets between its interfaces. A host that is not acting as a router should have this off.

ipignoreredirects
  /usr/sbin/no -o ipignoreredirects=1
  Whether ICMP redirects received from the network are ignored. Setting this to 1 stops a spoofed redirect altering the host's routing.

ipsendredirects
  /usr/sbin/no -o ipsendredirects=0
  Whether the kernel sends ICMP redirects. A host that does not route has no reason to send them.

ip6srcrouteforward
  /usr/sbin/no -o ip6srcrouteforward=0
  Whether the system forwards source-routed IPv6 packets. Disabling this prevents access through source routing attacks.

ipsrcrouteforward
  /usr/sbin/no -o ipsrcrouteforward=0
  Whether the system forwards source-routed IPv4 packets. Disabling this prevents access through source routing attacks.

ipsrcrouterecv
  /usr/sbin/no -o ipsrcrouterecv=0
  Whether the system accepts source-routed packets addressed to it. Disabling this prevents access through source routing attacks.

ipsrcroutesend
  /usr/sbin/no -o ipsrcroutesend=0
  Whether applications can send source-routed packets. Disabling this prevents access through source routing attacks.

nonlocsrcroute
  /usr/sbin/no -o nonlocsrcroute=0
  Whether strictly source-routed packets may be addressed to hosts outside the local network. Disabling this prevents access through source routing attacks.

tcp_icmpsecure
  /usr/sbin/no -o tcp_icmpsecure=1
  Protects TCP connections against ICMP (Internet Control Message Protocol) source quench and PMTUD (Path MTU Discovery) attacks by checking that the TCP header quoted in the ICMP payload carries a sequence number within the connection's acceptable range. Values: 0=off (default); 1=on.

ip_nfrag
  /usr/sbin/no -o ip_nfrag=200
  Maximum number of fragments of one IP packet kept on the IP reassembly queue at a time; the default of 200 bounds the memory a fragment flood can tie up.

rfc1122addrchk
  /usr/sbin/no -o rfc1122addrchk=0
  Controls RFC 1122 address validation; the default is 0 (off). When enabled (1) the stack drops packets with invalid addresses, such as SYN packets aimed at loopback or multicast addresses, so confirm which value your hardening baseline expects before setting it.

rfc1323
  /usr/sbin/no -o rfc1323=1
  A value of 1 enables the RFC 1323 window scaling option so that tcp_sendspace and tcp_recvspace can exceed 64KB. Default=0.

tcp_mssdflt
  /usr/sbin/no -o tcp_mssdflt=1370
  Default maximum segment size used when communicating with remote networks. Values: Default: 512, Range: 512 to (MTU of local net - 64). The change takes effect immediately and lasts until the next boot; make it permanent with "no -p" (or, on releases before the tunables framework, by adding the no command to /etc/rc.net).
  Diagnosis: N/A. Tuning: increase, if practical.

tcp_conn_request_max
  Value: 20-500
  Limit on the number of concurrent TCP connection requests.

tcp_recvspace
  /usr/sbin/no -o tcp_recvspace=<bytes>
  Default size of the TCP socket receive buffer. Default: 16384, Range: 0 to 64KB if rfc1323=0, 0 to 4GB if rfc1323=1. Must be less than or equal to sb_max. Should be equal to tcp_sendspace and uniform on all frequently accessed AIX systems.

tcp_sendspace
  /usr/sbin/no -o tcp_sendspace=<bytes>
  Default size of the TCP socket send buffer; same range as tcp_recvspace, must not exceed sb_max, and should be set equal to tcp_recvspace.

sb_max
  /usr/sbin/no -o sb_max=<bytes>
  Upper bound on the size of any socket send or receive buffer. tcp_sendspace and tcp_recvspace must not exceed it, so raise it first when you raise them, and keep it uniform on all frequently accessed AIX systems.

tcp_syn_rcvd_max
  Value: 500
  Limit on connections held in the SYN_RCVD state; SYN flooding can be used in denial of service attacks.

tcp_tcpsecure
  /usr/sbin/no -o tcp_tcpsecure=7
  Protects TCP connections against blind in-window attacks. The value is a bit mask: 0=no protection; 1=a fake SYN sent to an established connection; 2=a fake RST sent to an established connection; 4=data injected into an established connection; 3, 5, 6 and 7 combine these, so 7 enables all three protections.

tcp_pmtu_discover
  /usr/sbin/no -o tcp_pmtu_discover=0
  Enables or disables path MTU discovery for TCP. Discovery relies on ICMP "fragmentation needed" messages, which can be spoofed to shrink a connection's segment size; disabling it removes that exposure, at the cost of relying on fragmentation across paths with a small MTU. If you keep it on, tcp_icmpsecure=1 is the mitigation.

udp_pmtu_discover
  /usr/sbin/no -o udp_pmtu_discover=0
  Enables or disables path MTU discovery for UDP applications, with the same ICMP exposure as tcp_pmtu_discover.
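As an added example, not code from the original post, the script below compares a captured "no -a" listing against the security values in the list above and prints a remediation command for each deviation. It works on a file rather than calling no directly, so it can be run on collected output from many hosts; on a live AIX system you would first run "/usr/sbin/no -a > /tmp/no.out". The baseline includes only the on/off security parameters from the list (the buffer-size and MSS tunables are site specific), and the listing at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a "no -a" listing against the hardening values from
# the post. Not code from the original page.

# Parameter and expected value, one pair per line (the security subset of
# the list above).
BASELINE='
arpt_killc 5
bcastping 0
clean_partial_conns 1
directed_broadcast 0
icmpaddressmask 0
ipforwarding 0
ipignoreredirects 1
ipsendredirects 0
ip6srcrouteforward 0
ipsrcrouteforward 0
ipsrcrouterecv 0
ipsrcroutesend 0
nonlocsrcroute 0
tcp_icmpsecure 1
tcp_tcpsecure 7
tcp_pmtu_discover 0
udp_pmtu_discover 0
'

# audit_no FILE: FILE holds "no -a" output ("   name = value" lines).
# Prints one line per parameter that is missing or differs from the
# baseline, with the "no -p -o" command that fixes it. Returns 0 when the
# host matches the baseline, 1 otherwise.
audit_no() {
    listing=$1
    findings=$(printf '%s\n' "$BASELINE" | while read -r param want; do
        [ -z "$param" ] && continue
        have=$(awk -v p="$param" '$1 == p && $2 == "=" { print $3; exit }' "$listing")
        if [ -z "$have" ]; then
            echo "$param: not present in listing"
        elif [ "$have" != "$want" ]; then
            echo "$param: $have -> $want  (fix: /usr/sbin/no -p -o $param=$want)"
        fi
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed "no -a" excerpt from a host that has not been hardened:
# three of the values differ from the baseline.
SAMPLE_LISTING='   arpt_killc = 20
   bcastping = 0
   clean_partial_conns = 0
   directed_broadcast = 0
   icmpaddressmask = 0
   ipforwarding = 0
   ipignoreredirects = 1
   ipsendredirects = 0
   ip6srcrouteforward = 0
   ipsrcrouteforward = 0
   ipsrcrouterecv = 0
   ipsrcroutesend = 0
   nonlocsrcroute = 0
   tcp_icmpsecure = 1
   tcp_tcpsecure = 0
   tcp_pmtu_discover = 0
   udp_pmtu_discover = 0'

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LISTING" > "$tmp"
audit_no "$tmp" || echo "host deviates from the baseline"
rm -f "$tmp"
```

Because the findings are collected in a variable rather than set inside the pipeline's subshell, the return code survives the while loop, which is the usual pitfall when writing this kind of check in Bourne shell.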

Sunday 18 January 2015

A quick HMC Tip

This tool can enable you to do some of your shell-based tasks from a menu:

http://sourceforge.net/projects/ezh/files/

Thursday 8 January 2015

More worrying news for IBMers

IBM's aggressive downsizing strategy seems now to have reached India and I expect that if there are mass redundancies, there will be a lot of Indian IT workers looking for work in Europe:

http://www.computerweekly.com/news/2240237667/Millions-of-Indian-IT-staff-could-unionise-putting-low-cost-offshore-model-in-question

Whilst I do agree with most of the article, I think it fails to address the fundamental point that off-shoring was meant to cut costs, and as wages and costs rise in off-shore locations, their appeal wanes accordingly.