
Problem encountered when FTPing programs to x8web.com
I cannot FTP files to x8web.com.

1. Log on to www.x8web.com
2. Go to cPanel X
3. Navigate to File Manager
4. You will see a list of files including .ftpquote
5. Click .ftpquote
6. You will see a menu of functions like the one below in the top right corner
Show File
Delete File
Edit File
Change Permissions
Rename File
Copy File
Move File

7. Use "Delete File" to delete .ftpquote
8. Restart the FTP software; you will now be able to FTP programs to x8web.com successfully


JBoss 3.0.4: initial configuration and use


To learn JBoss, I think most people will download its own documentation from http://www.jboss.org; for the 3.x versions there is JBoss.3.0QuickStart.Draft3.pdf as an introductory guide. Surprisingly, however, even JBoss.3.0QuickStart.Draft3.pdf contains mistakes, and anyone who follows it to the letter will take detours.


From JBoss's own site http://www.jboss.org download jboss 3.0.4; there are jboss-3.0.4.zip and jboss-3.0.4_tomcat-4.1.12.zip. The latter is the version with JBoss and Tomcat integrated; here we mainly cover the former, i.e. standalone JBoss 3.0.4.


JBoss 3.0.4 has three startup configurations: all, default and minimal. On Windows, start JBoss simply by running run.bat in the bin directory; by default it starts with the default configuration. For another configuration pass a parameter, e.g. run.bat -c all to start in all mode. The difference between the three modes is just how many services are started; see JBoss.3.0QuickStart.Draft3.pdf for details. That document also has a section on running JBoss as a Windows service, which you can also follow, but when I tried its method I found that the JBoss service took over 90% of the CPU (I was using a Celeron 233 at the time, blushing...).

Checking the JBoss ports. This should not need a chapter of its own, but the material on the net and JBoss.3.0QuickStart.Draft3.pdf both mislead users on this point, so I think I need to clarify it here.

After starting JBoss we can check port 8080: enter http://localhost:8080 in the browser address bar and we get an error page reading "HTTP ERROR: 404 / Not Found RequestURI=/". This is normal, because there is no page to display yet.

When we check port 8082 as the online material and JBoss.3.0QuickStart.Draft3.pdf instruct, we find that things do not match the documents at all. The original text of JBoss.3.0QuickStart.Draft3.pdf reads: "To check if JBoss is running please open a browser and enter http://localhost:8082 which will list all JBoss components running." But what we get is an error page! It does not list all running JBoss components as claimed. After some searching it turns out that the address should be http://localhost:8080/jmx-console. Pay attention to this point, or it will dampen a beginner's enthusiasm for learning JBoss. Through this page we configure and manage the various JBoss services.

Checking http://localhost:8083 gives a blank page with no error; that is normal and as it should be.

Checking http://localhost:1099 produces a pile of garbage characters which, of course, include information such as your IP address. 1099 is the default port on which the jnp protocol's naming service listens, and RMI's default port is the same. We need this port for JNDI.




Example.java (remote interface):

package examples;

import javax.ejb.EJBObject;

public interface Example extends EJBObject {
    // Remote business method; remote calls must declare RemoteException.
    public String example() throws java.rmi.RemoteException;
}


ExampleHome.java (remote home interface):

package examples;

import javax.ejb.EJBHome;

public interface ExampleHome extends EJBHome {
    Example create() throws java.rmi.RemoteException, javax.ejb.CreateException;
}


ExampleLocal.java (local interface):

package examples;

import javax.ejb.EJBLocalObject;

public interface ExampleLocal extends EJBLocalObject {
    // Local calls stay in the same JVM, so no RemoteException is declared.
    public String example();
}


ExampleLocalHome.java (local home interface):

package examples;

import javax.ejb.EJBLocalHome;

public interface ExampleLocalHome extends EJBLocalHome {
    ExampleLocal create() throws javax.ejb.CreateException;
}


ExampleBean.java (stateless session bean implementation):

package examples;

import java.rmi.RemoteException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class ExampleBean implements SessionBean {
    public ExampleBean() {
        super();
    }

    // Container callbacks; each just logs so the call sequence shows in the server log.
    public void setSessionContext(SessionContext arg0) throws EJBException, RemoteException {
        System.out.println("setSessionContext");
    }

    public void ejbCreate() {
        System.out.println("ejbCreate");
    }

    public void ejbRemove() throws EJBException, RemoteException {
        System.out.println("ejbRemove");
    }

    public void ejbActivate() throws EJBException, RemoteException {
        System.out.println("ejbActivate");
    }

    public void ejbPassivate() throws EJBException, RemoteException {
        System.out.println("ejbPassivate");
    }

    // Business method exposed through both the remote and the local interface.
    public String example() {
        System.out.println("example()");
        return "Just a simple example!";
    }
}


ExampleClient.java (stand-alone test client):

package examples;

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;

public class ExampleClient {
    public ExampleClient() {
        super();
    }

    public static void main(String[] args) {
        try {
            Properties props = new Properties();
            props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            // JNDI provider: the jnp naming service on its default port 1099 (see above).
            props.put(Context.PROVIDER_URL, "jnp://localhost:1099");
            Context ctx = new InitialContext(props);
            System.out.println("start ejb client test");
            // Look up the home interface under the JNDI name given in jboss.xml.
            Object obj = ctx.lookup("Example");
            ExampleHome home = (ExampleHome) PortableRemoteObject.narrow(obj, ExampleHome.class);
            Example example = home.create();
            System.out.println(example.example());
            example.remove();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}





META-INF/ejb-jar.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <description>Your first EJB application</description>
  <display-name>JUST A TEST</display-name>
  <enterprise-beans>
    <session>
      <ejb-name>Example</ejb-name>
      <home>examples.ExampleHome</home>
      <remote>examples.Example</remote>
      <local-home>examples.ExampleLocalHome</local-home>
      <local>examples.ExampleLocal</local>
      <ejb-class>examples.ExampleBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
</ejb-jar>


META-INF/jboss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<jboss>
  <enterprise-beans>
    <session>
      <ejb-name>Example</ejb-name>
      <jndi-name>Example</jndi-name>
      <!-- the source's flattened descriptor also carried a third value, "true",
           whose element name did not survive extraction -->
    </session>
  </enterprise-beans>
</jboss>


Build the EJB jar:

jar cvf myfirst.jar examples/*.class META-INF/*.xml


At this point we have an EJB JAR that can run under different EJB containers; next we describe how to deploy our myfirst.jar in JBoss 3.0.4 specifically.


Put the jar file in the directory that matches the configuration JBoss was started with. For example, if we started with run -c all, put myfirst.jar in the all\deploy directory under the server directory; the running JBoss automatically detects it and deploys it according to the META-INF\*.xml in the jar.



When compiling ExampleClient.java, CLASSPATH must include the jar files under the client directory of the JBoss installation for it to compile and run correctly.


start ejb client test
Just a simple example!


13:35:31,250 INFO [STDOUT] setSessionContext
13:35:31,250 INFO [STDOUT] ejbCreate
13:35:31,250 INFO [STDOUT] example()


A few JBoss basics: install, start, stop

bin: commands and scripts
client: client-side jars
docs: JBoss documentation
lib: server-side jars
server: server configuration files

On Windows:
Type: cd %jboss_home%\bin
Type: run [-c default|minimal|all]

On UNIX:
Type: cd $jboss_home/bin
Type: ./run [-c default|minimal|all]
12:16:27,812 info [server] jboss (mx microkernel) [4.0.1sp1 (build: cvstag=jboss_4_0_1_sp1 date=200502160314)] started in 20s:429ms

If JBoss is running in a Windows command window or in the current UNIX shell, simply press Ctrl+C to shut it down.
Type: cd %jboss_home%\bin
Type: shutdown -s or shutdown --server=url
If it is running in the background of a UNIX shell:
Type: cd $jboss_home/bin
Type: ./shutdown -s or ./shutdown --server=url

Install JBoss on Linux




Unzip the JDK to a path such as /usr/local/jdk, then add "/usr/local/jdk/bin" to the PATH and set JAVA_HOME="/usr/local/jdk". If java can be executed, the installation is correct.

Edit .bash_profile under /root to add the environment variables
Run sh run.sh in /usr/local/jboss/bin to start the JBoss server

Command to run JBoss in the background: nohup ./run.sh &


The following method was tested on HP-UX 11; to implement this on HP-UX you need to install the wu_ftp package, or update your ftp.


ftptest:Aci$xi:555:555:ftp user for chroot:/home/ftptest/./:/bin/ksh
(make sure /etc/shells contains /bin/ksh, otherwise add it; the password is up to you)
#mkdir /home/ftptest
#chown ftptest:ftptest /home/ftptest
#su - ftptest
$pwd //make sure it is under /home/ftptest
$mkdir -p usr/bin
$cp /sbin/ls usr/bin ; cp /bin/pwd usr/bin
$mkdir etc
$cp /etc/passwd etc ; cp /etc/group etc (for security, you need to modify the passwd copy's
ftp stream tcp nowait root /usr/lbin/ftpd ftp -l -a (be sure to add -a; this
5. Reinitialise inetd: run inetd -c
#cd /etc/ftpd
#touch ftpgroups
#vi ftpaccess //the contents of this file are roughly as follows:

class all real,guest,anonymous *

# Define the line that limits the ftponly group to their own directories

# in the ftp-root hierarchy.
guestgroup ftptest //this must match your group ftptest.

email xxxx@xxxx.com //use your own email address here

loginfails 5

readme README* login
readme README* cwd=*

message /welcome.msg login
message .message cwd=*

compress yes all
tar yes all
chmod no guest,anonymous
delete no guest,anonymous
overwrite no guest,anonymous
rename no guest,anonymous

log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg

passwd-check rfc822 warn
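An added check (not part of the original notes) for the chroot account recipe above: it parses a passwd(4) line, confirms the "/./" chroot marker and the shell listed in /etc/shells, and verifies that the etc/passwd copy placed inside the jail carries no real password hashes, which is the hardening the recipe's truncated remark points at. The sample account line, jail passwd copy and shell list are constructed; the hash is a placeholder.

```python
"""Sanity checks for a wu-ftpd style chroot FTP account (constructed input)."""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed /etc/passwd line following the recipe (placeholder hash).
# wu-ftpd treats the "/./" inside the home directory as the chroot point:
# everything before it becomes the jail root.
SAMPLE_ACCOUNT = "ftptest:Aci$xi:555:555:ftp user for chroot:/home/ftptest/./:/bin/ksh"

# Constructed etc/passwd as it should look inside the jail: password fields
# neutralised with "*", only the entries ls needs for uid -> name mapping.
SAMPLE_JAIL_PASSWD = (
    "root:*:0:3:root:/:/sbin/sh\n"
    "ftptest:*:555:555:ftp user for chroot:/home/ftptest/./:/bin/ksh\n"
)

# Constructed /etc/shells contents (the recipe requires /bin/ksh to be listed).
SAMPLE_SHELLS = ["/sbin/sh", "/usr/bin/sh", "/bin/ksh"]


def parse_passwd_line(line):
    """Split one passwd(4) line into a dict; reject malformed input."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        raise ValueError("expected 7 fields, got %d: %r" % (len(fields), line))
    return dict(zip(PASSWD_FIELDS, fields))


def split_chroot_home(home):
    """Return (jail_root, directory after chroot) for 'jail/./sub'; (None, home) otherwise."""
    if "/./" not in home:
        return None, home
    jail, _, sub = home.partition("/./")
    return jail, ("/" + sub) if sub else "/"


def check_chroot_ftp_account(account_line, jail_passwd_text, shells):
    """Return a list of findings; an empty list means the layout matches the recipe."""
    findings = []
    acct = parse_passwd_line(account_line)
    jail, _ = split_chroot_home(acct["home"])
    if jail is None:
        findings.append("home %s has no '/./' marker: user would not be chrooted" % acct["home"])
    if acct["shell"] not in shells:
        findings.append("shell %s is not in /etc/shells: ftpd refuses the login" % acct["shell"])
    if acct["passwd"] == "":
        findings.append("empty password field: anyone can log in as %s" % acct["name"])

    jail_names = set()
    for jline in jail_passwd_text.splitlines():
        if not jline.strip():
            continue
        entry = parse_passwd_line(jline)
        jail_names.add(entry["name"])
        # Inside the jail the copy exists only so ls can show owner names;
        # any real hash left in it is readable by every jailed user.
        if entry["passwd"] not in ("*", "x", "!", "!!"):
            findings.append("jail etc/passwd still carries a hash for %s" % entry["name"])
    if acct["name"] not in jail_names:
        findings.append("jail etc/passwd lacks %s: ls would show numeric owners" % acct["name"])
    return findings
```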

How to find the version of C++ on HP-UX

How do I determine the installed C++ version on HP-UX?

Source: http://www.hp.com.cn
ANSI C++ (aCC)


what /opt/aCC/bin/aCC


- HP-UX 11.x

HP aC++ B3910B A.03.05
HP aC++ B3910B A.03.04 (970930) Support Library

- HP-UX 10.x

HP aC++ B3910B A.01.07
HP aC++ B3910B A.01.01 Support Library

- HP-UX 9.x

This product is NOT supported on 9.0X

The first line gives the product name of the installed product (HP aC++), the product number (B3910B) and the current version.

The second line gives the product name, product number and current version of the aCC support library, which usually matches the compiler

Cfront C++ (CC)

For HP-UX 11.x and 10.x, determine the version with the following command:

what /opt/CC/bin/CC

On HP-UX 11.x and 10.x you should see something similar to this:

- HP-UX 11.x

HP C++ HPCPLUSPLUS A.11.00 (971008) AR

- HP-UX 10.0X

HP C++ HPCPLUSPLUS A.10.32

For HP-UX 9.x, determine the version with the following command:

what /usr/bin/CC

On HP-UX 9.x you should see something similar to this:

HP C++ HPCPLUSPLUS A.03.78

How to reduce the size of var on HP-UX


Enter maintenance mode: hpux -lm
#vgchange -a y vg00
#lvextend -L 500 /dev/vg00/lvol8
#extendfs -F vxfs /dev/vg00/rlvol8
#mount /dev/vg00/lvol8 /var



Rebuilding the boot.config file. In SAM -> Kernel Configuration -> Parameters, the getkinfo command is run automatically.


*range maxfiles<=60000
*range maxfiles_lim<=60000


mv /var/sam/boot.config /var/sam/boot.config.bak


/usr/sam/lbin/getkinfo -b

to recreate the boot.config file.

Source: www.hp.com.cn Author


With networks and multi-user systems ever more popular, sharing a server among many different applications has become widespread. HP's HP-UX enterprise servers, with their openness, stability, extensibility and excellent service, are widely used by large customers in finance, meteorology, petrochemicals and telecoms in China and have created great economic value. But as server users multiply, and especially with the rapid growth of the Internet in recent years, server space and capacity remain tight despite continual expansion; the many junk files users leave behind not only degrade the server's overall performance but also interfere with other users' normal work. This article describes how to implement user disk quotas on an HP-UX server, so as to achieve sensible planning, regulated use, mutual non-interference and healthy growth.

II. Environment

Operating system: HP-UX 10.10 or HP-UX 10.20.

Assume two users exist on the system, sea and sky.

The users' home directories are under /home, on physical volume /dev/vg01/lvol1. The user quota is 5 MB with a hard maximum of 8 MB; the file count is 20 with a hard maximum of 30. If a limit is exceeded the user is warned and prompted to clean up, and new writes are still allowed at this point. If the user has not cleaned up within the given time (set to 20 days), or keeps going and exceeds the hard limit, new writes are forbidden. Only after the user deletes files and drops below the limit does everything return to normal.

III. Implementation steps

1. Log in as root

If the users' home directory /home is not mounted, run #mount /dev/vg01/lvol1 /home

2. Create the control file named quotas:

#cpset /dev/null /home/quotas 600 root bin  (/dev/null means the file /home/quotas starts out empty; 600 root bin are the file's permissions, owner and group.)

3. Set the user quota parameters with the command /usr/sbin/edquota.

For user sea:

#/usr/sbin/edquota sea

At the prompt, enter the settings for the environment above as follows:

fs /home blocks (soft = 5000, hard = 8000) inodes (soft = 20, hard = 30)

Note: when this user is to be deleted later, first run the same command and change both the soft= and hard= values to 0, so that after the user is removed from the system the /home/quotas file does not retain that user's information.

4. Copy the above parameters to other users (sky in this example)

#edquota -p sea sky

5. Set the grace period during which a user may continue working after exceeding the soft limit.

#edquota -t

At the prompt, enter the settings for the environment above as follows:

fs /home blocks time limit = 20.00 days , files time limit = 30.00 days

Note: if no limit value is set, the system default is 7 days.

6. Activate the quota function.

First edit the /etc/fstab file, changing the line

/dev/vg01/lvol1 /home hfs rm,suid 0 2 to:

/dev/vg01/lvol1 /home hfs rm,suid,quota 0 2

Activate the quota function by one of the following three methods

(1) Reboot the system.

(2) Without rebooting, run:

#umount /home

#mount /home

#quotacheck -v /home

Note: quotacheck checks the consistency and correctness of the /home/quotas file and fixes it automatically.

(3) Without unmounting /home, run:

#quotaon -v /home

#quotacheck -v /home

This puts sensible limits on the two users sea and sky.

IV. Routine maintenance

1. Users check their own space usage with the quota -v command; on receiving a warning they should promptly delete junk files or ask the system administrator to change the parameters.

2. To turn off the quota for a user, e.g. sea, the system administrator runs:

#edquota sea

and changes the soft= and hard= values to 0.

3. To view space usage for all users under /home, the system administrator can use:

#repquota /home

4. The superuser root is not subject to these limits

V. Conclusion

After the above configuration the HP-UX server no longer keeps reporting that space is full; all users work normally without affecting each other, and for the needs of particular users the system administrator simply adjusts the corresponding parameters.

Source: http://www2.ccw.com.cn Author: 杨跃峰

How to upgrade to HP-UX 11.0?


Following the instructions in the manual 'Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0.',
remove the patch information. See Appendix C, section 8, page 265, 'Loading HP-UX Patches Using
Ignite-UX,'. Follow the guidance under 'Removing Prior Patch Information'.




find /var/adm/sw/products | cpio -pdumv /tmp

2. Enter the swmodify command:

swmodify -u PH[CKNS][OLES]_\*\.* PH[CKNS][OLES]_\*


3. Delete the patch directory:

rm -rf /var/adm/sw/patch


Before you upgrade from HP-UX 10.x to 11.0, you must install the SD (Software Distributor)

version. Follow the guidance in 'Updating SD-UX Before Installing/Updating Software' in chapter
2 of 'Installing HP-UX 11.0 and Updating from HP-UX 10.x to 11.0.'; that guidance

Also see the section 'Patch May Be Needed To Run SD', page 23 of the Readme.

The only case in which you need not pre-install the 11.0 SD is a "cold install" of HP-UX 11.0 on a new system with no operating system,
or a "cold re-install", i.e. wiping the system disk and starting over. In that case you need not install SD first because the installer does it all for you.

Required swinstall options


interface (graphical user interface (GUI)). See page 15 of 'Running swinstall
on 10.30'.

See page 13 of 'New Version Required'. This version of swinstall requires options indicating the new operating system's
these options. For example, to invoke swinstall in interactive mode to upgrade HP-UX 10.x to the 32-bit version of 11.0,

swinstall -x os_name=HP-UX:32 -x os_release=B.11.00

Upgrading from HP-UX 10.20 to 64-bit 11.0

See page 11 of 'Do You Have the Right Hardware and Firmware?' to confirm that your hardware supports 64-bit HP-UX 11.0.

To upgrade from HP-UX 10.20 to the 64-bit version of 11.0, use this command:

swinstall -x os_name=HP-UX:64 -x os_release=B.11.00

Switching between 32-bit HP-UX 11.0 and 64-bit 11.0

the "-x allow_incompatible=true" option. If you use this option, it may cause the upgrade

To switch between 32-bit 11.0 and 64-bit 11.0, use the following steps:


Note: see page 13 of 'New Version Required'.

2. Run swinstall with the appropriate -x os_name and -x os_release options, and specify
-x reinstall=true and -x reinstall_files=true. For example, to upgrade 32-bit 11.0 to 64-bit

swinstall -x os_name=HP-UX:64 -x os_release=B.11.00 \

-x reinstall=true -x reinstall_files=true


- Updating from the command line:


Note: see page 13 of 'New Version Required'.


swinstall -x autoreboot=true -x os_name=HP-UX:32 \
-x os_release=B.11.00 -x match_target=true

- Updating with the terminal interface:

a. Obtain the new version of SD.

Note: see page 13 of 'New Version Required'.

export DISPLAY=


swinstall -x os_name=HP-UX:32 -x os_release=B.11.00

Source: http://www.hp.com.cn
These are some basic instructions for upgrading to HP-UX 11.0. For more details, see the manuals
'Installing HP-UX 11.0 and Updating HP-UX 10.x to 11.0,'
'Installing HP-UX 11.0,' and 'Readme Before Installing or
Updating to HP-UX 11.0.'

How to recover after an HP-UX root disk failure?




1. Periodically print the output of the following commands:

/usr/sbin/ioscan -fk
/usr/sbin/vgdisplay -v
/usr/sbin/lvlnboot -v
/usr/sbin/lvdisplay -v /dev/vgXX/lvYY (for each logical volume)
/usr/sbin/pvdisplay -v /dev/dsk/c#t#d0 (for each LVM disk)
cat /etc/fstab

2. Using SAM Backup and Recovery, fbackup or any other supported method, make sure a reliable full system backup has been taken. After every major system change, using COPYUTIL can be very helpful; this is done from the support media.


3. Keep an additional copy of the following files in a non-root volume group:

/etc/lvmconf/ (the whole directory)
/etc/rc.config.d/ (the whole directory)


1. If possible, run vgexport(1M) on the volume groups other than vg00. Be sure to use the map file option.

Example: vgexport -v -m vg00.map /dev/vg01

2. Reinstall on the root disk, specifying all the logical volumes and disks vg00 needs. Remember that the device files of these disks may be remapped. Extend all file systems as needed.

3. From the backup, restore all files in the root volume group (usually vg00) except those in the table below:

All non-vg00 mount points

4. Restore the map files from tape; skip this step if there are no map files.

5. Run vgimport on the other volume groups, specifying the appropriate map file. Remember to specify all the disk device files at once.

Example: vgimport -v -m vg02.map /dev/vg02 /dev/dsk/c1t4d0

6. Edit /etc/fstab so that it correctly reflects all file systems.

7. For the "recovery" of any other system configuration, refer to the information collected in step 1.

8. If there are no map files, rename /dev/vgxx/lvoly and rlvoly back to their original names (e.g. /dev/vg01/foo and rfoo)

Source: http://www.hp.com.cn (2001-05-29 20:10:00)
Operating system - HP-UX
Version - 10.20
Hardware - HP9000
Series - K220

Common HP-UX maintenance commands

1) tail and head
# tail filename
# tail -f filename; keeps tail running, showing new lines as the file is written.
# head filename
2) date and cal
# cal 2000
# cal 1 2000
3) find
# find / -print | wc -l  shows the number of all files and directories on the system.
# find / -user $LOGNAME -print  shows all files and directories belonging to this user.
# find / -size 100 -print  shows files whose size is 100 blocks.
# find / -size -100 -print  shows files smaller than 100 blocks.
# find / -size +100 -print  shows files larger than 100 blocks.
# find / -name core -exec rm {} \;  finds and deletes core files.
# find . -exec chown $LOGNAME {} \;  changes the owner of all files under a directory.
# find . -type d -exec chmod 770 {} \;  changes the permissions of all directories under a directory.
4) stty
# stty -a; shows the communication parameters of the current login terminal.
# stty -ixon; turns ixon off.
# stty ixon; turns ixon on.
# stty sane; usually helps when the terminal is in a confused state.
5) tset
tset -s -Q -m ':?hp'
6) cron
# crontab filename ; creates a crontab
# crontab -r ; removes the crontab
7) ioscan
# ioscan -fn (with this command we can see all devices, their device files and so on.)
# ioscan -fnCdisk
Class I H/W Path Driver S/W State H/W Type Description
disk 6 4.8.0 sdisk CLAIMED DEVICE SEAGATE ST34371W
/dev/dsk/c0t8d0 /dev/rdsk/c0t8d0
disk 7 4.11.0 sdisk CLAIMED DEVICE SEAGATE ST34371W
/dev/dsk/c0t11d0 /dev/rdsk/c0t11d0
disk 5 16/5.2.0 sdisk CLAIMED DEVICE TOSHIBA CD-ROM XM-5401TA
/dev/dsk/c3t2d0 /dev/rdsk/c3t2d0
The device described as "TOSHIBA CD-ROM XM-5401TA"
8) bdf
Filesystem kbytes used avail %used Mounted on
/dev/vg00/lvol1 67733 35561 25398 58% /
/dev/vg01/lvol1 20480 11675 8247 59% /home
%used: the proportion of this file system's total space that is in use.
Mounted on: the mount point
Note: when %used reaches 90% or more, consider doing the necessary file cleanup
9) lanscan
Use the lanscan command to view the network cards in the host. For example:
# lanscan
Hardware Station Crd Hdw Net-Interface NM MAC HP-DLPI DLPI
Path Address In# State NamePPA ID Type Support Mjr#
10/4/8 0x00108318E6E8 0 UP lan0 snap0 1 ETHER Yes 119
10/12/6 0x0060B0C44462 1 UP lan1 snap1 2 ETHER Yes 119
The hardware paths are 10/4/8 and 10/4/12 (Hardware Path)
The card names are lan0 and lan1 (Net-Interface Name column)
The NMIDs of the cards are 1 and 2 (NMID column)
The working states of the cards are UP, DOWN, UP (Hdw State column)
The MAC addresses of the cards are in the Station Address column.
For a card to work normally, its working state (Net-Interface name) must first be UP.
Use the ifconfig command to view the IP address of a card. For example:
# ifconfig lan0
lan0: flags=863
inet netmask fffff800 broadcast
10) ifconfig
# ifconfig lan0
lan0: flags=863
inet netmask fffff800 broadcast
11) Changing the host IP address
1. First find the card's device name with the "lanscan" and "ifconfig" commands
2. Edit the file /etc/rc.config.d/netconf with vi. Find
3. Edit the file /etc/hosts with vi and change the IP address for the corresponding host name
4. Note: do not change the IP address directly inside the CDE environment; exit CDE and then make the change.


3. /etc/group
4. /etc/profile
5. /etc/inittab
After internal initialisation the system starts the /etc/init daemon, which takes control of the boot sequence. The init process takes its instructions from the file /etc/inittab (init table); the contents of this file control all init states and also the respawning of processes that have died.
6. /etc/fstab
7. /etc/lvmtab
# strings /etc/lvmtab; shows the system's VGs and disk information.
8. /etc/rc.config.d/netconf
9. /stand/system


1.1 HP-UX system installation
Host name: CRCT1 (upper)
The host name can be viewed with the hostname or uname -a command.

1.2 Create user accounts
1.3.1 Configure the mirror disk
Mirror Disk is an HP-UX software package; when two system disks are installed in the system, its functions can be used to make a mirrored backup of the operating system. The steps for mirroring the disk are as follows.
1. Run lvlnboot -v to check the boot devices in the system
#lvlnboot -v
2. Create the second system disk
#pvcreate -B /dev/rdsk/c2t6d0
3. Extend vg00 to add the second disk
#vgextend /dev/vg00 /dev/dsk/c2t6d0
4. Create boot information for the second disk
#mkboot /dev/dsk/c2t6d0
5. Extend each logical volume in vg00 to add the mirror disk
lvextend -m /dev/vg00/lvol2 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol3 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol4 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol5 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol6 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol7 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol8 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol9 /dev/dsk/c2t6d0
lvextend -m /dev/vg00/lvol10 /dev/dsk/c2t6d0
6. Create boot information for the second disk
#mkboot -a "hpux(;0)/stand/vmunix" /dev/dsk/c2t6d0
7. Perform the following and then reboot the system
#lvlnboot -b /dev/vg00/lvol1
#lvlnboot -b /dev/vg00/lvol2
#lvlnboot -b /dev/vg00/lvol3
#lvlnboot -d /dev/vg00 /dev/dsk/c2t6d0
#lvlnboot -R
#shutdown -h -y 0
8. When the boot Main Menu appears, boot from the second disk
Main Menu:>sea
P0 0/0/2/0.6 intscsia.6 Random access media
P1 0/0/2/1.6 intscsia.6 Random access media
P0 0/4/0/0.0 Random access media
P3 0/10/0/0.1 Random access media
P4 1/10/0/0.5 Sequential access media
Main Menu:>bo p1
9. After the system has booted, run
#lvlnboot -v
SAM: Disks and File Systems (CRCT1) -> Disk Devices / Disk Array -> Actions -> Bind Maintenance
SAM: Disks and File Systems (CRCT1) -> Volume Groups -> Actions -> Create
1.4.1 Configure the tape drive
1. Add the tape driver tape
2. Rebuild the kernel and reboot the system
3. Use the tape device
tar cvf /dev/rmt/0m /etc/*
1.4.2 Configure the tape library
1. Add the tape library driver schgr
2. Rebuild the kernel and reboot the system
3. View the tape library device
ll /dev/ac/*
SAM: Network Configuration -> IP Address on network
1.5.2 Configure the network card manually
1.5.3 Add a static route at boot
1. Create the file /sbin/init.d/route
#more /sbin/init.d/route
route add default
2. Create the link
ln -s /sbin/init.d/route /sbin/rc2.d/S750route
3. View the routing information
netstat -r
1.5.4 Configure the bootp remote boot protocol
1. Find the network cards in the system
#ifconfig lan0
2. Back up the original file
#cp /etc/bootptab /etc/bootptab.bak
3. Edit the file /etc/bootptab
#/usr/bin/vi /etc/bootptab
add a similar entry for each system to be served by this bootp server
4. When CRCT1 boots, press the space bar to interrupt the boot process
enter the Main Menu and type bo lan.
interact with IPL (Y,N,or Cancel)?N



China Hewlett-Packard Co., Customer Service Department

I. Common system backup and recovery commands

1. fbackup / frecover

2. tar

3. sam

4. copyutil

5. make_recovery

II. System backup and recovery methods and strategy

1. Backup strategy

2. Recovery strategy

III. Appendix


1. fbackup & frecover

1.1 System backup command: fbackup

1) fbackup, common usage 1:

[1] Enter single-user mode:

# shutdown -y 0
# /etc/mount -a

[2] Full system backup

# fbackup -f /dev/rmt/0m -0iv / -I /tmp/sysbk.index

-f: device file name (such as a DDS tape drive)
-i: directory to include
-e: directory to exclude
-I: index file listing the backup contents
-v: verbose listing of the backup contents
-0: level 0 backup

# fbackup -f /dev/rmt/0m -i / -e /home

Backs up all directories except /home

[3] Notes

1) This form of the command backs up the file systems currently "mounted" on the system
2) Backup levels

There are backup levels 0 to 9; if the current backup is at level 0 and the next is taken at level 5

2) fbackup, common usage 2:

[1] # mkdir -p /tmp/fbackupfiles/index
# mkdir -p /tmp/fbackupfiles/log

[2] # touch /tmp/fbackupfiles/index/full.`date '+%y%m%d.%H:%M'`


# shutdown -y 0
# /etc/mount -a


# fbackup -0vi / -f /dev/rmt/0m \
-I /tmp/fbackupfiles/index/full.`date '+%y%m%d.%H:%M'` \
2> /tmp/fbackupfiles/log/full.`date '+%y%m%d.%H:%M'`


3) fbackup, common usage 3:


# shutdown -y 0
# /etc/mount -a


# fbackup -0uv / -f /dev/rmt/0m \
-g /tmp/fbackupfiles/mygraph \
-I /tmp/fbackupfiles/index/full.`date '+%y%m%d.%H:%M'` \
2> /tmp/fbackupfiles/log/full.`date '+%y%m%d.%H:%M'`


a. The file mygraph: contains the directories to back up, in the following format:

i /users/data
i /home/app
e /oracle/sql

b. The u option:

When the backup succeeds, the system updates /var/adm/fbackupfiles/dates.

4) fbackup, common usage 4:


[1] When logged on to the local system

# remsh backup_sysname "fbackup -f DDS_sysname:/dev/rmt/0m -0vi /"

[2] When logged on to the remote system

# fbackup -f backup_sysname:/dev/rmt/0m -0vi /

5) fbackup, common usage 5:

Compressed backup (not recommended; it affects system performance)

[1] Compressed backup

# fbackup -0vi /dir -f - | compress | dd of=/dev/rmt/0m obs=10k

"-": refers to standard output

[2] View the backup contents

# dd if=/dev/rmt/0m ibs=10k | uncompress | frecover -I - -f -

1.2 System recovery command: frecover

1) Restore everything on the tape:

[1] Enter single-user mode:

# shutdown -y 0
# /etc/mount -a

[2] Restore the data

# frecover -rf /dev/rmt/0m


-f: device file name
-r: restore all data on the tape
-I: save the file index from the tape to the specified file

# frecover -I /tmp/index.txt -f /dev/rmt/0m

2) Restore a directory:

# frecover -xi /directory

# frecover -x -i /dir1 -i /dir2

# frecover -xoi /dir

-o: overwrite existing files of the same name under /dir

# frecover -xvXi /dir

-X: restore the data according to the directory on the tape

# cd /tmp/local; frecover -xvYi /dir

-Y: restore the data according to the file name on the tape


# cd /tmp/local
# frecover -xvF -i /home/filename

[Result] /tmp/local/filename, not /home/filename

3) Restore data from a remote tape drive to the local system:

# frecover -xi /dir -f remote_name:/dev/rmt/0m

4) Restore data from the local tape drive to a remote system:

# remsh remote_name "frecover -xi /dir -f local_name:

2. The tar command

2.2.1 Full system backup

# tar cvf /dev/rmt/0m /

2.2.2 Back up a directory

# tar cvf /dev/rmt/0m /tmp

2.2.3 Change the backup path of the files

# tar cvf /dev/rmt/0m -C /tmp .

[Note]: the path /tmp becomes ./ on the tape

# cd /tmp
# tar cvf /dev/rmt/0m ./*

2.2.4 Restore data

# tar xvf /dev/rmt/0m (all data on the tape)

# tar xvf /dev/rmt/0m /tmp (restore the directory /tmp)

2.2.5 List the data on the tape

# tar tvf /dev/rmt/0m

3. SAM

1) Back up data

# sam

----> Select "Backup and Recovery"
----> Select "Interactive Backup and Recovery"
----> Select "Backup Device"
----> Select "Backup Files Interactively" (from the [Action] menu)
-----> Select Backup Scope
-----> Select Local File Systems Only (no NFS)
-----> Select "OK"

2) Check the backed-up data

[1] Check the file /var/sam/log/br_log

Note: if Exit code=2, there was a problem in the backup procedure.

[2] See which files are on the tape

# frecover -rNsv -f /dev/rmt/0m

4. Copyutil

1) How to start "Copyutil"

[1] Boot from the CD and enter ISL

BOOT_ADMIN>boot scsi.n.m (path of the CD-ROM drive, such as scsi.4.0)

[2] ISL>ode copyutil

Type help for command information

[3] ISL_CMD>copyutil

please wait while scanning device busses...

TY Indx Path Product ID Bus Size Rev

D 0 16/5.6.0 SEAGATEST31230N disk drive SCSI 1.0 GB HPM4
D 1 16/5.5.0 SEAGATEST31230N disk drive SCSI 1.0 GB HPM4
T 2 16/5.0.0 HPC1504[X]/HPC1521B DDS tape SCSI n/a 1009

2) Back up all data on the system disk

COPYUTIL> backup

Enter the disk index ([q]/?): 0
Enter the Tape index ([q]/?): 2

Use data compression? (y/[n])? Y

When the backup finishes, the system shows: DONE!

COPYUTIL> exit

3) Restore data to the specified system disk

COPYUTIL> restore

Enter the Tape index ([q]/?): 2
Enter the disk index ([q]/?): 0

Use data compression? (y/[n])? Y

After the system displays "Restored Successful", the restore is finished.

COPYUTIL> exit

4) Note:

When copyutil is used to back up the root disk to tape, that tape can be used as a bootable tape

5. make_recovery

1) Install the "Ignite-UX application"

[1] Install from the "HP-UX Application CD-ROM"

1) # swinstall
2) "Mark" [A. 1.53 HP-UX Installation Utility (Ignite-UX for 10.20)]
3) "Analysis"
4) "Install"

[2] Download from the website and install:

1) http://www.software.hp.com/
Select: "Network & System administration"
Download: "ignite-ux_10.20.tar" (10.20 is the OS version)

2) Install from disk:

# cd /tmp
# tar xvf /dev/rmt/0m ./ignite-ux_10.20.tar
# swinstall -s /tmp/ignite-ux_10.20.tar

3) Install from tape:

# dd if=/tmp/ignite-ux_10.20.tar of=/dev/rmt/0m bs=2k
# swinstall -s /dev/rmt/0m

[4] make_recovery:

/opt/ignite/bin/make_recovery [-AprvC] [-d destination] [-b boot_destination]

-A: back up the entire root disk / volume group

-p: preview the backup process without creating the bootable DDS tape

a. checks the file /var/opt/ignite/recovery/mkrec.append

b. creates the file /var/opt/ignite/recovery/arch.include

-r: after -p has been used, this option creates the bootable DDS tape

a. this option honours the file /var/opt/ignite/recovery/arch.include

-v: show progress messages during the backup

-d: specify the DDS device file name (default: /dev/rmt/0mn)

-b: specify the temporary file used during the system backup (default: /var/tmp/uxinstlf.recovery)
This file is 32 MB, so when running make_recovery pay attention to the size of the /var
file system; when /var is too small, back up the system with the following command:

# make_recovery -A -C -b /tmp/uxinstlf.recovery

-C: create the file reflecting the current system state: /var/opt/ignite/recovery/makrec.last

If this file exists, the check_recovery command can be used

[5] Note:

A tape made with make_recovery is a bootable tape and can be used to install the OS.

2) Back up the system root disk

[1] Create a "minimal" OS bootable DDS tape (default device file: /dev/rmt/0mn)

# make_recovery

[2] Create a "minimal" OS bootable DDS tape (device file: /dev/rmt/c0t1d1BESTn)

# make_recovery -d /dev/rmt/c0t1d1BESTn

[3] Preview first, then create the bootable DDS tape

# make_recovery -p
# vi /var/opt/ignite/recovery/arch.include
# make_recovery -r

[4] Copy the entire root disk

# make_recovery -A

[5] Copy the entire root disk and generate the file reflecting the current system state:
(/var/opt/ignite/recovery/makrec.last)

# make_recovery -C -A

[6] Worked example:

(1) System file systems:

Filesystem kbytes used avail %used Mounted on

/dev/vg01/osdepot 2621440 2530838 84872 97% /osdepot
/dev/vg01/lvol1 480341 58696 373610 14% /var
/dev/vg01/lvol7 378965 297521 43547 87% /usr
/dev/vg01/lvol6 588643 245540 284238 46% /opt
/dev/vg00/lvol3 107669 38577 58325 40% /
/dev/vg00/lvol1 67733 12409 48550 20% /stand
/dev/vg00/lvol4 30597 19 27518 0% /tmp
/dev/vg00/lvol5 19861 1416 16458 8% /home


[a] make_recovery:

vg00: /stand, /sbin, /dev, /etc, /tmp, /home

vg01: parts of /opt and /var (see the Core-OS list)
/usr/bin, /usr/lib
/usr/obam, /usr/sam,
/usr/share, /usr/ccs,
/usr/conf, /usr/lbin,
/usr/contrib, /usr/local,

[b] make_recovery -A:

vg00: backs up all data on the root volume group

vg01: backs up all data on the non-root volume group

Only when /usr is on a non-root volume group
will all data on that non-root volume group also

3) Restore all data from the tape

(1) Non-interactive system recovery

[1] Insert the system recovery tape in the tape drive

[2] Boot the system

[3] Interrupt the boot process and go to the Boot_admin> prompt

[4] Boot_admin> bo 8/16.0.0

8/16.0.0: the hardware path of the tape drive

[5] Select "non-interactive"

[6] Wait for the system recovery to complete

(2) Interactive system recovery

[1] Insert the system recovery tape in the tape drive

[2] Boot the system

[3] Interrupt the boot process and go to the Boot_admin> prompt

[4] Boot_admin> bo 8/16.0.0

8/16.0.0: the hardware path of the tape drive

[5] Do not select "non-interactive"

[6] Select

a. [Install HP-UX]

b. [Advanced Installation]

c. Configure or change the following options:

disks, file systems,
hostname, IP address,
timezone, root password,
DNS server, and gateway
[7] Select [install continue...] until the system recovery completes

II. System backup / recovery methods and strategy

2.1 Backup strategy

[1] HP-UX Core-OS:

/, /opt, /var, /tmp, /usr, /home, /stand; usually these file systems


(1) fbackup:

# fbackup -0vi / -f /dev/rmt/0m \
-I /tmp/fbackupfiles/index/full.`date '+%y%m%d.%H:%M'` \
2> /tmp/fbackupfiles/log/full.`date '+%y%m%d.%H:%M'`

See (fbackup, common usage 2)

(2) make_recovery:

# make_recovery -C -A -b /tmp/oslif.rec

See (make_recovery)

[2] System configuration information:

(1) System swap information

#swapinfo -t

(2) System file system information


(3) System I/O information

# ioscan -fnCdisk

(4) /etc/fstab

(5) Logical volume configuration files

/etc/lvmconf/vg00.conf, vg01.conf, vg02.conf

created and restored with vgcfgbackup / vgcfgrestore

(6) Use HP tools to collect and back up the system configuration information

These tools include: LVMcollect.10


(1) tar

# tar cvf /dev/rmt/0m ./vg00.conf ./vg01.conf

(2) fbackup

# fbackup -f /dev/rmt/0m -i /etc/lvmconf/vg01.conf

[3] Other system logical volumes (e.g. vg01, vg02)


(1) fbackup:

# fbackup -0uv / -f /dev/rmt/0m \
-g /tmp/fbackupfiles/mygraph \
-I /tmp/fbackupfiles/index/full.`date '+%y%m%d.%H:%M'` \
2> /tmp/fbackupfiles/log/full.`date '+%y%m%d.%H:%M'`

(2) tar

# tar cvf /dev/rmt/0m /oracle/app /home/oracle



2.2 Recovery strategy

[1] When the system was backed up with fbackup / tar

1) Install the Core-OS

2) Restore the backed-up contents of vg00 / vg01 / vg02

# frecover -o -r -f /dev/rmt/0m

[2] When the system was backed up with make_recovery

1) Boot the system from the tape and restore vg00

See the make_recovery recovery method

2) Restore the other logical volumes

# frecover -o -r -f /dev/rmt/0m

    HP-UX 11.0 Installation Checklist

    Securing UNIX GCUX Practical Assignment
    Version 1.6b

    HP-UX 11.0 Installation Checklist
    By Della Schmidt


    This document is to be used as a guide to help create a secure HP-UX 11.0 Internet ready server. Since this is to be a secure install it is advisable that the server remain off the network/internet until it has been completely configured. You will need to have some way to transfer files so the system will need either a tape drive or a cdrom physically attached. It is also advisable not to have a C compiler installed on the system. (While this won’t stop a determined hacker it will make it just a little bit harder for them.) Since the machine will not have a compiler you will need to do the compiles on a different machine and transfer the binaries between them.

    HP-UX Minimal OS Installation

    To cold-install HP-UX 11.0, you must have the following:
    A supported HP 9000 server or workstation (see Appendix A)
    64 MB memory, minimum
    128 MB swap space, minimum
    2GB root disk volume, minimum

    You will need the following CD’s ready:
    HP-UX 11.0 Install/Update/Recovery CD, March 2001 or later.
    Core OS Options CD (for technical servers and workstations).
    Support Plus CD, March 2001 or later (for hardware/critical patch bundle, diagnostics and iCOD product), is needed.
    HP-UX 11.0 Application Software CDs

    1. ____ Make sure all peripherals are turned on.
    2. ____ Turn on the server or recycle the power.
    3. ____ Load the Install and Core OS CDROM into the CD-ROM drive.
    4. ____ Interrupt the autoboot process by pressing any key during the 10 second interval that is given. This is so the system can be
    booted from the Core OS CDROM.
    5. ____ Once autoboot has been interrupted you should now see the autoboot menu.
    6. ____ Boot from the device that contains the Core OS CDROM. Usually the alternate boot path is the CDROM drive.
    To verify that, you can type search and view all defined boot devices.
    bo alt OR bo
    7. ____ You should now be asked: Interact with IPL (Y or N) ?> Type n.
    8. ____ The install kernel will take 3-5 minutes to install.
    9. ____When that has completed a screen will appear asking for the keyboard language of the console. Respond with the correct number
    and press ENTER.
    10. ____ The Welcome to Ignite-UX screen will be displayed.
    11. ____ Tab to Install HP-UX field and press Enter.
    12. ____ From the User Interface and Media Options screen, verify that these choices are selected:
    Source Location Options: Media-only installation – installing from the local CD drive.

    User Interface Options: Guided Installation – provides an install wizard with limited choices.
    13. ____Now proceed through each screen to configure your system:
    Basic Configuration: Commercial Servers – this will install HP-UX 11.0 Core OS software, required ACE patches, general recommended core (XSWGR1100), latest hardware-enablement and critical (HWCR) patches, diagnostic products and COD Client Product for HP-UX 11.0

    Software Selection: Select needed mass-storage and networking I/O driver products.

    Languages: Click the Languages button to view CDE-languages bundles to be loaded. Global is set by default when installing on workstations, resulting in all available CDE-language bundles being installed. Global (Non-CDE) is set when installing on servers to indicate that a generic, CDE-language bundle will be installed.

    14. ____ Review any messages that Ignite-UX encountered. Resolve any errors before continuing with the installation.
    15. ____ Select: Finish
    16. ____ The system will now configure the disk(s) and load a minimum set of commands and libraries. Software Distributor will then load all the products and patches from the CD.
    17. ____ As prompted, replace the HP-UX 11.0 Install/Update/Recovery CD with the requested CD from the media box.
    18. ____ The system will automatically reboot after all software has been loaded.
    19. ____ set_parms will run and ask you to set:
    root password
    time zone
    IP address
    other network parameters

    Updating Applications

    After installing HP-UX 11.0, install other needed applications
    1. ____ Use swinstall to install software that was not included as part of the basic OS installation. The latest versions of HP-UX software products are provided on the HP-UX Applications CDs. To find the contents of each CD, mount any HP-UX Applications CD and view the TOC file.
    2. ____ After installing the software, complete any post-install configuration. This is explained in the software's release notes or manual. Most documentation for HP-UX applications is either on the HP-UX Instant Information CD or on HP's documentation Web site: docs.hp.com/hpux/os/11.0/

    HP-UX Patches Installation

    To track down known HP software vulnerabilities and their solutions, use the HP Security Archive on the IT Resource Center Web site. Each bulletin contains a description of the problem, which versions of the operating system are affected and the solution. To access this information go to:
    Search Technical Knowledge Base
    Security Bulletin Archive
    You can also subscribe to HP's Security Bulletin Digest and receive an email update as new vulnerabilities are identified. To sign up for this go to:
    support information digests

    Modification of the Boot Process

    Closely review the startup scripts and identify all unnecessary services. Stop them from starting by renaming their start links in /sbin/rc?.d; renaming the link instead of deleting it makes it easy to restore the service later. Only the S (start) links need renaming; the matching K (kill) links are harmless. Pay particular attention to insecure network services. On a server of this type you should be able to eliminate everything in /sbin/rc3.d.

    1. ____ Review /etc/rc.log to determine which processes are started on boot
    2. ____ Rename NFS-related links
    /usr/bin/mv /sbin/rc2.d/S400nfs.core /sbin/rc2.d/.NOS400nfs.core
    /usr/bin/mv /sbin/rc2.d/S430nfs.client /sbin/rc2.d/.NOS430nfs.client
    /usr/bin/mv /sbin/rc3.d/S100nfs.server /sbin/rc3.d/.NOS100nfs.server
    3. ____ Rename RPC link
    /usr/bin/mv /sbin/rc2.d/S590Rpcd /sbin/rc2.d/.NOS590Rpcd
    4. ____ Rename Sendmail link
    /usr/bin/mv /sbin/rc2.d/S540sendmail /sbin/rc2.d/.NOS540sendmail
    5. ____ If this machine is not going to be a DNS server, rename the DNS link
    /usr/bin/mv /sbin/rc2.d/S370named /sbin/rc2.d/.NOS370named
    6. ____ Rename everything in /sbin/rc3.d
    cd /sbin/rc3.d
    for file in S*
    do
        /usr/bin/mv $file .NO$file
    done
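The renaming steps above all follow one pattern, so here is an added example (not part of the original checklist) that wraps it in small shell functions: they refuse to touch K (kill) links, can reverse the change, and report what is parked. The function names are invented for this example, and it runs against a scratch copy of the rc directories so it can be tried on any Unix without touching a real /sbin/rc?.d.

```shell
#!/bin/sh
# Added example, not from the original checklist. Function names are
# invented; DEMO is a scratch tree standing in for /sbin/rc2.d and rc3.d.

# rc_disable DIR S-LINK  ->  DIR/S-LINK becomes DIR/.NOS-LINK
rc_disable() {
    dir=$1; link=$2
    [ -e "$dir/$link" ] || { echo "no such link: $dir/$link" >&2; return 1; }
    case $link in
        S[0-9][0-9][0-9]*) ;;      # only start links; K links stay as they are
        *) echo "refusing to rename non-start link $link" >&2; return 1 ;;
    esac
    mv "$dir/$link" "$dir/.NO$link"
}

# rc_enable DIR S-LINK  ->  the reverse of rc_disable
rc_enable() {
    dir=$1; link=$2
    [ -e "$dir/.NO$link" ] || { echo "no disabled link: $dir/.NO$link" >&2; return 1; }
    mv "$dir/.NO$link" "$dir/$link"
}

# rc_disable_all DIR  ->  park every S* link in DIR (the checklist's rc3.d step)
rc_disable_all() {
    dir=$1
    for f in "$dir"/S*; do
        [ -e "$f" ] || continue          # glob matched nothing
        rc_disable "$dir" "$(basename "$f")" || return 1
    done
}

# rc_list DIR  ->  which start links are still active and which are parked
rc_list() {
    dir=$1
    for f in "$dir"/S* "$dir"/.NOS*; do
        [ -e "$f" ] || continue
        case $(basename "$f") in
            .NO*) echo "disabled $(basename "$f")" ;;
            *)    echo "active   $(basename "$f")" ;;
        esac
    done
}

# Constructed scratch tree with the link names used in the checklist.
DEMO=$(mktemp -d)
mkdir "$DEMO/rc2.d" "$DEMO/rc3.d"
for l in S400nfs.core S430nfs.client S500inetd S540sendmail K900nfs.server; do
    : > "$DEMO/rc2.d/$l"
done
for l in S100nfs.server S200clean_ex; do
    : > "$DEMO/rc3.d/$l"
done

rc_disable "$DEMO/rc2.d" S400nfs.core
rc_disable "$DEMO/rc2.d" S540sendmail
rc_disable_all "$DEMO/rc3.d"
rc_list "$DEMO/rc2.d"
rc_list "$DEMO/rc3.d"
```

Pointing the functions at /sbin/rc2.d and /sbin/rc3.d as root does the real work; rc_list afterwards is a quick way to see what will still start on the next boot.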

    Create a script to ensure that the startup scripts run with a proper umask [14]. This recipe comes from the Solaris guide, where /sbin/rc sources *.sh links into its own shell; check how /sbin/rc on your HP-UX release treats the S000umask.sh link (sourced, or executed as a child process), because a umask set in a child process has no effect on the scripts that follow it.

    1. ____ /usr/bin/echo 'umask 022' > /sbin/init.d/umask.sh
    2. ____ /usr/bin/chmod 744 /sbin/init.d/umask.sh
    3. ____ Add umask.sh to the startup script directories by running the following
    /usr/bin/umask 022
    for d in /sbin/rc?.d
    do
        /usr/bin/ln -s /sbin/init.d/umask.sh $d/S000umask.sh
    done

    inetd is the Internet daemon that starts network services on demand. Many of those services are considered unsafe, so it is very important to review them and disable any that are not absolutely necessary. The Berkeley "r" programs have a long history of abuse, so make sure the shell and login services are disabled. Also consider disabling bootps, exec, ntalk, echo and chargen. The ideal situation is not to run inetd at all. (If inetd is not running you will have no remote access to the machine until ssh is installed and configured.)

    1. ____ Disable inetd – preferred method
    /usr/bin/mv /sbin/rc2.d/S500inetd /sbin/rc2.d/.NOS500inetd
    /usr/bin/rm /etc/inetd.conf

    2. ____ inetd enabled, but with all unnecessary services disabled
    /usr/bin/vi /etc/inetd.conf
    comment out (place # at the beginning of the line) every unnecessary service
    /usr/sbin/inetd -c      (tells the running inetd to reread /etc/inetd.conf)
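Commenting out services by hand is error-prone on a long inetd.conf, so here is an added example (not part of the original checklist) that does the pruning from an explicit allow list and shows what remains. The function names are invented, and the configuration it works on is a constructed sample in HP-UX inetd.conf layout, not a real /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the original checklist. Function names invented;
# the sample inetd.conf below is constructed for the demonstration.

# inetd_prune CONF "svc1 svc2 ..."  ->  comment out every active service line
# in CONF whose service name (first field) is not in the allow list. Lines that
# are already comments, or blank, are left exactly as they are. HP-UX RPC
# entries all carry the service name "rpc", so they survive only if "rpc" is
# listed.
inetd_prune() {
    conf=$1; keep=$2
    awk -v keep="$keep" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        ($1 in allow)            { print; next }
        { print "#" $0 }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# inetd_active CONF  ->  the service names inetd would still start
inetd_active() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# Constructed sample (service, type, protocol, wait, user, server, args).
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
# constructed sample inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
shell   stream tcp nowait root /usr/lbin/remshd  remshd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
exec    stream tcp nowait root /usr/lbin/rexecd  rexecd
bootps  dgram  udp wait   root /usr/lbin/bootpd  bootpd
echo    stream tcp nowait root internal
chargen stream tcp nowait root internal
#finger stream tcp nowait bin  /usr/lbin/fingerd fingerd
EOF

echo "before: $(inetd_active "$DEMO_CONF" | tr '\n' ' ')"
inetd_prune "$DEMO_CONF" "ftp telnet"
echo "after:  $(inetd_active "$DEMO_CONF" | tr '\n' ' ')"
# On the real system, follow with:  /usr/sbin/inetd -c   (reread the file)
```

Run it against a copy of /etc/inetd.conf first and diff the result; the allow list is deliberately the only thing that decides what stays, so anything not named is gone.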

    Network Tuning

    Reconfigure various network parameters to reduce your exposure to smurf attacks, SYN floods and ARP spoofing. A description of the relevant parameters can be found in Appendix B. Use ndd -h sup to list all supported network parameters and ndd -h unsup to list the unsupported ones. HP recommends that you DO NOT change unsupported parameters.

    1. ____ /usr/bin/vi /etc/rc.config.d/nddconf
    2. ____ Add an entry for each parameter from Appendix B you want to set
    3. ____ ndd -c to apply /etc/rc.config.d/nddconf now (it is also applied at every boot)

    File System Configuration

    Some file systems are static in nature and do not change unless you are doing some type of upgrade. To guard against unknown modifications to the files in these file systems, and the planting of trojan horses, it makes sense to mount them read-only (/usr and /opt are examples). You also want to ensure that setuid programs cannot be executed from file systems that should never hold them; mount those with the nosuid option (/var and /home are examples). An example of a secure /etc/fstab can be found in Appendix C. Remember that swinstall and patch installation write into /usr and /opt: remount them read-write (mount -o remount,rw /usr) for the duration of the update and back to read-only afterwards.
    1. ____ /usr/bin/vi /etc/fstab
    2. ____ Add ro option to /opt and /usr
    3. ____ Add nosuid to /stand, /var, /home
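A quick way to confirm that the edit took, and to re-check after each patch cycle, is to audit /etc/fstab against the policy above. This is an added example, not part of the original checklist: the function name is invented, and the two fstab files it reads are constructed (the second mirrors Appendix C).

```shell
#!/bin/sh
# Added example, not from the original checklist. Function name invented;
# BEFORE and AFTER are constructed fstab files, not real ones.

# fstab_audit FSTAB  ->  prints one line per mount point that lacks the option
# the policy requires (ro on /usr and /opt, nosuid on /stand, /var, /home), or
# that is not a separate file system at all. Exit 1 if anything was reported.
fstab_audit() {
    awk '
        BEGIN {
            want["/usr"] = "ro";       want["/opt"] = "ro"
            want["/stand"] = "nosuid"; want["/var"] = "nosuid"; want["/home"] = "nosuid"
        }
        /^[ \t]*#/ || NF < 4 { next }            # comments and short lines
        ($2 in want) {
            seen[$2] = 1
            ok = 0
            n = split($4, opt, ",")              # options are comma-separated
            for (i = 1; i <= n; i++) if (opt[i] == want[$2]) ok = 1
            if (!ok) { printf "%s: missing %s (options: %s)\n", $2, want[$2], $4; bad = 1 }
        }
        END {
            for (m in want)
                if (!(m in seen)) { printf "%s: not a separate file system\n", m; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
# constructed: options as left by a default install
/dev/vg00/lvol3 /      hfs defaults 0 1
/dev/vg00/lvol1 /stand hfs defaults 0 1
/dev/vg00/lvol4 /tmp   hfs defaults 0 2
/dev/vg00/lvol5 /home  hfs defaults 0 2
/dev/vg00/lvol6 /opt   hfs defaults 0 2
/dev/vg00/lvol7 /usr   hfs defaults 0 2
/dev/vg00/lvol8 /var   hfs defaults 0 2
EOF
cat > "$AFTER" <<'EOF'
# constructed: the hardened layout from Appendix C
/dev/vg00/lvol3 /      hfs defaults 0 1
/dev/vg00/lvol1 /stand hfs nosuid   0 1
/dev/vg00/lvol4 /tmp   hfs defaults 0 2
/dev/vg00/lvol5 /home  hfs nosuid   0 2
/dev/vg00/lvol6 /opt   hfs ro       0 2
/dev/vg00/lvol7 /usr   hfs ro       0 2
/dev/vg00/lvol8 /var   hfs nosuid   0 2
EOF

echo "--- before"; fstab_audit "$BEFORE" || echo "(non-compliant)"
echo "--- after";  fstab_audit "$AFTER"  && echo "(compliant)"
```

fstab_audit /etc/fstab from cron, with its output mailed to the administrator, turns the one-time edit into a standing check.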

    /usr/local by default has world-writable permissions on all of its directories. Change this to a safer 755.
    1. ____ find /usr/local -type d -exec chmod 755 {} \;

    Remove group write permission from everything under /etc.
    1. ____ chmod -R g-w /etc

    Remaining Network Services

    If the machine is to be a DNS client you will need to define the domain and its name server(s), and configure which sources the resolver uses and in which order. Configure it so that the hosts file is checked first, then DNS.
    1. ____ /usr/bin/touch /etc/resolv.conf
    2. ____ /usr/bin/echo "domain " > /etc/resolv.conf      (fill in your domain name)
    3. ____ /usr/bin/echo "nameserver " >> /etc/resolv.conf   (fill in the name server's IP address; repeat for each server)
    4. ____ /usr/bin/chown root:root /etc/resolv.conf
    5. ____ /usr/bin/chmod 644 /etc/resolv.conf
    6. ____ /usr/bin/cp /etc/nsswitch.files /etc/nsswitch.conf
    7. ____ /usr/bin/vi /etc/nsswitch.conf
    modify the hosts entry from hosts: files to hosts: files [NOTFOUND=continue] dns
    8. ____ /usr/bin/chown root:root /etc/nsswitch.conf
    9. ____ /usr/bin/chmod 644 /etc/nsswitch.conf

    Convert to a Trusted System

    HP-UX offers additional security features beyond the normal Unix mechanisms: a more stringent authentication system, auditing, terminal access control and time-based access control. To take advantage of them the system must be converted to a trusted system.* If security is important, it is recommended this be done. To convert a system, in SAM (/usr/sbin/sam):
    Select “Auditing and Security”
    Select “System Security Policy”
    Select “YES” at the following prompt:

     You need to convert to a Trusted System before proceeding. The
     conversion process does the following things:

     1. Creates a protected database on the system for storing security
     information.
     2. Moves user passwords in "/etc/passwd" to this database.
     3. Replaces all password fields in "/etc/passwd" with "*".

     For more details, refer to the "System Security" chapter of the
     "System Administration Tasks" manual.

     Do you want to convert to a Trusted System now?
     [ Yes ] [[No ]]

    You will then see a message telling you that the system is being converted, followed by “Successfully converted to a trusted system”. Press OK to continue. From this point the password hashes live only in the protected database under /tcb/files/auth; /etc/passwd no longer holds anything worth stealing.

    Time to set up your security policies. The following are recommendations only; tailor them to fit your environment.

     Use this screen to set system policies for user accounts. Policies
     apply to all users unless user-specific policies are set.

     If you choose more than one of the following options, users will
     choose which one of these options they prefer at login time.

     Password Selection Options:
      [ ] System Generates Pronounceable
      [ ] System Generates Character
      [ ] System Generates Letters Only
      [X] User Specifies

     User-Specified Password Attributes:
      [X] Use Restriction Rules
      [ ] Allow Null Passwords

     Maximum Password Length: 8
     [ OK ] [ Cancel ] [ Help ]

     Use this screen to set system password aging policies. Policies
     apply to all users unless other user-specific policies are set.

     Password Aging: [ Enabled ->]
     Time Between Password Changes (days): 20
     Password Expiration Time (days): 90
     Password Expiration Warning Time (days): 14
     Password Life Time (days): 180
     [ OK ] [ Cancel ] [ Help ]

     Use this screen to set system policies for user accounts.
     Policies apply to all users unless user-specific policies
     are set.

     Lock Inactive Accounts:
      < > Enabled
      <*> Disabled

     Unsuccessful Login Tries Allowed: 6
     [X] Require Login Upon Boot to Single-User State
     [ OK ] [ Cancel ] [ Help ]

     Use this screen to set system policies for
     terminals. Policies apply to all terminals
     unless terminal-specific policies are set.

     Unsuccessful Login Tries Allowed: 10
     Delay Between Login Tries (sec.): 2
     Login Timeout Value (sec.): 0
     [ OK ] [ Cancel ] [ Help ]

    * Network Information Service (NIS) is not supported on a trusted system.

    System And Process Auditing

    Now that the system has been converted to a trusted system and your security policies have been set, it is time to turn on auditing. In SAM:
    Select “Auditing and Security”
    Select “Audited Events”
    Select “Actions”
    Select “Turn Auditing On”

     Actions menu:
       Turn Auditing ON
       Set Audit Monitor and Log Parameters...
       View Audit Log...
       Unconvert the System

     Auditing Turned: OFF                      Audited Events: 18 selected

     Event Type   Audit Success   Audit Failure   System calls
     admin        Yes             Yes             acct, adjtime, audctl, audswitch, clock_...
     close        No              No              close, ksem_close, mq_close, munmap
     create       No              No              creat, mkdir, mknod, msgget, pipe, semge...
     delete       No              No              ksem_unlink, mq_unlink, msgctl, rmdir, s...
     ipcclose     No              No              fdetach, shutdown
     ipccreat     No              No              bind, socket, socket2, socketpair, socke...
     ipcdgram     No              No
     ipcopen      No              No              accept, connect, fattach
     login        Yes             Yes
     modaccess    No              No              chdir, chroot, fchdir, link, lockf, lock...

    Next select which events you want to audit. At the very minimum you should audit:
    admin - all administrative and privileged events.
    login - all logins and logouts.
    modaccess - all access modifications other than DAC.
    moddac - all modifications of an object’s discretionary access controls.

    Setup a cron job to collect system diagnostic messages.
    1. ____ /usr/bin/crontab –e
    2. ____ Insert the following 2 lines
    # log kernel diagnostic messages every 10 minutes
    05,15,25,35,45,55 * * * * /usr/sbin/dmesg - >>/var/adm/messages

    User Access Control

    Tight controls must be maintained on user accounts. A system should only have the accounts that are necessary for the applications running on it.

    Restrict root login to the console. Users must log in as themselves and use su to become root, which leaves a record of who did so.
    1. ____ /usr/bin/touch /etc/securetty
    2. ____ /usr/bin/echo console > /etc/securetty
    3. ____ /usr/bin/chmod 400 /etc/securetty

    Enable password history to prevent password reuse. On a trusted system the system administrator can enable the password history feature to stop users from cycling back to previous passwords.
    1. ____ /usr/bin/touch /etc/default/security
    2. ____ /usr/bin/echo "PASSWORD_HISTORY_DEPTH=10" >> /etc/default/security
    3. ____ /usr/bin/chown bin:bin /etc/default/security
    4. ____ /usr/bin/chmod 444 /etc/default/security

    Lock all “pseudo-accounts”, including uucp, lp, nuucp, sys, hpdb and www. These are logins that are not associated with individual users and do not need interactive shells; they are in the password file only because they own files.
    1. ____ /usr/bin/vi /etc/passwd and change the login shell of each to /dev/null
    2. ____ Lock each account with /usr/bin/passwd -l
    3. ____ Remove any files in /var/spool/cron/crontabs except for root
    4. ____ Remove any files in /var/spool/cron/atjobs except for root

    Ensure that root is the only login that can run the crontab and at commands.
    1. ____ /usr/bin/echo root > /var/adm/cron/cron.allow
    2. ____ /usr/bin/echo root > /var/adm/cron/at.allow
    3. ____ /usr/bin/chmod 400 /var/adm/cron/cron.allow
    4. ____ /usr/bin/chmod 400 /var/adm/cron/at.allow
    5. ____ /usr/bin/rm /var/adm/cron/cron.deny
    6. ____ /usr/bin/rm /var/adm/cron/at.deny

    Restrict ftp access. At a minimum no login with uid < 100 should be able to ftp. Also add to /etc/ftpd/ftpusers any other logins that do not need ftp.
    1. ____ /usr/bin/touch /etc/ftpd/ftpusers
    2. ____ /usr/bin/chown root:root /etc/ftpd/ftpusers
    3. ____ /usr/bin/chmod 600 /etc/ftpd/ftpusers
    4. ____ Add the administrative logins to /etc/ftpd/ftpusers
    for name in root daemon bin sys adm
    do
        echo $name >> /etc/ftpd/ftpusers
    done
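The "uid < 100" rule above is easier to apply from the password file than from memory, so here is an added example (not part of the original checklist) that generates ftpusers from it. The function names are invented, and the password file it reads is a constructed sample with HP-UX system accounts plus two ordinary users.

```shell
#!/bin/sh
# Added example, not from the original checklist. Function names invented;
# DEMO_PASSWD is a constructed password file, not the real /etc/passwd.

# ftpusers_build PASSWD [extra_login ...]  ->  the logins to deny ftp: every
# account with uid < 100, plus any extra names given, sorted and de-duplicated.
ftpusers_build() {
    passwd=$1; shift
    {
        awk -F: '$3 < 100 { print $1 }' "$passwd"
        for n in "$@"; do echo "$n"; done
    } | sort -u
}

# ftpusers_write PASSWD TARGET [extra_login ...]  ->  write TARGET, mode 600,
# from ftpusers_build's output. ftpd runs as root, so root-only is enough.
ftpusers_write() {
    passwd=$1; target=$2; shift 2
    ( umask 077; ftpusers_build "$passwd" "$@" > "$target" )
    chmod 600 "$target"
}

DEMO_PASSWD=$(mktemp)
cat > "$DEMO_PASSWD" <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
www:*:30:1::/:
oracle:*:101:101::/home/oracle:/usr/bin/sh
jsmith:*:201:20::/home/jsmith:/usr/bin/sh
EOF

DEMO_FTPUSERS=$(mktemp)
# oracle is above the uid cut-off but has no business using ftp either
ftpusers_write "$DEMO_PASSWD" "$DEMO_FTPUSERS" oracle
cat "$DEMO_FTPUSERS"
```

On the server itself the call is ftpusers_write /etc/passwd /etc/ftpd/ftpusers followed by whatever application accounts should also be kept out; rerun it whenever accounts are added.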

    Check for /etc/hosts.equiv, ~/.netrc and ~/.rhosts files. These files can grant selected users password-free access to the system, and .netrc stores passwords in clear text. There should not be any of them on your system. If you do need them, check that they are not world-writable and that they contain no "+" entry: a "+" in the host field means the system trusts every other system. Use the following command to search for these files; run it periodically and review the output.
    1. ____ /usr/bin/find / \( -name .rhosts -o -name .netrc -o -name hosts.equiv \) -exec ls -ldb {} \; -exec more {} \;
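Reading the output of that find by eye does not scale, so here is an added example (not part of the original checklist) that runs the same search over a directory tree and flags the two dangerous cases the text names: a "+" wildcard and a world-writable file. The function name is invented, and the tree it inspects is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original checklist. Function name invented;
# DEMO is a constructed directory tree, not a real file system.

# trust_files_audit ROOT  ->  one line per .rhosts/.netrc/hosts.equiv found
# under ROOT, tagged WILDCARD and/or WORLD-WRITABLE, or "ok" if neither.
# Exit 1 if any such file exists at all, since the checklist says there
# should be none; exit 0 for a clean tree.
trust_files_audit() {
    root=$1
    out=$(
        find "$root" \( -name .rhosts -o -name .netrc -o -name hosts.equiv \) -type f -print |
        while read -r f; do
            flags=""
            # a lone + in the host or user field means "trust everyone"
            if grep -Eq '(^|[[:space:]])\+([[:space:]]|$)' "$f"; then
                flags="$flags WILDCARD"
            fi
            # -perm -002: the "other" write bit is set
            if [ -n "$(find "$f" -perm -002)" ]; then
                flags="$flags WORLD-WRITABLE"
            fi
            [ -n "$flags" ] || flags=" ok"
            echo "$f:$flags"
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

DEMO=$(mktemp -d)
mkdir -p "$DEMO/home/alice" "$DEMO/home/bob" "$DEMO/home/carol" "$DEMO/etc"
printf '+ +\n' > "$DEMO/home/alice/.rhosts"                        # trusts everyone
printf 'machine ftp.example.com login bob password hunter2\n' \
    > "$DEMO/home/bob/.netrc"
chmod 666 "$DEMO/home/bob/.netrc"                                  # anyone can edit it
printf 'trusted.example.com\n' > "$DEMO/etc/hosts.equiv"           # narrow, but still a trust file
chmod 644 "$DEMO/etc/hosts.equiv"
printf 'not a trust file\n' > "$DEMO/home/carol/notes.txt"

trust_files_audit "$DEMO" || echo "(trust files present: remove them or justify each one)"
```

Run as trust_files_audit / from cron and mail the output; a non-empty report is the finding, and the tags say which files need immediate attention.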

    If you are still running inetd and allowing ftp access, log ftp sessions to /var/adm/syslog/syslog.log and set ftpd's default umask to 022.
    1. ____ /usr/bin/vi /etc/inetd.conf
    2. ____ Add -l and -u 022 to the ftpd entry (ftpd takes the umask as the argument of -u)
    ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -u 022

    Add umask 022 and TMOUT to /etc/profile. umask 022 restricts the permissions of newly created files; TMOUT limits how long a session can sit idle. Remember that a user can override umask in ~/.profile; TMOUT can be protected by marking it read-only in the same file.
    1. ____ /usr/bin/vi /etc/profile
    2. ____ insert umask 022
    3. ____ insert TMOUT=1800 (TMOUT is in seconds), followed by readonly TMOUT so that ~/.profile cannot unset it

    Statutory Warnings

    Add a warning message stating that the machine is for authorized use only and that all activity is subject to monitoring. Such a warning is believed to aid the prosecution of computer crimes involving the machine; consult legal counsel about its wording. The following is an example of one such message.

    This system is the property of the Company ABC. All activities
    on this system are subject to monitoring for illegal or unauthorized activity.
    Anyone using this system expressly consents to such monitoring and is advised
    that if monitoring reveals possible improper or criminal activity, system
    personnel may provide the evidence of such monitoring to authorities.

    1. ____ /usr/bin/touch /etc/issue
    2. ____ /usr/bin/touch /etc/motd
    3. ____ /usr/bin/chown root:root /etc/issue
    4. ____ /usr/bin/chown root:sys /etc/motd
    5. ____ /usr/bin/chmod 644 /etc/issue
    6. ____ /usr/bin/chmod 644 /etc/motd
    7. ____ copy the warning message into /etc/issue and /etc/motd
    8. ____ /usr/bin/vi /etc/inetd.conf *
    9. ____ add -b /etc/issue to the end of the telnetd entry so the banner is shown before the login prompt
    telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue

    * This assumes you are running inetd. If not, disregard this step.


    Sendmail Configuration

    Sendmail is very often a security risk, so it is important to run the newest version, or at least a fully patched one. Since most machines only need to send mail out to a relay host, most of sendmail's functionality can be disabled. You can download the latest version of sendmail from http://www.sendmail.org.
    1. ____ replace the existing /etc/mail/sendmail.cf with the following minimal client configuration [14]. Each comment under "Define macros" must be followed by the matching definition for your site (the mail hub's host name is the one that matters; the version string, local host name, operator characters, sender address format and queue directory follow). The fields of each R line are separated by tabs.
    # Minimal client sendmail.cf
    ### Define macros
    # define the mail hub – Put hostname for local site here.
    # define version
    # my name for error messages
    # UNIX initial From header format
    DlFrom $g $d
    # delimiter (operator) characters (old $o macro)
    # From of the sender’s address
    # queue directory
    ### Mailer Delivery Agents
    # Mailer to forward mail to the hub machine
    Mhub, P=[IPC], S=0, R=0, F=mDFMuCX, A=IPC $h
    # Sendmail requires these, but they are not used
    Mlocal, P=/dev/null, F=rlsDFMmnuP, S=0, R=0, A=/dev/null
    Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0, A=/dev/null
    ### Rule sets
    # ruleset 0: everything goes to the hub
    S0
    R@$+ $#error $: Missing user
    R$+ $#hub $@$R $:$1 forward to hub
    # ruleset 3: minimal address canonicalization
    S3
    R$*<>$* $n handle <> error address
    R$*<$*>$* $2 basic RFC822 parsing

    Since you have removed sendmail from the startup scripts, schedule a cron job to run sendmail once an hour so that queued mail gets delivered.
    1. ____ crontab -e
    2. ____ add the following lines
    ## run the sendmail queue once an hour
    0 * * * * /usr/sbin/sendmail -q

    Installation of TCP_WRAPPERS

    Build on the machine that has the compiler and carry the results over.
    1. ____ Download from ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
    2. ____ /usr/contrib/bin/gzip -dc tcp_wrappers_7.6.tar.gz | tar xvf -
    3. ____ cd tcp_wrappers_7.6
    4. ____ /usr/bin/chmod 644 Makefile
    5. ____ /usr/bin/vi Makefile
    6. ____ uncomment the REAL_DAEMON_DIR line that refers to HP-UX (the network daemons live in /usr/lbin)
    7. ____ Add -DUSE_GETDOMAIN to the BUGS macro definition if not running NIS
    8. ____ make hpux
    9. ____ /usr/bin/mkdir -p -m 755 /usr/local/sbin
    10. ____ /usr/bin/mkdir -p -m 755 /usr/local/include
    11. ____ /usr/bin/mkdir -p -m 755 /usr/local/lib
    12. ____ Install the binaries
    for file in safe_finger tcpd tcpdchk tcpdmatch try-from
    do
        cp $file /usr/local/sbin/$file
        chmod 555 /usr/local/sbin/$file
        chown root:daemon /usr/local/sbin/$file
    done
    13. ____ /usr/bin/cp tcpd.h /usr/local/include/tcpd.h
    14. ____ /usr/bin/chmod 444 /usr/local/include/tcpd.h
    15. ____ /usr/bin/chown root:daemon /usr/local/include/tcpd.h
    16. ____ /usr/bin/cp libwrap.a /usr/local/lib/libwrap.a
    17. ____ /usr/bin/chmod 555 /usr/local/lib/libwrap.a
    18. ____ /usr/bin/chown root:daemon /usr/local/lib/libwrap.a

    Installation of Perl

    1. ____ Download the depot from the HP-UX software porting site
    2. ____ /usr/contrib/bin/gunzip perl-5.6.0-sd-11.00.depot.gz
    3. ____ /usr/sbin/swinstall -s perl-5.6.0-sd-11.00.depot \*

    Installation of ZLIB

    1. ____ Download the depot from http://hpux.connect.org.uk/hppd/hpux/Misc/zlib-1.1.3/
    2. ____ /usr/contrib/bin/gunzip zlib-1.1.3-sd-11.00.depot.gz
    3. ____ /usr/sbin/swinstall -s /conv/tara/zlib-1.1.3-sd-11.00.depot \*

    Installation of OPENSSL

    Installation of OPENSSL needs Perl v5 installed on server.
    1. ____ Download software from http://hpux.connect.org.uk/hppd/hpux/Languages/openssl-0.9.6/
    2. ____ /usr/contrib/bin/gunzip openssl-0.9.6-sd-11.00.depot.gz
    3. ____ /usr/sbin/swinstall -s /conv/tara/openssl-0.9.6-sd-11.00.depot \*

    Installation of OPENSSH

    Telnet, rlogin, ftp and related programs send the user's password across the network unencrypted. OpenSSH solves this by establishing an encrypted, authenticated connection between two hosts over an untrusted network. It replaces telnet, rlogin and remsh for interactive access.

    1. ____ Download software from
    2. ____ /usr/contrib/bin/gunzip openssh-2.5.1p1-sd-11.00.depot.gz
    3. ____ /usr/sbin/swinstall -s /conv/tara/openssh-2.5.1p1-sd-11.00.depot \*

    Configuration of TCP-WRAPPERS and OPENSSH

    1. ____ Create the access control files
    for file in /etc/hosts.allow /etc/hosts.deny
    do
        /usr/bin/touch $file
        /usr/bin/chown root:root $file
        /usr/bin/chmod 600 $file
    done
    2. ____ /usr/bin/echo 'ALL: net1, net2, ...' > /etc/hosts.allow
    replace net1, net2 with the IP addresses (or networks) of the machines that you want to grant access to
    3. ____ /usr/bin/echo 'ALL: ALL: /usr/bin/mailx -s "%s: connection attempt from %a" ' > /etc/hosts.deny
    replace with the email address of the administrator (the mailx recipient, after the subject). Check both files with /usr/local/sbin/tcpdchk, and try a specific daemon and client with /usr/local/sbin/tcpdmatch, before relying on them.
    4. ____ /usr/bin/cp /opt/openssh/etc/sshd_config /etc/rc.config.d/sshd_config
    Note that /etc/rc.config reads every file in /etc/rc.config.d as a shell script at boot, so an sshd_config kept there produces a "not found" error for each directive during startup. Keeping the file under /opt/openssh2/etc and pointing the startup script at that path avoids this.
    5. ____ Modify /etc/rc.config.d/sshd_config [14]
    Port 22
    Protocol 2,1
    PidFile /opt/openssh2/etc/sshd.pid
    HostKey /opt/openssh2/etc/ssh_host_key
    HostDSAKey /opt/openssh2/etc/ssh_host_dsa_key
    ServerKeyBits 1024
    LoginGraceTime 180
    KeyRegenerationInterval 900
    PermitRootLogin no
    IgnoreRhosts yes
    IgnoreUserKnownHosts yes
    StrictModes yes
    X11Forwarding yes
    PrintMotd no
    KeepAlive no
    SyslogFacility AUTH
    LogLevel INFO
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication yes
    PasswordAuthentication yes
    PermitEmptyPasswords no
    CheckMail no
    UseLogin no
    Protocol 2,1 keeps SSH-1 available for old clients; SSH-1 has known protocol weaknesses, so change this to Protocol 2 as soon as every client supports it. X11Forwarding is not needed on a server without X; set it to no.
    6. ____ /usr/bin/chown root:root /etc/rc.config.d/sshd_config
    7. ____ /usr/bin/chmod 600 /etc/rc.config.d/sshd_config
    8. ____ Generate server key files
    ____ /opt/openssh2/bin/ssh-keygen -b 1024 -N '' -f /opt/openssh2/etc/ssh_host_key
    ____ /opt/openssh2/bin/ssh-keygen -d -N '' -f /opt/openssh2/etc/ssh_host_dsa_key
    9. ____ create the sshd startup script (see Appendix D for an example)
    10. ____ move the script to /sbin/init.d/sshd
    11. ____ /usr/bin/chown root:sys /sbin/init.d/sshd
    12. ____ /usr/bin/chmod 744 /sbin/init.d/sshd
    13. ____ /usr/bin/ln -s /sbin/init.d/sshd /sbin/rc2.d/S75sshd
    14. ____ /sbin/init.d/sshd start
    15. ____ /usr/bin/vi /etc/inetd.conf *
    16. ____ modify the ftp entry to go through tcp_wrappers *
    ftp stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/ftpd ftpd -l -u 022
    17. ____ modify the telnet entry to go through tcp_wrappers *
    telnet stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/telnetd telnetd -b /etc/issue
    18. ____ /usr/sbin/inetd -c so that inetd rereads the file *

    * If this system has been configured not to run inetd then you can disregard these steps.
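The sshd_config in step 5 is worth a second look before it goes live, and again after every OpenSSH upgrade. Here is an added example (not part of the original checklist) of a small lint pass that flags the directives a reviewer would question, run first over a configuration mirroring step 5 and then over the tightened version. The function name is invented; both configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original checklist. Function name invented;
# WEAK and STRONG are constructed sshd_config files.

# sshd_lint CONFIG  ->  one line per questionable directive; exit 1 if any.
# Directive names are case-insensitive in sshd_config, so compare lowercased.
sshd_lint() {
    awk '
        /^[ \t]*#/ || !NF { next }
        { key = tolower($1); val = tolower($2) }
        key == "protocol" && val ~ /(^|,)1(,|$)/ {
            print "SSH-1 enabled:", $0; n++ }
        key == "permitrootlogin" && val != "no" {
            print "root may log in over ssh:", $0; n++ }
        key == "permitemptypasswords" && val == "yes" {
            print "empty passwords accepted:", $0; n++ }
        key ~ /^rhosts(rsa)?authentication$/ && val == "yes" {
            print "rhosts trust enabled:", $0; n++ }
        key == "x11forwarding" && val == "yes" {
            print "X11 forwarding on (needless on a headless server):", $0; n++ }
        END { exit (n ? 1 : 0) }
    ' "$1"
}

WEAK=$(mktemp); STRONG=$(mktemp)
cat > "$WEAK" <<'EOF'
# constructed: the settings from step 5 that the lint looks at
Port 22
Protocol 2,1
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
RhostsAuthentication no
RhostsRSAAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no
EOF
# the tightened version: SSH-2 only, no X11 forwarding
sed -e 's/^Protocol .*/Protocol 2/' -e 's/^X11Forwarding .*/X11Forwarding no/' \
    "$WEAK" > "$STRONG"

echo "--- as in step 5";  sshd_lint "$WEAK"   || echo "(review the lines above)"
echo "--- tightened";     sshd_lint "$STRONG" && echo "(nothing flagged)"
```

The checks are deliberately few and loud; add a line for each further directive your site policy fixes, and keep the list next to the configuration so both get reviewed together.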


    Installation of LSOF

    lsof lists the files, sockets and other descriptors opened by each process, along with a large amount of related information, and can select by process ID, user name or file name. Seeing which process holds a listening socket is the quickest way to confirm that the service pruning above took effect.

    32-bit kernel:
    1. ____ Download the 32-bit version from the HP-UX software porting site, http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.55/
    2. ____ /usr/contrib/bin/gunzip lsof-4.51-sd-11.00.depot.gz
    3. ____ /usr/sbin/swinstall -s lsof-4.51-sd-11.00.depot \*

    64-bit kernel:
    1. ____ The 64-bit binaries can be found at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/binaries/hpux/B.11.00/64/9000_800/
    2. ____ /usr/contrib/bin/gunzip lsof_4.55.gz
    3. ____ /usr/bin/mkdir -p /opt/lsof/bin
    4. ____ /usr/bin/mv lsof_455 /opt/lsof/bin/lsof


    Create a Golden Image

    Use make_tape_recovery to create a bootable system recovery tape for an LVM or whole-disk system while it is up and running. When a system has a logical volume layout, the recovery tape only includes data from the root volume group, plus data from any non-root volume group containing /usr. Data outside the root volume group must be backed up and recovered with the normal backup utilities. This golden image can be used to restore a non-bootable system with little or no user intervention, to restore a system after a hardware failure, or to clone software from one system to another.

    make_tape_recovery is part of the Ignite-UX product. It can be downloaded from www.software.hp.com/products/IUX/download.html. More detailed installation instructions can be found at www.software.hp.com/products/IUX/install_instructions.html.

    Installing Ignite-UX
    1. ____ Download the software from www.software.hp.com/products/IUX/download.html
    2. ____ Copy ignite11_11.00.tar to /tmp
    3. ____ /usr/bin/bdf – make sure you have at least 50 MB of free space in /opt
    4. ____ /usr/sbin/swinstall -s /tmp/ignite11_11.00.tar \*

    Create a golden image
    5. ____ /opt/ignite/bin/make_tape_recovery -AvC -d /dev/rmt/0m
    Make the image once the hardening is complete and again after each patch cycle, and store the tape with the backups (see Physical Security).

    Physical Security

    It is extremely important that a unix server be placed in a secure environment. It is a fact that anyone who has physical access to the machine can fairly easily gain root access.

    1. ____ The server should be installed in a locked environmentally controlled data center with restricted access to the server.
    2. ____ If possible the data center should have cameras installed to monitor all activity.
    3. ____ The keyboard should be situated away from any cameras, windows or prying eyes.
    4. ____ The system should be attached to a UPS with monitoring software that will shutdown the server when power to the UPS has
    been interrupted.
    5. ____ Backup tapes should be kept in a secure environment.

    APPENDIX A – HP-UX 11.0 Supported Systems
    Model 32-bit 64-bit
    Series 700: 712, 715/64/80/100/100XC, 725/100 X
    B132L, B132L+, B160L, B180L X
    B1000, B2000 X
    C100, C110, C160L X
    C160, C180, C180XP, C200, C240, C360 X X
    C3000, C3600 X
    J200, J210, J210XC X
    J280, J282, J2240 X X
    J5000, J5600, J6000, J7000 X
    A180, A180C X
    A400, A5xx X
    Dx10, Dx20, Dx30, Dx50, Dx60 X
    Dx70, Dx80, Dx90 X X
    E, F, G, H, I (all) X
    Kx00, Kx10, Kx20 X
    Kx50, Kx60, Kx70, Kx80 X X
    L1000, L2000, L3000 X
    N4000/360, N4000/440, N4000/550 X
    R380, R390 X X
    T500, T520 X
    T6xx X X
    V22xx, V2500, V2600 X
    Enterprise Parallel Servers: EPS22, EPS23, EPS40 X X

    APPENDIX B – Network Parameters [5]

    ip_send_redirects – set to 0, stops the machine emitting ICMP redirect packets. Under normal operation this has no significant security implications, but a server that is not a router has no reason to send them.

    ip_ire_flush_interval and arp_cleanup_interval – control how long entries live in the system's ARP cache, which maps Ethernet addresses to IP addresses. Check the current values with ndd -get /dev/ip ip_ire_flush_interval and ndd -get /dev/arp arp_cleanup_interval before changing them. Lowering these values can help against some ARP spoofing attacks, but at the cost of more ARP traffic on your LAN and possibly reduced performance. Think carefully before you change these variables.

    ip_forward_directed_broadcast – set to 0, stops the machine forwarding packets destined for a broadcast network address. If the machine routes between several networks, this keeps it from being used as the amplifier in a "smurf" attack. The machine will still respond to broadcast packets directed at any LAN it is connected to.

    ip_forward_src_routed – set to 0, prevents the machine from forwarding any packet that has the source routing option set.

    ip_forwarding – set to 0, prevents the machine from accepting and forwarding packets that are not destined for one of its own interface addresses. Attackers can use a forwarding host to bypass other network security measures.

    tcp_ip_abort_cinterval – how long (in milliseconds) the kernel waits for a TCP connection to complete. Tuning this value down helps the system resist SYN flooding attacks.

    You can use the following commands to view and set network parameters.
    ndd -h sup – display all the parameters that are supported by HP.
    ndd -h unsup – display all the parameters that are not supported by HP. Be careful modifying these!
    ndd -c – apply the tunable parameters listed in /etc/rc.config.d/nddconf

    APPENDIX C – Example secure /etc/fstab

    /dev/vg00/lvol3 / hfs defaults 0 1
    /dev/vg00/lvol1 /stand hfs nosuid 0 1
    /dev/vg00/lvol4 /tmp hfs defaults 0 2
    /dev/vg00/lvol5 /home hfs nosuid 0 2
    /dev/vg00/lvol6 /opt hfs ro 0 2
    /dev/vg00/lvol7 /usr hfs ro 0 2
    /dev/vg00/lvol8 /var hfs nosuid 0 2

    APPENDIX D – Sample SSHD Startup Script

    #!/sbin/sh
    # start up secure shell daemon - sshd
    PATH=/usr/sbin:/usr/bin:/sbin; export PATH
    rval=0
    case $1 in
    start_msg) echo "Starting the sshd" ;;
    stop_msg)  echo "Stopping the sshd" ;;
    start)
        if [ -f /etc/rc.config.d/sshd_config ]; then
            /opt/openssh2/sbin/sshd -f /etc/rc.config.d/sshd_config; rval=$?
        else
            echo "ERROR: /etc/rc.config.d defaults file MISSING"; rval=2
        fi ;;
    stop)  kill `cat /opt/openssh2/etc/sshd.pid`; rval=$? ;;
    *)     echo "usage: $0 {start|stop|start_msg|stop_msg}"; rval=1 ;;
    esac
    exit $rval


    1. Poniatowski, Marty. HP-UX 10.x SYSTEM ADMINISTRATION “HOW TO” BOOK. Upper Saddle: Prentice Hall PTR, 1996. 1-383.

    2. Frisch, Aeleen. Essential System Administration Second Edition. Sebastopol: O’Reilly & Associates, Inc, December 1995. 1-758.

    3. Hassell, Bill and Totsch, David. “HP-UX SysAdmin Training Camp”. HPWorld ’99 August 1999.

    4. Farrow, Rik. “HP-UX and Internet Security”. HPWORLD ’98 August 1998.

    5. Brotzman, Lee and Pomeranz, Hal. “UNIX Practicum”. SANS Institute, February 2001.

    6. Pomeranz, Hal. “Common Issues and Vulnerabilities in UNIX Security”. SANS Institute, February 2001.

    7. Bishop, Matt. “UNIX Security Tools and Their Uses”. SANS Institute, February 2001.

    8. Netsysco Infrastructure Services. “Networking for System Administrators”

    9. HP-UX 11.0 Installation and Update Guide March 2001, HP Part Number: 5971-0642. http://www.docs.hp.com/hpux/onlinedocs/5971-0642/5971-0642.html

    10. Installing and Updating HP-UX 11.0 Additional Core Enhancements. November 1999, HP Part Number: B3782-90785

    11. HP-UX System Administration Tasks , First Edition. January 1995, HP Part Number: B2355-90672

    12. Campione, Jeff. “Solaris 8 Installation Checklist”, http://www.sans.org/y2k/practical/Jeff_Campione_GUCX.htm

    13. Rhoads, Jason. “HP-UX Security Guide”, http://www.sabernet.net/papers/hp-ux10.html

    14. The SANS Institute. “Solaris Security Step by Step Version 2”