FTP, FTP Blockade not Working (SOLVED) and Persistent IPS Flag Eventually Deteriorates Agent State (Unsolved)
I'd like to know how I can prevent FTP / Telnet access on UNIX / AIX servers. Apparently there are some special configurations needed for SCSP prevention to work on UNIX servers, as mentioned in the release notes here:
On UNIX operating systems, the inetd daemon handles the initial network
connection of some services, such as telnet, ftp, and rlogin, before the services
are started. In the IPS policies, you can control the network connections for such
services only by using the inetd pset. You cannot control the network connections
from the service's own pset. By default, the inbound network rules for the inetd
pset allow connections to the following ports: ftp (21), lp (515), telnet (23),
unix-rexec (512), unix-rlogin (513), unix-rsh (514), and tftp (69).
Update 4/28/2012 - Issue solved.
Solution - We managed to solve this by going into Daemon Options >> Inet Daemon >> Advanced Options >> Network Controls >> Inbound.
We placed Telnet and FTP into this, hence this works.
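As an added example (not part of the original post or of SCSP), the script below parses a constructed AIX-style inetd.conf snippet and lists the enabled services that fall under the inetd pset, so an administrator can verify which services must be controlled through Inet Daemon >> Network Controls rather than through the service's own pset. The service names (ftp, telnet, exec, login, shell, tftp) are the usual inetd.conf names for the ports quoted above; the mapping is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample of an AIX-style /etc/inetd.conf; '#' lines are disabled.
INETD_CONF='ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
#shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
#login   stream  tcp6    nowait  root    /usr/sbin/rlogind   rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
#tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd     tftpd -n
'

# Ports the inetd pset allows inbound by default, per the quoted release note.
# Keyed by the service name as it appears in inetd.conf (assumed mapping).
port_for() {
  case "$1" in
    ftp)     echo 21 ;;   # ftp
    telnet)  echo 23 ;;   # telnet
    exec)    echo 512 ;;  # unix-rexec
    login)   echo 513 ;;  # unix-rlogin
    shell)   echo 514 ;;  # unix-rsh
    printer) echo 515 ;;  # lp
    tftp)    echo 69 ;;   # tftp
    *)       echo "" ;;   # not handled by the inetd pset defaults
  esac
}

# Print "service port" for each enabled inetd service covered by the inetd
# pset; these cannot be blocked from the service's own pset.
inetd_pset_services() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;   # skip blank and commented-out (disabled) entries
    esac
    svc=$(printf '%s' "$line" | awk '{print $1}')
    port=$(port_for "$svc")
    if [ -n "$port" ]; then
      printf '%s %s\n' "$svc" "$port"
    fi
  done
}

inetd_pset_services "$INETD_CONF"
```

On a live host, replace the constructed snippet with `$(cat /etc/inetd.conf)` to see what inetd actually still accepts before applying the inbound rule.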
Issue 2 (Persistent Red Flag Eventually Deteriorates Agent State to Offline)
We have discovered that a red flag issue happens after IPS is enabled and eventually deteriorates the Agent state to Offline. We have gotten full rights for the system and yet the red flag still appears. This red flag only shows up when we attempt to apply IPS policies to this particular server, whereas IDS policies work fine.
Every time we reboot the server, the flag goes away. Obviously this is not a solution, as we can't expect the customer to reboot every time a new policy is deployed. So basically what happens is:
1) Reboot server (No Flag)
2) Apply IPS Policy with the "Disable prevention" option checked (Flag appears)
3) Refresh a couple of times (Flag disappears)
4) Apply IPS policy with the "Disable prevention" option UNchecked (Flag appears)
5) Refresh multiple times (Flag remains)
6) Apply any further IPS policies with or without prevention (Flag remains)
So it seems that we have an issue with prevention-enabled IPS policies. We have tried the same steps with a different server, but it worked perfectly fine (both running on AIX 6.1).