Eric's Tech Notes: securing-solaris

Some steps towards securing Solaris 10:

To list services:

	# inetadm

• Tell Solaris not to listen on port 25:

  	# svccfg -s svc:/network/smtp:sendmail setprop config/local_only = true
  	# svcadm refresh svc:/network/smtp:sendmail
  

• Disable vulnerable services:

  	# inetadm -d ftp
  	# inetadm -d telnet
  	# inetadm -d finger
  

• Disable Berkeley r* services:

  	# inetadm -d rlogin
  	# inetadm -d rstat
  	# inetadm -d rusers
  	# inetadm -d svc:/network/shell:default
  

• Disable NFS quota reporting stuff:

  	# inetadm -d rquota
  

• Disable the "submission" mail protocol, edit /etc/mail/sendmail.cf and comment out:

  	O DaemonPortOptions=Port=587, Name=MSA, M=E
  

• Write an ipf firewall script (/etc/ipf/ipf.conf):

  	# ipf.conf that passes everything:
  
  	pass in quick on bge0 all
  	pass out quick on bge0 all
  	pass in quick on lo0 all
  	pass out quick on lo0 all
  

  ---

  	# ipf.com to do simple firewalling for unix server:
  
  	# Block any packets which are too short to be real
  	block in log quick all with short
  	#
  	# drop and log any IP packets with options set in them.
  	block in log all with ipopts
  	#
  	# Allow all traffic on loopback interface
  	pass in quick on lo0 all
  	pass out quick on lo0 all
  	#
  	# Public Network.   Block everything not explicity allowed.
  	block in  on bge0 all
  	block out on bge0 all
  	#
  	# Allow pings out.
  	pass out quick on bge0 proto icmp all keep state
  	#
  	# Allow all ICMP:
  	pass in quick on bge0 proto icmp from 0/0 to 0/0
  	#
  	# Allow outbound state related packets.
  	pass out quick on bge0 proto tcp/udp from any to any keep state
  	#
  	# allow ssh from 192.168.1.0/24 only:
  	pass in log quick on bge0 from 192.168.1.0/24 to 192.168.1.77/32 port = 22
  	#
  	# allow Oracle access from 192.168.2.0/24 only:
  	pass in log quick on bge0 from 192.168.2.0/24 to 192.168.1.77/32 port = 1521
  	#
  	# allow Web access from 192.168.1.0/24 only:
  	pass in log quick on bge0 from 192.168.1.0/24 to 192.168.1.77/32 port = 80
  

• Activate the ipf firewall on the desired interfaces by un-commenting them from /etc/ipf/pfil.ap:

  	#ce     -1      0       pfil
  	bge     -1      0       pfil
  	#be     -1      0       pfil
  

• Enable ipf firewall:

  	# svcadm enable network/ipfilter
  

• Install the freeware program "sudo". If you want sysadmins to be able to get root access without a password, add the following lines to /etc/sudoers:

  	root    ALL=(ALL) ALL
  	bob     ALL=(ALL) NOPASSWD: ALL
  

  Admins can then access a "root" shell by logging in as themselves and typing:

  	$ sudo bash
  	Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
  	#
  

• Disable "root" SSH logins, edit "PermitRootLogin" in /etc/ssh/sshd_config.

  	PermitRootLogin no
  

Find an error or omission? Sorry about that! Please e-mail Eric at eric@ericshalov.com and let him know!

All of Eric's Tech Notes are provided on an as-is basis, and may contain errors or omissions. No statement is made as to thier suitability for any particular purpose, and no warranty is given. Use at your own risk! All trademarks are the property of their respective owners.
No duplication of the above information is permitted without prior written permission of the author(s).
©Copyright 2007 Eric Shalov. All Rights Reserved.

Last modified Monday, 17th August, 2009 @ 10:55pm