How do I secure a Solaris 10 server?

Some steps towards securing Solaris 10:

  • To list services:
            # inetadm
    
  • Tell Solaris not to listen on port 25:
            # svccfg -s svc:/network/smtp:sendmail setprop config/local_only = true
            # svcadm refresh svc:/network/smtp:sendmail
    
  • Disable vulnerable services:
            # inetadm -d ftp
            # inetadm -d telnet
            # inetadm -d finger
    
  • Disable Berkeley r* services:
            # inetadm -d rlogin
            # inetadm -d rstat
            # inetadm -d rusers
            # inetadm -d svc:/network/shell:default
    
  • Disable NFS quota reporting stuff:
            # inetadm -d rquota
    
  • Disable the “submission” mail protocol (port 587): edit /etc/mail/sendmail.cf
    and comment out this line:

            O DaemonPortOptions=Port=587, Name=MSA, M=E
    
  • Write an ipf firewall rule set (/etc/ipf/ipf.conf). The first example
    passes everything; the second does simple firewalling for a unix server:

            # ipf.conf that passes everything:
    
            pass in quick on bge0 all
            pass out quick on bge0 all
            pass in quick on lo0 all
            pass out quick on lo0 all
    

            # ipf.conf to do simple firewalling for unix server:
    
            # Block any packets which are too short to be real
            block in log quick all with short
            #
            # drop and log any IP packets with options set in them.
            block in log all with ipopts
            #
            # Allow all traffic on loopback interface
            pass in quick on lo0 all
            pass out quick on lo0 all
            #
            # Public Network.   Block everything not explicitly allowed.
            block in  on bge0 all
            block out on bge0 all
            #
            # Allow pings out.
            pass out quick on bge0 proto icmp all keep state
            #
            # Allow all ICMP:
            pass in quick on bge0 proto icmp from 0/0 to 0/0
            #
            # Allow outbound state related packets.
            pass out quick on bge0 proto tcp/udp from any to any keep state
            #
            # allow ssh from 192.168.1.0/24 only (port comparisons need a
            # protocol; keep state lets the rest of the connection through):
            pass in log quick on bge0 proto tcp from 192.168.1.0/24 to 192.168.1.77/32 port = 22 keep state
            #
            # allow Oracle access from 192.168.2.0/24 only:
            pass in log quick on bge0 proto tcp from 192.168.2.0/24 to 192.168.1.77/32 port = 1521 keep state
            #
            # allow Web access from 192.168.1.0/24 only:
            pass in log quick on bge0 proto tcp from 192.168.1.0/24 to 192.168.1.77/32 port = 80 keep state
    
  • Activate the ipf firewall on the desired interfaces by un-commenting their
    lines in /etc/ipf/pfil.ap (here only bge is active):

            #ce     -1      0       pfil
            bge     -1      0       pfil
            #be     -1      0       pfil
    

  • Enable ipf firewall:
            # svcadm enable network/ipfilter
    
  • Install the freeware program “sudo”. If you want sysadmins to be able to
    get root access without a password, add the following lines to /etc/sudoers:

            root    ALL=(ALL) ALL
            bob     ALL=(ALL) NOPASSWD: ALL
    

    Admins can then access a “root” shell by logging in as themselves and
    typing:

            $ sudo bash
            Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
            #
    
  • Disable “root” SSH logins by setting “PermitRootLogin” in /etc/ssh/sshd_config:
            PermitRootLogin no
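
    Once these steps are done it is worth checking that they actually took.
    The following audit script is an added example, not part of the original
    page: it checks the inetadm listing for services the steps above disable,
    checks that the first effective PermitRootLogin directive is “no”, and
    flags ipf rules that compare a port without naming a protocol. The
    functions read from stdin so they run here on constructed sample data;
    on a real host pipe in `inetadm`, /etc/ssh/sshd_config and
    /etc/ipf/ipf.conf instead. The FMRIs in the sample are constructed to
    look like a Solaris 10 listing.

```shell
#!/bin/sh
# Added audit helper for the hardening steps above (example code, not from
# the original page). Sample inputs at the bottom are constructed.

# Service and instance names the steps above disable with "inetadm -d".
RISKY_SERVICES='ftp telnet finger rlogin rstat rusers shell rquota'

# Read inetadm output (columns: ENABLED STATE FMRI) on stdin and print the
# FMRI of every risky service that is still enabled. A line matches when
# either the service name (last path element) or the instance name after
# the final ":" is in RISKY_SERVICES, so svc:/network/login:rlogin and
# svc:/network/rpc/rquota:default are both caught.
risky_enabled_services() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        $1 == "enabled" {
            fmri = $3
            split(fmri, parts, ":")        # "svc", "/network/login", "rlogin"
            service  = parts[2]
            instance = parts[3]
            sub(/^.*\//, "", service)      # keep only the last path element
            if (service in want || instance in want) print fmri
        }'
}

# Return 0 when root SSH logins are disabled. sshd honours the first
# occurrence of a keyword, so only the first uncommented PermitRootLogin
# line counts; no line at all means the compiled-in default applies, which
# is reported as a finding so the admin sets it explicitly.
root_ssh_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    [ "$val" = "no" ]
}

# Print ipf rules that compare a port but name no protocol. ipf port
# comparisons only apply to TCP/UDP, so such a rule does not do what the
# author meant; the "proto tcp" form above is the corrected one.
ipf_port_rules_without_proto() {
    awk '/^[ \t]*#/ { next }
         /port[ \t]*(=|!=|<|>)/ && !/proto/ { print }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_INETADM='ENABLED   STATE          FMRI
enabled   online         svc:/network/telnet:default
disabled  disabled       svc:/network/ftp:default
enabled   online         svc:/network/login:rlogin
enabled   online         svc:/network/rpc/rquota:default
disabled  disabled       svc:/network/finger:default
enabled   online         svc:/network/ssh:default'

SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
Protocol 2
PermitRootLogin no
#PermitRootLogin yes'

SAMPLE_IPF_CONF='pass in quick on lo0 all
pass in log quick on bge0 from 192.168.1.0/24 to 192.168.1.77/32 port = 22
pass in log quick on bge0 proto tcp from 192.168.1.0/24 to 192.168.1.77/32 port = 80 keep state'

# Report findings for the samples. On a real host replace the printf
# pipelines with "inetadm |", "< /etc/ssh/sshd_config" and "< /etc/ipf/ipf.conf".
printf '%s\n' "$SAMPLE_INETADM" | risky_enabled_services \
    | sed 's/^/FINDING: still enabled: /'
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | root_ssh_login_disabled \
    || echo 'FINDING: root SSH login not disabled'
printf '%s\n' "$SAMPLE_IPF_CONF" | ipf_port_rules_without_proto \
    | sed 's/^/FINDING: ipf port rule without proto: /'
```

    On the sample data the script reports telnet, rlogin and rquota as still
    enabled and flags the ssh rule that lacks "proto tcp"; the sshd check
    passes because the first uncommented directive is "no".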
    