
Solaris

Installing Solaris 8

Installing Solaris 8 was fairly easy. Nevertheless I am not really satisfied with some of the defaults. Here is a list of things I like to change:
  • in /etc/passwd, change root's home directory from / to /root and create that directory (mkdir /root; chmod 700 /root)!
  • here is my .profile (for bash):
      set -o vi
      source ~/.alias

      export PATH=/usr/sbin:/usr/local/bin:/usr/ccs/bin:$PATH
      export LD_LIBRARY_PATH=/usr/local/lib
  • disable the automounting of home directories if you don't need it: in /etc/auto_home, comment out the +auto_home line (it pulls in the NIS/NIS+ map of the same name), or disable autofs altogether (see the rc scripts below)
  • if you are used to /home, you might want to do: umount /home; rmdir /home; ln -s /export/home /home (while autofs is still running, /home is its mount point and the umount will not stick)
  • Install OpenSSH
  • After installing the necessary packages, follow: Instructions to get OpenSSH running
  • Switch off all the services in /etc/inetd.conf that you don't need (see also under Solaris 7 further down)
  • Go into /etc/rcX.d and disable everything you don't need (nfs, sendmail, snmp, lpsched, ...)!
  • I disabled the following (the rc runner only executes files whose names start with an upper-case S or K, so lower-casing the first letter switches a script off without deleting it; S15nfs.server, S76snmpdx, S77dmi and S80mipagent live in /etc/rc3.d, the rest in /etc/rc2.d):
      mv S99dtlogin s99dtlogin
      mv S90wbem s90wbem
      mv S85power s85power
      mv S80spc s80spc
      mv S80lp s80lp
      mv S76nscd s76nscd
      mv S74autofs s74autofs
      mv S73nfs.client s73nfs.client
      mv S72slpd s72slpd
      mv S71rpc s71rpc
      mv S71ldap.client s71ldap.client
      mv S40llc2 s40llc2
      mv K28nfs.server k28nfs.server
      mv S15nfs.server s15nfs.server
      mv S88sendmail s88sendmail
      mv S76snmpdx s76snmpdx
      mv S77dmi s77dmi
      mv S80mipagent s80mipagent

      touch /etc/notrouter switches IP forwarding off! (/etc/init.d/inetinit looks for that file at boot and sets ip_forwarding to 0; without it, a machine with more than one interface forwards packets between them.)
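To disable a whole list of rc scripts in one go, and to see afterwards what is still enabled, here is a small shell function (an added example, not code from this page): it relies on the same fact as the mv commands above, namely that /sbin/rc2 and friends only run files whose names start with an upper-case S or K. RC_BASE is an assumption of the example so that it can be tried on a scratch copy of the rc directories; on a real box it is /etc and the functions need root.

```shell
#!/bin/sh
# Added example, not from the page. RC_BASE is an assumption so the functions can be
# exercised on a scratch copy of the rc directories; on a real machine it is /etc.
RC_BASE=${RC_BASE:-/etc}

# disable_rc <rcdir> <script>...   e.g.  disable_rc rc2.d S88sendmail S76nscd
# Lower-cases the leading S or K so the rc runner skips the script while the file
# stays in place for re-enabling. Idempotent; returns 1 if a name was not found
# or is not an S/K script.
disable_rc() {
    dir="$RC_BASE/$1"; shift
    status=0
    for s in "$@"; do
        case "$s" in
            S*|K*) lower=`echo "$s" | sed -e 's/^S/s/' -e 's/^K/k/'` ;;
            *) echo "disable_rc: $s is not an S or K script" >&2; status=1; continue ;;
        esac
        if [ -f "$dir/$s" ]; then
            mv "$dir/$s" "$dir/$lower" && echo "disabled $dir/$s"
        elif [ -f "$dir/$lower" ]; then
            echo "$dir/$s is already disabled"
        else
            echo "disable_rc: $dir/$s not found" >&2; status=1
        fi
    done
    return $status
}

# enable_rc <rcdir> <script>...: the reverse, for when you disabled too much
enable_rc() {
    dir="$RC_BASE/$1"; shift
    for s in "$@"; do
        lower=`echo "$s" | sed -e 's/^S/s/' -e 's/^K/k/'`
        [ -f "$dir/$lower" ] && mv "$dir/$lower" "$dir/$s" && echo "enabled $dir/$s"
    done
    return 0
}

# list_enabled <rcdir>: the scripts that will still run from that directory
list_enabled() {
    ls "$RC_BASE/$1" | grep '^[SK]'
}

# Usage on a Solaris 8 box (as root), matching the list above:
#   disable_rc rc2.d S99dtlogin S90wbem S85power S80spc S80lp S76nscd S74autofs \
#              S73nfs.client S72slpd S71rpc S71ldap.client S40llc2 K28nfs.server S88sendmail
#   disable_rc rc3.d S15nfs.server S76snmpdx S77dmi S80mipagent
#   list_enabled rc2.d
```

The renamed scripts are still complete files, so diffing the directory against a pristine installation or re-enabling a service later is a one-line job; deleting scripts, as some hardening guides suggest, makes both harder.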

    Installing Solaris 7

    Wow. I never thought that Solaris was that insecure after a normal installation. Here are some tips on what to do (some are not security related but might help as well). After installing Solaris 2.7 on my SPARC 20, I had to do the following:
      touch /etc/notrouter: so you don't act as a router
      vi /etc/resolv.conf, add the line nameserver A.B.C.D: sets the DNS server
      vi /etc/nsswitch.conf, change the hosts line to: hosts: files dns
      vi /etc/defaultrouter, add a line with your gateway's IP
      vi /etc/profile, at the beginning add the line ulimit -Sc 0: prevents core files (this is the soft limit, a user can raise it again; ulimit -Hc 0 sets the hard limit)
      OR add the line set sys:coredumpsize=0 to /etc/system (needs a reboot)
      vi /etc/inetd.conf and comment out every active service with :g!/^#/s/^/#/ ; then uncomment only the services you need!
  • On we go with disabling a LOT of services (rc scripts):
      ncad
      ncadlogd
      asppp
      nfs.client
      ldap.client
      rpc
      mpstat (CPU statistics)
      autofs
    You can also delete some files in /etc:
      auto_home
      auto_master
  • Check what is run from cron. The per-user crontabs are in /var/spool/cron/crontabs
  • Oh, and run inetd with the flags -s -t: -s runs it standalone (outside the Service Access Facility), -t traces incoming connections, i.e. logs the client's address, port and the service name via syslog.
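The vi command above comments out everything and leaves you to uncomment what you need. The following shell function does both steps at once (an added example, not from this page): it comments out every active entry of an inetd.conf except an allowlist of service names, handling the RPC entries whose first field carries a /version suffix. The sample inetd.conf is constructed for the example; the function reads any file you name and writes the result to stdout.

```shell
#!/bin/sh
# Added example, not from the page: comment out every service in an inetd.conf that is
# not on an allowlist. The sample inetd.conf below is constructed for this example;
# harden_inetd reads a file and writes the hardened version to stdout.

# harden_inetd <inetd.conf> <service>...   services are matched on the first field,
# with the /version suffix of RPC entries (rstatd/2-4, 100232/10) stripped
harden_inetd() {
    conf="$1"; shift
    keep=" $* "
    awk -v keep="$keep" '
        NF == 0 || $1 ~ /^#/ { print; next }      # blank lines and comments unchanged
        {
            name = $1; sub(/\/.*/, "", name)
            if (index(keep, " " name " ") > 0) print
            else print "#" $0
        }' "$conf"
}

# active_services <inetd.conf>: names of the services inetd would still start
active_services() {
    awk 'NF > 0 && $1 !~ /^#/ { n = $1; sub(/\/.*/, "", n); print n }' "$1"
}

# Constructed sample in the layout of a Solaris 8 /etc/inetd.conf
SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample.$$
cat > "$SAMPLE" <<'EOF'
# inetd.conf sample (constructed for this example)
ftp      stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd
telnet   stream tcp nowait root   /usr/sbin/in.telnetd in.telnetd
#shell   stream tcp nowait root   /usr/sbin/in.rshd    in.rshd
finger   stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
rstatd/2-4  tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
100232/10   tli rpc/udp        wait root /usr/sbin/sadmind                  sadmind
EOF

# Usage on a real system: review the output, install it, then make inetd reread it.
#   harden_inetd /etc/inetd.conf ftp > /etc/inetd.conf.new
#   diff /etc/inetd.conf /etc/inetd.conf.new
#   cp /etc/inetd.conf /etc/inetd.conf.orig && mv /etc/inetd.conf.new /etc/inetd.conf
#   pkill -HUP inetd
```

Running active_services on the live file before and after is the quickest way to see what a box still offers to the network, and matching on the service name rather than on the line text means the allowlist keeps working when a line's whitespace or daemon path changes.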

    Syslog

    Since Solaris 8, syslog messages carry a message ID tag that looks like [ID nnnnnn facility.level]. This is sometimes not what you want (older log parsers choke on it). You can disable it in /kernel/drv/log.conf by setting msgid=0, but then you have to reboot the machine. To switch it off in the running kernel instead, patch the variable with adb (this writes to kernel memory, so know what you are doing):
      echo "log_msgid/W0" | adb -kw /dev/ksyms /dev/mem

    Setting Kernel Parameters

  • Some other nifty things you can do with ndd. This program lets you read and set driver parameters of the running system. To list every parameter the TCP driver knows, try:
    1. ndd /dev/tcp \?
    Then you could read one of them:
      ndd /dev/tcp tcp_ip_abort_interval
    and you get the current value of this variable. You can also set these variables, but know what you are doing. The device has to be given on the set command as well, and ndd settings do not survive a reboot, so put them into an rc script:
      ndd -set /dev/tcp tcp_ip_abort_interval 360000

    Preventing ARP spoofing

    Against ARP poisoning and ARP spoofing you can shorten the lifetime of ARP cache entries (the value is in milliseconds, 60000 is one minute):
      ndd -set /dev/arp arp_cleanup_interval 60000
    This limits how long a spoofed entry survives after the attacker stops sending, it does not stop the poisoning while he keeps sending. On a shared segment the only real protection is a static entry for the gateway (arp -s host ether_addr), which the kernel will not overwrite.

    TCP/IP settings

    The routing cache (IRE) entries should be flushed just as often, so that a stale or injected route does not live long either:
      ndd -set /dev/ip ip_ire_flush_interval 60000

    You can also increase the queue for unestablished (half-open) connections, which is the queue a SYN flood fills up:
      ndd -set /dev/tcp tcp_conn_req_max_q0 2048

    To increase the queue of established connections waiting to be accept()ed by the server, the command is:
      ndd -set /dev/tcp tcp_conn_req_max_q size

    TCP connection hash size and FIN_WAIT_2 timeout:
      set tcp:tcp_conn_hash_size=size  (in /etc/system; ndd can only read this one)
      ndd -set /dev/tcp tcp_fin_wait_2_flush_interval time
    A little explanation of the above is probably in place. Let's see what happens when a TCP connection is closed, taking a webserver as the example: the webserver sends a FIN to indicate that its end of the connection is closed and goes to FIN_WAIT_1; when the browser ACKs, the server side goes to FIN_WAIT_2. If the browser's own FIN never arrives, tcp_fin_wait_2_flush_interval decides how long the kernel waits before it tears the connection down. Normally the browser closes its end next and sends a FIN, the webserver ACKnowledges and enters TIME_WAIT. During this state (tcp_time_wait_interval, the 2MSL value) the kernel data structures remain allocated, because packets belonging to this connection might still be lingering on the network. After the time_wait period is over, the resources are freed. A nonzero tcpListenDrop counter in netstat -s means that connection requests were dropped because the queue of established connections (tcp_conn_req_max_q) was full; tcpListenDropQ0 says the same about the half-open queue (tcp_conn_req_max_q0). A busy server with thousands of connections in TIME_WAIT also benefits from a larger connection hash table, since every incoming segment has to be looked up in it.
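To find out whether those two queues actually overflow on a server, the counters have to be pulled out of netstat -s. The following functions do that and say which parameter to raise (an added example, not from this page). The sample netstat output is constructed in the layout Solaris 8 prints for netstat -s -P tcp, two "name = value" pairs per line separated by a tab; on a real box feed them the live output.

```shell
#!/bin/sh
# Added example, not from the page: read the listen-queue overflow counters out of
# "netstat -s -P tcp" output and say which queue to enlarge. The sample below is
# constructed in the layout Solaris 8 prints (two "name = value" pairs per line,
# separated by a tab).

# tcp_counter <file> <counter>: print the counter's value, nothing if it is absent
tcp_counter() {
    tr '\t' '\n' < "$1" | awk -v c="$2" '$1 == c && $2 == "=" { print $3 }'
}

# check_listen_queues <file>: report overflows of the accept queue (tcpListenDrop,
# bounded by tcp_conn_req_max_q) and of the half-open queue (tcpListenDropQ0,
# bounded by tcp_conn_req_max_q0); return 1 if either counter is nonzero
check_listen_queues() {
    q=`tcp_counter "$1" tcpListenDrop`
    q0=`tcp_counter "$1" tcpListenDropQ0`
    status=0
    if [ "${q:-0}" -gt 0 ]; then
        echo "tcpListenDrop=$q: accept queue full, raise tcp_conn_req_max_q or speed up the server's accept()"
        status=1
    fi
    if [ "${q0:-0}" -gt 0 ]; then
        echo "tcpListenDropQ0=$q0: half-open queue full (SYN flood?), raise tcp_conn_req_max_q0"
        status=1
    fi
    return $status
}

# Constructed sample of "netstat -s -P tcp" (only the lines that matter here)
NETSTAT_SAMPLE=${TMPDIR:-/tmp}/netstat.sample.$$
{
  printf 'TCP\ttcpRtoAlgorithm     =     4\ttcpRtoMin           =   400\n'
  printf '\ttcpListenDrop       =    17\ttcpListenDropQ0     =     0\n'
  printf '\ttcpHalfOpenDrop     =     0\ttcpOutSackRetrans   =     0\n'
} > "$NETSTAT_SAMPLE"

# Usage on a live system:
#   netstat -s -P tcp > /tmp/tcp.stats && check_listen_queues /tmp/tcp.stats
```

The counters are cumulative since boot, so run the check twice a few minutes apart and compare: a value that grows during normal load points at a server that is slow to accept(), a jump in tcpListenDropQ0 that stops when the load stops looks like a SYN flood.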

  • The /etc/default/inetinit file has some more capabilities for tuning. Set for example the following two parameters for better throughput; they increase the TCP transmit and receive buffers (the high-water marks, in bytes):
      TCP_XMIT_HIWAT=65535
      TCP_RECV_HIWAT=65535
    Solaris itself only reads TCP_STRONG_ISS from that file, so make sure you add the following to /etc/init.d/inetinit, else this won't work!
      # Get TCP_XMIT_HIWAT and TCP_RECV_HIWAT from /etc/default/inetinit
      [ -f /etc/default/inetinit ] && . /etc/default/inetinit
      if [ -n "$TCP_XMIT_HIWAT" ]; then
          /usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat $TCP_XMIT_HIWAT
      fi
      if [ -n "$TCP_RECV_HIWAT" ]; then
          /usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat $TCP_RECV_HIWAT
      fi
    Also add the following to /etc/default/inetinit (this one inetinit does handle; 2 selects RFC 1948 style initial sequence numbers, which makes ISN guessing and blind connection spoofing much harder):
      TCP_STRONG_ISS=2
    Reference: Solaris x86 firewall using IP Filter, which also handles IPSec with Solaris!

    More on ndd you can find at http://www.sean.de/Solaris/tune.html; that page explains how to tune your TCP/IP stack.
  • Some more, so the machine stops answering the ICMP requests that are only good for mapping a network (timestamp and address mask):
      ndd -set /dev/ip ip_respond_to_timestamp 0
      ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
      ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
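Because ndd settings are gone after a reboot and ndd -set does not always complain when a driver keeps its old value, the usual approach is an rc script that sets everything and reads it back. Here is one covering the settings of this section (an added example, not the page's own script): it is meant to be installed as /etc/init.d/nddconfig with a hard link such as /etc/rc2.d/S70nddconfig, so that it runs after S69inet has initialised the network. NDD is an assumption of the example (it defaults to /usr/sbin/ndd but can be pointed at a stub), and 1024 for tcp_conn_req_max_q is an example value, since the text above leaves the size open.

```shell
#!/bin/sh
# Added example, not from the page: apply the ndd settings from this section and
# verify each one by reading it back. NDD is an assumption so the logic can be
# exercised with a stub; on Solaris it is /usr/sbin/ndd. Install as
# /etc/init.d/nddconfig, linked from /etc/rc2.d/S70nddconfig (after S69inet).
NDD=${NDD:-/usr/sbin/ndd}

# One "device parameter value" triple per line.
SETTINGS='
/dev/ip  ip_forwarding                        0
/dev/ip  ip_forward_src_routed                0
/dev/ip  ip_forward_directed_broadcasts       0
/dev/ip  ip_ignore_redirect                   1
/dev/ip  ip_respond_to_timestamp              0
/dev/ip  ip_respond_to_timestamp_broadcast    0
/dev/ip  ip_respond_to_address_mask_broadcast 0
/dev/ip  ip_respond_to_echo_broadcast         0
/dev/ip  ip_ire_flush_interval                60000
/dev/arp arp_cleanup_interval                 60000
/dev/tcp tcp_conn_req_max_q0                  2048
/dev/tcp tcp_conn_req_max_q                   1024
'

# ndd_set_verified <device> <parameter> <value>: set it, read it back, 1 on mismatch
ndd_set_verified() {
    "$NDD" -set "$1" "$2" "$3" 2>/dev/null || :
    actual=`"$NDD" "$1" "$2" 2>/dev/null`
    if [ "$actual" = "$3" ]; then
        return 0
    fi
    echo "nddconfig: $1 $2 is '$actual', wanted $3" >&2
    return 1
}

# apply_settings: walk SETTINGS; afterwards NDD_FAILED holds the number of
# parameters that did not take and the return value is 1 if that is nonzero.
# The here-document keeps the loop in the current shell, so the counter survives.
apply_settings() {
    NDD_FAILED=0
    while read dev param value; do
        [ -z "$dev" ] && continue
        ndd_set_verified "$dev" "$param" "$value" || NDD_FAILED=`expr $NDD_FAILED + 1`
    done <<EOF
$SETTINGS
EOF
    [ "$NDD_FAILED" -eq 0 ]
}

# rc interface: "start" applies the settings; there is nothing to undo on "stop"
case "$1" in
    start) apply_settings || exit 1 ;;
esac
```

Reading every value back is the point of the script: a typo in a parameter name or a value outside the driver's range leaves the old setting in place, and without the check the box looks hardened on paper but not on the wire. Run ndd /dev/ip \? and ndd /dev/tcp \? once after upgrading, since parameter names do change between releases.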

    Preventing Buffer Overflows

    Some kernel values can only be controlled with the /etc/system file. Unfortunately changes in this file need a reboot of the machine! Especially the following ones:
      set noexec_user_stack=1
      set noexec_user_stack_log=1
    The first marks the stack of every user process non-executable (SPARC only; 64-bit processes already run that way, the setting extends it to 32-bit ones), the second logs every attempt to execute code on the stack via syslog, which makes a cheap intrusion detector. This stops the classic stack-smashing exploits that jump into shellcode placed on the stack, but not return-into-libc style attacks or heap overflows, so it is a mitigation and not a substitute for patching.
    Also make sure to do a chmod 644 on /etc/system, so that only root can change the kernel configuration.

    More Hardening

    Login

    In /etc/default/login set the following values:
        CONSOLE=/dev/console
        SLEEPTIME=4
        RETRIES=2
        SYSLOG_FAILED_LOGINS=2

    The first line enforces that root can only log in on the console (anybody else has to come in as a normal user and su, which is logged in sulog). SLEEPTIME makes the login program wait 4 seconds before it reports that the login was incorrect, which slows down password guessing. RETRIES is the number of failed attempts before login gives up and drops the connection, and the last line says that after 2 failed logins a syslog message is written.

    In the same file make sure that
    PASSREQ=YES
    is set, so that no account can log in without a password! Then look at /etc/default/passwd. Here the following should be set:
      PASSLENGTH=8
      MAXWEEKS=...
    PASSLENGTH is the minimum length; Solaris 8 uses the traditional crypt(3) and only looks at the first 8 characters, so 8 is also the effective maximum. MAXWEEKS is the maximum password age, leave it empty and passwords never expire.
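The values above are easy to set once and lose again with the next patch or restore, so a check is worth having. Here is one for /etc/default/login and /etc/default/passwd (an added example, not from this page). Keys are read as KEY=VALUE lines and a commented-out key counts as unset, which is how login(1) treats it too. The two sample files are constructed to look like a fresh installation; on a real box pass the real paths.

```shell
#!/bin/sh
# Added example, not from the page: check /etc/default/login and /etc/default/passwd
# against the values recommended above. A commented-out key counts as unset.
# The two sample files are constructed; on a real box pass the real paths.

# default_value <file> <key>: the effective value of KEY (last assignment wins), or nothing
default_value() {
    awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# check_defaults <login file> <passwd file>: one line per deviation, return 1 if any
check_defaults() {
    login="$1"; pw="$2"; bad=0
    for spec in "$login CONSOLE /dev/console" "$login PASSREQ YES" "$login SLEEPTIME 4" \
                "$login RETRIES 2" "$login SYSLOG_FAILED_LOGINS 2"
    do
        set -- $spec
        actual=`default_value "$1" "$2"`
        if [ "$actual" != "$3" ]; then
            echo "$1: $2 is '${actual:-unset}', should be $3"
            bad=1
        fi
    done
    # PASSLENGTH is a minimum; 8 is also all that crypt(3) looks at on Solaris 8
    pl=`default_value "$pw" PASSLENGTH`
    if [ "${pl:-0}" -lt 8 ]; then
        echo "$pw: PASSLENGTH is '${pl:-unset}', should be 8"
        bad=1
    fi
    # MAXWEEKS only has to be set to something; the text above leaves the value open
    mw=`default_value "$pw" MAXWEEKS`
    if [ -z "$mw" ]; then
        echo "$pw: MAXWEEKS is unset, passwords never expire"
        bad=1
    fi
    return $bad
}

# Constructed samples resembling a fresh Solaris 8 installation
LOGIN_SAMPLE=${TMPDIR:-/tmp}/login.sample.$$
PASSWD_SAMPLE=${TMPDIR:-/tmp}/passwd.sample.$$
cat > "$LOGIN_SAMPLE" <<'EOF'
# /etc/default/login (constructed sample)
#CONSOLE=/dev/console
PASSREQ=YES
SLEEPTIME=4
RETRIES=5
SYSLOG_FAILED_LOGINS=5
EOF
cat > "$PASSWD_SAMPLE" <<'EOF'
# /etc/default/passwd (constructed sample)
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
EOF

# Usage on a real system (nonzero exit means something deviates):
#   check_defaults /etc/default/login /etc/default/passwd
```

Run it from cron together with logins -p and pwck, and the three together catch the usual drift: a password-less account, a broken passwd entry, and a login default that was quietly reset.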
      

    Solaris-Specific things

    To check some of your system's performance parameters, try:
      netstat -k which shows kernel statistics (caches, per-interface counters and much more)!
    If you download packages for Solaris, you normally install them with:
      pkgadd -d PACKAGE
    In Solaris you find two different ps commands. They are:
      /usr/bin/ps
      /usr/ucb/ps
    The difference is that /usr/ucb/ps implements the BSD options (ps aux), while /usr/bin/ps follows the AT&T/SVR4 conventions (ps -ef).

      logins -p can be used to check for password-less accounts.

      Add KEYBOARD_ABORT=disable to /etc/default/kbd if you want to prevent anyone at the console from dropping the machine into the OpenBoot PROM with STOP-A. Check the proc tools under /usr/proc/bin (pfiles, pstack, ptree, ...) when you need to look inside a running process.

      Modules

        /usr/sbin/modinfo                    Display kernel module information
        /usr/sbin/modload <module>           Load a kernel module
        /usr/sbin/modunload -i <module id>   Unload a kernel module
        nm -x /dev/ksyms | grep OBJ | more   Tunable kernel parameters (the data symbols of the running kernel)
        /usr/sbin/sysdef                     Show system kernel tunable details

      Still to be validated:

      - /etc/.netrc
      - ls() { /usr/bin/ls -a -b $* ; } (always show dot files and print non-printable characters in file names as octal escapes, so hidden or oddly named files stand out)
      - group passwords (add a password field to /etc/group) TRY: requires then to use newgrp to change to that group (e.g. add the su program to this group...)
      - /etc/default/su: SULOG=/var/adm/sulog
      - touch /var/adm/loginlog; chown root:sys /var/adm/loginlog; chmod 600 /var/adm/loginlog (once the file exists, login records failed attempts in it)
      - /etc/init.d/inetsvc: add /usr/sbin/inetd -s -t &
      - inetd: /usr/sbin/in.ftpd in.ftpd -dl (debug output and one log line per session)
      - eeprom 'oem-banner?=true'; eeprom oem-banner="This system is property of ..."
      - install quotas on your Solaris webserver (see instructions)
      - Patches: http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
      - run pwck and grpck !!! on all machines at home!
      - touch /etc/default/{ftpd|telnetd}; echo BANNER='""' > /etc/default/ftpd (hides the version banner)
      - /etc/init.d/inetinit: ndd -set /dev/ip ip_forwarding 0, ip_forward_directed_broadcasts 0, ip_ignore_redirect 1, ip_forward_src_routed 0; TCP_STRONG_ISS=2 (prevent ISN guessing)
      - /etc/system: set noexec_user_stack=1; set noexec_user_stack_log=1

      A few more lines from a tuning script in the style of the page linked above. There, modlist is a wrapper function around ndd -set $device $parameter $value and $osver holds the release number without the dots (580 for Solaris 8). With the two definitions at the top this runs as-is, e.g. from /etc/init.d/inetinit:

      #!/bin/sh
      # modlist <device> <parameter> <value>: wrapper around ndd -set
      modlist() {
          /usr/sbin/ndd -set $1 $2 $3
      }
      # release number without dots: 5.7 -> 570, 5.8 -> 580
      osver=`uname -r | awk -F. '{ printf "%d%d%d", $1, $2, $3 }'`
      #
      # retransmission timeouts         Sol8 defaults
      #
      # tcp_rexmit_interval_initial     3000
      # tcp_rexmit_interval_min         200      400
      # tcp_ip_abort_interval           480000
      # tcp_ip_abort_cinterval          180000
      # tcp_rexmit_interval_max         60000
      #
      modlist /dev/tcp tcp_rexmit_interval_initial 3000 # 500 for laboratories
      modlist /dev/tcp tcp_rexmit_interval_min 2000     # 200 for laboratories
      modlist /dev/tcp tcp_ip_abort_interval 600000     # 10 min before drop
      modlist /dev/tcp tcp_ip_abort_cinterval 60000     # 60 sec to estab. conn.
      modlist /dev/tcp tcp_rexmit_interval_max 60000    # free nw resources quickly

      modlist /dev/tcp tcp_slow_start_initial 2    # Solaris 8 uses 4
      modlist /dev/tcp tcp_slow_start_after_idle 2 # Solaris 8 uses 4

      modlist /dev/ip ip_ire_pathmtu_interval 600000
      modlist /dev/tcp tcp_keepalive_interval 3600000
      modlist /dev/tcp tcp_fin_wait_2_flush_interval 67500
      modlist /dev/tcp tcp_time_wait_interval 60000 # 2MSL value

      modlist /dev/ip ip_icmp_err_interval 0
      modlist /dev/ip ip_forward_src_routed 0
      modlist /dev/tcp tcp_smallest_anon_port 8192
      modlist /dev/udp udp_smallest_anon_port 8192

      # - uncomment, if you don't want to respond to a ping to any of your
      #   broadcast addresses. On one hand, it is rumored to have caused
      #   panics. On the other hand, it is a valid response, and often
      #   used to determine the UP hosts on a particular network.
      modlist /dev/ip ip_respond_to_echo_broadcast 0
      test $osver -ge 580 && modlist /dev/ip ip6_respond_to_echo_multicast 0

      # - Enable the 'strong end system' model from RFC 1122
      #   Beware, this might break some interface routing policies in
      #   combination with static routes - disable, if you need such.
      modlist /dev/ip ip_strict_dst_multihoming 1
      test $osver -ge 580 && modlist /dev/ip ip6_strict_dst_multihoming 1

      modlist /dev/udp udp_xmit_hiwat 16384 # max. UDP PDU size for sending
      modlist /dev/udp udp_recv_hiwat 64000 # queue for UDP
      
      



      CopyLeft (l) 2003 by Raffael Marty