Sorting out Solaris

Started by ^Sol, March 12, 2002, 02:09:43 AM

March 12, 2002, 02:09:43 AM Last Edit: March 12, 2002, 02:15:06 AM by ^Sol
Some of this will apply to other nixes, but from my personal exp, some useful hints:

1) Edit your /etc/init.d/inetsvc and change inetd -s to read inetd -s -t. This will enable extra TCP logging.

2) Edit inetd.conf and comment out all crap that you don't need.

3) Same for /etc/services.

4) Edit /etc/default/inetinit and change the value of TCP_STRONG_ISS to 2, this will make sequence prediction "hijacks" far less feasible/likely.

5) Edit your syslog.conf file and include auth.notice and daemon.notice event classes to log out to /var/adm/messages or another file if you wish. If you have inetd with the -t flag then you'll get a LOT more detail in your login history and similar files.

6) touch /var/adm/loginlog and make it mode 600. This will track failed login attempts (in blocks of 5. This is a bit of a problem: if someone keeps trying to log in but closes the connection after a 4th failed attempt then they could avoid this "block" logging. TCP wrappers can get around this).

7) Edit /etc/default/telnetd to say something like
BANNER="\nMy system blah blah\n\n"
The default banner shows what OS you are running - you don't want to give out any information that may be useful to a potential intruder. In fact, you shouldn't even allow telnet in from the net anyhow if you have any sense! Consider installing OpenSSH (also requires OpenSSL, zlib and prngd - check out www.sunfreeware.com).

8) Restart inetd and other inet services with /etc/init.d/inetsvc stop, then /etc/init.d/inetsvc start, when you've done all these changes to bring them into effect.

9) Create /etc/hosts.equiv, leave it empty and leave it as mode 000 as root. Create .rhosts files in user directories that are owned by root also and mode 000, and enable the sticky bit too so the user can't delete it. This will make it very difficult for users to get easy access into other machines on your network where that host is trusted.

I also found it's handy to disable that test stuff in inetd.conf such as chargen. Ever tried doing telnet localhost 19 | wall -a? Nasty. Or if they can do that and stick it out to a file somewhere that the user has no quota, you'll get a full disk pretty quick :D You can leave stuff like rstatd though, that's quite handy.

If you have users on the machine, consider downloading crack to check that no-one has a stupid and easily guessable password.

Will edit if I think of anything else. Just a n00b's Solaris security guide really. Never know - someone might find it handy.
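
A script that audits a root tree for the settings in points 1, 4, 5, 6, 7 and 9 above, as an added example and not part of the original post. It assumes the file locations exactly as the post names them, reads modes with ls -l (classic Solaris has no stat(1)), and builds its own constructed sample trees (not real Solaris files) so the checks can be exercised on any box; on a real host you would run audit_root / instead.

```shell
#!/bin/sh
# Added example: audit a root tree (normally "/") against the hardening points
# in the post above. Not from the original post; file paths are as the post
# names them. Modes come from ls -l because classic Solaris has no stat(1).
# Each check_* takes ROOT, prints one finding line and returns 0 when the
# setting matches the post's recommendation, 1 otherwise.

# mode_of FILE: 10-character permission string (e.g. -rw-------), empty if absent.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Point 1: inetd started with -t so each connection is logged.
check_inetd_trace() {
    f="$1/etc/init.d/inetsvc"
    if grep -q 'inetd -s -t' "$f" 2>/dev/null; then
        echo "OK   inetd runs with -t (connection tracing)"; return 0
    fi
    echo "WARN $f: inetd is not started with -t"; return 1
}

# Point 4: TCP_STRONG_ISS=2 (hash-based initial sequence numbers).
check_strong_iss() {
    f="$1/etc/default/inetinit"
    v=$(sed -n 's/^TCP_STRONG_ISS=\([0-9]*\).*/\1/p' "$f" 2>/dev/null | tail -n 1)
    if [ "$v" = "2" ]; then
        echo "OK   TCP_STRONG_ISS=2"; return 0
    fi
    echo "WARN $f: TCP_STRONG_ISS is '${v:-unset}', expected 2"; return 1
}

# Point 5: auth.notice and daemon.notice both routed by an uncommented rule.
check_syslog() {
    f="$1/etc/syslog.conf"
    if grep -q '^[^#]*auth\.notice' "$f" 2>/dev/null &&
       grep -q '^[^#]*daemon\.notice' "$f" 2>/dev/null; then
        echo "OK   syslog logs auth.notice and daemon.notice"; return 0
    fi
    echo "WARN $f: auth.notice/daemon.notice not both logged"; return 1
}

# Point 6: /var/adm/loginlog exists and is mode 600.
check_loginlog() {
    f="$1/var/adm/loginlog"
    if [ "$(mode_of "$f")" = "-rw-------" ]; then
        echo "OK   loginlog present, mode 600"; return 0
    fi
    echo "WARN $f: missing or not mode 600 (failed logins not recorded)"; return 1
}

# Point 7: telnetd BANNER overridden (an active, uncommented BANNER= line).
check_banner() {
    f="$1/etc/default/telnetd"
    if grep -q '^BANNER=' "$f" 2>/dev/null; then
        echo "OK   telnetd banner overridden"; return 0
    fi
    echo "WARN $f: default banner (reveals the OS version)"; return 1
}

# Point 9: /etc/hosts.equiv exists, is empty and is mode 000.
check_hosts_equiv() {
    f="$1/etc/hosts.equiv"
    if [ -f "$f" ] && [ ! -s "$f" ] && [ "$(mode_of "$f")" = "----------" ]; then
        echo "OK   hosts.equiv empty, mode 000"; return 0
    fi
    echo "WARN $f: missing, non-empty or not mode 000"; return 1
}

# audit_root ROOT: run every check; exit status is the number of failures.
audit_root() {
    fails=0
    for c in check_inetd_trace check_strong_iss check_syslog \
             check_loginlog check_banner check_hosts_equiv; do
        $c "$1" || fails=$((fails + 1))
    done
    return $fails
}

# make_sample_tree DIR hardened|stock: constructed demo files (not real
# Solaris content) so the checks can be exercised away from a Solaris box.
make_sample_tree() {
    d="$1"; mkdir -p "$d/etc/init.d" "$d/etc/default" "$d/var/adm"
    if [ "$2" = hardened ]; then
        printf '%s\n' '/usr/sbin/inetd -s -t &' > "$d/etc/init.d/inetsvc"
        printf '%s\n' 'TCP_STRONG_ISS=2' > "$d/etc/default/inetinit"
        printf 'auth.notice;daemon.notice\t/var/adm/messages\n' > "$d/etc/syslog.conf"
        : > "$d/var/adm/loginlog"; chmod 600 "$d/var/adm/loginlog"
        printf '%s\n' 'BANNER="\nAuthorised users only\n\n"' > "$d/etc/default/telnetd"
        : > "$d/etc/hosts.equiv"; chmod 000 "$d/etc/hosts.equiv"
    else
        printf '%s\n' '/usr/sbin/inetd -s &' > "$d/etc/init.d/inetsvc"
        printf '%s\n' 'TCP_STRONG_ISS=1' > "$d/etc/default/inetinit"
        printf '*.err\t/var/adm/messages\n' > "$d/etc/syslog.conf"
        printf '%s\n' '#BANNER="\nexample\n"' > "$d/etc/default/telnetd"
    fi
}

# Stand-alone demo: audit both constructed trees (use "audit_root /" on a host).
tmp=$(mktemp -d)
make_sample_tree "$tmp/hardened" hardened
make_sample_tree "$tmp/stock" stock
echo "== hardened sample =="; audit_root "$tmp/hardened"
echo "== stock sample =="; audit_root "$tmp/stock" || echo "$? check(s) failed"
rm -rf "$tmp"
```

The checks are deliberately literal: they confirm the lines the post tells you to add are present and active, not that the daemons picked them up, so run them after the restart in point 8 and pair them with a look at /var/adm/messages to confirm the extra inetd entries are actually arriving.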

Good points...

From the get-go I usually drop inetd altogether. Very few times where I use any services in there...

Wilnix
alt email address: wilnix@hackphreak.org
