Securing a Solaris Server - Minimizing Network Services
Most network services are offered by inetd. The file /etc/inetd.conf lists the services that inetd is to offer, and what programs to execute when a connection is made to the service. If a line has a '#' as the first character, it will be treated as a comment, and any information that might be there about a service will be ignored.
Each service in the inetd.conf file should be individually analyzed to determine if it is necessary for the system to function properly. In most cases, the answer will be no. If a service is determined to be unnecessary, the line should be commented out, by inserting a '#' as the first character of the line. If you don't know what the service does, try to comment it out, and see is everything still works. NOTE: After the inetd.conf file is changed, the inetd program needs to be instructed to reread the file, by using the kill command to send it a SIGHUP (e.g. kill -1 PID).
Some of the services in the inetd.conf file are offered for both IPv4 and IPv6. The protocol type of tcp6 identifies these services. If it is necessary to leave a service in for IPv4, but disable it for IPv6, the protocol should be changed from tcp6 to tcp. If the server is not running IPv6, then none of the services should be have a protocol of tcp6.
The most commonly used inetd services are telnet and FTP. If secure shell is used, these services can usually be disabled.
Among the least secure services offered by inetd are the R commands. These are rlogin, rexec, rcp and rsh. If at all possible, these services should be disabled in the inetd.conf file.
If the inetd.conf file gets to the point where all of the lines are commented out, then there is no longer any reason to run the inetd daemon. If this occurs, comment out the line that starts inetd, found in the /etc/rc2.d/S72inetsvc file (NOTE: number may not be 72; please check first with ls /etc/rc2.d/S*inetsvc).
Not all network services are offered by inetd. Sometimes, it is either necessary, or faster, to execute a daemon directly, and allow it to wait for connections. Here are the most common of those daemons:
There are modules available for Apache that enable almost any imaginable web functionality. In many cases, to use a module you will have to build Apache from source.
If you choose to run Apache, installed from source, I suggest that you install Apache from the Solaris installation CDROMs, save the startup scripts (/etc/rc2.d/*[Aa]pache*), and remove the package. These startup scripts should work well, as long as Apache is installed in the same location, and are simple to update if Apache is installed in an alternate location.
This might be useful on a desktop system, but it has no place on a server. When using NFS on a server (hopefully, this isn't too often), the delay for mounting a new file-system is not good, and could cause response problems.
There exists a Kerberos daemon, which only needs to run on the Key Distribution Center (KDC). This daemon performs the tasks of saving user pass phrases, and distributing Kerberos Tickets. It also interfaces with remote Kerberos administration tools. Installation of a KDC, and configuration of Kerberos, is beyond the scope of this web page. For a description of how this is done, please either read the manual pages, or read the Addison-Wesley book Kerberos - A Network Authentication System (4).
Also, there are Kerberized clients (they use Kerberos tickets for authorization) listed in the inetd.conf file. These clients include ktelnetd, kftpd, krlogin, krlogin, krsh and krcp. Additionally, there exist other Kerberized clients for login, IMAP, POP, and many other authenticated access methods. When using Kerberos, these clients should not be commented out of the inetd.conf file (except, possibly, on the KDC).
mv /etc/rc2.d/S71ldap.client /etc/rc2.d/_S71ldap.client
Also, there is a reference to in.lpd in the /etc/inetd.conf file. To disable LPD, this would also have to be disabled.
When a default install is performed, several files are added to the /etc/rc2.d directory, for the purpose of starting the print daemon. If the system is not functioning as the print server, then the startup of the print daemon should be disabled.
To disable startup of the LPRng print daemon, enter the following commands (NOTE: numbers man not be 60 and 80; please check first with ls /etc/rc2.d/s*lprng):
mv /etc/rc2.d/S60lprng /etc/rc2.d/_S60lprng mv /etc/rc2.d/S80lprng /etc/rc2.d/_S80lprng
mv /etc/rc2.d/S73nfs.client /etc/rc2.d/_S73nfs.client mv /etc/rc3.d/S15nfs.server /etc/rc3.d/_S15nfs.server
The O'Reilly book Managing NFS and NIS (5) has information on properly configuring servers and clients to use NIS+.
The routed daemon is not normally needed, unless a system has multiple network interfaces.
The rpcbind daemon is needed for NFS, NIS and parts of X11, among others. If you aren't running any of these, you may wish to try disabling RPC. To disable RPC, enter the following command (NOTE: number may not be 71; please check first with ls /etc/rc2.d/S*rpc):
mv /etc/rc2.d/S71rpc /etc/rc2.d/_S71rpc
When disabling the rpcbind daemon, it is a good idea to make sure that the necessary network services function properly both before and after the change. NOTE: The system should be booted immediately prior to any such testing being done.
If you find that the rpcbind daemon is necessary for proper system functionality, it is possible to use TCP-Wrappers with rpcbind, to limit the hosts that can access the RPC information. For more information on this, please see the documentation that comes with the TCP-Wrappers package.
If the server doesn't need to receive mail (it's not one of the mail servers), then the -bd flag should be removed from the execution line. The file where this resides is /etc/rc2.d/S*sendmail. NOTE: With sendmail 8.12 and above, this change will cause locally initiated messages to not be deliverable.
An alternative to removing the -bd flag would be to not start the sendmail daemon, and to run sendmail -q from cron every hour.
If you're running the Solaris 8 sendmail, the configuration file /etc/default/sendmail can be used to disable the receipt of external mail. This file is not included in the initial Solaris 8 release, but it is in one of the update releases, and it is also in the latest patch cluster.
Regardless of the state of the sendmail daemon on a system, it is critical that the configuration file (usually /etc/mail/sendmail.cf) be properly configured.
SSH requires that a daemon be running to accept connections. Due to the computational overhead of computing a key pair at startup, this daemon can not be started be inetd.
Although the socket that syslogd listens on is a potential security threat, the risks are more than offset by the ability to log information to another system in a timely manner. This ability may provide additional information, in the event of a compromise. For that reason, syslogd should always be used, and, whenever possible, it should be configured to send security related information to another system (i.e. a secured, dedicated log server).
It should be noted that the Solaris 8 syslogd daemon will create a UDP socket for use in sending log information to the remote host, and that the socket will be closed and reopened on a new port every few days. This could cause false positives on a network scan, and on some intrusion detection systems.
If the system will not be receiving messages from another system, then the syslogd daemon should be started with the -t flag. This will cause it to not listen on the UDP socket.
Also, the /etc/rmmount.conf file should be set up to mount file-systems with the -o nosuid flag set. This flag would be placed on the mount line for the file-system.
If you have any comments or suggestions, please E-mail firstname.lastname@example.org
© 2004 - Ashford Computer Consulting Service