Version 1.4
1/5/2004

Securing a Solaris Server - Minimizing Network Services

  1. Introduction
  2. History of this Web Page
  3. Overview
  4. Network Topology
  5. System Hardware Configuration
  6. Initial Installation
  7. Minimizing Solaris
  8. Minimizing Network Services
  9. Remove the Solaris Installation Leftovers
  10. Install Necessary Third Party Packages
  11. Close the Doors
  12. Obscure the Tracks
  13. Post the Warnings
  14. Perform System Backups
  15. Watch for Changes
  16. Sources of Tools
  17. Bibliography

---------------


8. Minimizing Network Services

The primary source for this information is a web page by Lance Spitzner (3).

Most network services are offered by inetd. The file /etc/inetd.conf lists the services that inetd is to offer, and what programs to execute when a connection is made to the service. If a line has a '#' as the first character, it will be treated as a comment, and any information that might be there about a service will be ignored.

Each service in the inetd.conf file should be individually analyzed to determine if it is necessary for the system to function properly. In most cases, the answer will be no. If a service is determined to be unnecessary, the line should be commented out by inserting a '#' as the first character of the line. If you don't know what the service does, comment it out and see if everything still works. NOTE: After the inetd.conf file is changed, the inetd program needs to be instructed to reread the file, by using the kill command to send it a SIGHUP (e.g. kill -1 PID).

Some of the services in the inetd.conf file are offered for both IPv4 and IPv6. The protocol type of tcp6 identifies these services. If it is necessary to leave a service in for IPv4, but disable it for IPv6, the protocol should be changed from tcp6 to tcp. If the server is not running IPv6, then none of the services should have a protocol of tcp6.

The most commonly used inetd services are telnet and FTP. If secure shell is used, these services can usually be disabled.

Among the least secure services offered by inetd are the R commands. These are rlogin, rexec, rcp and rsh. If at all possible, these services should be disabled in the inetd.conf file.

If the inetd.conf file gets to the point where all of the lines are commented out, then there is no longer any reason to run the inetd daemon. If this occurs, comment out the line that starts inetd, found in the /etc/rc2.d/S72inetsvc file (NOTE: number may not be 72; please check first with ls /etc/rc2.d/S*inetsvc).
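The inetd.conf audit just described, as an added shell example (not from the original page): it lists the services a Solaris inetd.conf actually offers, flags the tcp6 entries and the R commands, and comments a service out in place. The sample file is constructed for the example; reload_inetd is the SIGHUP step and assumes pgrep is available, and is not called here.

```shell
#!/bin/sh
# Added example (not from the original page). SAMPLE is a constructed
# inetd.conf fragment; point the functions at /etc/inetd.conf on a real system.
SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Constructed inetd.conf fragment (service type proto wait user program args)
ftp      stream  tcp6  nowait  root  /usr/sbin/in.ftpd      in.ftpd
telnet   stream  tcp6  nowait  root  /usr/sbin/in.telnetd   in.telnetd
shell    stream  tcp   nowait  root  /usr/sbin/in.rshd      in.rshd
login    stream  tcp6  nowait  root  /usr/sbin/in.rlogind   in.rlogind
#exec    stream  tcp   nowait  root  /usr/sbin/in.rexecd    in.rexecd
printer  stream  tcp6  nowait  root  /usr/lib/print/in.lpd  in.lpd
EOF

# A line offers a service only if it is not a comment and has all six
# mandatory fields. Each function prints the matching service names,
# comma separated, so the result can be compared as one string.
active_services() {
    awk '$1 !~ /^#/ && NF >= 6 { n = n sep $1; sep = "," } END { print n }' "$1"
}

# Services offered with an IPv6 protocol (tcp6/udp6); the text says to
# change these to tcp/udp, or disable them, when IPv6 is not in use.
ipv6_services() {
    awk '$1 !~ /^#/ && NF >= 6 && $3 ~ /6$/ { n = n sep $1; sep = "," } END { print n }' "$1"
}

# The R commands: active lines whose server is in.rshd, in.rlogind or in.rexecd.
r_services() {
    awk '$1 !~ /^#/ && NF >= 6 && $6 ~ /in\.(rshd|rlogind|rexecd)$/ { n = n sep $1; sep = "," } END { print n }' "$1"
}

# Comment out every active line for one service, leaving all other bytes
# untouched. Solaris sed has no -i, so the file is rewritten via a temp copy.
disable_service() {
    tmp="$1.tmp.$$"
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Make the running inetd reread its configuration (the text's "kill -1 PID").
# Not called in this example; run it on the real system after editing.
reload_inetd() {
    kill -HUP "$(pgrep -x inetd)"
}

echo "active: $(active_services "$SAMPLE")"
echo "ipv6:   $(ipv6_services "$SAMPLE")"
echo "R cmds: $(r_services "$SAMPLE")"
```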

Not all network services are offered by inetd. Sometimes, it is either necessary, or faster, to execute a daemon directly, and allow it to wait for connections. Here are the most common of those daemons:

Apache
Apache is an open-source web server, which is provided on the Solaris installation CDROMs. The version provided has only a minimal set of modules, which is not adequate for most web servers. If you are not running a web server, this software should not be installed.

There are modules available for Apache that enable almost any imaginable web functionality. In many cases, to use a module you will have to build Apache from source.

If you choose to run Apache built from source, I suggest that you install Apache from the Solaris installation CDROMs, save the startup scripts (/etc/rc2.d/*[Aa]pache*), and remove the package. These startup scripts should work well, as long as Apache is installed in the same location, and are simple to update if Apache is installed in an alternate location.

Automountd
The automountd daemon is used to automatically mount NFS file-systems when they are needed, and unmount them when they become unneeded. This helps to free up kernel resources, and keep the mount table small.

This might be useful on a desktop system, but it has no place on a server. When using NFS on a server (hopefully, this isn't too often), the delay for mounting a new file-system is not good, and could cause response problems.

Kerberos Authentication
Kerberos is a protocol for authenticating users. There are both advantages and disadvantages of using Kerberos, as compared to other readily available authentication protocols.

There exists a Kerberos daemon, which only needs to run on the Key Distribution Center (KDC). This daemon performs the tasks of saving user pass phrases, and distributing Kerberos Tickets. It also interfaces with remote Kerberos administration tools. Installation of a KDC, and configuration of Kerberos, is beyond the scope of this web page. For a description of how this is done, please either read the manual pages, or read the Addison-Wesley book Kerberos - A Network Authentication System (4).

Also, there are Kerberized clients (they use Kerberos tickets for authorization) listed in the inetd.conf file. These clients include ktelnetd, kftpd, krlogin, krsh and krcp. Additionally, there exist other Kerberized clients for login, IMAP, POP, and many other authenticated access methods. When using Kerberos, these clients should not be commented out of the inetd.conf file (except, possibly, on the KDC).

LDAP
If it was necessary to install the LDAP package to get a third party package to build, it is normally a good idea to disable the LDAP daemon. To disable the LDAP daemon, enter the following command (NOTE: number may not be 71; please check first with ls /etc/rc2.d/S*ldap.client):
mv /etc/rc2.d/S71ldap.client /etc/rc2.d/_S71ldap.client

LPD
The LPD (Line Printer Daemon) is only needed on a system that functions as a print server. Other systems should only have the printer queuing commands (lp, lpc, lpq, lpr and lprm). To disable LPD, remove the SUNWpsr package.

Also, there is a reference to in.lpd in the /etc/inetd.conf file. To fully disable LPD, this line would also have to be commented out.

LPRng
LPRng is a third-party software package, covered by the GPL, which is sometimes used to replace the LPD system. It has several features that make it potentially more useful than the LPD system.

When a default install is performed, several files are added to the /etc/rc2.d directory, for the purpose of starting the print daemon. If the system is not functioning as the print server, then the startup of the print daemon should be disabled.

To disable startup of the LPRng print daemon, enter the following commands (NOTE: numbers may not be 60 and 80; please check first with ls /etc/rc2.d/S*lprng):

mv /etc/rc2.d/S60lprng /etc/rc2.d/_S60lprng
mv /etc/rc2.d/S80lprng /etc/rc2.d/_S80lprng

NFS
If the server is on an unprotected network, or if there are users on the network that shouldn't see all the data in the server, then NFS should not be used. To disable NFS, enter the following commands (NOTE: numbers may not be 73 and 15; please check first with ls /etc/rc2.d/S*nfs.client and ls /etc/rc3.d/S*nfs.server):
mv /etc/rc2.d/S73nfs.client /etc/rc2.d/_S73nfs.client
mv /etc/rc3.d/S15nfs.server /etc/rc3.d/_S15nfs.server

NIS
Sun has created a powerful tool called NIS. This tool is very helpful for central configuration control of large groups of systems. Unfortunately, the design did not consider that passwords could be easily broken. Since DES encrypted passwords can no longer be considered to be secure, I strongly suggest that NIS not be used. To disable NIS, remove the SUNWnisu and SUNWnisr packages.

NIS+
This is a follow-on to NIS. It improves on the power, flexibility and security of NIS. If all (or almost all) of the UNIX systems on your network can use this protocol, it might be worthwhile using. Please note that the servers for NIS+ need to be carefully configured to be properly secure.

The O'Reilly book Managing NFS and NIS (5) has information on properly configuring servers and clients to use NIS+.

NTP
NTP is a package that can be used to synchronize the time on systems. Keeping times in sync is very useful, as it makes the log entries easier to interpret. It is also important when NFS is being used.

Routed
The routed daemon is used to determine where network traffic should go when it leaves a host. If a /etc/defaultrouter file exists, then the IP address contained in that file is used as the default route, and the routed daemon is not started.

The routed daemon is not normally needed, unless a system has multiple network interfaces.

RPC
RPC is a service that allows remote (and local) programs to request that an action be performed. The rpcbind daemon allows remote users to determine what RPC services are being offered. This could allow a potential intruder to scan for hosts with a vulnerable service.

The rpcbind daemon is needed for NFS, NIS and parts of X11, among others. If you aren't running any of these, you may wish to try disabling RPC. To disable RPC, enter the following command (NOTE: number may not be 71; please check first with ls /etc/rc2.d/S*rpc):

mv /etc/rc2.d/S71rpc /etc/rc2.d/_S71rpc
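The rename-to-underscore step used above for LDAP, LPRng, NFS and RPC, as an added shell example (not from the original page): a function that performs the "check first with ls" test itself and refuses to rename unless exactly one start script matches. The rc directory it operates on is constructed in a temporary directory so it runs offline; the file names are taken from this section.

```shell
#!/bin/sh
# Added example (not from the original page). The rc scripts only run
# files whose names begin with S or K, so a script renamed to _S71rpc
# stays in place for reference but no longer starts at boot.

# Constructed sample of an rc2.d directory, so this runs offline.
RCDIR=$(mktemp -d "${TMPDIR:-/tmp}/rc2.d.XXXXXX")
trap 'rm -rf "$RCDIR"' EXIT
for f in S60lprng S71ldap.client S71rpc S73nfs.client S80lprng K28nfs.server; do
    : > "$RCDIR/$f"
done

# Print the start scripts currently enabled in a directory, one per line.
enabled_starts() {
    for f in "$1"/S*; do [ -e "$f" ] && basename "$f"; done
}

# disable_rc DIR NAME: rename DIR/S<nn>NAME to DIR/_S<nn>NAME and print
# the new name. This is the text's "check first with ls" done automatically:
# if the pattern matches zero or several scripts, nothing is renamed.
disable_rc() {
    dir=$1; name=$2; match=""; count=0
    for f in "$dir"/S*"$name"; do
        [ -e "$f" ] || continue
        match=$f; count=$((count + 1))
    done
    if [ "$count" -ne 1 ]; then
        echo "disable_rc: $count scripts match S*$name in $dir; not renaming" >&2
        return 1
    fi
    base=$(basename "$match")
    mv "$match" "$dir/_$base" && echo "_$base"
}

echo "before: $(enabled_starts "$RCDIR" | tr '\n' ' ')"
```

On a real system call it as disable_rc /etc/rc2.d rpc; the LPRng case needs 60lprng and 80lprng separately because the bare name matches both scripts.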

When disabling the rpcbind daemon, it is a good idea to make sure that the necessary network services function properly both before and after the change. NOTE: The system should be rebooted immediately prior to any such testing being done.

If you find that the rpcbind daemon is necessary for proper system functionality, it is possible to use TCP-Wrappers with rpcbind, to limit the hosts that can access the RPC information. For more information on this, please see the documentation that comes with the TCP-Wrappers package.

Sendmail
Most servers have an occasional need to send mail. Although it is not necessary to have sendmail running to send mail, it is often a good idea, as sendmail also scans the mail queues, trying to send out mail that was not able to be sent previously.

If the server doesn't need to receive mail (it's not one of the mail servers), then the -bd flag should be removed from the execution line. The file where this resides is /etc/rc2.d/S*sendmail. NOTE: With sendmail 8.12 and above, this change will cause locally initiated messages to not be deliverable.

An alternative to removing the -bd flag would be to not start the sendmail daemon, and to run sendmail -q from cron every hour.

If you're running the Solaris 8 sendmail, the configuration file /etc/default/sendmail can be used to disable the receipt of external mail. This file is not included in the initial Solaris 8 release, but it is in one of the update releases, and it is also in the latest patch cluster.

Regardless of the state of the sendmail daemon on a system, it is critical that the configuration file (usually /etc/mail/sendmail.cf) be properly configured.

SSH
SSH is a secure replacement for telnet and FTP. SSH uses fully encrypted sessions, and allows forwarding of connections (e.g. X11 or FTP forwarding). SSH is discussed more in the section Install Necessary Third Party Packages.

SSH requires that a daemon be running to accept connections. Due to the computational overhead of computing a key pair at startup, this daemon cannot be started by inetd.

Syslogd
The syslogd service serves as a way to combine log messages from several sources into a few centrally located log files. It also allows log messages to be sent to another system.

Although the socket that syslogd listens on is a potential security threat, the risks are more than offset by the ability to log information to another system in a timely manner. This ability may provide additional information, in the event of a compromise. For that reason, syslogd should always be used, and, whenever possible, it should be configured to send security related information to another system (i.e. a secured, dedicated log server).

It should be noted that the Solaris 8 syslogd daemon will create a UDP socket for use in sending log information to the remote host, and that the socket will be closed and reopened on a new port every few days. This could cause false positives on a network scan, and on some intrusion detection systems.

If the system will not be receiving messages from another system, then the syslogd daemon should be started with the -t flag. This will cause it to not listen on the UDP socket.

Vold
The vold daemon is used to automatically mount removable media (CDROM, Floppy, Optical, JAZ and ZIP). This simplifies the process of mounting removable media, but creates a potential security issue, if an unauthorized person gains access to the system. Also, this daemon, although potentially useful, is not necessary. My advice is to not use it. To disable vold, remove the SUNWvolg, SUNWvolr and SUNWvolu packages.

Also, the /etc/rmmount.conf file should be set up to mount file-systems with the -o nosuid flag set. This flag would be placed on the mount line for the file-system.


If you have any comments or suggestions, please E-mail webmaster@accs.com

© 2004 - Ashford Computer Consulting Service