CITES :: Securing a Clean Solaris Install - U of I

http://www.cites.illinois.edu/wsg/resources/security/new_solaris.html

CITES
Campus Information Technologies and Educational Services University of Illinois at Urbana-Champaign

CITES

managing your computer

wsg

resources

security

solaris

new system

SECURING A CLEAN SOLARIS INSTALL

This page contains information about how to secure a new Solaris system. 1. Apply Sun Recommended Patches using superglue.
As the root user:
/sbin/mount solaris-patches.cites.uiuc.edu:/services/patches /mnt /mnt/superglue /sbin/umount /mnt

2. Remove unnecessary daemons from /etc/inetd/inetd.conf. 3. Install TCP wrappers.

The latest version can be found at ftp://ftp.porcupine.org/pub/security/.
One of several web pages detailing TCP Wrapper installation can be found at http://www.kempston.net/solaris/tcpwrappers.html.

4. Install a version of rpcbind that can be TCP wrappered.

A secure version of rpcbind can be found at ftp://ftp.porcupine.org/pub/security/index.html. Make sure to add rules for rpcbind to your /etc/hosts.allow file.

5. Remove unnecessary services from /etc/rc.d.

Runlevels 2 and 3 are used for a normal, multiuser startup in Solaris. You can stop a service by invoking the correct script in /etc/init.d, usually with the "stop" argument, or by using the svcadm command in Solaris 10. For example, to stop the sendmail daemon, you would issue the following command as root: Versions of Solaris through 9:
/etc/init.d/sendmail stop

Solaris 10:
svcadm disable -t sendmail

You can keep those unnecessary services from starting at boot time by renaming the appropriate symlinks in /etc/rc2.d and /etc/rc3.d or by using the svcadm command in Solaris 10. For example, if you want to prevent the sendmail daemon from starting at each boot, you would do the following as root:
Versions of Solaris through 9:
mv /etc/rc2.d/S88sendmail /etc/rc2.d/noS88sendmail

Solaris 10:
svcadm disable sendmail

Some services that you may not need include:

ldap.client nfs.client nfs.server sendmail slpd

Note: the services which are absolutely required are:

MOUNTFSYS RMTMPFILES inetsvc standardmounts buildmnttab rootusr sysetup devlinks cron drvconfig syslog inetinit utmpd rpc (if using graphical interface) dtlogin (if using graphical interface)

6. Lock or disable unnecessary accounts.

Make sure that such accounts have "NP" or "*LK*" in their password fields in the /etc/shadow file. You may also wish to assign an invalid shell for these accounts such as /bin/false or /bin/true.
adm bin daemon listen lp nobody nobody4 (remove if you do not have to support SunOS systems) noaccess nuucp

1 of 3

11/08/2011 10:53 PM

CITES :: Securing a Clean Solaris Install - U of I

http://www.cites.illinois.edu/wsg/resources/security/new_solaris.html

smtp sys uucp

7. Disable telnetd/ftpd OS banners if running telnetd and/or ftpd.

Create file /etc/default/telnetd and put the line BANNER="" into it to remove telnetd OS banner. Create similar file called /etc/default/ftpd for ftpd OS banner.

8. Create the file /etc/ftpusers and add the following default Solaris accounts to the file. This prevents these accounts from ftp-ing into the system.
adm bin daemon listen lp nobody noaccess nobody4 (unless it was deleted) nuucp root smtp sys uucp

9. Disable sendmail OS banner (helps thwart OS fingerprinting).

Replace the following line in /etc/mail/sendmail.cf
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

with
O SmtpGreetingMessage=

10. Disable access to the sendmail "EXPN" and "VRFY" commands (decreases info that can be obtained by sendmail).
Append to the line in /etc/mail/sendmail.cf that begins with
O PrivacyOptions

these options...
noexpn,novrfy

(Note: numbers 11, 12, 13, 14, 15, 16, 17 are not persistent across reboots - either append to /etc/rc2.d/S69inet or put into their own init script and symlink to an appropriate runlevel)

11. Change default TCP max segment size (helps thwart OS fingerprinting).
/usr/sbin/ndd -set /dev/tcp tcp_mss_def 546

12. Turn off path MTU discovery.

/usr/sbin/ndd -set /dev/ip ip_path_mtu_discovery 0

13. Change path MTU discovery interval to 10 mins - use ONLY if path MTU discovery is NOT turned off as in #12.
/usr/sbin/ndd -set /dev/ip ip_ire_pathmtu_interval 600000

14. Prevent incoming broadcast packets from entering your network.

/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0

15. Prevent the system from responding to incoming broadcast packets.

/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0

16. Drop source routed packets.

/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0

17. Prevent IP spoofing.

/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 0 /usr/sbin/ndd -set /dev/ip ip_ire_arp_interval 60000 /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60

18. Help prevent TCP sequence attack.

Change /etc/default/inetinit TCP_STRONG_ISS from 1 to 2 (TCP_STRONG_ISS=2)

19. Disable IP forwarding (if you can in your environment).

touch /etc/notrouter

20. Help prevent stack based buffer overflow attacks (disable stack code execution) and log such attempts.
Add the following to the /etc/system file (Caution: may break some SPARC V8 ABI programs, esp old compilers)... requires reboot to take effect. This

2 of 3

11/08/2011 10:53 PM

CITES :: Securing a Clean Solaris Install - U of I

http://www.cites.illinois.edu/wsg/resources/security/new_solaris.html

is not needed in Solaris 10.

noexec_user_stack = 1 noexec_user_stack_log = 1

21. Disable XDMCP connections by creating a /etc/dt/config/Xaccess file containing only "!*" (without quotes). 22. Configure static routing by creating the file /etc/defaultrouter that contains the IP of your machine's gateway.

Last modified October 13 2009 2011 The Board of Trustees at the University of Illinois

3 of 3

11/08/2011 10:53 PM