Professional Documents
Culture Documents
http://www.cites.illinois.edu/wsg/resources/security/new_solaris.html
CITES
Campus Information Technologies and Educational Services University of Illinois at Urbana-Champaign
CITES
wsg
resources
security
solaris
new system
Solaris 10:
svcadm disable -t sendmail
You can keep those unnecessary services from starting at boot time by renaming the appropriate symlinks in /etc/rc2.d and /etc/rc3.d or by using the svcadm command in Solaris 10. For example, if you want to prevent the sendmail daemon from starting at each boot, you would do the following as root:
Versions of Solaris through 9:
mv /etc/rc2.d/S88sendmail /etc/rc2.d/noS88sendmail
Solaris 10:
svcadm disable sendmail
1 of 3
11/08/2011 10:53 PM
http://www.cites.illinois.edu/wsg/resources/security/new_solaris.html
8. Create the file /etc/ftpusers and add the following default Solaris accounts to the file. This prevents these accounts from ftp-ing into the system.
adm bin daemon listen lp nobody noaccess nobody4 (unless it was deleted) nuucp root smtp sys uucp
with
O SmtpGreetingMessage=
10. Disable access to the sendmail "EXPN" and "VRFY" commands (decreases info that can be obtained by sendmail).
Append to the line in /etc/mail/sendmail.cf that begins with
O PrivacyOptions
these options...
noexpn,novrfy
(Note: numbers 11, 12, 13, 14, 15, 16, 17 are not persistent across reboots - either append to /etc/rc2.d/S69inet or put into their own init script and symlink to an appropriate runlevel)
11. Change default TCP max segment size (helps thwart OS fingerprinting).
/usr/sbin/ndd -set /dev/tcp tcp_mss_def 546
13. Change path MTU discovery interval to 10 mins - use ONLY if path MTU discovery is NOT turned off as in #12.
/usr/sbin/ndd -set /dev/ip ip_ire_pathmtu_interval 600000
20. Help prevent stack based buffer overflow attacks (disable stack code execution) and log such attempts.
Add the following to the /etc/system file (Caution: may break some SPARC V8 ABI programs, esp old compilers)... requires reboot to take effect. This
2 of 3
11/08/2011 10:53 PM
http://www.cites.illinois.edu/wsg/resources/security/new_solaris.html
21. Disable XDMCP connections by creating a /etc/dt/config/Xaccess file containing only "!*" (without quotes). 22. Configure static routing by creating the file /etc/defaultrouter that contains the IP of your machine's gateway.
Last modified October 13 2009 2011 The Board of Trustees at the University of Illinois
3 of 3
11/08/2011 10:53 PM