Solaris Patches
First of all, never forget to install the recommended patches for Solaris, as already explained in Section 1.1. You can also use the Patch Manager tool, available at www.sun.com/download/products.xml?id=3f9d714b. It downloads the latest available patches that are not yet installed on your system.
Disabling Unused Services
It is recommended to dedicate a machine to the spectrometer, i.e. this machine should not double as a mail server, an HTTP server, etc. It can be useful, however, to mount the saved spectra from this machine on another one, a processing machine, through NFS. If you choose this configuration, many of the default Solaris services can be disabled, which increases its security. I consider this issue very important, since I have seen many Solaris machines that were installed and left in the default configuration get cracked.
Such services are normally started at boot time in two main ways:
by scripts in the rc directories, namely /etc/rc2.d and /etc/rc3.d,
and/or by the inet daemon.
Have a look at the rc directories and disable every script you do not need on your system.
Do this simply by renaming the script, for example:
mv /etc/rc2.d/S71ldap.client /etc/rc2.d/disabled-S71ldap.client
or
mv /etc/rc3.d/S34dhcp /etc/rc3.d/disabled-S34dhcp
Examples of other services that you can disable are S15nfs.server, S72autoinstall, S72slpd, S88sendmail, S72nfs.client, S74autofs, and S99dtlogin.
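The renaming step above, as an added example that is not part of the original page: a small POSIX shell script that disables a list of rc scripts by renaming them and then lists what will still run at boot. Solaris only executes scripts whose name starts with S (start) or K (kill) from the rc directories, so a script renamed to disabled-S71ldap.client is ignored. The rc directory is a parameter and the demonstration runs on a constructed scratch copy, so nothing on a real system is touched; on a real machine the argument would be /etc/rc2.d or /etc/rc3.d.

```shell
#!/bin/sh
# Added example, not from the original page: disable Solaris rc scripts by
# renaming them, as the text describes. The rc scripts are usually hard
# links to the copies in /etc/init.d, so the original is not lost.
# RCDIR is a parameter so the function can be exercised on a scratch copy.

# disable_rc_scripts RCDIR NAME...
# Renames RCDIR/S<nn><NAME> to RCDIR/disabled-S<nn><NAME> for each NAME and
# prints one line per script renamed.
disable_rc_scripts() {
    rcdir=$1; shift
    for name in "$@"; do
        for script in "$rcdir"/S[0-9][0-9]"$name"; do
            [ -f "$script" ] || continue        # no script for this NAME
            base=$(basename "$script")
            mv "$script" "$rcdir/disabled-$base"
            echo "disabled $base"
        done
    done
}

# enabled_rc_scripts RCDIR -> prints the scripts that will still run at boot
enabled_rc_scripts() {
    for script in "$1"/S*; do
        if [ -f "$script" ]; then basename "$script"; fi
    done
}

# make_sample_rcdir -> creates a constructed scratch rc2.d and prints its path
make_sample_rcdir() {
    dir=$(mktemp -d)
    for s in S20sysetup S71ldap.client S72slpd S88sendmail S99dtlogin; do
        : > "$dir/$s"
    done
    echo "$dir"
}

# Demonstration on the scratch directory (no real system files touched)
demo_dir=$(make_sample_rcdir)
disable_rc_scripts "$demo_dir" ldap.client sendmail dtlogin
echo "still enabled:"; enabled_rc_scripts "$demo_dir"
rm -rf "$demo_dir"
```

Run it as root against the real directories only after checking the printed list of scripts that remain enabled; anything the spectrometer needs (the TFTP daemon is started by inetd, not by an rc script) must stay.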
The Inet Daemon
The inet daemon starts many services, of which only a few are needed. Console machines running Vnmr(J) software to control a spectrometer need the TFTP daemon to boot the spectrometer console, so you need the following line in your /etc/inetd.conf:
tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
For autoplaying removable media, smserverd is necessary. It corresponds to a line like this in /etc/inetd.conf:
100155/1 tli rpc/ticotsord wait root /usr/lib/smedia/rpc.smserverd rpc.smserverd
Also, if you want remote hosts to print to a printer attached to your Solaris system, you need to run LPD. Other inetd services that may be needed are the sun-dr ones, if you use NFS, and the font server (fs.auto), if you have many remote desktops running X concurrently from your Solaris server. However, they add security risks to the system and should be wrapped or firewalled. Except for those cited above, many (or probably all) inetd services can be commented out in the file /etc/inetd.conf. It is highly recommended to disable fingerd, systat, netstat, and sadmind. Do not use services like rlogin, rexec, telnet (port 23), rsh, and ftp: comment them out of /etc/inetd.conf and use ssh, scp, and sftp instead. Feel free to comment out any other inetd services, like in.ftpd, rpc.rwalld, rpc.rlogind, rpc.rshd, rpc.rwhod, and in.telnetd. But do not forget to send a kill -HUP to the inetd PID, or just type /usr/bin/pkill -HUP inetd, after each change to the file /etc/inetd.conf.
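The "comment out everything except what the console needs" step, as an added example that is not part of the original page: a POSIX shell function that rewrites an inetd.conf so that only the services on an explicit keep list stay active, matched on the first field (the service name, or the RPC program/version for tli entries). The sample inetd.conf is constructed for the demonstration in the style of Solaris 9; the lines that matter on a real system are the ones already in your own /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the original page: comment out every active service
# in an inetd.conf except an explicit keep list, which is the minimisation the
# text asks for. Only the first field of each line is used for matching.

# minimize_inetd_conf IN OUT KEEP...
# Writes OUT from IN, leaving lines whose first field is in KEEP untouched and
# prefixing every other active service line with "#".
minimize_inetd_conf() {
    in=$1; out=$2; shift 2
    awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }    # already disabled, or blank
        ($1 in want)             { print; next }    # on the keep list
                                 { print "#" $0 }   # everything else: disable
    ' "$in" > "$out"
}

# enabled_inetd_services FILE -> prints the first field of each active line
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# make_sample_inetd_conf -> writes a constructed inetd.conf, prints its path
make_sample_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample in the style of Solaris 9 /etc/inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
tftp    dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
shell   stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
100155/1 tli    rpc/ticotsord wait root /usr/lib/smedia/rpc.smserverd rpc.smserverd
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind
EOF
    echo "$f"
}

# Demonstration: keep only tftp (console boot) and smserverd (removable media),
# then show what inetd would still serve. On a real system the next step is
# "pkill -HUP inetd", as the text says; it is not run here.
src=$(make_sample_inetd_conf)
dst=$(mktemp)
minimize_inetd_conf "$src" "$dst" tftp 100155/1
echo "still enabled:"; enabled_inetd_services "$dst"
rm -f "$src" "$dst"
```

Write the result to a scratch file first, compare it with the original (diff), and only then copy it over /etc/inetd.conf and send inetd the HUP; keeping a copy of the original file makes it easy to bring a service back if the console turns out to need it.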
Limit Root Access
Root access to the system should be very limited. Do not allow direct root login from the network. This is done by the following line in the file /etc/default/login (it is the default setting):
CONSOLE=/dev/console
Also go to the file /etc/ssh/sshd_config and make sure you have the options:
Unfortunately, a spectrometer console must use the su command in order to start and kill Exproc (command su acqproc). For practical reasons, just leave execute permission on su for all users. But if your machine is a processing workstation or does not run VnmrJ, you can also restrict permission to execute su for others.
Create a system admin group, say root, gid=1, if you do not have one. Then allow only users from the root group to execute su by doing the following:
chown root:root /bin/su
chmod o-r,o-w,o-x,g+x /bin/su
Now add your preferred unprivileged user to the super user group, so that you can later su from it. Your root group in the /etc/group file should look like:
root::0:root,myuser
where myuser is the user you use to log in from the network.
It is also a good idea to check the file /var/adm/sulog from time to time, to make sure everything is OK.
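What "checking sulog" can look like in practice, as an added example that is not part of the original page: a few awk one-liners wrapped in shell functions that summarise failed su attempts per user and list who successfully became root. Each sulog record has the form "SU MM/DD hh:mm + tty from-to", with "+" for a successful su and "-" for a failed one; the log lines used here are constructed, and user names containing a hyphen are not handled.

```shell
#!/bin/sh
# Added example, not from the original page: summarise /var/adm/sulog.
# Record layout assumed: "SU MM/DD hh:mm + tty from-to" ("-" means failure).

# su_failures FILE -> "user count" for every user with failed su attempts
su_failures() {
    awk '$1 == "SU" && $4 == "-" {
             split($6, p, "-"); fail[p[1]]++     # p[1] is the originating user
         }
         END { for (u in fail) print u, fail[u] }' "$1" | sort
}

# su_failures_for FILE USER -> number of failed su attempts by USER
su_failures_for() {
    awk -v user="$2" '$1 == "SU" && $4 == "-" {
             split($6, p, "-"); if (p[1] == user) n++
         }
         END { print n + 0 }' "$1"
}

# root_su_users FILE -> users who successfully became root, one per line
root_su_users() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ {
             split($6, p, "-"); print p[1]
         }' "$1" | sort -u
}

# make_sample_sulog -> writes constructed sulog records, prints the path
make_sample_sulog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
SU 03/14 09:12 + pts/3 myuser-root
SU 03/14 09:40 - pts/5 guest-root
SU 03/14 09:41 - pts/5 guest-root
SU 03/14 09:41 - pts/5 guest-root
SU 03/14 10:05 + console vnmr1-acqproc
SU 03/15 07:30 + pts/2 myuser-root
SU 03/15 07:31 - pts/2 myuser-root
EOF
    echo "$f"
}

log=$(make_sample_sulog)
echo "failed su attempts per user:"; su_failures "$log"
echo "users who became root:"; root_su_users "$log"
rm -f "$log"
```

On a real system, run the functions against /var/adm/sulog and compare the root_su_users output with the members of the root group: any name that is not in the group, or a burst of failures from one user, is worth a closer look. The "vnmr1-acqproc" record shows that the console's own su acqproc use appears in the same log and is expected.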
Hosts Access Control
You can also restrict the machines and protocols that access your host by editing the /etc/hosts.* files. A simple example is given here of how to restrict SSH access to a few hosts. Write the following content to the file /etc/hosts.deny:
sshd:ALL
And the following content to the file /etc/hosts.allow:
sshd: 69.147.83.33 170.225.42.
This configuration will allow only the host 69.147.83.33 and any host from the subnet 170.225.42.0 (the trailing dot in 170.225.42. matches every address with that prefix) to access your host through SSH.
Delete Remote Access Files
You do not need the following files on your console machine: .rhosts, .netrc, and hosts.equiv. They provide remote system access, which is not a good idea.
Prevent Buffer Overflow Attacks
Add the following lines to the file /etc/system:
set noexec_user_stack=1
set noexec_user_stack_log=1
Firewalling
A firewall is, after all, still welcome. Solaris 10 already ships IPFILTER by default, the one I have been using on Solaris 9 as well. Check one of the IPFILTER pages for more info. Here is an example of using IPFILTER for a machine with an interface dedicated to the console, say hme1, and another for the LAN, say hme0. Check your configuration with the command ifconfig -a. In this case, the IPFILTER configuration file should have the following lines:
pass out quick on hme1 proto tcp from any to any port = 23 flags S keep state
pass in quick on hme1 proto tcp from any to any port = 23 flags S keep state
This would allow the TFTP protocol only between the console and your computer. And if your interface to the network (LAN) is called hme0, then you should not write the above lines for this interface, but rather allow the necessary services (e.g. SSH, backup) and just leave a ``block all'' line at the end of the file:
block in log first quick on hme0 all
block out log first quick on hme0 all
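A check worth running on the rule file, as an added example that is not part of the original page: IPFILTER reads rules top to bottom and a "quick" rule ends the search as soon as it matches, so a pass rule that is added after "block ... quick on hme0 all" for the same interface and direction can never match, and the service it was meant to allow stays blocked. The POSIX shell function below scans a rule file for exactly that mistake. The ruleset it runs on is constructed: it contains the rules from the text, an SSH pass rule on hme0, and one deliberately misplaced pass rule after the block-all, which the check reports.

```shell
#!/bin/sh
# Added example, not from the original page: report IPFILTER rules that sit
# after a quick block-all on the same interface and direction and therefore
# can never match.

# unreachable_ipf_rules FILE -> prints "line N: <rule>" for each dead rule
unreachable_ipf_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comment or blank line
        {
            dir = $2; ifc = ""                        # "in" or "out"
            for (i = 1; i <= NF; i++) if ($i == "on") ifc = $(i + 1)
            key = dir " " ifc
            if (key in dead) { print "line " NR ": " $0; next }
            # a quick block-all for this interface/direction ends the search
            if ($1 == "block" && $0 ~ / quick / && $NF == "all") dead[key] = 1
        }' "$1"
}

# count_unreachable FILE -> number of unreachable rules
count_unreachable() {
    unreachable_ipf_rules "$1" | wc -l | tr -d ' '
}

# make_sample_ipf_conf -> writes a constructed ruleset, prints the path
make_sample_ipf_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed ruleset: hme1 faces the console, hme0 faces the LAN
pass out quick on hme1 proto tcp from any to any port = 23 flags S keep state
pass in quick on hme1 proto tcp from any to any port = 23 flags S keep state
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state
pass out quick on hme0 proto tcp from any to any flags S keep state
block in log first quick on hme0 all
block out log first quick on hme0 all
pass in quick on hme0 proto tcp from any to any port = 10000 flags S keep state
EOF
    echo "$f"
}

conf=$(make_sample_ipf_conf)
echo "rules that can never match:"; unreachable_ipf_rules "$conf"
rm -f "$conf"
```

Run it on your own rule file every time you add a service: if it prints anything, move the reported pass rules above the block lines and reload the ruleset with ipf -Fa -f followed by the file name. The port 10000 entry in the sample stands in for any extra service (a backup agent, for instance) that someone appends at the end of the file without noticing the block-all above it.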