1. Configure for more random TCP sequence number generation. Check that in(/etc/default/inetinit), the TCP_STRONG_ISS is set to 2. For instance, TCP_STRONG_ISS=2

2. IP forwarding is to be turned off to prevent the machine acting as a router. To disable IP forwarding, a file “/etc/notrouter” need to be present. If the file is missing, issue the following command to create one : touch /etc/notrouter

To prevent dynamic routes updates via the network, move “in.routed” and “in.rdisc” away from “/usr/sbin” directory by perform the following commands :

 mv /usr/sbin/in.routed /export/home/cfgh/base
 mv /usr/sbin/in.rdisc /export/home/cfgh/base

3. Change default kernel IP settings for better security. Following the following steps to change the kernel IP defaults values :

Setup files and environment:

 touch /etc/init.d/exconfig
 ln -s /etc/init.d/exconfig /etc/rc2.d/S70exconfig
 chmod 744 /etc/init.d/exconfig /etc/rc2.d/S70exconfig

Edit file “/etc/init.d/exconfig” and add the following lines:

 #!/bin/sh
  # /etc/init.d/exconfig
  RELEASE=`/usr/bin/uname -r`
  release7 ()
  {
  /usr/sbin/ex -set /dev/ip ip_forwarding 0
  /usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1
  /usr/sbin/ex -set /dev/ip ip_send_redirects 0
  /usr/sbin/ex -set /dev/ip ip_ignore_redirect 1
  /usr/sbin/ex -set /dev/ip ip_forward_src_routed 0
  /usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0
  /usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0
  /usr/sbin/ex -set /dev/tcp tcp_conn_req_max_q0 4096
  /usr/sbin/ex -set /dev/tcp tcp_ip_abort_cinterval 60000
  /usr/sbin/ex -set /dev/ip ip_respond_to_timestamp 0
  /usr/sbin/ex -set /dev/ip ip_respond_to_timestamp_broadcast 0
  /usr/sbin/ex -set /dev/ip ip_respond_to_address_mask_broadcast 0
  /usr/sbin/ex -set /dev/arp arp_cleanup_interval 60000
  id -a mqm > /dev/null 2>&1
  if [ \$? -eq 0 ]
  then
  /usr/sbin/ex -set /dev/tcp tcp_keepalive_interval 600000
 fi
 }
  release8 ()
 {
  /usr/sbin/ex -set /dev/ip ip6_forwarding 0
  /usr/sbin/ex -set /dev/ip ip6_strict_dst_multihoming 1
  /usr/sbin/ex -set /dev/ip ip6_send_redirects 0
  /usr/sbin/ex -set /dev/ip ip6_ignore_redirect 1
  /usr/sbin/ex -set /dev/ip ip6_forward_src_routed 0
   /usr/sbin/ex -set /dev/ip ip_ire_arp_interval 60000
 }
 release6 ()
 {
 /usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0

/usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0 /usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1 /usr/sbin/ex -set /dev/ip ip_ignore_redirect 1 /usr/sbin/ex -set /dev/ip ip_forward_src_routed 0 }

if [ \$RELEASE = “5.7” ] then

      release7

elif [ \$RELEASE = “5.8” ] || [ \$RELEASE = “5.10” ] || [ \$RELEASE = “5.9” ] then

      release7
      release8

elif [ \$RELEASE = “5.6” ] then

      release6

fi

4. Disable multicast from the server, edit the file “/etc/rc2.d/S72inetsvc” and comment out/remove the following lines : #( #if [ “$_INIT_NET_STRATEGY” = “dhcp” ]; then # mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME #else # mcastif=$_INIT_UTS_NODENAME #fi # #echo “Setting default Ipv4 interface for multicase:” \ # “add net 224.0/4: gateway $mcastif # #/usr/sbin/route -n add -interface “224.0/4” “$mcastif” >/dev/null #)&

For Solaris 10 Multicast would be disabled using /etc/rc2.d/S72inetsvc-os10

5. Denial of Service Prevention System Settings. Services that must be disabled on all servers, unless required by business function from /etc/services. Services include: ftp-data ftp tftp pop2 pop3 pop-2 nntp chargen daytime discard echo finger talk who whois new-rwho klogin eklogin telnet systat netstat time

6. Prevent “core dump” generated by inetd as it may contain login information. This could be achieved by editing the file ”/etc/rc2.d/S72inetsvc“. Change the line : /usr/sbin/inetd -s & to /usr/bin/ulimit -c 0; /usr/sbin/inetd -s -t & Note : ulimit -c 0 : set the core file size to 0 byte inetd -s -t : stand-alone server with tracing of all tcp connections

For Solaris 10 Create the script /etc/rc2.d/S72inetsvc-os10 as per below. #cat /etc/rc2.d/S72inetsvc-os10 IPADDR=`netstat -nr | grep -w 224.0.0.0 | awk '{print $2}'` /usr/sbin/route -n delete -interface “224.0/4” $IPADDR /usr/sbin/svcadm enable inetd /usr/sbin/inetadm -M tcp_trace=TRUE #chmod 555 /etc/rc2.d/S72inetsvc-os10

7. .netrc files System Settings (.netrc files, .netrc files in root’s home directory). Files are not permitted, remove the files if any, issue command find / -name .netrc -print

solaris.txt · Last modified: 2009/05/25 00:35 (external edit)
CC Attribution-Noncommercial-Share Alike 4.0 International
Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0 ipv6 ready