1. Configure for more random TCP sequence number generation. Check that in(/etc/default/inetinit), the TCP_STRONG_ISS is set to 2. For instance, TCP_STRONG_ISS=2
2. IP forwarding is to be turned off to prevent the machine acting as a router. To disable IP forwarding, a file “/etc/notrouter” need to be present. If the file is missing, issue the following command to create one : touch /etc/notrouter
To prevent dynamic routes updates via the network, move “in.routed” and “in.rdisc” away from “/usr/sbin” directory by perform the following commands :
mv /usr/sbin/in.routed /export/home/cfgh/base mv /usr/sbin/in.rdisc /export/home/cfgh/base
3. Change default kernel IP settings for better security. Following the following steps to change the kernel IP defaults values :
Setup files and environment:
touch /etc/init.d/exconfig ln -s /etc/init.d/exconfig /etc/rc2.d/S70exconfig chmod 744 /etc/init.d/exconfig /etc/rc2.d/S70exconfig
Edit file “/etc/init.d/exconfig” and add the following lines:
#!/bin/sh # /etc/init.d/exconfig RELEASE=`/usr/bin/uname -r` release7 () { /usr/sbin/ex -set /dev/ip ip_forwarding 0 /usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1 /usr/sbin/ex -set /dev/ip ip_send_redirects 0 /usr/sbin/ex -set /dev/ip ip_ignore_redirect 1 /usr/sbin/ex -set /dev/ip ip_forward_src_routed 0 /usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0 /usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0 /usr/sbin/ex -set /dev/tcp tcp_conn_req_max_q0 4096 /usr/sbin/ex -set /dev/tcp tcp_ip_abort_cinterval 60000 /usr/sbin/ex -set /dev/ip ip_respond_to_timestamp 0 /usr/sbin/ex -set /dev/ip ip_respond_to_timestamp_broadcast 0 /usr/sbin/ex -set /dev/ip ip_respond_to_address_mask_broadcast 0 /usr/sbin/ex -set /dev/arp arp_cleanup_interval 60000 id -a mqm > /dev/null 2>&1 if [ \$? -eq 0 ] then /usr/sbin/ex -set /dev/tcp tcp_keepalive_interval 600000 fi } release8 () { /usr/sbin/ex -set /dev/ip ip6_forwarding 0 /usr/sbin/ex -set /dev/ip ip6_strict_dst_multihoming 1 /usr/sbin/ex -set /dev/ip ip6_send_redirects 0 /usr/sbin/ex -set /dev/ip ip6_ignore_redirect 1 /usr/sbin/ex -set /dev/ip ip6_forward_src_routed 0 /usr/sbin/ex -set /dev/ip ip_ire_arp_interval 60000 } release6 () { /usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0 /usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1 /usr/sbin/ex -set /dev/ip ip_ignore_redirect 1 /usr/sbin/ex -set /dev/ip ip_forward_src_routed 0 }
if [ \$RELEASE = “5.7” ] then
release7
elif [ \$RELEASE = “5.8” ] || [ \$RELEASE = “5.10” ] || [ \$RELEASE = “5.9” ] then
release7 release8
elif [ \$RELEASE = “5.6” ] then
release6
fi
4. Disable multicast from the server, edit the file “/etc/rc2.d/S72inetsvc” and comment out/remove the following lines : #( #if [ “$_INIT_NET_STRATEGY” = “dhcp” ]; then # mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME #else # mcastif=$_INIT_UTS_NODENAME #fi # #echo “Setting default Ipv4 interface for multicase:” \ # “add net 224.0/4: gateway $mcastif # #/usr/sbin/route -n add -interface “224.0/4” “$mcastif” >/dev/null #)&
For Solaris 10 Multicast would be disabled using /etc/rc2.d/S72inetsvc-os10
5. Denial of Service Prevention System Settings. Services that must be disabled on all servers, unless required by business function from /etc/services. Services include: ftp-data ftp tftp pop2 pop3 pop-2 nntp chargen daytime discard echo finger talk who whois new-rwho klogin eklogin telnet systat netstat time
6. Prevent “core dump” generated by inetd as it may contain login information. This could be achieved by editing the file ”/etc/rc2.d/S72inetsvc“. Change the line : /usr/sbin/inetd -s & to /usr/bin/ulimit -c 0; /usr/sbin/inetd -s -t & Note : ulimit -c 0 : set the core file size to 0 byte inetd -s -t : stand-alone server with tracing of all tcp connections
For Solaris 10 Create the script /etc/rc2.d/S72inetsvc-os10 as per below. #cat /etc/rc2.d/S72inetsvc-os10 IPADDR=`netstat -nr | grep -w 224.0.0.0 | awk '{print $2}'` /usr/sbin/route -n delete -interface “224.0/4” $IPADDR /usr/sbin/svcadm enable inetd /usr/sbin/inetadm -M tcp_trace=TRUE #chmod 555 /etc/rc2.d/S72inetsvc-os10
7. .netrc files System Settings (.netrc files, .netrc files in root’s home directory). Files are not permitted, remove the files if any, issue command find / -name .netrc -print