Differences

This shows you the differences between two versions of the page.

--- solaris [2009/05/25 00:35]
+++ solaris [2009/05/25 00:35] (current)
@@ Line 1: / Line 1: @@
+. Configure for more random TCP sequence number generation. Check that in(/etc/default/inetinit), the TCP_STRONG_ISS is set to 2.  For instance, TCP_STRONG_ISS=2
+. IP forwarding is to be turned off to prevent the machine acting as a router. To disable IP forwarding, a file "/etc/notrouter" need to be present.  If the file is missing, issue the following command to create one : touch /etc/notrouter
+To prevent dynamic routes updates via the network, move "in.routed" and "in.rdisc" away from "/usr/sbin" directory by perform the following commands :
+   mv /usr/sbin/in.routed /export/home/cfgh/base
+   mv /usr/sbin/in.rdisc /export/home/cfgh/base
+. Change default kernel IP settings for better security. Following the following steps to change the kernel IP defaults values :
+Setup files and environment:
+   touch /etc/init.d/exconfig
+   ln -s /etc/init.d/exconfig /etc/rc2.d/S70exconfig
+   chmod 744 /etc/init.d/exconfig /etc/rc2.d/S70exconfig
+Edit file "/etc/init.d/exconfig" and add the following lines:
+   #!/bin/sh
+    # /etc/init.d/exconfig
+    RELEASE=`/usr/bin/uname -r`
+    release7 ()
+    {
+    /usr/sbin/ex -set /dev/ip ip_forwarding 0
+    /usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1
+    /usr/sbin/ex -set /dev/ip ip_send_redirects 0
+    /usr/sbin/ex -set /dev/ip ip_ignore_redirect 1
+    /usr/sbin/ex -set /dev/ip ip_forward_src_routed 0
+    /usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0
+    /usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0
+    /usr/sbin/ex -set /dev/tcp tcp_conn_req_max_q0 4096
+    /usr/sbin/ex -set /dev/tcp tcp_ip_abort_cinterval 60000
+    /usr/sbin/ex -set /dev/ip ip_respond_to_timestamp 0
+    /usr/sbin/ex -set /dev/ip ip_respond_to_timestamp_broadcast 0
+    /usr/sbin/ex -set /dev/ip ip_respond_to_address_mask_broadcast 0
+    /usr/sbin/ex -set /dev/arp arp_cleanup_interval 60000
+    id -a mqm > /dev/null 2>&1
+    if [ \$? -eq 0 ]
+    then
+    /usr/sbin/ex -set /dev/tcp tcp_keepalive_interval 600000
+   fi
+   }
+    release8 ()
+   {
+    /usr/sbin/ex -set /dev/ip ip6_forwarding 0
+    /usr/sbin/ex -set /dev/ip ip6_strict_dst_multihoming 1
+    /usr/sbin/ex -set /dev/ip ip6_send_redirects 0
+    /usr/sbin/ex -set /dev/ip ip6_ignore_redirect 1
+    /usr/sbin/ex -set /dev/ip ip6_forward_src_routed 0
+     /usr/sbin/ex -set /dev/ip ip_ire_arp_interval 60000
+   }
+   release6 ()
+   {
+   /usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0
+ /usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0
+/usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1
+/usr/sbin/ex -set /dev/ip ip_ignore_redirect 1
+/usr/sbin/ex -set /dev/ip ip_forward_src_routed 0
+}
+if [ \$RELEASE = "5.7" ]
+then
+        release7
+elif [ \$RELEASE = "5.8" ] || [ \$RELEASE = "5.10" ] || [ \$RELEASE = "5.9" ]
+then
+        release7
+        release8
+elif [ \$RELEASE = "5.6" ]
+then
+        release6
+fi
+. Disable multicast from the server, edit the file "/etc/rc2.d/S72inetsvc" and comment out/remove the following lines :
+#(
+#if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
+#   mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
+#else
+#   mcastif=$_INIT_UTS_NODENAME
+#fi
+#
+#echo "Setting default Ipv4 interface for multicase:" \
+#  "add net 224.0/4: gateway $mcastif
+#
+#/usr/sbin/route -n add -interface "224.0/4" "$mcastif"  >/dev/null
+#)&
+For Solaris 10
+Multicast would be disabled using /etc/rc2.d/S72inetsvc-os10
+. Denial of Service Prevention System Settings.
+Services that  must be disabled on  all servers, unless required by business function from /etc/services. Services include: ftp-data ftp tftp pop2 pop3 pop-2 nntp chargen daytime discard echo finger talk who whois new-rwho klogin eklogin telnet systat netstat time
+. Prevent "core dump" generated by inetd as it may contain login information.  This could be achieved by editing the file "/etc/rc2.d/S72inetsvc". Change the line :
+/usr/sbin/inetd -s &
+to /usr/bin/ulimit -c 0; /usr/sbin/inetd -s -t &
+Note :
+ulimit -c 0 : set the core file size to 0 byte
+inetd -s -t : stand-alone server with tracing of all tcp connections
+For Solaris 10
+Create the script /etc/rc2.d/S72inetsvc-os10 as per below.
+#cat /etc/rc2.d/S72inetsvc-os10
+IPADDR=`netstat -nr | grep -w 224.0.0.0 | awk '{print $2}'`
+/usr/sbin/route -n delete -interface "224.0/4" $IPADDR
+/usr/sbin/svcadm enable inetd
+/usr/sbin/inetadm -M tcp_trace=TRUE
+#chmod 555 /etc/rc2.d/S72inetsvc-os10
+. .netrc files System Settings (.netrc files, .netrc files in root’s home directory). Files are not permitted, remove the files if any, issue command find / -name .netrc -print