solaris [2009/05/25 00:35] (current)
1. Configure stronger (less predictable) TCP initial sequence number generation. Check that in /etc/default/inetinit the variable TCP_STRONG_ISS is set to 2, i.e. the line reads:
   TCP_STRONG_ISS=2

2. IP forwarding is to be turned off to prevent the machine acting as a router. To disable IP forwarding, the file "/etc/notrouter" needs to be present. If the file is missing, create it with the following command:
   touch /etc/notrouter

To prevent dynamic route updates via the network, move "in.routed" and "in.rdisc" out of the "/usr/sbin" directory by running the following commands:
   mv /usr/sbin/in.routed /export/home/cfgh/base
   mv /usr/sbin/in.rdisc /export/home/cfgh/base

3. Change the default kernel IP settings for better security. Follow these steps to change the kernel IP default values:

Set up the files and environment:
   touch /etc/init.d/exconfig
   ln -s /etc/init.d/exconfig /etc/rc2.d/S70exconfig
   chmod 744 /etc/init.d/exconfig /etc/rc2.d/S70exconfig

Edit the file "/etc/init.d/exconfig" and add the following lines (the values are applied with ndd(1M), selected by the Solaris release reported by uname -r):
   #!/bin/sh
   # /etc/init.d/exconfig - apply hardened kernel IP/TCP/ARP settings at boot
   RELEASE=`/usr/bin/uname -r`

   # Settings for Solaris 7 and later
   release7 ()
   {
      /usr/sbin/ndd -set /dev/ip ip_forwarding 0
      /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
      /usr/sbin/ndd -set /dev/ip ip_send_redirects 0
      /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
      /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
      /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
      /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
      /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 4096
      /usr/sbin/ndd -set /dev/tcp tcp_ip_abort_cinterval 60000
      /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
      /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
      /usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
      /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
      # Longer TCP keepalive interval only if the mqm account exists on this host
      id -a mqm > /dev/null 2>&1
      if [ $? -eq 0 ]
      then
         /usr/sbin/ndd -set /dev/tcp tcp_keepalive_interval 600000
      fi
   }

   # Additional IPv6 and ARP settings for Solaris 8 and later
   release8 ()
   {
      /usr/sbin/ndd -set /dev/ip ip6_forwarding 0
      /usr/sbin/ndd -set /dev/ip ip6_strict_dst_multihoming 1
      /usr/sbin/ndd -set /dev/ip ip6_send_redirects 0
      /usr/sbin/ndd -set /dev/ip ip6_ignore_redirect 1
      /usr/sbin/ndd -set /dev/ip ip6_forward_src_routed 0
      /usr/sbin/ndd -set /dev/ip ip_ire_arp_interval 60000
   }

   # Reduced set of settings supported on Solaris 2.6
   release6 ()
   {
      /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
      /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
      /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
      /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
      /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
   }

   if [ "$RELEASE" = "5.7" ]
   then
           release7
   elif [ "$RELEASE" = "5.8" ] || [ "$RELEASE" = "5.10" ] || [ "$RELEASE" = "5.9" ]
   then
           release7
           release8
   elif [ "$RELEASE" = "5.6" ]
   then
           release6
   fi

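An audit companion to items 1 and 3, added here and not part of the original checklist: it reads each kernel parameter back with ndd -get and reports any that differ from the values the exconfig script sets, and checks /etc/default/inetinit for TCP_STRONG_ISS=2. It assumes Solaris 7 or later with /usr/sbin (ndd) in PATH; the file name audit.sh and the --run flag are this example's own convention.

```shell
# Added audit script (not from the original checklist). Reads back the kernel
# parameters that /etc/init.d/exconfig sets, via "ndd -get", and flags any that
# differ. Assumes Solaris 7+ with ndd in PATH. Run as: sh audit.sh --run
# Expected "device parameter value" triples, from the page's release7 function.
EXPECTED_NDD='
/dev/ip ip_forwarding 0
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip_send_redirects 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_forward_src_routed 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_ip_abort_cinterval 60000
'
# Item 1: succeed only if FILE (default /etc/default/inetinit) contains an
# uncommented TCP_STRONG_ISS=2 line.
check_strong_iss() {
    grep -q '^[[:space:]]*TCP_STRONG_ISS=2[[:space:]]*$' "${1:-/etc/default/inetinit}"
}
# Item 3: print OK / MISMATCH / UNREADABLE per parameter; return 1 if any deviate.
# A here-document (not a pipe) keeps the loop in the current shell so _bad survives.
audit_ndd() {
    _bad=0
    while read -r dev param want; do
        [ -z "$dev" ] && continue
        if have=$(ndd -get "$dev" "$param" 2>/dev/null); then
            if [ "$have" = "$want" ]; then
                echo "OK         $param=$have"
            else
                echo "MISMATCH   $param=$have (expected $want)"; _bad=1
            fi
        else
            echo "UNREADABLE $dev $param"; _bad=1
        fi
    done <<EOF
$EXPECTED_NDD
EOF
    return $_bad
}
# Only run the checks when invoked with --run, so the file can also be sourced.
[ "${1:-}" = "--run" ] && {
    check_strong_iss && echo "OK         TCP_STRONG_ISS=2" || echo "MISMATCH   TCP_STRONG_ISS"
    audit_ndd
}
```

The overall exit status of audit_ndd is non-zero on any deviation, so the script can be wired into a periodic compliance job.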
4. Disable multicast on the server: edit the file "/etc/rc2.d/S72inetsvc" and comment out (or remove) the following lines:
   #(
   #if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
   #   mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
   #else
   #   mcastif=$_INIT_UTS_NODENAME
   #fi
   #
   #echo "Setting default IPv4 interface for multicast:" \
   #   "add net 224.0/4: gateway $mcastif"
   #
   #/usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
   #)&

For Solaris 10:
Multicast is instead disabled by the script /etc/rc2.d/S72inetsvc-os10 described under item 6, which deletes the default multicast route.

5. Denial of service prevention system settings.
The following services must be disabled on all servers, unless required by a business function, by removing them from /etc/services: ftp-data ftp tftp pop2 pop3 pop-2 nntp chargen daytime discard echo finger talk who whois new-rwho klogin eklogin telnet systat netstat time

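An added check for item 5, not from the original page: it reports which of the listed services are still active (uncommented) entries in an /etc/services-style file. Because /etc/inetd.conf uses the same first-field layout, the same function can be pointed at that file as well; the function name and the sample file in the comments are constructed for this example.

```shell
# Added check (not from the original checklist): lists any of item 5's services
# that are still defined as active (uncommented) entries in a file whose first
# field is the service name (/etc/services, as the page specifies, or
# /etc/inetd.conf). FILE defaults to /etc/services.
DENIED_SERVICES='ftp-data ftp tftp pop2 pop3 pop-2 nntp chargen daytime discard
echo finger talk who whois new-rwho klogin eklogin telnet systat netstat time'

# active_denied_services [FILE]: print each still-active denied service name;
# return 0 if none are found, 1 otherwise, so it can drive a compliance check.
# Example: a file containing "ftp-data 20/tcp" and "#ftp 21/tcp" reports only ftp-data.
active_denied_services() {
    _found=0
    for svc in $DENIED_SERVICES; do
        # Drop comment lines, then match the service name as the whole first field
        if grep -v '^[[:space:]]*#' "${1:-/etc/services}" \
           | grep -q "^[[:space:]]*$svc[[:space:]]"; then
            echo "$svc"; _found=1
        fi
    done
    return $_found
}
```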
6. Prevent "core dump" files being generated by inetd, as they may contain login information. This is achieved by editing the file "/etc/rc2.d/S72inetsvc". Change the line:
   /usr/sbin/inetd -s &
to:
   /usr/bin/ulimit -c 0; /usr/sbin/inetd -s -t &
Note:
ulimit -c 0 : sets the maximum core file size to 0 bytes, so no core file is written
inetd -s -t : stand-alone server with tracing of all TCP connections

For Solaris 10:
Create the script /etc/rc2.d/S72inetsvc-os10 with the contents shown below (it also deletes the default multicast route, replacing the edit in item 4, and enables TCP connection tracing on the SMF-managed inetd) and make it executable:
   # cat /etc/rc2.d/S72inetsvc-os10
   IPADDR=`netstat -nr | grep -w 224.0.0.0 | awk '{print $2}'`
   /usr/sbin/route -n delete -interface "224.0/4" $IPADDR
   /usr/sbin/svcadm enable inetd
   /usr/sbin/inetadm -M tcp_trace=TRUE
   # chmod 555 /etc/rc2.d/S72inetsvc-os10

7. .netrc file system settings. .netrc files (including one in root's home directory) are not permitted; locate and remove any that exist, using the command:
   find / -name .netrc -print
solaris.txt · Last modified: 2009/05/25 00:35 (external edit)
CC Attribution-Noncommercial-Share Alike 4.0 International