solaris [2009/05/25 00:35] (current)
1. Configure for more random TCP initial sequence number generation. Check that in /etc/default/inetinit the variable TCP_STRONG_ISS is set to 2, i.e. the line reads TCP_STRONG_ISS=2.

2. IP forwarding is to be turned off to prevent the machine from acting as a router. To disable IP forwarding, the file /etc/notrouter must be present. If the file is missing, create it with:
touch /etc/notrouter

To prevent dynamic route updates via the network, move in.routed and in.rdisc out of the /usr/sbin directory with the following commands:
mv /usr/sbin/in.routed /export/home/cfgh/base
mv /usr/sbin/in.rdisc /export/home/cfgh/base

3. Change the default kernel IP settings for better security. Follow these steps to change the kernel IP default values:

Set up the files and environment:
touch /etc/init.d/exconfig
ln -s /etc/init.d/exconfig /etc/rc2.d/S70exconfig
chmod 744 /etc/init.d/exconfig /etc/rc2.d/S70exconfig

Edit the file /etc/init.d/exconfig and add the following lines:
#!/bin/sh
# /etc/init.d/exconfig - set the kernel IP/TCP/ARP driver tunables with ndd(1M),
# choosing the parameter set by Solaris release (uname -r gives 5.6, 5.7, 5.8 ...)
RELEASE=`/usr/bin/uname -r`

release7 ()
{
    /usr/sbin/ndd -set /dev/ip ip_forwarding 0
    /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
    /usr/sbin/ndd -set /dev/ip ip_send_redirects 0
    /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
    /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
    /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
    /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
    /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 4096
    /usr/sbin/ndd -set /dev/tcp tcp_ip_abort_cinterval 60000
    /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
    /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
    /usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
    /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
    # a longer TCP keepalive interval only on hosts that have the mqm account
    id -a mqm > /dev/null 2>&1
    if [ $? -eq 0 ]
    then
        /usr/sbin/ndd -set /dev/tcp tcp_keepalive_interval 600000
    fi
}

release8 ()
{
    # IPv6 counterparts of the settings above, available from Solaris 8 onwards
    /usr/sbin/ndd -set /dev/ip ip6_forwarding 0
    /usr/sbin/ndd -set /dev/ip ip6_strict_dst_multihoming 1
    /usr/sbin/ndd -set /dev/ip ip6_send_redirects 0
    /usr/sbin/ndd -set /dev/ip ip6_ignore_redirect 1
    /usr/sbin/ndd -set /dev/ip ip6_forward_src_routed 0
    /usr/sbin/ndd -set /dev/ip ip_ire_arp_interval 60000
}

release6 ()
{
    # reduced set of tunables supported by Solaris 2.6
    /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
    /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
    /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
    /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
    /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
}

if [ "$RELEASE" = "5.7" ]
then
    release7
elif [ "$RELEASE" = "5.8" ] || [ "$RELEASE" = "5.9" ] || [ "$RELEASE" = "5.10" ]
then
    release7
    release8
elif [ "$RELEASE" = "5.6" ]
then
    release6
fi

4. Disable multicast on the server: edit the file /etc/rc2.d/S72inetsvc and comment out or remove the following lines:
#(
#if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
#        mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
#else
#        mcastif=$_INIT_UTS_NODENAME
#fi
#
#echo "Setting default IPv4 interface for multicast:" \
#        "add net 224.0/4: gateway $mcastif"
#
#/usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
#)&

For Solaris 10:
Multicast is instead disabled by the script /etc/rc2.d/S72inetsvc-os10 (created in item 6 below).

5. Denial of service prevention: system settings.
The following services must be disabled on all servers (in /etc/services) unless required by a business function: ftp-data, ftp, tftp, pop2, pop3, pop-2, nntp, chargen, daytime, discard, echo, finger, talk, who, whois, new-rwho, klogin, eklogin, telnet, systat, netstat, time.

6. Prevent inetd from generating a core dump, as it may contain login information. Edit the file /etc/rc2.d/S72inetsvc and change the line:
/usr/sbin/inetd -s &
to:
ulimit -c 0; /usr/sbin/inetd -s -t &
Note:
ulimit -c 0 : sets the core file size limit to 0 bytes; it must be the shell builtin, run in the same shell that starts inetd, so that inetd inherits the limit (the /usr/bin/ulimit wrapper script runs in a child process and would not affect inetd)
inetd -s -t : stand-alone server with tracing of all TCP connections

For Solaris 10:
Create the script /etc/rc2.d/S72inetsvc-os10 with the following contents:
#!/bin/sh
# /etc/rc2.d/S72inetsvc-os10 - remove the default multicast interface route,
# then start inetd through SMF with tracing of all TCP connections
IPADDR=`netstat -nr | grep -w 224.0.0.0 | awk '{print $2}'`
/usr/sbin/route -n delete -interface "224.0/4" "$IPADDR"
/usr/sbin/svcadm enable inetd
/usr/sbin/inetadm -M tcp_trace=TRUE
Then make it executable:
chmod 555 /etc/rc2.d/S72inetsvc-os10

7. .netrc files: system settings (.netrc files anywhere, including root's home directory). These files are not permitted; remove any that exist. To locate them, issue the command:
find / -name .netrc -print
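An offline audit helper for items 1 and 3, added here as an example (it is not part of the original checklist). It checks an /etc/default/inetinit file for a live TCP_STRONG_ISS=2 line and compares a "driver parameter value" listing against the exconfig values; that listing format is an assumption of this example, and on a Solaris host it would be built with ndd -get for each parameter. The sample input is constructed.

```shell
#!/bin/sh
# Offline audit helper for items 1 and 3 above (added example, not part of the
# original checklist). Input is plain text on stdin so it can run anywhere;
# on a Solaris host the tunable listing is produced with ndd(1M), e.g.
#   for p in ip_forwarding ip_send_redirects; do echo "/dev/ip $p `ndd -get /dev/ip $p`"; done

# Expected "driver parameter value" triples, taken from the exconfig script.
EXPECTED="/dev/ip ip_forwarding 0
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip_send_redirects 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_forward_src_routed 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/tcp tcp_conn_req_max_q0 4096
/dev/ip ip6_forwarding 0
/dev/ip ip6_ignore_redirect 1"

# check_strong_iss: reads an /etc/default/inetinit on stdin; succeeds only when an
# uncommented TCP_STRONG_ISS=2 line is present (a commented-out one does not count).
check_strong_iss() {
    grep '^[[:space:]]*TCP_STRONG_ISS=2[[:space:]]*$' >/dev/null
}

# audit_tunables: reads "driver parameter actual" lines on stdin and prints one
# "MISMATCH ..." line per tunable that differs from EXPECTED; a tunable missing
# from the input is reported with actual=<unset>.
audit_tunables() {
    actual=$(cat)
    printf '%s\n' "$EXPECTED" | while read -r drv prm want; do
        have=$(printf '%s\n' "$actual" |
            awk -v d="$drv" -v p="$prm" '$1 == d && $2 == p { print $3 }')
        [ "$have" = "$want" ] ||
            echo "MISMATCH $drv $prm expected=$want actual=${have:-<unset>}"
    done
}

# count_mismatches: same stdin as audit_tunables, prints the number of deviations.
count_mismatches() {
    audit_tunables | awk '/^MISMATCH/ { n++ } END { print n + 0 }'
}

# Constructed sample (not real host output): derived from EXPECTED with IP
# forwarding switched back on and the broadcast-echo tunable missing entirely.
SAMPLE=$(printf '%s\n' "$EXPECTED" |
    sed 's|^/dev/ip ip_forwarding 0$|/dev/ip ip_forwarding 1|' | grep -v echo_broadcast)

printf '%s\n' "$SAMPLE" | audit_tunables   # reports the two deviations
```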