Securing a Solaris Workstation
Getting Started
By default, Solaris installations contain numerous potential security problems: many unneeded services are installed and enabled. This document attempts to provide a solid foundation for the beginning administrator. Remember to test these steps on a non-production machine first, particularly when applying a patch or installing a new security tool.
Most of the recommendations below are intended to keep the system from being compromised by automated scripts launched by novice attackers or by rapidly propagating worms and Trojan horse programs. They are certainly not exhaustive, but they should be seriously considered by anyone who wants a basic level of security.
The Distributed Computing Initiative provides an outstanding system administration service for Solaris systems. Placing a machine in their care will ensure that the system will be constantly patched and efficiently administered. For more information, please visit their site at http://its.unc.edu/dci/
According to the SANS Top 20 Most Critical Internet Security Vulnerabilities, a system is at its most vulnerable immediately after a default installation, before it has been configured. Keep the network cable physically disconnected from the moment the operating system is installed until the system has been patched and the steps below are complete: a default install can easily be compromised during those early stages of configuration and customization. Bring patches and tools to the machine on removable media or from a trusted local host rather than leaving it exposed while you download them.
Physical Security
The most basic form of system security is, of course, physical security. Ideally, the systems would be located in a controlled-access environment (e.g. behind locked doors or in restricted areas). Beyond that, the OpenBoot PROM can be configured so that someone with console access cannot simply boot the machine from their own media.
As root, set the PROM security mode; eeprom prompts for a PROM password, which is entered twice:
eeprom security-mode=command
(The equivalent at the OpenBoot "ok" prompt is setenv security-mode command, with the password command to set the password.) In command mode a plain boot from the default device still works without the password, so an unattended reboot completes normally, but boot cdrom, boot floppy and every other PROM command ask for it. The stricter security-mode=full requires the password even for a normal boot, which means a machine rebooted remotely will sit at the PROM until someone at the console types it in. Two caveats: there is no recovery if the PROM password is forgotten short of replacing the NVRAM, so record it somewhere safe; and eeprom security-#badlogins shows how many wrong PROM passwords have been entered, which is worth checking periodically and resetting to 0.
Security Basics
Choosing a strong password is one of the most basic steps toward a secure system and also one of the most important. Please see our document on choosing good passwords at http://www.unc.edu/security/choosing_passwords.html . Password policy is set in /etc/default/passwd. At minimum, raise PASSLENGTH from the shipped default of 6 to 8 so that every password must be at least 8 characters; MAXWEEKS, MINWEEKS and WARNWEEKS in the same file control password aging. Note that the traditional Unix password hash used by Solaris 8 only looks at the first eight characters, so extra length beyond that adds no strength and those eight characters must be chosen well.
Never log in directly as root. Log in as an ordinary user and use su or sudo to run the commands that need root privileges. Keep the CONSOLE=/dev/console line in /etc/default/login, which restricts direct root logins to the physical console.
Several accounts created during installation may not be necessary. uucp, nuucp, adm, lp, smtp and listen can usually be deleted safely, but check what each one is used for first (lp, for instance, is needed if the system prints). Look at each entry in /etc/passwd before deleting: any of these accounts that shares UID 0 with root is effectively a second root login and should go first. If you would rather not delete an account, lock it with passwd -l so it cannot be used to log in. Delete the matching groups as well, and remember that deleting a user does not remove its crontab file from /var/spool/cron/crontabs, so delete that too.
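The procedure above as an added dry-run script (not part of the original page): it reads /etc/passwd, /etc/group and the crontab directory and prints the userdel, groupdel and rm commands for whichever of the listed accounts exist, flagging the two cases that need a decision rather than a script, an account that shares UID 0 with root and a group that another account still uses as its primary group. The file locations and the function names are the example's own assumptions; the locations can be overridden so the plan can be produced from copies of the files first.

```sh
#!/bin/sh
# Added example (not from the original page): plan the removal of the stock
# accounts named above without executing anything. The file locations are
# assumptions that can be overridden so the plan can be produced from copies
# of the files before touching a live system.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}
CRONTAB_DIR=${CRONTAB_DIR:-/var/spool/cron/crontabs}
CANDIDATES=${CANDIDATES:-"uucp nuucp adm lp smtp listen"}

# passwd_field NAME N: field N of NAME's passwd entry, empty if NAME is absent
passwd_field() {
    awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; exit }' "$PASSWD_FILE"
}

# group_gid NAME: numeric gid of the group called NAME, empty if absent
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$GROUP_FILE"
}

# other_members GID USER: accounts other than USER whose primary group is GID
other_members() {
    awk -F: -v gid="$1" -v u="$2" '$4 == gid && $1 != u { print $1 }' \
        "$PASSWD_FILE" | tr '\n' ' ' | sed 's/ $//'
}

# plan_account_cleanup: one command or warning per line. Two cases need a
# human decision and are flagged rather than planned away: an entry that
# shares UID 0 with root, and a group that another account still uses.
plan_account_cleanup() {
    for u in $CANDIDATES; do
        uid=$(passwd_field "$u" 3)
        if [ -z "$uid" ]; then
            continue                      # not present on this system
        fi
        if [ "$uid" -eq 0 ]; then
            echo "WARNING $u has UID 0 (a second root account) - remove it first"
        fi
        # deleting the user leaves the crontab behind, so remove it explicitly
        if [ -f "$CRONTAB_DIR/$u" ]; then
            echo "rm $CRONTAB_DIR/$u"
        fi
        echo "userdel $u"
        gid=$(group_gid "$u")
        if [ -n "$gid" ]; then
            others=$(other_members "$gid" "$u")
            if [ -n "$others" ]; then
                echo "keep group $u (still the primary group of: $others)"
            else
                echo "groupdel $u"
            fi
        fi
    done
}

plan_account_cleanup
```

Run it as root, read the plan, then execute the printed lines by hand, or lock the accounts with passwd -l instead of removing them. The script itself changes nothing.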
Keeping the system up to date on patches is also critical to maintaining a well-functioning and secure system. Most patches can be obtained from http://sunsolve.sun.com . After installing Solaris 8, download the Recommended patch cluster, 8_Recommended.zip, to a temporary directory, unpack it, install it and reboot; delete the zip file and the unpacked directory afterwards. The -nosave option skips the backup copies that would let a patch be removed later with patchrm; leave it off if you have the disk space. Afterwards showrev -p lists the installed patches, and the log that install_cluster writes under /var/sadm/install_data shows any patch that failed to apply.
# cd /directory/tmp
# unzip 8_Recommended.zip
# cd 8_Recommended
# ./install_cluster -nosave
# init 6 (reboot)
Security Tools
There are some common, free tools that provide a substantial amount of system security and are simple to install and configure.
- OpenSSH ( http://www.openssh.org/ ) replaces telnet, rlogin and ftp with an encrypted login and file-transfer channel.
- PortSentry and Logcheck (both available from http://www.psionic.com/ ) complement each other: PortSentry watches for port scans and probes and can block the source host, while Logcheck periodically scans the system logs and mails a summary of anything unusual, including PortSentry's alerts.
- Nmap ( http://www.insecure.org/nmap/ ) is a port scanner. Run it against the workstation from another host, before and after hardening, to see which services are actually reachable over the network.
- lsof ( http://freshmeat.net/projects/lsof ) lists the open files and network sockets of every running process, which tells you which process is behind a listening port that nmap found.
- Titan ( http://www.fish.com/titan/ ) and YASSP ( http://www.yassp.org/ ) are hardening scripts that run through a series of checks and apply fixes automatically. Read what they change before running them.
- TCP Wrappers ( ftp://ftp.porcupine.org/pub/security ) adds per-host access control and logging to services started from inetd.
- rpcbind ( ftp://ftp.porcupine.org/pub/security ), a replacement portmapper from the same author, applies the same access control to RPC services.
- Fix-modes ( ftp://ftp.science.uva.nl/pub/solaris ) tightens the permissions of the files installed with Solaris.
Configuring Security Tools
OpenSSH
After installing the most recent version of OpenSSH, tighten a few options in the sshd_config file. Disable SSH protocol 1 and allow only protocol 2, and do not let root log in over SSH at all: to become root remotely, log in as a normal user and then use su. The fragments below show the relevant lines as shipped and as they should read afterwards. sshd only reads the file when it starts, so send the running daemon a HUP signal (or restart it) for the change to take effect; existing sessions are unaffected, so do this from a second session and confirm you can still log in before closing the first.
Change:
Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
to:
Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
Also change:
# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
to:
# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
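The two changes above as an added shell helper (not from the original page or from OpenSSH) that audits an sshd_config and applies them in place. One detail matters here: sshd uses the first value it reads for a keyword, so appending PermitRootLogin no at the bottom of a file that already says yes higher up changes nothing. The helper rewrites the first occurrence of each keyword, commented out or not, and comments out any later duplicate; keywords are matched case-insensitively, as sshd does. The function names are the example's own.

```sh
#!/bin/sh
# Added example (not part of the original page or of OpenSSH): audit and
# rewrite the two sshd_config directives changed above. sshd honours the
# FIRST value it reads for a keyword, so a hardened line appended at the end
# of the file does nothing if an earlier, active line says something else.

# sshd_setting FILE KEYWORD: the value sshd would actually use (first live line)
sshd_setting() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        $1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE: force "Protocol 2" and "PermitRootLogin no" in place
harden_sshd_config() {
    f=$1
    awk '
        {
            k = tolower($1); sub(/^#/, "", k)   # "#Protocol" and "Protocol" both match
            if (k == "protocol" || k == "permitrootlogin") {
                if (seen[k]++) {
                    # a later duplicate: leave it if already commented, else disable it
                    if ($0 ~ /^#/) print
                    else print "#" $0 "   # duplicate disabled by harden_sshd_config"
                } else if (k == "protocol") {
                    print "Protocol 2"
                } else {
                    print "PermitRootLogin no"
                }
                next
            }
            print
        }
        END {
            # directives the file never mentions at all are appended
            if (!seen["protocol"]) print "Protocol 2"
            if (!seen["permitrootlogin"]) print "PermitRootLogin no"
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# audit_sshd_config FILE: report both settings; return 1 if either is weak
audit_sshd_config() {
    proto=$(sshd_setting "$1" Protocol)
    root=$(sshd_setting "$1" PermitRootLogin)
    echo "Protocol=${proto:-unset} PermitRootLogin=${root:-unset}"
    [ "$proto" = 2 ] && [ "$root" = no ]
}
```

audit_sshd_config exits non-zero when either setting is still weak, so it can double as a periodic drift check, for example from cron alongside Logcheck.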
Configuring Logging
Logging is another fundamental step to maintaining a secure system. The default Solaris installation lacks some key components that need to be logged.
In /etc/default/login, uncomment SYSLOG_FAILED_LOGINS=5 and make sure SYSLOG=YES is still set. The number is how many consecutive failed attempts login tolerates before reporting them to syslog; set it to 0 to log every failure. Then add the following line to /etc/syslog.conf. The selector and the file name must be separated by a tab, not spaces, or syslogd will not accept the line:
auth.info	/var/log/authlog
Then create the log file, give only root access to it, and have syslogd re-read its configuration:
touch /var/log/authlog
chown root /var/log/authlog
chmod 600 /var/log/authlog
kill -HUP `cat /etc/syslog.pid`
This collects everything logged to the auth facility at info level and above in one file: successful and failed logins, su attempts and sshd's authentication messages.
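An added example (not from the original page) of reading the authlog once it exists: it counts failed logins per source address, with the number of distinct user names tried from each, and lists the sources at or above a threshold. The sample lines used to exercise it are constructed. The sshd "Failed password for ... from ADDR" form is what OpenSSH logs; the "REPEATED LOGIN FAILURES ON ... FROM host, user" form is assumed from what Solaris login reports once SYSLOG_FAILED_LOGINS is reached. Function names and the log path default are the example's own.

```sh
#!/bin/sh
# Added example (not from the original page): summarise the authlog created
# above by source address. The sshd "Failed password" form is what OpenSSH
# logs; the "REPEATED LOGIN FAILURES" form is what Solaris login(1) reports
# once SYSLOG_FAILED_LOGINS is reached (exact format assumed here).
AUTHLOG=${AUTHLOG:-/var/log/authlog}

# failed_logins_by_source [FILE]: prints "failures source distinct_users",
# one line per source, busiest source first
failed_logins_by_source() {
    awk '
        # sshd: Failed password for [invalid user] NAME from ADDR port N ssh2
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { src = $(i + 1); user = $(i - 1) }
            count(src, user); next
        }
        # login: REPEATED LOGIN FAILURES ON /dev/pts/N FROM HOST, USER
        /REPEATED LOGIN FAILURES ON / {
            for (i = 1; i <= NF; i++)
                if ($i == "FROM") { src = $(i + 1); sub(/,$/, "", src); user = $(i + 2) }
            count(src, user); next
        }
        function count(s, u) {
            fails[s]++
            if (!((s, u) in seen)) { seen[s, u] = 1; users[s]++ }
        }
        END { for (s in fails) print fails[s], s, users[s] }
    ' "${1:-$AUTHLOG}" | sort -rn
}

# brute_force_sources [THRESHOLD] [FILE]: sources with at least THRESHOLD
# failures (default 5), the ones worth blocking or investigating first
brute_force_sources() {
    failed_logins_by_source "${2:-$AUTHLOG}" | awk -v t="${1:-5}" '$1 >= t { print $2 }'
}

if [ -r "$AUTHLOG" ]; then
    failed_logins_by_source "$AUTHLOG"
fi
```

A high failure count with many distinct user names from one address is the signature of a password-guessing script; a high count with a single name is more often a forgotten password. brute_force_sources gives the list a PortSentry or TCP Wrappers deny rule would be built from.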
By default, some system daemons create files that are world-readable or even world-writable, because the startup scripts run with a permissive umask. To give everything started at boot a restrictive umask, create a small script in /etc/init.d and link it into every rc directory:
echo 'umask 022' >/etc/init.d/umask.sh
chmod 744 /etc/init.d/umask.sh
for dir in /etc/rc?.d
do
ln -s ../init.d/umask.sh $dir/S00umask.sh
done
The name matters. The /sbin/rcN scripts source a file whose name ends in .sh (with ". file") instead of running it in a subshell, so the umask takes effect in the rc shell itself and is inherited by every daemon started afterwards; the S00 prefix makes it the first thing run in each run level. After the next reboot, ls -l on a file a daemon has just created should show no group or world write permission.
Configuring Networking
There are also a few networking tweaks that will substantially increase the system's security.
Set TCP_STRONG_ISS=2 in /etc/default/inetinit. This makes the kernel generate initial TCP sequence numbers per RFC 1948 instead of the predictable default, which defeats blind connection spoofing; the file is read at boot, so the change takes effect after a reboot.
Create a script file containing the following ndd commands. They take effect immediately but are not stored anywhere, so the script has to be run at every boot (for example from /etc/init.d with a link in /etc/rc2.d):
#!/bin/sh
# selective acknowledgement: a performance setting, not a security one
ndd -set /dev/tcp tcp_sack_permitted 2
# a larger half-open connection queue and a shorter connect timeout blunt SYN floods
ndd -set /dev/tcp tcp_conn_req_max_q0 8192
ndd -set /dev/tcp tcp_ip_abort_cinterval 60000
# do not answer ICMP timestamp and address-mask requests (network reconnaissance)
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
# ignore incoming ICMP redirects and never send them
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_send_redirects 0
# this is a workstation, not a router: forward nothing, including source-routed
# packets, and only accept packets on the interface that owns their destination
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forwarding 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip_forward_src_routed 0
# age ARP entries out after one minute so a spoofed entry does not linger
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/arp arp_cleanup_interval 60000
(These settings change the running kernel's TCP/IP behavior immediately and can be checked at any time with ndd -get, for example ndd -get /dev/ip ip_forwarding. Because they are not saved, a setting that reads back wrong after a reboot means the script did not run.)
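The ndd settings above as an added rc script (not from the original page) with a verify step, since ndd changes live only in the running kernel and are lost at reboot. It is meant to be installed as /etc/init.d/nddconfig with a link /etc/rc2.d/S70nddconfig; both names are assumptions, any S-script that sorts after the network startup scripts will do. Keeping the settings as a data table means apply and verify cannot disagree about what the correct values are, and "verify" can be run from cron as a drift check.

```sh
#!/bin/sh
# Added example (not from the original page): the ndd settings above as an
# rc script with a verify step. Install as /etc/init.d/nddconfig and link it
# as /etc/rc2.d/S70nddconfig (both names assumed).

# One "driver parameter value" per line. The table is data, so the same list
# drives both apply and verify.
NDD_SETTINGS='
/dev/tcp tcp_sack_permitted 2
/dev/tcp tcp_conn_req_max_q0 8192
/dev/tcp tcp_ip_abort_cinterval 60000
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forwarding 0
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip_forward_src_routed 0
/dev/ip ip_ire_arp_interval 60000
/dev/arp arp_cleanup_interval 60000
'

# ndd_apply: set every entry; returns the number of entries that failed
ndd_apply() {
    failed=0
    while read -r drv param val; do
        [ -n "$drv" ] || continue
        if ! ndd -set "$drv" "$param" "$val"; then
            echo "ndd_apply: could not set $param on $drv" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$NDD_SETTINGS
EOF
    return $failed
}

# ndd_verify: read every value back; print each mismatch, return their count
ndd_verify() {
    drift=0
    while read -r drv param want; do
        [ -n "$drv" ] || continue
        have=$(ndd -get "$drv" "$param" 2>/dev/null || true)
        if [ "$have" != "$want" ]; then
            echo "DRIFT $drv $param is '${have:-unset}', expected $want"
            drift=$((drift + 1))
        fi
    done <<EOF
$NDD_SETTINGS
EOF
    return $drift
}

case "$1" in
start)  ndd_apply && ndd_verify ;;
verify) ndd_verify ;;
stop)   ;;                              # nothing to undo; values revert at reboot
*)      echo "usage: $0 start|stop|verify" ;;
esac
```

Run "sh /etc/init.d/nddconfig verify" after the first reboot: an empty result means every value survived the boot, and each DRIFT line names a parameter that either did not get set or was changed since.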
Install the fix-modes script, which tightens the ownership and permissions of the files installed by Solaris packages, including the large number of set-UID programs present by default. Run it after patching as well as after the initial install, since a patch can reinstall files with their original permissions.
Review
Using some or all of the techniques described in this document will let you install a Solaris system and significantly tighten its security. Keep in mind that the only system that is 100% secure is one that is not plugged into the network, so you should have a reliable backup system in case your machine does get compromised. Even if your system has been hacked, you can reinstall the OS and restore your data, provided it is preserved in a safe and trusted archive; restore only data, not system binaries or configuration, from any backup taken after the compromise.
If you would like a vulnerability scan run on your campus machine, the ITS Security office will be happy to send you a report. Please email us at security@unc.edu for a scan request or for any questions.


