Thursday, November 22, 2007

7 steps to better Solaris Network Settings

I was auditing one of our customer again and this time round, i managed to come up with a 7 step guide to better secure the TCP stack for Solaris. Well, you guys can add on for more.

1. Configure for more random TCP sequence number generation. Check that in(/etc/default/inetinit), the TCP_STRONG_ISS is set to 2. For instance, TCP_STRONG_ISS=2

2. IP forwarding is to be turned off to prevent the machine acting as a router. To disable IP forwarding, a file "/etc/notrouter" need to be present. If the file is missing, issue the following command to create one : touch /etc/notrouter

To prevent dynamic routes updates via the network, move "in.routed" and "in.rdisc" away from "/usr/sbin" directory by perform the following commands :
mv /usr/sbin/in.routed /export/home/cfgh/base
mv /usr/sbin/in.rdisc /export/home/cfgh/base

3. Change default kernel IP settings for better security. Following the following steps to change the kernel IP defaults values :

Setup files and environment:
touch /etc/init.d/exconfig
ln -s /etc/init.d/exconfig /etc/rc2.d/S70exconfig
chmod 744 /etc/init.d/exconfig /etc/rc2.d/S70exconfig

Edit file "/etc/init.d/exconfig" and add the following lines:
#!/bin/sh
# /etc/init.d/exconfig
RELEASE=`/usr/bin/uname -r`
release7 ()
{
/usr/sbin/ex -set /dev/ip ip_forwarding 0
/usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ex -set /dev/ip ip_send_redirects 0
/usr/sbin/ex -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ex -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ex -set /dev/tcp tcp_conn_req_max_q0 4096
/usr/sbin/ex -set /dev/tcp tcp_ip_abort_cinterval 60000
/usr/sbin/ex -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ex -set /dev/ip ip_respond_to_timestamp_broadcast 0
/usr/sbin/ex -set /dev/ip ip_respond_to_address_mask_broadcast 0
/usr/sbin/ex -set /dev/arp arp_cleanup_interval 60000
id -a mqm > /dev/null 2>&1
if [ \$? -eq 0 ]
then
/usr/sbin/ex -set /dev/tcp tcp_keepalive_interval 600000
fi
}
release8 ()
{
/usr/sbin/ex -set /dev/ip ip6_forwarding 0
/usr/sbin/ex -set /dev/ip ip6_strict_dst_multihoming 1
/usr/sbin/ex -set /dev/ip ip6_send_redirects 0
/usr/sbin/ex -set /dev/ip ip6_ignore_redirect 1
/usr/sbin/ex -set /dev/ip ip6_forward_src_routed 0
/usr/sbin/ex -set /dev/ip ip_ire_arp_interval 60000
}
release6 ()
{
/usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ex -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ex -set /dev/ip ip_forward_src_routed 0
}

if [ \$RELEASE = "5.7" ]
then
release7
elif [ \$RELEASE = "5.8" ] || [ \$RELEASE = "5.10" ] || [ \$RELEASE = "5.9" ]
then
release7
release8
elif [ \$RELEASE = "5.6" ]
then
release6
fi

4. Disable multicast from the server, edit the file "/etc/rc2.d/S72inetsvc" and comment out/remove the following lines :
#(
#if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
# mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
#else
# mcastif=$_INIT_UTS_NODENAME
#fi
#
#echo "Setting default Ipv4 interface for multicase:" \
# "add net 224.0/4: gateway $mcastif
#
#/usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
#)&

For Solaris 10
Multicast would be disabled using /etc/rc2.d/S72inetsvc-os10

5. Denial of Service Prevention System Settings.
Services that must be disabled on all servers, unless required by business function from /etc/services. Services include: ftp-data ftp tftp pop2 pop3 pop-2 nntp chargen daytime discard echo finger talk who whois new-rwho klogin eklogin telnet systat netstat time

6. Prevent "core dump" generated by inetd as it may contain login information. This could be achieved by editing the file "/etc/rc2.d/S72inetsvc". Change the line :
/usr/sbin/inetd -s &
to /usr/bin/ulimit -c 0; /usr/sbin/inetd -s -t &
Note :
ulimit -c 0 : set the core file size to 0 byte
inetd -s -t : stand-alone server with tracing of all tcp connections

For Solaris 10
Create the script /etc/rc2.d/S72inetsvc-os10 as per below.
#cat /etc/rc2.d/S72inetsvc-os10
IPADDR=`netstat -nr | grep -w 224.0.0.0 | awk '{print $2}'`
/usr/sbin/route -n delete -interface "224.0/4" $IPADDR
/usr/sbin/svcadm enable inetd
/usr/sbin/inetadm -M tcp_trace=TRUE
#chmod 555 /etc/rc2.d/S72inetsvc-os10

7. .netrc files System Settings (.netrc files, .netrc files in root’s home directory). Files are not permitted, remove the files if any, issue command find / -name .netrc -print

The Hacka Man

7 comments:

viagra online said...

It is amazing indeed how technology every day discover new ways to improve things, almost everyday new gadgets, new inventions are put in the market.

BlackBerry Application Development said...

It is really a nice and helpful piece of information. I am glad that you just shared this helpful info with us. Please keep us up to date like this. Thanks for sharing. iPad App Developer

xl pharmacy said...

Very useful data, thanks for sharing it.

Sony LT22i said...

I basically knew about most of this, but never the less, I still thought it had been practical. Excellent post!

Marylou said...

Here, I do not actually think this is likely to have success.

Anonymous said...

buy xanax buy generic xanax no prescription - buy cheap alprazolam no prescription

Anonymous said...

xanax for sale without prescription xanax withdrawal symptoms cold turkey - xanax extended release side effects