Securing Solaris (HELP ME)Step by Step?????????


Post by Ross » Tue, 03 Apr 2001 10:03:33



Does anyone know of online detailed step by step instructions for securing a
new Solaris box?  Mostly what I find is vague instructions.  I have
inherited the responsibility of securing 10 UNIX servers.  I am a C
programmer not a UNIX admin.  Help is appreciated.
 
 
 


Post by chad Opplige » Tue, 03 Apr 2001 10:30:53



> Does anyone know of online detailed step by step instructions for securing a
> new Solaris box?  Mostly what I find is vague instructions.  I have
> inherited the responsibility of securing 10 UNIX servers.  I am a C
> programmer not a UNIX admin.  Help is appreciated.

You might consider "Solaris Security" by Peter H. Gregory ISBN 0-13-096053-5
This is a good book to start with.  You might also want to look at Big Admin on
Sun.  They have some good information.
http://www.sun.com/bigadmin/faq/indexSec.html

Chad
--
Chad Oppliger - System Administrator
Lockheed Martin Technical Operations
CSSA, CSNA


 
 
 


Post by Dennis Clark » Tue, 03 Apr 2001 10:55:16


Step by Step?!

I hate to say the ugly truth, but in general, for all intents and purposes
you're out of luck.  The people that do know how to secure a Solaris box are not
going to tell you for free.  They certainly are not going to post it on a web
site for free.  That's the hard truth.

To get you started :

Reduce the number of services that are listening to ports on the systems.

The file you need to look at is /etc/inet/inetd.conf, simply comment out the
lines for services that you know you don't want or need.  Be careful of rpc
services if you need to run scripts for backup that rsh from system to system.

By default, a system will listen for connections on a LOT of ports, thus :

$ netstat -a

UDP
   Local Address         Remote Address     State
-------------------- -------------------- -------
      *.route                               Idle
      *.*                                   Unbound
      *.sunrpc                              Idle
      *.*                                   Unbound
      *.32771                               Idle
      *.name                                Idle
      *.biff                                Idle
      *.talk                                Idle
      *.time                                Idle
      *.echo                                Idle
      *.discard                             Idle
      *.daytime                             Idle
      *.chargen                             Idle
      *.32772                               Idle
      *.32773                               Idle
      *.32774                               Idle
      *.32775                               Idle
      *.32776                               Idle
      *.32777                               Idle
      *.32778                               Idle
      *.syslog                              Idle
      *.177                                 Idle
      *.34913                               Idle
      *.*                                   Unbound
      *.34945                               Idle
      *.34947                               Idle
      *.34949                               Idle
      *.34952                               Idle
      *.34954                               Idle
      *.34956                               Idle
      *.34960                               Idle
      *.34965                               Idle
      *.34967                               Idle
      *.34969                               Idle
      *.34972                               Idle
      *.34974                               Idle
      *.34976                               Idle
      *.34980                               Idle
      *.*                                   Unbound      

TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0     0      0 IDLE
      *.sunrpc             *.*                0      0     0      0 LISTEN
      *.*                  *.*                0      0     0      0 IDLE
      *.ftp                *.*                0      0     0      0 LISTEN
      *.telnet             *.*                0      0     0      0 LISTEN
      *.shell              *.*                0      0     0      0 LISTEN
      *.login              *.*                0      0     0      0 LISTEN
      *.exec               *.*                0      0     0      0 LISTEN
      *.uucp               *.*                0      0     0      0 LISTEN
      *.finger             *.*                0      0     0      0 LISTEN
      *.time               *.*                0      0     0      0 LISTEN
      *.echo               *.*                0      0     0      0 LISTEN
      *.discard            *.*                0      0     0      0 LISTEN
      *.daytime            *.*                0      0     0      0 LISTEN
      *.chargen            *.*                0      0     0      0 LISTEN
      *.32771              *.*                0      0     0      0 LISTEN
      *.32772              *.*                0      0     0      0 LISTEN
      *.32773              *.*                0      0     0      0 LISTEN
      *.fs                 *.*                0      0     0      0 LISTEN
      *.32774              *.*                0      0     0      0 LISTEN
      *.printer            *.*                0      0     0      0 LISTEN
      *.dtspc              *.*                0      0     0      0 LISTEN
      *.32776              *.*                0      0     0      0 LISTEN
      *.6000               *.*                0      0     0      0 LISTEN
      *.32803              *.*                0      0     0      0 LISTEN
localhost.32805      localhost.32772      32768      0 32768      0 ESTABLISHED
localhost.32772      localhost.32805      32768      0 32768      0 ESTABLISHED
      *.*                  *.*                0      0     0      0 IDLE
      *.32828              *.*                0      0     0      0 LISTEN
      *.32829              *.*                0      0     0      0 LISTEN
      *.32832              *.*                0      0     0      0 LISTEN
      *.32834              *.*                0      0     0      0 LISTEN
      *.32837              *.*                0      0     0      0 LISTEN
      *.32840              *.*                0      0     0      0 LISTEN
      *.32843              *.*                0      0     0      0 LISTEN
      *.32845              *.*                0      0     0      0 LISTEN
      *.32848              *.*                0      0     0      0 LISTEN
      *.telnet             *.*                0      0  8576      0 BOUND
yay.telnet           spare.3760            7480      1  8760      0 ESTABLISHED
      *.*                  *.*                0      0     0      0 IDLE
Active UNIX domain sockets
Address  Type          Vnode     Conn  Local Addr      Remote Addr
f64078c8 stream-ord f62ed7a0 00000000 /tmp/.X11-unix/X0
f64079e0 stream-ord 00000000 00000000

A system that is quieter will look like so :

$ netstat -a

UDP
   Local Address      State
-------------------- -------
      *.syslog        Idle
      *.*             Unbound

TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0     0      0 IDLE
      *.ssl                *.*                0      0     0      0 LISTEN
      *.*                  *.*                0      0     0      0 IDLE

Which requires that you shut off most of those default services.  Is this a
secure system?  NO!

Just because a system is quiet on most ports is nothing.  If we put that system
on a DMZ behind a CheckPoint FireWall then you're in better shape but still not
perfect.

What do you mean by secure?  Do you know?  

My company builds firewalls that are ready to run out of the box and we are not
simply going to give away the talent required to build a secure system, a true
stealth mode firewall.  But that's probably not what you're looking for is it?

What are you looking for here?  Did your management simply dump this on you with
a smile and a "good luck"?   You should print this out and go to your manager
and tell them that people charge $300/hr for the sort of service they want you
to do ( and learn ) for nothing.

Dennis

ps: Sorry about the rant but hey, you can fire an email at me and I'll help you
if I can, just don't expect the world on a platter.

Ross wrote:

> Does anyone know of online detailed step by step instructions for securing a
> new Solaris box?  Mostly what I find is vague instructions.  I have
> inherited the responsibility of securing 10 UNIX servers.  I am a C
> programmer not a UNIX admin.  Help is appreciated.
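
Added example, not part of the post above: a shell sketch of the inetd.conf pruning step it describes, run against a constructed sample file rather than a live /etc/inet/inetd.conf. The function names and the sample entries are assumptions made for illustration; the allowlist is matched against the first column exactly, so an rpc entry has to be listed with its version suffix.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file against an allowlist.

# Constructed sample in the inetd.conf column layout:
#   service  socket-type  proto  wait-flag  user  server-path  [args]
sample_inetd_conf() {
cat <<'EOF'
# constructed sample, not copied from a real host
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
rquotad/1 tli   rpc/datagram_v wait root /usr/lib/nfs/rquotad   rquotad
EOF
}

# list_enabled [FILE]: print "service<TAB>proto" for each active entry.
# Reads stdin when FILE is omitted.
list_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 "\t" $3 }' "${1:--}"
}

# disable_unlisted FILE "svc1 svc2 ...": copy FILE to stdout, commenting out
# every active entry whose service name is not in the allowlist. Existing
# comments and blank lines pass through unchanged.
disable_unlisted() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }
        ($1 in keep)         { print; next }
                             { print "#" $0 }
    ' "$1"
}

# Demo: work on a scratch copy, never on the live file.
conf=$(mktemp)
sample_inetd_conf > "$conf"
echo "Enabled before:";  list_enabled "$conf"
echo "Enabled after keeping only ftp:"
disable_unlisted "$conf" "ftp" | list_enabled
rm -f "$conf"
```

inetd re-reads its configuration only when it receives SIGHUP, so an edited file changes nothing until the daemon is signalled; compare `netstat -a` before and after to confirm the listeners are gone.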

 
 
 


Post by Mark E. Graha » Tue, 03 Apr 2001 11:26:37



>Step by Step?!

>I hate to say the ugly truth, but in general, for all intents and purposes
>you're out of luck.  The people that do know how to secure a Solaris box are not
>going to tell you for free.  They certainly are not going to post it on a web
>site for free.  That's the hard truth.

>To get you started :

>Reduce the number of services that are listening to ports on the systems.

>The file you need to look at is /etc/inet/inetd.conf, simply comment out the
>lines for services that you know you don't want or need.  Be careful of rpc
>services if you need to run scripts for backup that rsh from system to system.

<snip>

>What are you looking for here?  Did your management simply dump this on you with
>a smile and a "good luck"?   You should print this out and go to your manager
>and tell them that people charge $300/hr for the sort of service they want you
>to do ( and learn ) for nothing.

>Dennis

>ps: Sorry about the rant but hey, you can fire an email at me and I'll help you
>if I can, just don't expect the world on a platter.

>> Does anyone know of online detailed step by step instructions for securing a
>> new Solaris box?  Mostly what I find is vague instructions.  I have
>> inherited the responsibility of securing 10 UNIX servers.  I am a C
>> programmer not a UNIX admin.  Help is appreciated.

$300/hr? Sounds like a good thing to learn, then you can charge $300/hr.
 
 
 


Post by Akop Pogosia » Tue, 03 Apr 2001 14:01:55



> Does anyone know of online detailed step by step instructions for securing a
> new Solaris box?  Mostly what I find is vague instructions.  I have
> inherited the responsibility of securing 10 UNIX servers.  I am a C
> programmer not a UNIX admin.  Help is appreciated.

Take a look at Sun's own articles about Solaris security at

http://www.sun.com/blueprints

 
 
 


Post by RK » Tue, 03 Apr 2001 22:30:01




> Step by Step?!

> I hate to say the ugly truth, but in general, for all intents and purposes
> you're out of luck.  The people that do know how to secure a Solaris box are not
> going to tell you for free.

Yes, they will.  Go to Sun's website and download a set of scripts called
JASS.  It's free.  The scripts, when run, will lock your system up as tight
as a *ing bastion host.  In fact, you may not want to run ALL the
scripts.  Do a backup before you run the things, just in case they make
changes you don't want.
 
 
 


Post by RK » Tue, 03 Apr 2001 22:30:23




> > Does anyone know of online detailed step by step instructions for securing a
> > new Solaris box?  Mostly what I find is vague instructions.  I have
> > inherited the responsibility of securing 10 UNIX servers.  I am a C
> > programmer not a UNIX admin.  Help is appreciated.

> Take a look at Sun's own articles about Solaris security at

> http://www.sun.com/blueprints

Do a search on "jass".
 
 
 


Post by Med H » Wed, 04 Apr 2001 00:16:28


Hi Ross,
You may also have a look at Lance Spitzner's white paper about
"hardening a Solaris box"
 http://www.enteract.com/~lspitz/armoring.html

--------------




>> > Does anyone know of online detailed step by step instructions for securing a
>> > new Solaris box?  Mostly what I find is vague instructions.  I have
>> > inherited the responsibility of securing 10 UNIX servers.  I am a C
>> > programmer not a UNIX admin.  Help is appreciated.

>> Take a look at Sun's own articles about Solaris security at

>> http://www.sun.com/blueprints

>Do a search on "jass".

 
 
 


Post by Dennis Clark » Wed, 04 Apr 2001 09:15:09



> $300/hr? Sounds like a good thing to learn, then you can charge $300/hr.

What was that?  A flame?  

Seriously ...  grow up.

 
 
 


Post by Dennis Clark » Wed, 04 Apr 2001 09:16:11


> Yes, they will.  Go to Sun's website and download a set of scripts called
> JASS.  It's free.  The scripts, when run, will lock your system up as tight
> as a *ing bastion host.  In fact, you may not want to run ALL the
> scripts.  Do a backup before you run the things, just in case they make
> changes you don't want.

You have clearly missed the concept of security.
You also have a very nice vocabulary there.
Very nice.
 
 
 


Post by Mark E. Graha » Wed, 04 Apr 2001 12:31:37




>> $300/hr? Sounds like a good thing to learn, then you can charge $300/hr.

>What was that?  A flame?

>Seriously ...  grow up.

Not a flame at all. I'm just observing that if his company wants him to
learn and implement security and security professionals get $300/hr for this
type of service, then by all means take the ball and run with it. Once the
knowledge is there, move on to someone who will pay you what it's worth
instead of sticking with a company that won't do the right thing. In a
nutshell, take advantage of an opportunity if possible.

Maybe you shouldn't be so defensive Dennis. After all, this is normally a
friendly newsgroup.

 
 
 


Post by David Loga » Wed, 04 Apr 2001 14:01:31


Hi Ross,

Try http://www.unixinsider.com/common/security-faq.html and
http://www.enteract.com/~lspitz/papers.html - Armouring Solaris

Both of these have most of the info that you want.

Regards


> Does anyone know of online detailed step by step instructions for securing a
> new Solaris box?  Mostly what I find is vague instructions.  I have
> inherited the responsibility of securing 10 UNIX servers.  I am a C
> programmer not a UNIX admin.  Help is appreciated.

--
_______________________________________________________________

David Logan                                 102 Cameron Street
Broadband e-Lab                             Launceston Tas 7250
                                            Australia
Ph : (03) 6323 2667
Fax: (03) 6323 2666
Mob: (0419) 890 763

 
 
 


Post by Dennis Clark » Wed, 04 Apr 2001 23:44:36


> Not a flame at all. I'm just observing that if his company wants him to
> learn and implement security and security professionals get $300/hr for this
> type of service, then by all means take the ball and run with it. Once the
> knowledge is there, move on to someone who will pay you what it's worth
> instead of sticking with a company that won't do the right thing. In a
> nutshell, take advantage of an opportunity if possible.

> Maybe you shouldn't be so defensive Dennis. After all, this is normally a
> friendly newsgroup.

Good God almighty man!  I've been using this usegroup since '95!  Last time I
checked I had generally been posting relatively useful responses mixed in with
worthless drivel from time to time :)

Personally ... I was in a bad mood when I posted that ...  really :(

Sorry.

Dennis

 
 
 
