Firewall Wizards mailing list archives

Re: Solaris Configuration List


From: Roger Marquis <marquis () roble com>
Date: Mon, 17 Jan 2000 21:24:23 -0800 (PST)

Brad Van Orden <Brad.VanOrden () netisi com> wrote:
Does anyone know of a checklist for preparing a solaris computer to be a
firewall? Thanks!

Here's an outline for Solaris 2.6 that we used several months ago.  It's
somewhat out of date but good reading all the same.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/


-------------------------------------------------------------------
        Solaris Firewall
        Example Installation & Configuration
        Roble Systems, Inc. 1998
-------------------------------------------------------------------

Table of Contents

        0) Disclaimer
        1) Compile system information
        2) Install OS from Solaris CD
        3) Configure the system
        4) Enable encryption and authentication
        5) Test and retest
        6) Additional software

--------------------------------------------------------------------

0) Disclaimer

        NOTE: This procedure details one way, of many, to configure a
        secure firewall platform based on Sun Solaris.  It will be too
        restrictive for most other uses.  It may even be too restrictive
        for your firewall.  No warranty is made as to the accuracy or
        reliability of this document.  Use at your own risk.

1) Compile system information

        1.1 hostname = _______________________________
        1.2 IP addresses = ___________________________ 
        1.3 defaultrouter = __________________________ (if any)
        1.4 timeserver = _____________________________ (if any)
        1.5 date = ___________________________________
        1.6 root password = __________________________
        1.7 part of a subnet = _______________________ (typically = no)
        1.8 timezone = _______________________________ (i.e., US/Pacific)
        1.9 naming service = _________________________ (typically = other)

2) Install OS from Solaris CD

   2.1 select the "core system" software cluster
   2.2 customize by adding the following packages: 
        a) "automated security enhancement tools"
        b) "interprocess communication"
        c) "network time protocol"
        d) "source Compatibility" (usr)
        e) "static utilities"
        f) "sunOS 4.x binary compatibility"
        g) "system accounting"
        h) "system & network administration"
        i) "volume management" (root & usr)
        j) "xcu4 utilities"
   2.3 manually layout the disks
        (partition - manual layout - customize)
          root = 1.9GB+
          swap = 500MB+
          if there is a /var partition (not recommended on
           single disk systems) use the remainder of the disk
        NOTE:
        * swap size is application dependent 
        * root partitions larger than 2GB are not supported 
          on older hardware
   2.4 select "install & reboot"
   2.5 install the current recommended patch cluster from 
        Sun's Sunsolve website at:
        http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access

3) Configure the system

   3.1 edit configuration files
        vi /etc/hosts (define loghosts, mailhost, timehost)
        vi /etc/hostname.* (substitute IP addresses for hostnames)
        vi /etc/vfstab (comment out /tmp swapfs if not needed)
        vi /etc/resolv.conf (domainname and 2 nameservers)
        vi /etc/nsswitch.conf (hosts:      files dns)
        vi /etc/power.conf (comment autoshutdown)
        vi /etc/defaultrouter (IP address of default router, disables RIP)
        vi /etc/ntp.conf (IF using xntp for time synchronization)
        vi /etc/default/{su,login} (CONSOLE=/dev/console)
        vi /etc/mail/sendmail.cf (Mprog, PrivacyOptions, MaxDaemonChildren
         MaxMessageSize, SuperSafe, ...)
   3.2 create account files
        vi /.cshrc /.profile /.kshrc /.bashrc /.exrc
        more /etc/skel/cshrc
   3.3 install sysadmin utilities (http://sunfreeware.com/)
        RCS: mkdir ~admin/RCS ; ln -s ~admin/RCS /etc
          cd /etc ; ci -l inetd.conf host* ftpusers, ...
        bash, gzip, less, lsof, rsync, sudo, tar, tcsh, top, zip, ...
   3.4 disable unneeded startup scripts
        mv rcS.d/S50devfsadm rcS.d/s50devfsadm
        cd /etc/rc2.d
         mv S92volmgt s92volmgt
         #mv S88sendmail s88sendmail
         mv S74autofs s74autofs
         mv S73nfs.client s73nfs.client
         mv S99dtlogin s99dtlogin
         mv S85power s85power
         mv S47asppp s47asppp
         mv S70uucp s70uucp
         mv S80lp s80lp
         ...
        cd /etc/rc3.d
         mv S15nfs.server s15nfs.server
         mv S76snmpdx s76snmpdx
         mv S77dmi s77dmi
         ...
   3.5 configure logging
        vi /etc/syslog.conf (convert all spaces to tabs)
          syslog,auth,local7,local5.debug;daemon.notice;local6.info;user.none /dev/console
          *.alert;auth.debug;kern.err;daemon.err;user.none        operator
          kern.notice     /var/log/kern.messages
          daemon.debug    /var/log/daemon.messages
          user.debug      /var/log/user.messages
          cron.emerg      /var/log/cron.messages
          auth.info       /var/log/auth.messages
          news.debug      /var/log/news.messages
          mail.info       /var/log/mail.messages
          uucp.notice     /var/log/uucp.messages
          lpr.debug       /var/log/lpr.messages
          local0.info     /var/log/local0.messages
          local1.debug    /var/log/local1.messages
          local2.debug    /var/log/local2.messages
          local3.debug    /var/log/local3.messages
          local4.debug    /var/log/local4.messages
          local5.debug    /var/log/local5.messages
          local6.debug    /var/log/local6.messages
          local7.debug    /var/log/local7.messages
          debug @loghost2
        create the logfiles under /var/log (touch)
        kill -1 <syslog pid>
        touch /var/adm/loginlog 
        chmod o-w /var/{log,adm}/* /var/log/sysidconfig.log
   3.6 enable aset
        /usr/aset/aset -p -l med
   3.7 schedule periodic administrative tasks
        crontab -e
          22 * * * * /var/admin/cron/hourly
          22 22 * * * /var/admin/cron/daily
          2 22 * * 0 /var/admin/cron/weekly
          2 2 1 * * /var/admin/cron/monthly
   3.8 cleanup non-root crontabs
        cd /var/spool/cron/crontabs
          rm -f uucp sys adm lp
          chmod go-rwx . *
          ls -l
        sed 's/:.*$//' /etc/passwd | grep -v root > /etc/cron.d/at.deny (or rm at.deny)
        sed 's/:.*$//' /etc/passwd | grep -v root > /etc/cron.d/cron.deny (or rm cron.deny)
   3.9 email aliases
        forward root & postmaster to real user
        forward system accounts to /dev/null
        rebuild: /usr/lib/sendmail -bi
   3.10 delete extraneous files
        rm -f /usr/sbin/{eeprom} /dev/openprom /devices/pseudo/openeepr@0:openprom
        ls -l /usr/sbin/{eeprom} /dev/openprom /devices/pseudo/openeepr@0:openprom
        rm -rf /var/spool/uucp* /etc/uucp
        ls -l /var/spool/uucp* /etc/uucp
        rm -rf /tftp* /.dt* /.Xauthority /.wastebasket /xfn /net /export /mnt /core
        ls -l /tftp* /.dt* /.Xauthority /.wastebasket /xfn /net /export /mnt /core
        rm -f /var/adm/spellhist
        ln -s /dev/null /var/adm/spellhist
        ln -s /dev/null /core (?)
   3.11 disable incoming ftp
        sed 's/:.*$//' /etc/passwd > /etc/ftpusers
   3.12 disable 'cron' logging (to avoid full disk bug)
        vi /etc/default/cron (CRONLOG=NO)
   3.13 create login banners
        echo "------ Unauthorized Access Prohibited ------" > /etc/issue
        echo "" >> /etc/motd
        echo "    ------ Unauthorized Access Prohibited ------" >> /etc/motd
        echo "" >> /etc/motd
   3.14 disable kernel routing
        echo "" >> /etc/rc2.d/S69inet
          echo "ndd -set /dev/ip ip_forwarding 0" >> /etc/rc2.d/S69inet
          echo "ndd -set /dev/ip ip_forward_src_routed 0" >> /etc/rc2.d/S69inet
          echo "ndd -set /dev/ip ip_forward_directed_broadcasts 0" >> /etc/rc2.d/S69inet
        vi /etc/default/inetinit (TCP_STRONG_ISS=2)
        touch /etc/notrouter
        touch /etc/defaultrouter
   3.15 restrict standard and rpc services
        vi /etc/inetd.conf
          comment out everything (:1,$s/^/#/)
          uncomment as needed
          kill -1 <inetd_pid>
        echo "rpcbind : ALL" > /etc/hosts.deny (modified rpcbind)
   3.16 check the password files
        vipw
          add /bin/false shell to system accounts
          (change root shell to /bin/csh if /usr is on /)
          (add "admin" user (admin:x:0:1:Super-User:/var/admin:/bin/csh))
          (add "operator" and "suoperator" accounts as needed)
        pwck
          check /etc/passwd for errors
        awk -F: '{print $2}' /etc/shadow
          check /etc/shadow for errors
   3.17 tighten permissions and other misc holes (per ISS & CERT)
        find /opt/SUNWrtvc -perm 777 -exec chmod go-w {} \; -ls
        chmod 660 /devices/sbus@1f,0/espdma@e,8400000/esp@e,8800000/st@4*
        chmod 550 /usr/lib/fs/ufs/ufsrestore
        chmod 555 /usr/openwin/bin/ff.core
        #chmod 550 /bin/su
        chmod 000 /etc/default/sys-suspend /usr/openwin/bin/sys-suspend
        vi /usr/openwin/lib/speckeysd.map
        chgrp sysadmin `which admintool`; chmod o-rwx `which admintool`
        chmod -R ugo+r /usr/openwin

4) Enable encryption and authentication

   4.1 install ssh
        ftp://ftp.cs.hut.fi/pub/ssh/ 
        ftp://sunsite.unc.edu/pub/packages/security/ssh/ 
        ftp://ftp.kyoto.wide.ad.jp/pub/security/ssh/
         vi /etc/services (ssh 22/tcp)
         vi sshd_config (see below)
         kill -1 `ps auxww|grep inetd|grep -v grep|awk '{print $2}'`
         telnet localhost 22
        If there's no inetd: use a startup script (/etc/rc2.d/S81sshd)
                else add to inetd.conf 

5) Test, test, test, retest

   5.1 local
         ps auxww (ps -ef) ; showrev -p ; prtconf ; ...
   5.2 remote
        strobe ; portscan ; rpcinfo -p ; ...

6) Additional Software

 6.1 compile secure rpcbind (if something uses rpc)
  Download from ftp://ftp.win.tue.nl/pub/security/rpcbind_2.tar.gz
  make; cp /usr/sbin/rpcbind /usr/sbin/rpcbind.ori;
  cp rpcbind /usr/sbin/rpcbind; reboot
  vi /etc/hosts.deny (and /etc/hosts.allow) for access control

 6.2 periodic cron scripts
  (/var/admin/cron/ or /etc/periodic/)
  hourly:
        ping remote hosts
        test/set emailbox permissions
        check daemons (syslog, sendmail, named, fwm, ssh)
        rotate any log files larger than 1.5MB
  daily:
        check disk utilization
        check sendmail queue
        synchronize time (ntpdate, rdate)
  weekly (report emailed):
        disk utilization
        check/report (password file, SYN queue, hosts.{allow,deny}, 
                ftp access, sendmail queue, wtmp/wtmpx size)
        ASET report
        Solaris patches
        run tripwire and mail separate report
  monthly (report emailed):
        rotate and archive log files

 6.3 ssh

  /etc/sshd*config:
        PermitRootLogin no
        IgnoreRhosts yes
        StrictModes yes
        QuietMode no
        FascistLogging no
        PrintMotd no
        KeepAlive no
        SyslogFacility LOCAL3
        RhostsAuthentication no
        RhostsRSAAuthentication no
        RSAAuthentication no
        PasswordAuthentication yes
        PermitEmptyPasswords no
        AllowHosts ...

 6.4 skey
  Download from ftp://ftp.win.tue.nl/pub/security/logdaemon...tar.gz
  compile the skeysh
    to allow logins to the root account
        comment the section in skeysh/skeysh.c: "ROOT LOGIN REFUSED"
  (create an skey account (with or without a password) for ssh)

 6.5 Firewall-1

  1) install under /opt/SUNWfw
        apply any patches
  2) add the following to /.cshrc
        if ( -d /opt/SUNWfw ) then
                setenv FWDIR /opt/SUNWfw
                setenv PATH ${PATH}:${FWDIR}/bin
                setenv MANPATH ${MANPATH}:${FWDIR}/man
        endif
  3) vi /etc/rc3.d/S95firewall1
        add $FWDIR/bin/fwm
  4) vi /opt/SUNWfw/bin/fwstart
        comment out snmp startup (if not needed)
  5) add mgmt users
        fwm -a
  6) add mgmt hosts
        vi $FWDIR/conf/gui-clients (not $FWDIR/conf/masters)
  7) clean license file (as required)
        cd $FWDIR/conf
        mv fw.license fw.license.ori
        mv fw.LICENSE fw.LICENSE.ori
        ../bin/fw putlic ...
  8) disable SNMP; Security Policy, Properties, ...
  9) reboot & check /etc/rcS.d/S30rootuser.sh

 6.6 one time passwords (root account only?)
        skey/logdaemon                  
        /usr/sbin/skeysh, skey account; keyinit+key
 6.7 heavy duty filesystem and integrity checking
        iss s3, (axent), tripwire, ...
 6.8 if inetd services are enabled
        tcp_wrappers (for logging and authentication)
        tcpdchk
 6.9 sendmail
        spam filters, RBL, DUL, ORBS

--------------------------------------------------------------------
see also http://www.netwizards.net/~varmav/tips-tools/solaris.shtml
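A POSIX sh audit helper added here (not part of Roger's checklist or of any Solaris tool) that checks three of the steps above against constructed sample files: the "comment out everything" inetd.conf edit, the tab-separated syslog.conf rules, and the sshd_config values; the function names, sample paths and sample file contents are assumptions of mine.

```shell
#!/bin/sh
# Added audit helper, not from the original checklist. Function names and the
# sample files below are my own; run it on any POSIX sh.

# inetd.conf step: print service names still uncommented after the edit.
inetd_enabled() {                       # $1 = inetd.conf path
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# syslog.conf step: the checklist requires tab-separated fields; print the
# line numbers of non-comment rules that contain no tab at all.
syslog_space_lines() {                  # $1 = syslog.conf path
    awk '!/^[ \t]*#/ && NF >= 2 && index($0, "\t") == 0 { print NR }' "$1"
}

# sshd_config step: does the last occurrence of a directive carry the value?
sshd_setting_is() {                     # $1 = config, $2 = directive, $3 = value
    val=$(awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1")
    [ "$val" = "$3" ]
}

# Directives from the sshd_config section with the values the list expects.
SSHD_EXPECTED='PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
RhostsAuthentication no
RhostsRSAAuthentication no
PermitEmptyPasswords no'

sshd_failures() {                       # $1 = config; prints directives that differ
    printf '%s\n' "$SSHD_EXPECTED" | while read -r d want; do
        sshd_setting_is "$1" "$d" "$want" || printf '%s\n' "$d"
    done
}

# Constructed sample files standing in for /etc/inetd.conf, /etc/syslog.conf
# and /etc/sshd_config (the sshd sample deliberately leaves one directive wrong).
SAMPLE=${TMPDIR:-/tmp}/solaudit.$$ ; mkdir -p "$SAMPLE"
printf '#ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/in.ftpd\tin.ftpd\n' > "$SAMPLE/inetd.conf"
printf 'ssh\tstream\ttcp\tnowait\troot\t/usr/local/sbin/sshd\tsshd -i\n' >> "$SAMPLE/inetd.conf"
printf 'kern.notice\t/var/log/kern.messages\nauth.info /var/log/auth.messages\n' > "$SAMPLE/syslog.conf"
printf 'PermitRootLogin no\nIgnoreRhosts yes\nStrictModes yes\nRhostsAuthentication yes\n' > "$SAMPLE/sshd_config"
printf 'RhostsRSAAuthentication no\nPermitEmptyPasswords no\n' >> "$SAMPLE/sshd_config"

echo "enabled inetd services: $(inetd_enabled "$SAMPLE/inetd.conf")"
echo "syslog.conf lines using spaces: $(syslog_space_lines "$SAMPLE/syslog.conf")"
echo "sshd_config directives to fix: $(sshd_failures "$SAMPLE/sshd_config")"
```

Point the three functions at the real files under /etc to use it on a host; the sample run reports ssh as the only enabled inetd service, syslog.conf line 2 as space-separated, and RhostsAuthentication as the directive to fix.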
