[Sunhelp] Important Ports on Solaris.

Tubbs, Derric L Derric.Tubbs at West.Boeing.com
Fri Aug 20 14:48:45 CDT 1999


There are plenty of Solaris/UNIX sysadmin and/or security guides available
on the net that tell what they suggest for this; they are good starting
points, and you can fine-tune from there.  I agree with the others that you
should avoid telnet and ftp if possible.  And take note of what was said in
one of the previous requests: just because you disable ftp coming in doesn't
mean you'll lose the ability to ftp out to someone else.

> ----------
> From: 	Doug McLaren[SMTP:dougmc at frenzy.com]
> Reply To: 	sunhelp at sunhelp.org
> Sent: 	Friday, August 20, 1999 2:25 PM
> To: 	sunhelp at ohno.mrbill.net
> Subject: 	Re: [Sunhelp] Important Ports on Solaris.
> 
> On Fri, Aug 20, 1999 at 02:04:05PM -0500, Jonathan Eisch wrote:
> 
> | I guess all I need are http, ftp, telnet.  That wasn't too hard.  Are
> | there any more that one would suggest opening up?
> 
> Outbound or inbound?
> 
> If you want to log into the box from the Internet, you'd open up ftp
> and telnet inbound.  *Note that both are bad ideas, you're much better
> off with ssh.*
> 
> Also note that ftp uses more than just one port.  In fact, it uses
> ports that are basically random above 1024.  If it's in PASV mode,
> these connections go in the same direction as the original ftp
> request.  If it's in classic mode, they go in the opposite direction.
> 
> Ultimately, you're making a choice between security and functionality.
> You can set up a firewall that blocks most things and doesn't break
> much, but to get more security you're going to start breaking things.
> 
> Personally, I like to not break things.  So I allow all outbound TCP
> connections (except for a few, like 6000/tcp, just to save me from
> accidents) and block all inbound TCP connections < 1024 except ssh and
> smtp.  For UDP, I allow all packets outbound, but block inbound traffic
> to ports under 1024 unless it's to port 53 (DNS).
> 
> I also block inbound 6000/tcp, 6001/tcp (X), 2049/tcp and 2049/udp
> (nfs).
> 
> I also block TCP traffic to and from doubleclick.net's address and a
> few other sources of banner ads, filtering out many banner ads.  Quite
> nice :)
> 
> I probably forgot a few things, but if you can do something like this
> it'll make a nice start.
> 
> -- 
> Doug McLaren, dougmc at frenzy.com
> 
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
> 
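The rule set Doug sketches above (all outbound TCP except X, inbound TCP under 1024 only for ssh and smtp, inbound UDP under 1024 only for DNS, X and NFS blocked explicitly) and the FTP data-channel behaviour he describes can be written down as a small policy model so the two points made in this thread can be checked against each other. The following Python is an added example, not code from either poster or from any real packet filter; the `Packet` type, the `decide` and `ftp_data_direction` functions and the sample data port 40000 are constructed here, and the doubleclick.net address filtering is deliberately left out because it is about addresses rather than ports.

```python
"""Model of the port policy described in the post, as pure functions.

Constructed example: nothing here talks to a real firewall. It encodes the
prose rules so that individual packets and an FTP session can be evaluated.
"""
from dataclasses import dataclass
from typing import Literal

Direction = Literal["in", "out"]   # "in" = arriving from the Internet
Proto = Literal["tcp", "udp"]

SSH, SMTP, DNS, FTP_CTL = 22, 25, 53, 21   # well-known ports named in the thread
X11_PORTS = {6000, 6001}                   # X displays :0 and :1
NFS_PORT = 2049
PRIVILEGED_MAX = 1023                      # "ports under 1024"


@dataclass(frozen=True)
class Packet:
    direction: Direction
    proto: Proto
    dport: int          # destination port on the receiving host


def decide(pkt: Packet) -> str:
    """Return 'allow' or 'block' for the first packet of a connection."""
    if pkt.proto == "tcp":
        if pkt.direction == "out":
            # All outbound TCP is allowed except X, blocked "to save me from
            # accidents" (an X client leaking a display to the Internet).
            return "block" if pkt.dport in X11_PORTS else "allow"
        # Inbound TCP: explicit blocks first, then the privileged-port rule.
        if pkt.dport in X11_PORTS or pkt.dport == NFS_PORT:
            return "block"
        if pkt.dport <= PRIVILEGED_MAX:
            return "allow" if pkt.dport in (SSH, SMTP) else "block"
        return "allow"
    # UDP: all outbound allowed; inbound only DNS among the low ports, NFS never.
    if pkt.direction == "out":
        return "allow"
    if pkt.dport == NFS_PORT:
        return "block"
    if pkt.dport <= PRIVILEGED_MAX:
        return "allow" if pkt.dport == DNS else "block"
    return "allow"


def ftp_data_direction(mode: str, control: Direction) -> Direction:
    """Direction of the FTP data connection given the control connection.

    PASV: the client opens the data connection too, so it runs the same way
    as the control connection. Classic (active): the server connects back to
    the client, so the data connection runs the opposite way.
    """
    if mode == "pasv":
        return control
    if mode == "active":
        return "out" if control == "in" else "in"
    raise ValueError(f"unknown FTP mode: {mode}")


def ftp_session_allowed(mode: str, control: Direction, data_port: int = 40000) -> bool:
    """True if both the control connection (port 21) and a data connection on a
    random port above 1024 (constructed here as 40000) pass the policy."""
    ctl = decide(Packet(control, "tcp", FTP_CTL))
    data = decide(Packet(ftp_data_direction(mode, control), "tcp", data_port))
    return ctl == "allow" and data == "allow"


if __name__ == "__main__":
    for mode in ("pasv", "active"):
        for control in ("out", "in"):
            print(f"ftp {mode:6s} control={control}: "
                  f"{'works' if ftp_session_allowed(mode, control) else 'blocked'}")
```

Running the model confirms Derric's point: an inbound FTP session is blocked at the control connection (port 21 is under 1024 and is neither ssh nor smtp), while outbound FTP works in both modes. It also shows why active mode works only by accident of this particular policy: its data connection comes back inbound on a random high port, which passes only because inbound TCP at or above 1024 is left open. Tightening that rule is exactly the kind of "more security that starts breaking things" the post warns about.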
