[rescue] Solaris security

David Passmore rescue at sunhelp.org
Sun Jul 29 11:12:09 CDT 2001


On Fri, Jul 27, 2001 at 05:50:32PM -0400, Mike Nicewonger wrote:
> 
> I am thinking of putting an Ultra 1 up for some tasks connected directly to the
> Internet. I was wondering about the security of Solaris. I know it needs to be
> patched and all that, turn off un-needed stuff etc. Any other big glaring holes
> in it or is it a fairly secure enough OS?

Beyond the normal 'turn things off', here's what I have had good experience
with:

* If you run ANY inetd service, ACL it with TCP wrappers, period. Even if
you offer shell access to a few dozen friends, go through the effort of
compiling their IP ranges and putting them in there.

* If you run SSH, compile in TCP wrapper support and ACL it too. Contrary to
the delusions of many sysadmins, SSH is not invulnerable.

* If you must run NFS or any RPC-dependent service, run Wietse Venema's
rpcbind which can be ACL'ed with TCP wrappers. The stock rpcbind has
vulnerabilities which are unpublished and for which patches do not exist.

* Log all connection attempts with TCP wrappers. Scan through it at least
once a week. It will surprise you.

* If you run more than a few machines, use a centralized key management
system like Kerberos, SecureID, etc. It will be worth your while if you have
a rogue employee or friend with a bone to pick to revoke their access to
your network with one command. Both of these can be used in conjunction with
SSH.

* If possible, run your network services (web, etc) in a chroot'ed
environment, so if they are compromised, they cannot leverage it to get root
access on the box. If you have machines which must trust each other in some
way (say, to do an automated nightly scp of files) make /damn sure/ this
happens in a chroot'ed environment.

* Use a command like strobe or nmap to look at the open ports on your
machine after you have locked it down. Make sure you know what each and
every one of those open ports is.

Remember, there are and will always be exploits that only the bad guys know
about. The best way to secure your box is to make sure that folks with
malicious intent have to go through the most difficult possible path to
connect to a port on your hardware. If you have friends you allow shells on
your machine, go through the effort of helping them secure their boxes too.

BTW, tools like TCP wrappers and rpcbind can be found at:

ftp://ftp.porcupine.org/pub/security/index.html

Oh, and make plenty of backups. There's nothing more frustrating than having
to rebuild a machine from scratch after it's been compromised.

Don't rely on a firewall or filtering software. Well-meaning, authorized
users tend to punch nasty holes in them when they find them inconvenient.
These tools are crutches and provide a false sense of security.

David
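The TCP wrappers advice in the post above (ACL every inetd service and rpcbind, log the rest) hinges on how tcpd decides: hosts.allow is consulted first, then hosts.deny, and a connection matching neither file is let through. The script below is an added example, not code from the post or from Wietse Venema's package; it is a hypothetical POSIX sh model of that decision over constructed sample files, using the trailing-dot address prefixes that "compile their IP ranges" amounts to.

```shell
# Model of the tcpd decision (hypothetical helper, not Venema's code): a hit in
# hosts.allow -> allow; else a hit in hosts.deny -> deny; else allow (the default
# that bites when hosts.deny is empty). Client patterns: ALL, trailing-dot
# prefix (192.168.1.), exact address. Lists may be comma or space separated.
ALLOW_FILE=$(mktemp); DENY_FILE=$(mktemp); EMPTY_DENY=$(mktemp)
trap 'rm -f "$ALLOW_FILE" "$DENY_FILE" "$EMPTY_DENY"' EXIT
# constructed /etc/hosts.allow: sshd from the LAN and a friend's /24, rpcbind LAN-only
cat > "$ALLOW_FILE" <<'EOF'
sshd : 192.168.1. 203.0.113.
rpcbind : 192.168.1.
EOF
# constructed /etc/hosts.deny: refuse everything not explicitly allowed
cat > "$DENY_FILE" <<'EOF'
ALL : ALL
EOF

# pattern_matches PATTERN CLIENT_IP: 0 if the pattern covers the address
pattern_matches() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac ;;
    *)   [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# file_matches FILE DAEMON CLIENT: 0 if a "daemons : clients [: opts]" rule hits
file_matches() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | {
    while IFS= read -r line; do
      dlist=${line%%:*}; rest=${line#*:}; clist=${rest%%:*}
      for d in $(printf '%s' "$dlist" | tr ',' ' '); do
        [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
          pattern_matches "$c" "$3" && exit 0
        done
      done
    done
    exit 1
  }
}

# wrap_decision ALLOWFILE DENYFILE DAEMON CLIENT: prints allow or deny
wrap_decision() {
  if file_matches "$1" "$3" "$4"; then echo allow
  elif file_matches "$2" "$3" "$4"; then echo deny
  else echo allow      # nothing matched: tcpd lets the connection through
  fi
}
wrap_decision "$ALLOW_FILE" "$EMPTY_DENY" sshd 198.51.100.5   # prints allow: the trap
```

The last line is the case the post warns about: with no catch-all in hosts.deny, an address outside every allow rule still gets in.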


