[rescue] Solaris security
David Cantrell
rescue at sunhelp.org
Sun Jul 29 11:54:39 CDT 2001
David Passmore <dpassmor at sneakers.org> wrote:
> * If you run SSH, compile in TCP wrapper support and ACL it too. Contrary to
> the delusions of many sysadmins, SSH is not invulnerable.
Unfortunately for me, one of the main reasons I run sshd is so that I can
access my box from anywhere in the world. Therefore TCP wrappers aren't
really an option. I realise it ain't invulnerable, but it is at least
bullet-proof :-).
> * If possible, run your network services (web, etc) in a chroot'ed
> environment, so if they are compromised, they cannot leverage it to get root
> access on the box. If you have machines which must trust each other in some
> way (say, to do an automated nightly scp of files) make /damn sure/ this
> happens in a chroot'ed environment.
chroot isn't invulnerable either, of course, although every little bit
helps.
> Don't rely on a firewall or filtering software. Well-meaning, authorized
> users tend to punch nasty holes in them when they find them inconvenient.
Even without such users, still don't rely on a firewall or packet filtering.
Don't rely on any single technological measure.
--
David Cantrell | david at cantrell.org.uk | http://www.cantrell.org.uk/david
Do not be afraid of cooking, as your ingredients will know and misbehave
-- Fergus Henderson
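The quoted advice above is to build sshd with TCP wrapper support and put an ACL on it. As an added illustration that is not part of this post or of the rescue list, the script below models how tcp_wrappers evaluates a hosts.allow/hosts.deny pair: the allow file is consulted first and the first match grants access, then the deny file is consulted and the first match refuses, and if neither file matches the connection is allowed. The two policy files, the daemon name `sshd` and the client addresses are constructed samples; the `tcpd_allows` function and its helpers are hypothetical names chosen here, not any library's API.

```python
import ipaddress

# Constructed sample policy (not from the original post), written in the
# classic tcp_wrappers "daemon_list : client_list" syntax.
HOSTS_ALLOW = """
# Only the office LAN and the 10.0.0.0/8 management range may reach sshd.
sshd: 192.168.1.0/255.255.255.0, 10.
# Anything from the local host may use any wrapped service.
ALL: 127.0.0.1
"""

HOSTS_DENY = """
# Default deny: anything not explicitly allowed above is refused.
ALL: ALL
"""


def _parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) from a hosts.allow/deny body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:                      # need at least daemon : client
            continue
        daemons = [d.strip() for d in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        rules.append((daemons, clients))        # any third field (shell command) is ignored here
    return rules


def _client_matches(pattern, client_ip):
    """Match one tcp_wrappers client pattern against a dotted-quad IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                   # leading-octet prefix, e.g. "10."
        return client_ip.startswith(pattern)
    if "/" in pattern:                          # net/mask form
        return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(pattern, strict=False)
    return pattern == client_ip                 # exact address


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _first_match(rules, daemon, client_ip):
    """True if any rule matches both the daemon name and the client address."""
    for daemons, clients in rules:
        if any(_daemon_matches(d, daemon) for d in daemons) and \
                any(_client_matches(c, client_ip) for c in clients):
            return True
    return False


def tcpd_allows(daemon, client_ip, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """Apply the tcp_wrappers decision order: allow file, then deny file, then default allow."""
    if _first_match(_parse_rules(hosts_allow), daemon, client_ip):
        return True
    if _first_match(_parse_rules(hosts_deny), daemon, client_ip):
        return False
    return True


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.5"), ("sshd", "10.0.0.7"),
                       ("sshd", "203.0.113.9"), ("in.ftpd", "127.0.0.1")]:
        print(daemon, ip, "allowed" if tcpd_allows(daemon, ip) else "refused")
```

The point the model makes visible is the default-allow step: with an empty hosts.deny, a connection that matches nothing is let through, so the `ALL: ALL` line in hosts.deny is what turns the allow file into a real ACL. As the quoted text says, none of this applies unless sshd was built with libwrap support in the first place, which is worth verifying rather than assuming.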