Blue Forest http://www.lslnet.com at 19:08 on June 28, 2006


Solaris system security reinforcement table

PS: There are already many Solaris hardening checklists by veterans; the table below was summarized from that material, so errors and omissions are inevitable. Please bear with it (it was originally a Word document; the formatting was lost when it was posted).
Thanks to Y and ghoststone for their help with this article.

Solaris system security reinforcement table
Wang Yu

I. Security principles
1. Security starts from the enterprise as a whole, not from technology alone.
2. Requirement for administrators: trust no one.
3. Layered protection (defense in depth): if one layer fails, the others still protect the system.
4. Run the minimum set of services.
5. Plan for the worst case.

II. Physical security
1. Keep a log of who enters and leaves the machine room; consider installing cameras.
2. A replaced PROM can be detected by comparing the hostid against the recorded value.
3. Every system should have an OpenBoot password, and the password must not be predictable.
4. Remove the installation CD-ROM once the system is installed.
5. Keep an off-site copy of the installation media in a media storage room.

III. Account and password policy
1. Superuser PATH (defined in /.profile):
PATH=/usr/bin:/sbin:/usr/sbin
Neither PATH nor LD_LIBRARY_PATH of any user should contain "." (the current directory).
2. Password file, shadow file and group file
/etc/passwd   readable by all users, writable only by root   -rw-r--r--
/etc/shadow   readable only by root                          -r--------
/etc/group    readable by all users, writable only by root   -rw-r--r--
3. Password security
Solaris enforces a minimum password length of six characters, but the superuser is exempt from this restriction when changing passwords.
Force the account test to change its password every 30 days (-x sets the maximum age in days):
# passwd -x 30 test
Force the account test to change its password at its next login:
# passwd -f test
Prevent the account test from changing its password (minimum age greater than maximum age):
# passwd -n 2 -x 1 test
Lock the account test:
# passwd -l test
4. Group passwords
Use newgrp <group> to switch to another group. Because members of the sysadmin group can run admintool, the group must be protected by giving it a group password. Procedure:
Remove members who do not need to be in the group (membership of sysadmin changes from time to time, and the group normally has no password).
# passwd <user>   (set a password on a dedicated user account that is normally kept locked)
Extract that user's password string from /etc/shadow and insert it into the password field of the sysadmin entry in /etc/group.
Lock the user account.
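The hash-copying procedure of item 4 as a script, added here as an example and not part of the original post. It works on the shadow and group files passed as arguments (constructed copies in the demo, with placeholder hashes), so it can be tried before it is pointed at the real files; the "*LK*" prefix it writes to lock the account is the marker Solaris passwd -l uses.

```shell
#!/bin/sh
# Added example: give the sysadmin group a password by copying a user's hash
# from a shadow file into the group file, then lock that user.
# All functions take the files to operate on as arguments.

# Print the password hash of USER from SHADOW_FILE (empty if not found).
shadow_hash() {            # usage: shadow_hash SHADOW_FILE USER
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Print the password field of GROUP from GROUP_FILE.
group_password() {         # usage: group_password GROUP_FILE GROUP
    awk -F: -v g="$2" '$1 == g { print $2; exit }' "$1"
}

# Rewrite GROUP_FILE so that GROUP's password field holds HASH.
set_group_password() {     # usage: set_group_password GROUP_FILE GROUP HASH
    awk -F: -v OFS=: -v g="$2" -v h="$3" '$1 == g { $2 = h } { print }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Lock USER in SHADOW_FILE by prefixing its hash with *LK* (as passwd -l does).
lock_user() {              # usage: lock_user SHADOW_FILE USER
    awk -F: -v OFS=: -v u="$2" \
        '$1 == u && $2 !~ /^\*LK\*/ { $2 = "*LK*" $2 } { print }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# The whole procedure from the checklist: copy USER's hash into sysadmin, lock USER.
protect_sysadmin_group() { # usage: protect_sysadmin_group SHADOW_FILE GROUP_FILE USER
    h=$(shadow_hash "$1" "$3")
    [ -n "$h" ] || { echo "no such user: $3" >&2; return 1; }
    set_group_password "$2" sysadmin "$h" && lock_user "$1" "$3"
}

# Constructed fixture (placeholder hashes, not real ones): scratch shadow and group files.
demo=${TMPDIR:-/tmp}/grppw.$$
mkdir -p "$demo"
printf 'root:XXrootHASHXX:12345::::::\ngrpadm:XXgrpadmHASHXX:12345::::::\n' > "$demo/shadow"
printf 'root::0:root\nsysadmin::14:wy,ops\n' > "$demo/group"
protect_sysadmin_group "$demo/shadow" "$demo/group" grpadm
echo "sysadmin password field: $(group_password "$demo/group" sysadmin)"
echo "grpadm shadow entry:     $(shadow_hash "$demo/shadow" grpadm)"
rm -rf "$demo"
```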
5. Password aging policy
File /etc/default/passwd:
MAXWEEKS=4     the password must be changed at least once every four weeks
MINWEEKS=1     the password may be changed at most once a week
WARNWEEKS=3    from the third week on, the user is warned that the password is about to expire
PASSLENGTH=6   user passwords must be at least six characters long
6. Restrict the use of su (only members of the sysadmin group may run su)
# chgrp sysadmin /bin/su
# chmod o-rwx /bin/su
7. su logging
File /etc/default/su:
SULOG=/var/adm/sulog
SYSLOG=YES
CONSOLE=/dev/console
PATH=/usr/bin:
SUPATH=/usr/sbin:/usr/bin
8. Prohibit remote root login
In /etc/default/login set CONSOLE=/dev/null.
Also add root to /etc/ftpusers.
In the SSH configuration file add: PermitRootLogin no
(Solaris 9 ships with SSH, and root login over SSH is prohibited by default. On Solaris 9, /etc/ftpusers is no longer used; the FTP configuration files are under /etc/ftpd/. If /etc/ftpusers exists when ftpd starts, it is moved to /etc/ftpd/.)


IV. System hardening
1. Set the OpenBoot password

Set the password from Solaris:                   # eeprom security-password
Set the password from OpenBoot:                  ok password
Set the security level (command) from Solaris:   # eeprom security-mode=command
Set the security level (command) from OpenBoot:  ok setenv security-mode command
Set the security level (full) from OpenBoot:     ok setenv security-mode full

2. Disable unnecessary accounts
Accounts that are not needed, for example sys, uucp, nuucp and listen, must be removed or locked. The simple solution is to put NP in the password field of the account's /etc/shadow entry.
(passwd -l username is an even simpler way.)

3. File system
No file in the /etc directory should be writable by group or others.
find /etc -type f -perm -g+w -print   (search for group-writable files)
find /etc -type f -perm -o+w -print   (search for files writable by other users)
chmod -R go-w /etc                    (remove any erroneous group or other write permission)
/var/adm/utmp and /var/adm/utmpx should have mode 644.
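A check script for the rules above (the writable-file search and the utmp modes) together with items 1 and 2 of part III (PATH entries and the modes of the account files), added here as an example and not part of the original post. It takes the root of the tree to audit as an argument; the demo runs it on a constructed scratch tree, and on a real host the argument would be /.

```shell
#!/bin/sh
# Added example: audit the file-mode and PATH rules of the checklist under ROOT.
# Every finding is printed as one line; silence means the rule holds.

# Print "." and empty entries of a PATH-style value (both mean the current directory).
path_dot_entries() {       # usage: path_dot_entries "$PATH"
    printf '%s\n' "$1" | awk -F: '{ for (i = 1; i <= NF; i++)
        if ($i == "." || $i == "") print "entry " i ": \"" $i "\"" }'
}

# Report FILE (path relative to ROOT) unless its mode is exactly WANT (octal).
check_mode() {             # usage: check_mode ROOT FILE WANT
    f="$1$2"
    if [ ! -e "$f" ]; then
        echo "$2: missing"
    elif [ -z "$(find "$f" -perm "$3" -print)" ]; then
        echo "$2: mode is not $3"
    fi
}

# The checklist's expected modes for the account files and for utmp/utmpx.
audit_account_files() {    # usage: audit_account_files ROOT
    check_mode "$1" /etc/passwd 644
    check_mode "$1" /etc/shadow 400
    check_mode "$1" /etc/group 644
    check_mode "$1" /var/adm/utmp 644
    check_mode "$1" /var/adm/utmpx 644
}

# Files under ROOT/etc that are group-writable (020) or other-writable (002).
writable_etc_files() {     # usage: writable_etc_files ROOT
    find "$1/etc" -type f \( -perm -020 -o -perm -002 \) -print | sort
}

# Constructed fixture: a scratch tree with one deliberately wrong file mode.
demo=${TMPDIR:-/tmp}/audit.$$
mkdir -p "$demo/etc" "$demo/var/adm"
for f in etc/passwd etc/group var/adm/utmp var/adm/utmpx; do
    : > "$demo/$f"; chmod 644 "$demo/$f"
done
: > "$demo/etc/shadow"; chmod 400 "$demo/etc/shadow"
: > "$demo/etc/hosts";  chmod 664 "$demo/etc/hosts"     # group-writable: must be flagged
echo "account files:"; audit_account_files "$demo"
echo "writable files under etc:"; writable_etc_files "$demo"
echo "bad PATH entries:"; path_dot_entries "/usr/bin:.:/sbin:/usr/sbin"
rm -rf "$demo"
```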

4. Lock X-Windows manually (whenever the administrator leaves the machine)
CDE: click the lock icon on the front panel.
OpenWindows: right mouse button - Utilities - Lock Screen.

5. Access to /etc
Use chmod -R g-w /etc to remove write permission on /etc for the group.

6. IP forwarding
Enable packet forwarding (only when the system is used as a router):
# ndd -set /dev/ip ip_forwarding 1
Disable packet forwarding (recommended; add the command to /etc/init.d/inetinit):
# ndd -set /dev/ip ip_forwarding 0
Ignore ICMP redirects (otherwise they are a hidden cause of DoS):
# ndd -set /dev/ip ip_ignore_redirects 1   (add to /etc/init.d/inetinit)
Do not send ICMP redirects:
# ndd -set /dev/ip ip_send_redirects 0   (add to /etc/init.d/inetinit)
Do not forward directed broadcasts (if not prohibited, the link can be used for bridging):
# ndd -set /dev/ip ip_forward_directed_broadcasts 0   (add to /etc/init.d/inetinit)
Do not forward packets that carry source routing:
# ndd -set /dev/ip ip_forward_src_routed 0   (add to /etc/init.d/inetinit)

7. Disable IP forwarding with /etc/notrouter
Create the file /etc/notrouter and reboot. (If an intruder gains root, IP forwarding can be re-enabled with ndd.)
Configure /etc/inet/hosts:
127.0.0.1       localhost      (present on every host)
192.168.0.13    loghost        (used by syslog)
192.168.0.109   wy_solaris     (this host's IP address and host name)
/etc/defaultrouter contains the name or IP address of the default router.
If a default router is used, the router's name must be in /etc/inet/hosts, because at the time the routing table is set up no directory service (DNS, NIS or NIS+) is running yet.

8. cron (jobs live in /var/spool/cron/crontabs/; general behaviour is set in /etc/default/cron)
Format: minute hour day-of-month month day-of-week command
(Fields are separated by spaces; within a field, values are separated by commas, or * stands for every value.)
Configuration:
Check the current crontab with crontab -l
(1) cd into a directory that only this user can read
(2) crontab -l > mycronfile
(3) edit mycronfile
(4) crontab mycronfile
Do not use crontab -e, because it creates a copy of the crontab under /tmp that every user can read.
Access to the cron system:
/etc/cron.d/cron.allow (allowed users)
/etc/cron.d/cron.deny (denied users)
If cron.allow exists, a user not listed in it may not use cron.
If cron.deny exists, a user not listed in it may use cron.
Set CRONLOG=yes in /etc/default/cron to log cron activity.
PATH should contain neither "/tmp" nor ".".
at (jobs live in /var/spool/cron/atjobs)
/etc/cron.d/at.allow and /etc/cron.d/at.deny work exactly like the cron files.
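The cron.allow / cron.deny decision above (and the identical at.allow / at.deny one) as a function, added here as an example and not part of the original post. It reads the files from a directory given as an argument (normally /etc/cron.d; a constructed scratch directory in the demo). One rule is taken from the Solaris crontab(1) manual rather than from the post: when neither file exists, only root may submit jobs.

```shell
#!/bin/sh
# Added example: decide whether USER may submit cron or at jobs, following the
# allow/deny file rules of item 8. Prints "allowed" or "denied" and returns 0 or 1.

# True if USER appears as a whole line in FILE.
listed_in() {              # usage: listed_in FILE USER
    grep -q -x "$2" "$1"
}

job_access() {             # usage: job_access DIR KIND USER   (KIND is cron or at)
    allow="$1/$2.allow"; deny="$1/$2.deny"; user="$3"
    if [ -f "$allow" ]; then
        # the allow file exists: only the users named in it may submit jobs
        listed_in "$allow" "$user" && { echo allowed; return 0; }
    elif [ -f "$deny" ]; then
        # only the deny file exists: every user not named in it may submit jobs
        listed_in "$deny" "$user" || { echo allowed; return 0; }
    elif [ "$user" = root ]; then
        # neither file exists: only root (assumption from crontab(1), not from the post)
        echo allowed; return 0
    fi
    echo denied; return 1
}

# Constructed fixture: root and wy in cron.allow, guest in cron.deny, no at.* files.
demo=${TMPDIR:-/tmp}/cron.$$; mkdir -p "$demo"
printf 'root\nwy\n' > "$demo/cron.allow"
printf 'guest\n'    > "$demo/cron.deny"
for u in root wy guest test; do
    printf 'cron %-6s ' "$u"; job_access "$demo" cron "$u" || :
done
printf 'at   %-6s ' wy; job_access "$demo" at wy || :
rm -rf "$demo"
```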

9. Adding static routes
Format: route add net net-address subnet-mask router hops
Example: route add net 10.15.0.0 255.255.0.0 10.14.48.2 1
(Packets for the 10.15.x.x network are sent to 10.14.48.2, which is one hop away from the 10.15.x.x network. Put this command in the startup file /etc/rc2.d/S72inetsvc.)
Dynamic routing (raises security problems):
/etc/rc2.d/S72inetsvc starts in.routed or in.rdisc from its command line.
snoop is a diagnostic tool that can sniff network traffic; only root can use it, and it cannot be removed from the UNIX machine.

10. Wrong umask for root
Edit /etc/profile and set umask to 077 or 027.

11. Stack protection against buffer overflow attacks
Add the following lines to /etc/system to prevent stack-based buffer overflows:
echo "set noexec_user_stack=1" >> /etc/system
echo "set noexec_user_stack_log=1" >> /etc/system
(On Solaris 9 the stack of a single program can also be made non-executable at link time, provided the program's source code is available, e.g.: # cc -M /usr/lib/ld/map.noexstk myprogram.c)

12. Disable source routing and IP forwarding
Disable source routing and IP forwarding in inetinit (needed if there is more than one network adapter). Add the following lines to /etc/init.d/inetinit:
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_forwarding 0

13. Prevent TCP sequence-number prediction attacks (IP spoofing)
In /etc/default/inetinit set TCP_STRONG_ISS=2, so that initial TCP sequence numbers are generated in a way that cannot be predicted: TCP_STRONG_ISS=2

14. Do not use anonymous FTP (if FTP is used at all)
The ftpd entry in /etc/inet/inetd.conf:
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -dl
Never use ftp as root (the password is sent unencrypted).
Add the superuser to /etc/ftpusers (accounts listed there are not allowed to connect over ftp).
The FTP service exposes sensitive system information:
Edit /etc/default/ftpd (create it if it does not exist) and add the line BANNER=XXXX (XXXX can be any text); this masks the version information.

15. Shut down the NFS service

16. Replace the telnet service with SSH

17. Restrict .rhosts, .netrc and /etc/hosts.equiv
The r-commands use .rhosts, .netrc and /etc/hosts.equiv to grant access to the system. These files should be locked down: create them first and then set their mode to 0, so that no user other than root can create or modify them.
/usr/bin/touch /.rhosts /.netrc /etc/hosts.equiv
/usr/bin/chmod 0 /.rhosts /.netrc /etc/hosts.equiv
A .rhosts file in a user's home directory is a typical backdoor: it lets the users listed in it rlogin as that user without a password.
Find every .rhosts file on the system:
# find / -name .rhosts -print

18. Disable multicasting
To disable multicasting, comment out the lines around "route add 224.0.0.0" in /etc/init.d/inetsvc.

19. Shut down the snmp service
Rename the file /etc/rc3.d/S76snmpdx to /etc/rc2.d/K07snmpdx.

20. X-Windows is insecure; use ssh to encrypt it

21. Strengthen network access control
Edit /etc/init.d/inetsvc and add the -t option to inetd, so that the command reads:
/usr/sbin/inetd -s -t
If inetd is already running, restart it with:
# /usr/sbin/inetd -s -t

22. Network access control
Principle: eliminate unnecessary network access, and for the network access that is needed, implement access control at the perimeter.

Solaris network services (/etc/inet/services) [the /* */ annotations mark the services that cannot be shut down]

#ident  "@(#)services 1.27 00/11/06 SMI"   /* SVr4.0 1.8 */
#
#
# Copyright (c) 1999-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
# Network services, Internet style
#
tcpmux          1/tcp                           /* must */
echo            7/tcp
echo            7/udp
discard         9/tcp           sink null
discard         9/udp           sink null
systat          11/tcp          users
daytime         13/tcp
daytime         13/udp
netstat         15/tcp
chargen         19/tcp          ttytst source
chargen         19/udp          ttytst source
ftp-data        20/tcp                          /* depends on the service */
ftp             21/tcp                          /* depends on the service */
ssh             22/tcp                          /* depends on the service */
telnet          23/tcp                          /* depends on the service */
smtp            25/tcp          mail            /* depends on the service */
time            37/tcp          timserver
time            37/udp          timserver
name            42/udp          nameserver
whois           43/tcp          nicname         # usually to sri-nic
domain          53/udp                          /* depends on the service */
domain          53/tcp                          /* depends on the service */
bootps          67/udp                          # BOOTP/DHCP server
bootpc          68/udp                          # BOOTP/DHCP client
hostnames       101/tcp         hostname        # usually to sri-nic
pop2            109/tcp         pop-2           # Post Office Protocol - V2
pop3            110/tcp                         # Post Office Protocol - Version 3
sunrpc          111/udp         rpcbind
sunrpc          111/tcp         rpcbind
imap            143/tcp         imap2           # Internet Mail Access Protocol v2
ldap            389/tcp                         # Lightweight Directory Access Protocol
ldap            389/udp                         # Lightweight Directory Access Protocol
submission      587/tcp                         # Mail Message Submission
submission      587/udp                         # see RFC 2476
ldaps           636/tcp                         # LDAP protocol over TLS/SSL (was sldap)
ldaps           636/udp                         # LDAP protocol over TLS/SSL (was sldap)
#
# Host specific functions
#
tftp            69/udp
rje             77/tcp
finger          79/tcp
link            87/tcp          ttylink
supdup          95/tcp
iso-tsap        102/tcp
x400            103/tcp                         # ISO Mail
x400-snd        104/tcp
csnet-ns        105/tcp
pop-2           109/tcp                         # Post Office
uucp-path       117/tcp
nntp            119/tcp         usenet          # Network News Transfer
ntp             123/tcp                         # Network Time Protocol
ntp             123/udp                         # Network Time Protocol
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp                         # NETBIOS Name Service
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp                         # NETBIOS Datagram Service
netbios-ssn     139/tcp                         # NETBIOS Session Service
netbios-ssn     139/udp                         # NETBIOS Session Service
NeWS            144/tcp         news            # Window System
slp             427/tcp         slp             # Service Location Protocol, V2
slp             427/udp         slp             # Service Location Protocol, V2
mobile-ip       434/udp         mobile-ip       # Mobile-IP
cvc_hostd       442/tcp                         # Network Console
#
# UNIX specific services
#
# these are NOT officially assigned
#
exec            512/tcp
login           513/tcp
shell           514/tcp         cmd             # no passwords used
printer         515/tcp         spooler         # line printer spooler
courier         530/tcp         rpc             # experimental
uucp            540/tcp         uucpd           # uucp daemon
biff            512/udp         comsat
who             513/udp         whod
syslog          514/udp                         /* depends on the service */
talk            517/udp
route           520/udp         router routed
ripng           521/udp
klogin          543/tcp                         # Kerberos authenticated rlogin
kshell          544/tcp         cmd             # Kerberos authenticated remote shell
new-rwho        550/udp         new-who         # experimental
rmonitor        560/udp         rmonitord       # experimental
monitor         561/udp                         # experimental
pcserver        600/tcp                         # ECD Integrated PC board srvr
sun-dr          665/tcp                         # Remote Dynamic Reconfiguration
kerberos-adm    749/tcp                         # Kerberos V5 Administration
kerberos-adm    749/udp                         # Kerberos V5 Administration
kerberos        750/udp         kdc             # Kerberos key server
kerberos        750/tcp         kdc             # Kerberos key server
krb5_prop       754/tcp                         # Kerberos V5 KDC propagation
ufsd            1008/tcp        ufsd            # UFS-aware server
ufsd            1008/udp        ufsd
cvc             1495/tcp                        # Network Console
ingreslock      1524/tcp
www-ldap-gw     1760/tcp                        # HTTP gateway to LDAP
www-ldap-gw     1760/udp                        # HTTP gateway to LDAP
listen          2766/tcp                        # System V listener port
nfsd            2049/udp        nfs             # NFS server daemon (clts)
nfsd            2049/tcp        nfs             # NFS server daemon (cots)
eklogin         2105/tcp                        # Kerberos encrypted rlogin
lockd           4045/udp                        # NFS lock daemon/manager
lockd           4045/tcp
dtspc           6112/tcp                        # CDE subprocess control   /* depends on the service */
fs              7100/tcp                        # Font server              /* depends on the service */

How to implement:
Comment out the corresponding lines in /etc/inet/services with a leading "#".
Comment out the corresponding service entries in /etc/inet/inetd.conf.
Find the inetd process and restart it:
# ps -ef | grep inetd     (find the process id)
# kill -HUP <process id>
Stop the services that are not defined in the table above.
Method: rename the startup script (for example with mv, changing the leading S to another letter) and stop the corresponding process.

Service       Startup script                                                Process
Sendmail      /etc/rc2.d/S88sendmail                                        sendmail
DNS           /etc/rc2.d/S72inetsvc (comment out in.named in it)            in.named, named-xfer
NFS           /etc/rc3.d/S15nfs.server (also comment out /etc/dfs/dfstab)   nfsd
Automounter   /etc/rc2.d/S74autofs (delete /etc/auto_*)
NTP           /etc/rc2.d/S74xntpd                                           xntpd
Syslog        /etc/rc2.d/S74syslog                                          syslogd
Print         /etc/rc2.d/S80lp                                              lpshut (stops the print service)

23. Make sendmail more secure
Use the latest version of Berkeley sendmail (see section 3). Delete the decode alias from /etc/aliases and set /etc/aliases to mode 644. Disable the expn and vrfy commands by changing
O PrivacyOptions=authwarnings
to
O PrivacyOptions=goaway
Sendmail supports SMTP authentication (SASL).
Following devtools/Site/README, create the file devtools/Site/site.config.m4 with the following contents:
APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
This compiles sendmail with SASL support.
Compile: cd sendmail; sh Build
Go to the cf/cf directory, copy generic-linux.mc to sendmail.mc, and add the following to sendmail.mc:
define(`confSMTP_LOGIN_MSG', `$m Server')dnl
(changes the greeting banner of sendmail)
define(`confAUTH_MECHANISMS', `LOGIN')dnl
(authenticates against Unix accounts)
define(`confPRIVACY_FLAGS', `novrfy,noexpn,noverb')dnl
(disables the vrfy, expn and verb commands)
define(`confMAX_DAEMON_CHILDREN', `128')dnl
define(`confCONNECTION_RATE_THROTTLE', `32')dnl
(protection against denial-of-service attacks)

24. Increase the security of the DNS server
Disable zone transfers.
Do not use the default named configuration files; put the configuration under /var/bind.
Disable lame-server log messages.
Add the following to the named.conf under /var/bind:
options {
        directory "/var/named";
        forwarders {
                202.106.120.1;
        };
        version "Super InterSoft DNS Server 2.0.4";
        allow-transfer { none; };
};

logging {
        category lame-servers { null; };
};

25. Because changing the setuid programs may affect normally working programs, changing them is not recommended; instead, check the setuid programs regularly and compare the list against a baseline to make sure nothing has changed.
# find / -perm -4000 -print

26. Disable CDE (unless you insist on using a graphical console) [optional]
To disable CDE, rename /etc/rc2.d/S99dtlogin.

V. Use Sun's patch check tool to inspect the patches installed on the system
The operating system patch tool checks the following:
- latest revisions
- recommended patches
- security patches
- Year 2000 patches
- other patches relevant to the software environment
(Sun's website provides a dedicated patch diagnostic tool.)
Fix vulnerabilities in a timely manner and install the latest patches.

Solaris system security reinforcement table

The above covers only hardening of the operating system; the security strategy for services, the use of SSH and log analysis are not covered.
When I have time I will write about the rest from my own experience. Corrections are welcome.

Solaris system security reinforcement table

Good, support it. But the author is not an MM.

Solaris system security reinforcement table

Ft, you're not going there, are you?

Solaris system security reinforcement table

Thank you!

Solaris system security reinforcement table

Yes, a very useful reference.


Also, regrettably, there are rather few MMs working in IT, ah.

Solaris system security reinforcement table

Not bad, quite good; make it a featured post!

Solaris system security reinforcement table

Thank you.

Solaris system security reinforcement table

Bookmarked it first; thank you.

Solaris system security reinforcement table

Question:
"Neither PATH nor LD_LIBRARY_PATH of any user should contain '.'"
Why this rule?

Solaris system security reinforcement table

Those are the directories in which the shell searches for executables. If one of the listed directories is writable by other users, someone could put a Trojan there, and if the administrator executes it, it is all over.

Solaris system security reinforcement table

Strong!!!

Solaris system security reinforcement table

Good

Solaris system security reinforcement table

Good article, just what I needed.

Solaris system security reinforcement table

May I ask the poster whether this document can be used as a reference for Solaris 6 and 7, which may not have some of these security settings?

Solaris system security reinforcement table

On 8 and 9 the locations of many files have changed; some of them are just links to the 6 locations. Some of that is mentioned here and some is not.
On 8 and 9 many of the default settings also do not need the file to be modified, because the defaults are already relatively safe ... (writing more here is the safer choice).

The checklist is not very operational; to produce an operational checklist it still needs to be revised ...

Solaris system security reinforcement table

Hero, ah! You summed it all up!

Solaris system security reinforcement table

Halo
If written out in full, a hardening standard for Solaris 8 ran to 23,000.
A lot is missed here.

Solaris system security reinforcement table

Formidable!!! Will applying the above affect normal operation? The root umask should rather be set to 022, right? There should also be /etc/inetd.conf configuration to shut down certain services. A question: if I kill the rpc process (it should count as a vulnerability, right?), what will that affect?

Solaris system security reinforcement table


HOHO, don't invoke TXF's "Trust No. 1".


