unfinishedpage: maybe we should replace this with Sun's JASS tool or SANS' YASSP
This document outlines the process of hardening servers for SNSMR on the Registry 2000 project.
Insecure protocols such as telnet expose a system by allowing passwords to be snooped and sessions hijacked. Solutions such as ssh mitigate these security concerns by providing strong authentication mechanisms and privacy through encryption. All SNSMR servers will have ssh installed.
Information offered here is one way to perform the ssh installation and server hardening. There are many valuable web sites talking about security and installation of ssh and this document does not attempt to replace them.
Privilege separation, or privsep, is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing any corruption to an unprivileged process. When privsep is enabled, during the pre-authentication phase sshd will chroot to "/var/empty" and change its privileges to the "sshd" user and its primary group. sshd is a pseudo-account that should not be used by other daemons; it must be locked and should have "nologin" or another invalid shell.
As root:
    mkdir /var/empty
    chown root:sys /var/empty
    chmod 755 /var/empty
    groupadd sshd
    useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
If you do not do this and attempt to start up sshd, you will get error messages and the daemon will not start.
Each machine that you want to communicate with via the ssh client will need to have an sshd daemon running. But first, you need to run the following three lines to create the key information for the server machine. Make sure you have /usr/local/bin and /usr/local/sbin in your PATH. If you have been running sshd before and have keys in /usr/local/etc, running these commands will overwrite them.
As root:
    ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
    ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
/etc/rc2.d/S98sshd start
You can check to see if the daemon is running with the ps command:
    ps -e | grep sshd
Move the following files (change the name of each S file to no-S so that the script no longer runs at boot):
    cd /etc/rc2.d/
    mv S00sunatm no-S00sunatm
    mv S07dmi no-S07dmi
    mv S07snmpdx no-S07snmpdx
    mv S71rpc no-S71rpc
    mv S72slpd no-S72slpd
    mv S73nfs.client no-S73nfs.client
    mv S74autofs no-S74autofs
    mv S80lp no-S80lp
    mv S88sendmail no-S88sendmail
    mv S90wbem no-S90wbem
    mv S99dtlogin no-S99dtlogin

    cd /etc/rc3.d/
    mv S15nfs.server no-S15nfs.server
    mv S34dhcp no-S34dhcp
    mv S50apache no-S50apache
    mv S76snmpdx no-S76snmpdx
    mv S77dmi no-S77dmi
    mv S80mipagent no-S80mipagent
Remove the uucp, adm and sys crontabs:
    cd /var/spool/cron/crontabs
    rm uucp adm sys
Finally, disable unsafe network services (such as ftpd, telnet, etc.) by editing the /etc/inetd.conf file and commenting out everything but the following line:
    300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon
You have just hardened your server! You may need to reboot the server. On reboot, ensure all services come back up correctly. Try to telnet in (or connect via any non-ssh method). You should only be able to connect via ssh.
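As an added example (not part of the original SNSMR document), the following script audits a server against the steps above: it reports any listed rc start script that still has its S name, any active inetd.conf entry other than dr_daemon, and a missing or non-empty /var/empty. With no argument it inspects the live system; passing a directory lets it inspect a copy of the tree offline.

```shell
#!/bin/sh
# Added example (not from the original SNSMR document): audit a Solaris root
# tree against the hardening steps above. Pass a directory to audit a copy of
# the tree offline; with no argument it inspects the live system (/).
# Start scripts this document renames to no-S*, as rcN.d:name pairs.
DISABLED_RC="rc2.d:S00sunatm rc2.d:S07dmi rc2.d:S07snmpdx rc2.d:S71rpc
rc2.d:S72slpd rc2.d:S73nfs.client rc2.d:S74autofs rc2.d:S80lp
rc2.d:S88sendmail rc2.d:S90wbem rc2.d:S99dtlogin rc3.d:S15nfs.server
rc3.d:S34dhcp rc3.d:S50apache rc3.d:S76snmpdx rc3.d:S77dmi rc3.d:S80mipagent"

# Report any listed script that still carries its S name (still enabled).
# Returns 0 when none remain, 1 otherwise.
check_rc_scripts() {
    root=${1:-/}; found=0
    for entry in $DISABLED_RC; do
        rcdir=${entry%%:*}; script=${entry#*:}
        if [ -e "$root/etc/$rcdir/$script" ]; then
            echo "still enabled: /etc/$rcdir/$script"; found=1
        fi
    done
    return $found
}

# Report every active (uncommented, non-blank) inetd.conf entry other than
# the dr_daemon line this document keeps. Returns 0 when there are none.
check_inetd() {
    root=${1:-/}; conf="$root/etc/inetd.conf"
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }
    extra=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' \
            | grep -v 'dr_daemon' || true)
    [ -z "$extra" ] || { echo "active inetd entries besides dr_daemon:"; echo "$extra"; return 1; }
    return 0
}

# The privsep chroot must exist and hold no files; the document notes that
# sshd will not start without it.
check_privsep_dir() {
    root=${1:-/}; dir="$root/var/empty"
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir is not empty"; return 1; }
    return 0
}

# Run every check; any failure makes the overall result FAILED.
status=0
check_rc_scripts "${1:-/}" || status=1
check_inetd "${1:-/}" || status=1
check_privsep_dir "${1:-/}" || status=1
if [ "$status" -eq 0 ]; then echo "hardening checks passed"; else echo "hardening checks FAILED"; fi
```

Run it after the reboot and again after any later change to the rc directories or inetd.conf.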
This section contains changes made to tune the servers for better ...
Edit vfstab with the following:
Add the following to /etc/system, which forces fast Ethernet to full duplex:
    * NEW ***********
    * ADDED (Date – Initials)
    * force full duplex
    set eri:adv_autoneg_cap=0
    set eri:adv_100fdx_cap=1
    set eri:adv_100hdx_cap=0
    set eri:adv_10fdx_cap=0
    set eri:adv_10hdx_cap=0
    * END NEW *
This prevents the machine from acting as a router if it has two interfaces:
    touch /etc/notrouter
Copy mgmt1:~admin/etc_master/default/login to /etc/default/login