unfinishedpage: maybe we should replace this with Sun's JASS tool or SANS' YASSP

This document outlines the process of hardening servers for SNSMR on the Registry 2000 project. Insecure protocols such as telnet expose a system by allowing passwords to be snooped and sessions hijacked. Solutions such as ssh mitigate these concerns by providing strong authentication and privacy through encryption. All SNSMR servers will have ssh installed. The information offered here is one way to perform the ssh installation and server hardening. There are many valuable web sites on security and on installing ssh, and this document does not attempt to replace them.

 * For the Sun blueprint to install and configure ssh see the following link: http://www.sun.com/solutions/blueprints/0701/openSSH.pdf
 * Also a good generic hardening document is http://secinf.net/unix_security/Hardening_Solaris__Securely_installing_a_firewall_bastion_host.html

== Set up the sshd user ==

Privilege separation, or privsep, is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing any corruption to an unprivileged process. When privsep is enabled, during the pre-authentication phase sshd will chroot to "/var/empty" and change its privileges to the "sshd" user and its primary group. sshd is a pseudo-account that should not be used by other daemons; it must be locked and should have "nologin" or an otherwise invalid shell.

As root:

{{{
mkdir /var/empty
chown root:sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
}}}

/var/empty should not contain any files. If you do not do this and attempt to start up sshd, you will get error messages and the daemon will not start.
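The two conditions the section above sets out (an empty, root-owned, mode 755 chroot directory and a locked pseudo-account with a non-login shell) are easy to get wrong on a hand-built server, so here is a pre-flight check to run before the first sshd start. This is an added example, not code from the original page or from OpenSSH; the function names and the parameterised owner are assumptions, and it uses only POSIX sh, ls and awk so it can run on Solaris or any other Unix.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the
# OpenSSH privsep chroot directory and pseudo-account.

# check_privsep_dir DIR OWNER
#   Returns 0 when DIR is an empty directory owned by OWNER with mode
#   drwxr-xr-x (0755), 1 otherwise, printing the first problem found.
check_privsep_dir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # ls -ld is POSIX: field 1 is the mode string, field 3 the owner.
    # Some systems append '.', '+' or '@' for ACLs; strip one such marker.
    set -- $(ls -ld "$dir")
    mode=${1%[.+@]}
    actual_owner=$3
    [ "$mode" = "drwxr-xr-x" ] ||
        { echo "$dir: mode is $mode, want drwxr-xr-x"; return 1; }
    [ "$actual_owner" = "$owner" ] ||
        { echo "$dir: owned by $actual_owner, want $owner"; return 1; }
    # sshd refuses to start if the chroot directory contains anything.
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: must be empty"; return 1; }
    return 0
}

# check_privsep_user PASSWD_FILE USER
#   Returns 0 when USER exists in PASSWD_FILE with a non-login shell
#   (/bin/false or anything ending in "nologin"), 1 otherwise.  The file
#   is a parameter so the check can be run against a copy or a test file.
check_privsep_user() {
    awk -F: -v u="$2" '
        $1 == u { found = 1; if ($7 == "/bin/false" || $7 ~ /nologin$/) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }
    ' "$1"
}

# On the real server (as root) the calls would be:
#   check_privsep_dir /var/empty root && check_privsep_user /etc/passwd sshd
```

The account-lock status lives in /etc/shadow rather than /etc/passwd, so the second check only confirms the shell; confirm the lock separately with `passwd -s sshd`.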
== Install ssh keys and sshd start/stop script ==

Each machine that you want to communicate with via the ssh client will need to have an sshd daemon running. But first, you need to run the following commands to create the host key information for the server machine. Make sure you have /usr/local/bin and /usr/local/sbin in your PATH. If you have been running sshd before and have keys in /usr/local/etc, running these commands will overwrite them.

As root:

{{{
ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
}}}

=== sshd init script ===

 * Copy /etc/init.d/ssh and /etc/init.d/prngd on mgmt1 to the same directory on the new server.
 * Set permissions:
{{{
chown root /etc/init.d/ssh /etc/init.d/prngd
chgrp sys /etc/init.d/ssh /etc/init.d/prngd
chmod 544 /etc/init.d/ssh /etc/init.d/prngd
}}}
 * Symlink them into the rc2.d directory:
{{{
ln -s /etc/init.d/ssh /etc/rc2.d/S99sshd
ln -s /etc/init.d/prngd /etc/rc2.d/S99prngd
}}}

== Start/Stop the ssh daemon manually ==

{{{
/etc/rc2.d/S99sshd start
}}}

You can check to see if the daemon is running with the ps command:

{{{
ps -e | grep sshd
}}}

== Disable unnecessary services in rc2.d & rc3.d ==

Rename the following files so the rc system no longer runs them (change the name of each S file to no-S):

{{{
cd /etc/rc2.d/
mv S00sunatm no-S00sunatm
mv S07dmi no-S07dmi
mv S07snmpdx no-S07snmpdx
mv S71rpc no-S71rpc
mv S72slpd no-S72slpd
mv S73nfs.client no-S73nfs.client
mv S74autofs no-S74autofs
mv S80lp no-S80lp
mv S88sendmail no-S88sendmail
mv S90wbem no-S90wbem
mv S99dtlogin no-S99dtlogin

cd /etc/rc3.d/
mv S15nfs.server no-S15nfs.server
mv S34dhcp no-S34dhcp
mv S50apache no-S50apache
mv S76snmpdx no-S76snmpdx
mv S77dmi no-S77dmi
mv S80mipagent no-S80mipagent
}}}

== Remove unnecessary crontabs ==

{{{
cd /var/spool/cron/crontabs
rm uucp adm sys
}}}

== inetd.conf changes ==

Finally, disable unsafe network services (such as ftpd, telnet, etc.)
by editing the /etc/inetd.conf file and commenting out everything but the following:

{{{
300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon
}}}

You have just hardened your server! You may need to reboot the server. On reboot, ensure all services come back up correctly. Try to telnet in (or connect via any non-ssh method). You should only be able to connect via ssh.

== Server Tuning ==

This section contains changes made to tune the servers for better ...

=== Vfstab edit ===

Edit vfstab with the following:

 * Add logging,noatime to /
 * Add size=100m to swap

vfstab should now resemble the following:

{{{
#device             device              mount     FS     fsck  mount    mount
#to mount           to fsck             point     type   pass  at boot  options
#
#/dev/dsk/c1d0s2    /dev/rdsk/c1d0s2    /usr      ufs    1     yes      -
fd                  -                   /dev/fd   fd     -     no       -
/proc               -                   /proc     proc   -     no       -
#/dev/dsk/c1t0d0s1  -                   -         swap   -     no       -
/dev/md/dsk/d20     -                   -         swap   -     no       -
/dev/md/dsk/d10     /dev/md/rdsk/d10    /         ufs    1     no       logging,noatime
swap                -                   /tmp      tmpfs  -     yes      size=100m
}}}

== Force Fast Ethernet Full Duplex ==

Add the following to /etc/system, which forces fast ethernet full duplex:

{{{
* NEW ***********
* ADDED (Date – Initials)
* force full duplex
set eri:adv_autoneg_cap=0
set eri:adv_100fdx_cap=1
set eri:adv_100hdx_cap=0
set eri:adv_10fdx_cap=0
set eri:adv_10hdx_cap=0
* END NEW *
}}}

== Add /etc/notrouter ==

This prevents the machine from acting as a router if it has two interfaces:

{{{
touch /etc/notrouter
}}}

== Change the /etc/default/login file ==

Copy mgmt1:~admin/etc_master/default/login to /etc/default/login
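The "Disable unnecessary services in rc2.d & rc3.d" section above is a long list of hand-typed mv commands; a second server, or a second pass on the same server, benefits from a small function that applies the same S-to-no-S renaming idempotently and reports what it could not find, plus a count of what is still active so the result can be confirmed before rebooting. This is an added example, not code from the original page; the function names are assumptions and the test directory is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): disable rc start scripts by
# renaming S<nn>name to no-S<nn>name, the convention this document uses.

# disable_rc_scripts RCDIR NAME...
#   Renames each listed script under RCDIR.  Scripts that are already
#   disabled are left alone; scripts that do not exist are reported on
#   stderr.  Returns the number of names it could not find (0 = all handled).
disable_rc_scripts() {
    rcdir=$1
    shift
    missing=0
    for name in "$@"; do
        if [ -e "$rcdir/$name" ]; then
            mv "$rcdir/$name" "$rcdir/no-$name"
            echo "disabled $rcdir/$name"
        elif [ -e "$rcdir/no-$name" ]; then
            echo "already disabled: $rcdir/$name"
        else
            echo "not found: $rcdir/$name" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# rc_enabled_count RCDIR
#   Prints how many S* scripts remain active in RCDIR, for a final review
#   before the reboot the document calls for.
rc_enabled_count() {
    n=0
    for f in "$1"/S*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# The document's lists, as they would be applied on the real server (root):
#   disable_rc_scripts /etc/rc2.d S00sunatm S07dmi S07snmpdx S71rpc S72slpd \
#       S73nfs.client S74autofs S80lp S88sendmail S90wbem S99dtlogin
#   disable_rc_scripts /etc/rc3.d S15nfs.server S34dhcp S50apache S76snmpdx \
#       S77dmi S80mipagent
```

Because the rename keeps the original file in place under a name that the rc system ignores, re-enabling a service is the reverse mv, which is why the document's convention is preferable to deleting the scripts.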
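The "inetd.conf changes" section above asks for everything except the dr_daemon entry to be commented out. Doing that by hand across a whole inetd.conf invites a missed line, so here is a scripted version that keeps a backup, disables every active entry not matching a keep pattern, and lists what inetd would still serve afterwards. This is an added example, not code from the original page; the function names, the "#disabled#" tag and the sample inetd.conf in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): comment out every active
# service line in an inetd.conf-style file except those matching KEEP_RE.

# harden_inetd_conf FILE KEEP_RE
#   Rewrites FILE in place, leaving a copy at FILE.orig.  Comment and
#   blank lines pass through; lines matching the awk regex KEEP_RE are
#   kept; every other line is commented out with a recognisable tag so
#   the change can be audited or reverted later.
harden_inetd_conf() {
    file=$1
    keep=$2
    cp -p "$file" "$file.orig"
    awk -v keep="$keep" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments, blank lines
        $0 ~ keep                { print; next }   # services we keep
        { print "#disabled# " $0 }                 # everything else off
    ' "$file.orig" > "$file"
}

# active_inetd_services FILE
#   Prints the first field (service name or RPC program number/version)
#   of every line inetd would still act on, one per line.
active_inetd_services() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { print $1 }' "$1"
}

# On the real server (as root), matching the document's one surviving entry:
#   harden_inetd_conf /etc/inetd.conf 'dr_daemon$'
#   active_inetd_services /etc/inetd.conf
# then send inetd a HUP (or reboot, as the document suggests) to reload.
```

The keep pattern is anchored on the final field, so a service whose arguments merely mention the kept program is not accidentally retained; review the output of the second function before reloading inetd.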
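The "Vfstab edit" section above adds logging,noatime to the / entry and size=100m to the tmpfs entry. vfstab is a seven-column whitespace table (device to mount, device to fsck, mount point, FS type, fsck pass, mount at boot, options) and a bare "-" in the last column means "no options", so an edit has to replace the "-" or merge with options already present. This is an added example, not code from the original page; the function names are assumptions and the vfstab in the test is constructed from the document's own entries.

```shell
#!/bin/sh
# Added example (not from the original page): add mount options to one
# vfstab entry without disturbing the rest of the file.

# set_vfstab_options FILE MOUNTPOINT OPTIONS
#   Rewrites FILE (backup in FILE.orig) so that the entry whose mount
#   point (field 3) is MOUNTPOINT carries the comma-separated OPTIONS:
#   a bare "-" is replaced, existing options are kept, duplicates skipped.
set_vfstab_options() {
    file=$1
    mnt=$2
    opts=$3
    cp -p "$file" "$file.orig"
    awk -v mnt="$mnt" -v opts="$opts" -v OFS='\t' '
        /^[ \t]*#/ || NF < 7 { print; next }    # comments, malformed lines
        $3 == mnt {
            if ($7 == "-") {
                $7 = opts
            } else {
                n = split($7, have, ",")
                m = split(opts, want, ",")
                for (i = 1; i <= m; i++) {
                    seen = 0
                    for (j = 1; j <= n; j++)
                        if (have[j] == want[i]) seen = 1
                    if (!seen) $7 = $7 "," want[i]
                }
            }
        }
        { print }
    ' "$file.orig" > "$file"
}

# vfstab_options FILE MOUNTPOINT
#   Prints the options field of the entry for MOUNTPOINT, for verification.
vfstab_options() {
    awk -v mnt="$2" '!/^[ \t]*#/ && NF >= 7 && $3 == mnt { print $7 }' "$1"
}

# The document's two edits, as applied on the real server (as root):
#   set_vfstab_options /etc/vfstab /    logging,noatime
#   set_vfstab_options /etc/vfstab /tmp size=100m
```

Assigning a field in awk rebuilds the record with OFS, so edited lines come out tab-separated while untouched lines keep their original spacing; check the result with `vfstab_options` before rebooting, since a malformed / entry prevents the system from coming up.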