The UNIX and Linux Forums  

  #1 (permalink)  
Old 10-07-2005
Registered User
 

Join Date: May 2005
Posts: 48
Unix Services (Solaris 9)

Our systems group is asking if it would be OK to turn off certain services due to potential security risks. The following are being contemplated.

Service
chargen
daytime
discard
dtspcd
echo
exec
finger
fs
gssd
in.comsat
kcms_server
ktkt_warnd
login
name
rpc.cmsd
rpc.metad
rpc.metamedd
rpc.metamhd
rpc.rusersd
rpc.ttdbserverd
rquotad
sadmind
shell
sprayd
sun-dr
talk
walld

Are there any compelling reasons to "not" turn any of these off?

Note: If I posted this in the wrong forum, I apologize (let me know which and I can repost).

Thanks, in advance, for your help.
  #2 (permalink)  
Old 10-07-2005
RTM
Hog Hunter
 

Join Date: Apr 2002
Location: On my motorcycle
Posts: 3,039
Each service needs to be looked at individually for each server - one server may need some of the services while another does not. Solaris Security Guide - one of many you can find with a search on the Internet. Suggest you also look on some of the many SUN sites.

Example - some of the services you want to turn off are
rpc.metad
rpc.metamedd
rpc.metamhd

These are needed if you are using DiskSuite - if you aren't using it to mirror/stripe disks, then yes, you could turn it off.

Others, like finger and sprayd you could turn off with probably no issue as they are not really needed on servers (as far as I have ever seen).

Understand that these services should be turned off in /etc/inetd.conf (for the most part) and not removed/commented from /etc/services.

Here is an example of inetd.conf from one of the servers I work on - I did not add the services that are turned on, just the ones that are commented out - long list!

Code:
cat /etc/inetd.conf
#ident "@(#)inetd.conf 1.45 02/11/05 SMI" /* SVr4.0 1.5 */
#
# Copyright 1989-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
#
# Configuration file for inetd(1M). See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
# <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
#
# Syntax for TLI-based Internet services:
#
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# IPv6 and inetd.conf
# By specifying a <proto> value of tcp6 or udp6 for a service, inetd will
# pass the given daemon an AF_INET6 socket. The following daemons have
# been modified to be able to accept AF_INET6 sockets
#
# ftp telnet shell login exec tftp finger printer
#
# and service connection requests coming from either IPv4 or IPv6-based
# transports. Such modified services do not normally require separate
# configuration lines for tcp or udp. For documentation on how to do this
# for other services, see the Solaris System Administration Guide.
#
# You must verify that a service supports IPv6 before specifying <proto> as
# tcp6 or udp6. Also, all inetd built-in commands (time, echo, discard,
# daytime, chargen) require the specification of <proto> as tcp6 or udp6
#
# The remote shell server (shell) and the remote execution server
# (exec) must have an entry for both the "tcp" and "tcp6" <proto> values.
#
# Ftp and telnet are standard Internet services.
#
#ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
#telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
#name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
#shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
#login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
#exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
#exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
#comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
#talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
#uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
#
#tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
#systat stream tcp nowait root /usr/bin/ps ps -ef
#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
#time stream tcp6 nowait root internal
#time dgram udp6 wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
#echo stream tcp6 nowait root internal
#echo dgram udp6 wait root internal
#discard stream tcp6 nowait root internal
#discard dgram udp6 wait root internal
#daytime stream tcp6 nowait root internal
#daytime dgram udp6 wait root internal
#chargen stream tcp6 nowait root internal
#chargen dgram udp6 wait root internal
#
#
# RPC services syntax:
# <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> <pathname> <args>
#
# <endpoint-type> can be either "tli" or "stream" or "dgram".
# For "stream" and "dgram" assume that the endpoint is a socket descriptor.
# <proto> can be either a nettype or a netid or a "*". The value is
# first treated as a nettype. If it is not a valid nettype then it is
# treated as a netid. The "*" is a short-hand way of saying all the
# transports supported by this system, ie. it equates to the "visible"
# nettype. The syntax for <proto> is:
# *|<nettype|netid>|<nettype|netid>{[,<nettype|netid>]}
# For example:
# dummy/1 tli rpc/circuit_v,udp wait root /tmp/test_svc test_svc
#
# Solstice system and network administration class agent server
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#
# Rquotad supports UFS disk quotas for NFS clients
#
#rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
#
# The rusers service gives out user information. Sites concerned
# with security may choose to disable it.
#
#rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
#
# The spray server is used primarily for testing.
#
#sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
#
# The rwall server allows others to post messages to users on this machine.
#
#walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
#
# Rstatd is used by programs such as perfmeter.
#
#rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
#
# The rexd server provides only minimal authentication and is often not run
#
#rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
#
# rpc.cmsd is a data base daemon which manages calendar data backed
# by files in /var/spool/calendar
#
#
# Sun ToolTalk Database Server
#
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
#
# UFS-aware service daemon
#
#ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd -p
#
# Sun KCMS Profile Server
#
#100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
#
# Sun Font Server
#
#fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
#
# CacheFS Daemon
#
#100235/1 tli rpc/ticotsord wait root /usr/lib/fs/cachefs/cachefsd cachefsd
#
# Kerberos V5 Warning Message Daemon
#
#100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd
#
# Print Protocol Adaptor - BSD listener
#
#printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
#
# GSS Daemon
#
#100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
#
# AMI Daemon
#
#100146/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
#100147/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
#
# OCF (Smart card) Daemon
#
#100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv
#dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
#100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
#sun-dr stream tcp wait root /usr/lib/dcs dcs
#sun-dr stream tcp6 wait root /usr/lib/dcs dcs
#300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon
  #3 (permalink)  
Old 10-07-2005
Registered User
 

Join Date: May 2005
Posts: 48
Thanks for the help

Will pass the info along
  #4 (permalink)  
Old 10-07-2005
Neo
Administrator
 

Join Date: Sep 2000
Location: Asia Pacific
Posts: 3,955
Quote:
Originally Posted by BCarlson
Our systems group is asking if it would be OK to turn off certain services due to potential security risks. The following are being contemplated.

Service
chargen
daytime
discard
dtspcd
echo
exec
finger
fs
gssd
in.comsat
kcms_server
ktkt_warnd
login
name
rpc.cmsd
rpc.metad
rpc.metamedd
rpc.metamhd
rpc.rusersd
rpc.ttdbserverd
rquotad
sadmind
shell
sprayd
sun-dr
talk
walld

Are there any compelling reasons to "not" turn any of these off?

Note: If I posted this in the wrong forum, I apologize (let me know which and I can repost).

Thanks, in advance, for your help.
If you are not using the services, I would "turn them off". My servers have all of the services you mentioned in your post "turned off."
  #5 (permalink)  
Old 10-31-2005
Registered User
 

Join Date: Oct 2005
Posts: 22
vi /etc/inetd.conf

:%s/^/\#/g


Reply With Quote
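
An added example, not part of any post in this thread: a script that reports which of the services named in the question are still active in an inetd.conf and writes a copy with only those entries commented out. It matches on the daemon's basename as well as field 1, because several names in the question appear in the file under a different service name or an RPC program number. The function names, the CANDIDATES list and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the inetd.conf layout shown in
# the post above: field 1 = service name or RPC program/version, field 6 =
# server pathname ("internal" for inetd built-ins).

# Names from the question, minus the rpc.meta* daemons the reply says
# DiskSuite needs. Several differ from field 1 in the file (sadmind is
# 100232/10, in.comsat is comsat), hence the match on the daemon basename too.
CANDIDATES="chargen daytime discard dtspcd echo exec finger fs gssd in.comsat \
kcms_server ktkt_warnd login name rpc.cmsd rpc.rusersd rpc.ttdbserverd \
rquotad sadmind shell sprayd sun-dr talk walld"

INETD_AWK='
BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) set[w[i]] = 1 }
{ hit = 0 }
!/^[ \t]*#/ && NF >= 6 {                 # active entry, not a comment or blank
    svc = $1; sub(/\/.*/, "", svc)       # drop the RPC "/version" suffix
    m = split($6, p, "/"); d = p[m]      # basename of server_pathname
    hit = (svc in set) || (d in set)
}
mode == "list" { if (hit) print $1, d; next }
{ if (hit) $0 = "#" $0; print }          # edit mode: comment out matches only
'

# list_enabled FILE NAMES: print "field1 daemon" for each still-active match.
list_enabled()     { awk -v mode=list -v want="$2" "$INETD_AWK" "$1"; }
# disable_services FILE NAMES: copy FILE to stdout with the matches commented.
disable_services() { awk -v mode=edit -v want="$2" "$INETD_AWK" "$1"; }

# write_sample FILE: constructed sample, entries in the format of the posted
# file with some of them re-enabled for the demonstration.
write_sample() {
    cat > "$1" <<'EOF'
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
#finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
echo stream tcp6 nowait root internal
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
list_enabled "$tmp" "$CANDIDATES"                    # what is still switched on
disable_services "$tmp" "$CANDIDATES" > "$tmp.new"   # hardened copy for review
diff "$tmp" "$tmp.new" || true
rm -f "$tmp" "$tmp.new"
```

Review the diff before installing the new file, then send inetd a SIGHUP as the header of inetd.conf describes.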