Unix Services (Solaris 9)


 
# 1  
Old 10-07-2005
Unix Services (Solaris 9)

Our systems group is asking if it would be OK to turn off certain services due to potential security risks. The following are being contemplated.

Service
chargen
daytime
discard
dtspcd
echo
exec
finger
fs
gssd
in.comsat
kcms_server
ktkt_warnd
login
name
rpc.cmsd
rpc.metad
rpc.metamedd
rpc.metamhd
rpc.rusersd
rpc.ttdbserverd
rquotad
sadmind
shell
sprayd
sun-dr
talk
walld

Are there any compelling reasons to "not" turn any of these off?

Note: If I posted this in the wrong forum, I apologize (let me know which and I can repost).

Thanks, in advance, for your help.
# 2  
Old 10-07-2005
Each service needs to be looked at individually for each server - one server may need some of the services while another does not. Solaris Security Guide - one of many you can find with a search on the Internet. Suggest you also look on some of the many SUN sites.

Example - some of the services you want to turn off are
rpc.metad
rpc.metamedd
rpc.metamhd

These are needed if you are using DiskSuite - if you aren't using it to mirror/stripe disks, then yes, you could turn it off.

Others, like finger and sprayd you could turn off with probably no issue as they are not really needed on servers (as far as I have ever seen).

Understand that these services should be turned off in /etc/inetd.conf (for the most part) and not removed/commented from /etc/services.

Here is an example of inetd.conf from one of the servers I work on - I did not add the services that are turned on, just the ones that are commented out - long list!

Code:
cat /etc/inetd.conf
#ident "@(#)inetd.conf 1.45 02/11/05 SMI" /* SVr4.0 1.5 */
#
# Copyright 1989-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
#
# Configuration file for inetd(1M). See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
# <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
#
# Syntax for TLI-based Internet services:
#
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# IPv6 and inetd.conf
# By specifying a <proto> value of tcp6 or udp6 for a service, inetd will
# pass the given daemon an AF_INET6 socket. The following daemons have
# been modified to be able to accept AF_INET6 sockets
#
# ftp telnet shell login exec tftp finger printer
#
# and service connection requests coming from either IPv4 or IPv6-based
# transports. Such modified services do not normally require separate
# configuration lines for tcp or udp. For documentation on how to do this
# for other services, see the Solaris System Administration Guide.
#
# You must verify that a service supports IPv6 before specifying <proto> as
# tcp6 or udp6. Also, all inetd built-in commands (time, echo, discard,
# daytime, chargen) require the specification of <proto> as tcp6 or udp6
#
# The remote shell server (shell) and the remote execution server
# (exec) must have an entry for both the "tcp" and "tcp6" <proto> values.
#
# Ftp and telnet are standard Internet services.
#
#ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
#telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
#name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
#shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
#login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
#exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
#exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
#comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
#talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
#uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
#
#tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
#systat stream tcp nowait root /usr/bin/ps ps -ef
#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
#time stream tcp6 nowait root internal
#time dgram udp6 wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
#echo stream tcp6 nowait root internal
#echo dgram udp6 wait root internal
#discard stream tcp6 nowait root internal
#discard dgram udp6 wait root internal
#daytime stream tcp6 nowait root internal
#daytime dgram udp6 wait root internal
#chargen stream tcp6 nowait root internal
#chargen dgram udp6 wait root internal
#
#
# RPC services syntax:
# <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> # <pathname> <args>
#
# <endpoint-type> can be either "tli" or "stream" or "dgram".
# For "stream" and "dgram" assume that the endpoint is a socket descriptor.
# <proto> can be either a nettype or a netid or a "*". The value is
# first treated as a nettype. If it is not a valid nettype then it is
# treated as a netid. The "*" is a short-hand way of saying all the
# transports supported by this system, ie. it equates to the "visible"
# nettype. The syntax for <proto> is:
# *|<nettype|netid>|<nettype|netid>{[,<nettype|netid>]}
# For example:
# dummy/1 tli rpc/circuit_v,udp wait root /tmp/test_svc test_svc
#
# Solstice system and network administration class agent server
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#
# Rquotad supports UFS disk quotas for NFS clients
#
#rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
#
# The rusers service gives out user information. Sites concerned
# with security may choose to disable it.
#
#rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
#
# The spray server is used primarily for testing.
#
#sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
#
# The rwall server allows others to post messages to users on this machine.
#
#walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
#
# Rstatd is used by programs such as perfmeter.
#
#rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
#
# The rexd server provides only minimal authentication and is often not run
#
#rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
#
# rpc.cmsd is a data base daemon which manages calendar data backed
# by files in /var/spool/calendar
#
#
# Sun ToolTalk Database Server
#
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
#
# UFS-aware service daemon
#
#ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd -p
#
# Sun KCMS Profile Server
#
#100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
#
# Sun Font Server
#
#fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
#
# CacheFS Daemon
#
#100235/1 tli rpc/ticotsord wait root /usr/lib/fs/cachefs/cachefsd cachefsd
#
# Kerberos V5 Warning Message Daemon
#
#100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd
#
# Print Protocol Adaptor - BSD listener
#
#printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
#
# GSS Daemon
#
#100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
#
# AMI Daemon
#
#100146/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
#100147/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
#
# OCF (Smart card) Daemon
#
#100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv
#dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
#100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
#sun-dr stream tcp wait root /usr/lib/dcs dcs
#sun-dr stream tcp6 wait root /usr/lib/dcs dcs
#300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon
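
The approach from the reply above (comment entries out in /etc/inetd.conf and leave /etc/services alone), as an added example that is not part of the original posts. The function names `disable_inetd_services` and `active_inetd_services` are hypothetical, and the sample file is constructed; names are matched against both the service field and the server program, because the list in the question uses daemon names (sadmind, rpc.rusersd) while inetd.conf keys some of those entries by RPC program number.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Solaris tools.

# disable_inetd_services FILE NAME...
# Print FILE with the active entries for each NAME commented out. A NAME
# matches the service field (RPC "/version" suffix stripped) or the basename
# of the server pathname in field 6, so "finger", "rpc.rusersd" and "sadmind"
# all work even though inetd.conf lists the last one as 100232/10.
disable_inetd_services() {
    conf=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }   # comments, blanks, short lines
        {
            svc = $1;  sub(/\/.*/, "", svc)    # rusersd/2-3 -> rusersd
            prog = $6; sub(/.*\//, "", prog)   # /usr/sbin/sadmind -> sadmind
            if ((svc in want) || (prog in want)) print "#" $0
            else print
        }' "$conf"
}

# active_inetd_services FILE
# Print the service field of every entry that is still enabled.
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Constructed sample in inetd.conf format (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
echo dgram udp6 wait root internal
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF

# Work on a copy: the original file stays untouched for comparison.
disable_inetd_services "$sample" finger echo rpc.rusersd sadmind > "$sample.new"
active_inetd_services "$sample.new"
```

On a real host, compare the two files before replacing /etc/inetd.conf, then send inetd a SIGHUP as the file's own header describes.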

# 3  
Old 10-07-2005
Thanks for the help

Will pass the info along
# 4  
Old 10-07-2005
Quote:
Originally Posted by BCarlson
Our systems group is asking if it would be OK to turn off certain services due to potential security risks. The following are being contemplated.

Service
chargen
daytime
discard
dtspcd
echo
exec
finger
fs
gssd
in.comsat
kcms_server
ktkt_warnd
login
name
rpc.cmsd
rpc.metad
rpc.metamedd
rpc.metamhd
rpc.rusersd
rpc.ttdbserverd
rquotad
sadmind
shell
sprayd
sun-dr
talk
walld

Are there any compelling reasons to "not" turn any of these off?

Note: If I posted this in the wrong forum, I apologize (let me know which and I can repost).

Thanks, in advance, for your help.

If you are not using the services, I would "turn them off". My servers have all of the services you mentioned in your post "turned off."
# 5  
Old 10-31-2005
vi /etc/inetd.conf

:%s/^/\#/g


:)