Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Hardening Solaris
Operating Systems Solaris Hardening Solaris Post 302218414 by rcmrulzz on Friday 25th of July 2008 04:46:07 AM
Old 07-25-2008
Hardening Solaris
What do we need to do to harden a freshly installed solaris OS? like disable telnet, no ftp for root etc...What all services you need to stop? How to check what ports are open? etc etc....please provide all tips that come to your mind...thanksSmilie
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Any leads to hardening UNIX

Hi! I am trying to get info/best practices/how-to harden unix, especially solaris! Appreciate any leads please..................... (3 Replies)
Discussion started by: sdharmap
3 Replies

2. Solaris

Hardening Solaris 10

So I've just done my first install of Solaris. I installed it on an x86 system and am now in the processing of figuring out what I need to do to 'harden' it. I've got the Security kit downloaded (jass) but I am not sure what to do with the .tar file. I can't seem to find any easy steps to... (6 Replies)
Discussion started by: flood
6 Replies

3. UNIX for Dummies Questions & Answers

sysctl help needed.(Server Hardening).

As per Hardening guide for the server. ICMP Broadcast Response: The kernel parameter icmp_echo_ignore_broadcasts must match to 1 However when i check the value of icmp_echo_ignore_broadcasts it thrown an error as unkonwn key. # sysctl icmp_echo_ignore_broadcasts error:... (2 Replies)
Discussion started by: pinga123
2 Replies

4. Solaris

Solaris Hardening - SunJass

Hi guys, Is there any script or program which i can use to verify that my hardening setting is all correct ? Recently i am given a task to make sure my Sun servers are all harden properly though sunjass was already introduced. I need to generate a report to convince my manager that the settings... (0 Replies)
Discussion started by: ahlude
0 Replies

5. SuSE

Hardening Suse11 sp1

Currently we are hardening our Solaris server using the Sun provided Jass Security tool kit. How Can I implement the same security level on SUSE11 SP1? Are there any tools similar/equivalent to Jass for SUSE11 SP1? Tanks and Regards (1 Reply)
Discussion started by: vcfko
1 Replies

6. UNIX for Advanced & Expert Users

SuSe Linux Hardening

We've got a FTP server that's open to the public network and its running on Suse SUSE Linux Enterprise Server 11 (x86_64) SP2 Now, since it's an FTP server I can't disable that service, but how else do I harden this server from attacks from outside? I am thinking of disabling the firewall and... (3 Replies)
Discussion started by: hedkandi
3 Replies

7. Solaris

Need jass hardening documentation

Hi, Where I could find information about "Jass hardening" for Solaris10? Because, I change the /opt/SUNWjass/Files/etc/syslog.conf file. But yet I don't know if I must restart the jass (and how?) or I must to copy /opt/SUNWjass/Files/etc/syslog.conf to /etc/syslog.conf? Thanks for your... (2 Replies)
Discussion started by: hiddenshadow
2 Replies

8. Cybersecurity

C-ICAP Hardening

Does anyone have any experience hardening the c-icap.conf file? Here is the default config file, it has a lot of options; sorry about how long it is. I have removed some entries that were not needed as well, but it is still so long :D. Any help is much appreciated as I have never dealt with ICAP. ... (0 Replies)
Discussion started by: savigabi
0 Replies

9. Linux

Password hardening using pam

Hi We have a requirement to vary the minimum password criteria by the group to which a user belongs. For example a standard user should have a password with a minimum length of 12 and containing a mix of characters whereas an administrator should have a password with a minimum length of 14... (1 Reply)
Discussion started by: gregsih
1 Replies

10. HP-UX

Security hardening for standard HP-UX users

Hi, The standard accounts that are created during the HP-UX installation, eg, bin,adm,daemon,uucp,lp,hpdb and nobody have their own shell. Will there be any impact if we change these user's shell to /bin/false? Like processes get interrupted, files cannot be generated, etc. Regards (3 Replies)
Discussion started by: anaigini45
3 Replies

LEARN ABOUT ULTRIX

sockd

SOCKD(8)						      System Manager's Manual							  SOCKD(8)

NAME

       sockd - Internet firewall secure socket server (proxy server)

SYNOPSIS

       sockd [ -ver | -i | -I ]

DESCRIPTION

       sockd   is an internet secure socket server, often referred to as a proxy server. It was designed primarily to provide hosts within a fire-
       wall access to resources outside of the firewall.

       Normally, hosts inside a firewall has no IP-accessibility to the network outside of the firewall. This reduces the risk of  being  intruded
       by  unauthorized  people from the Internet. Unfortunately, without IP-accessibility users on the inside hosts can no longer use many of the
       important tools such as telnet, ftp, xgopher, Mosaic, etc. to access the tremendous resources available in the Internet.

       With sockd installed on a server host, users on the other inside hosts can gain back the lost functionalities  by  using  clients  programs
       designed  to  work  with  sockd proxy server, e.g, rtelnet in place of telnet, rftp in place of ftp, rfinger in place of finger, etc. Since
       these client programs work like their normal counterparts without requiring direct IP-connectivity to  the  Internet,  convenience  to  the
       users  is  accomplished without breaching the security. The server host that runs sockd does have to be open to the Internet, and it there-
       fore requires special attention to make sure that it is secure.

       A configuration file /etc/sockd.fc (or /etc/sockd.conf) is used to control access to sockd and its services. Permission	and  denial  of  a
       service request can be decided based on various combinations of the requesting host, the destination host, the type of service (destination
       port number), as well as the requesting user. (See sockd.conf(5) and sockd.fc(5).)

       If the server host is multi-homed, i.e., having more than one network interface and with its IP_FORWARDING turned off, and the server  sup-
       port  RBIND  operation,	then  it  must	run  a	multi-homed  version  of  sockd,  which  requires  another  control file /etc/sockd.fr (or
       /etc/sockd.route) to decide which interface to use for connection to any given destination host.  See  sockd.route(5)  and  sockd.fr(5).  A
       multi-homed  sockd  can	be run on a single-homed host as well if necessary; you just have to set up /etc/sockd.route to direct all traffic
       through the host's one and only network interface.

       sockd uses syslog with facility daemon and level notice to log its activities and errors. Typical lines look like

	Apr 11 08:51:29 eon sockd[636]: connected -- Connect from don(don)@abc.edu to wxy.com (telnet)
	Apr 11 09:24:59 eon sockd[636]: terminated -- Connect from don(don)@abc.edu to wxy.com (telnet)
	Apr 11 09:24:59 eon sockd[636]: 1048 bytes from abc.edu, 285143 bytes from wxy.com
	Jun 22 18:24:54 eon sockd[884]: refused -- Connect from sam(unknown)@big.com to small.com (ftp)

       In these lines, the first user-id is the one reported by the client program, the second one (within the parentheses) is what is reported by
       identd  on  the	client	host.	These log lines usually appear in file /var/adm/messages though that can be changed by modifying /etc/sys-
       log.conf. (See syslogd(8) and syslog.conf(5).)

       If you allow access to infosystems such as Gopher or WWW, you should be aware that they by nature would tend to get  connections  to  hosts
       all  over the world and would use not only Gopher and WWW ports but possibly also ports for finger, telnet, ftp, nntp, etc. as well as non-
       privileged ports ( > 1023).

       For a stand-alone sockd, /etc/sockd.fc (or /etc/sockd.conf) and /etc/sockd.fr (or /etc/sockd.route), if required, are only read and  parsed
       once  at  the beginning of program execution. If you change the contents of either file and want to make the running sockd use the new con-
       tents, you must send a SIGHUP signal to the running sockd process. Sending a running stand-alone sockd a SIGUSR1 signal causes it to record
       on  the systems's log file the effective contents of configuration and route files that it is currently using.  You can find the process id
       of the stand-alone sockd in /etc/sockd.pid.

       Rather than using plain-text configuration file /etc/sockd.conf and route file /etc/sockd.route, sockd  now  looks  for	the  corresponding
       frozen files /etc/sockd.fc and /etc/sockd.fr first. The plain-text files are used only if the corresponding frozen files are not found. Use
       commands make_sockdfc and make_sockdfr to produce the frosen files. Use commands dump_sockdfc and dump_sockdfr to examine the  contents	of
       frozen  files. (See make_sockdfc(8), make_sockdfr(8), dump_sockdfc(8), and dump_sockdfr(8).) Using frozen configuration and route files can
       save a lot of overhead at start-up of sockd.

OPTIONS

       The options are mutually exclusive and thus may only be used one at a time.

       -ver   With this option, sockd prints its own version number, the version number of the SOCKS protocol, whether it is  SOCKSified,  whether
	      it is a standalone daemon or must be run under inetd, whether it support RBIND, and whether a route file is required.

       -I     Use  identd  (RFC  1413) to verify the requester's user-id. Deny access if connection to client's identd fails or if the result does
	      not match the user-id reported by the client program. Client hosts without a properly installed identd daemon will  not  be  served.
	      User  verification  is  done before and in addition to the normal access control. This can be overridden in the sockd.conf file on a
	      line by line basis.

       -i     Similar to -I but more lenient. Access is denied only if client's identd reports a user-id that's different  from  what  the  client
	      program claims. This can be overridden in the sockd.conf file on a line by line basis.

       Log entries similar to the following are produced upon failure of user-id verification:

	Apr 15 14:42:51 eon sockd[729]: cannot connect to identd on big.edu
	Apr 15 14:42:51 eon sockd[729]: refused -- Connect from bob(unknown)@big.edu to xyz.com (ftp)
	Jul 15 12:23:06 eon sockd[832]: *Alert*: real user is sam, not jim
	Jul 15 12:23:06 eon sockd[832]: refused -- Connect from jim(sam)@abc.org to bad.place.com (WWW)

FILES

       /etc/sockd.fc, /etc/sockd.conf, /etc/sockd.fr, /etc/sockd.route, /etc/inetd.conf, /etc/services, /var/adm/messages, /etc/syslog.conf

SEE ALSO

       socks_clients(1), sockd.conf(5), sockd.route(5), socks.conf(5), make_sockdfc(8), make_sockdfr(8), dump_sockdfc(8), dump_sockdfr(8)

AUTHOR

       David Koblas, koblas@sgi.com
       Ying-Da Lee, ylee@syl.dl.nec.com
       David Mischel, dm@kansas.gene.com

								   June 6, 1996 							  SOCKD(8)
All times are GMT -4. The time now is 11:41 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy