Configure Network Access Control
Moving outward, the next step is configuring the access to and from the network.
Disable IP forwarding and IP Routing
To disable IP forwarding and IP routing, create the marker file /etc/notrouter: touch /etc/notrouter
Block Broadcast Packets
To prevent incoming broadcast packets from entering the network, add the following at the end of /etc/rc2.d/S69inet
ndd -set /dev/ip ip_forward_directed_broadcasts 0
To prevent the system from responding to incoming broadcast packets, add the following command at the end of /etc/rc2.d/S69inet
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Install WU FTPD
If FTP is required for the Web services, consider installing the Washington University FTP (WU-FTPD) daemon available at http://www.sunfreeware.com. The WU-FTPD package contains the WU-FTPD server daemon; FTP (File Transfer Protocol) is a method of transferring files between machines on a network and/or over the Internet. WU-FTPD's features include logging of transfers, logging of commands, on-the-fly compression and archiving, classification of users by type and location, per-class limits, per-directory upload permissions, restricted guest accounts, system-wide and per-directory messages, directory aliases, cdpath, filename filters, and virtual host support.
Configure System Logging
Keeping good system logs will make researching a compromise on your network much more productive. Chances are, you will never know how important this type of information is until you need it.
Restrict Access to System Logs
Make sure only root has write access to the following log files:
/var/log/authlog
/var/log/syslog
/var/adm/messages*
/var/adm/sulog
/var/adm/utmp
/var/adm/utmpx
Log All su Activity
All su activity can be logged to a local file or to a loghost machine.
Note: You must use the tab key to enter whitespace characters in syslog.conf.
To log to a local file:
Edit /etc/syslog.conf and add the entry (selector and action separated by a tab):
auth.notice	/var/log/authlog
To log to a loghost machine:
Edit /etc/syslog.conf and add the entry (selector and action separated by a tab; the ifdef uses m4 quoting, with no space before the parenthesis):
auth.warning	ifdef(`LOGHOST', /var/log/authlog, @loghost)
where "loghost" is the name of the centralized logging server; the ifdef keeps the entry local on the host that is itself LOGHOST and forwards it from every other host. Note: syslog uses UDP to send messages and therefore may not reliably transmit messages to the logging server. Also, syslog sends cleartext messages, which means other systems on the network could potentially read important log messages.
Unsuccessful user logins can be logged by doing the following:
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 644 /var/adm/loginlog
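An added audit script (not part of the original tip) that checks the network and logging settings described above, from /etc/notrouter and the ndd tunables through the log file ownership and the tab-separated syslog.conf entries, on a Solaris host. It assumes a POSIX sh (e.g. Solaris ksh) and ndd at /usr/sbin/ndd; the file and syslog.conf checks use only ls and awk and run on any Unix.

```shell
# Added audit helpers for this tip (not from the original tip). ndd_is and
# audit_host are Solaris-specific; the other checks run on any Unix.

# 0 if the file exists and neither group nor other has the write bit
# (characters 6 and 9 of the ls -l mode string); 1 if writable; 2 if missing.
no_group_other_write() {
    [ -e "$1" ] || return 2
    case "$(ls -ld "$1" | awk '{print $1}')" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# 0 if the file's owner (third ls -l column) is the named user.
owned_by() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

# Build a syslog.conf line: selector and action must be separated by a TAB.
syslog_entry() {
    printf '%s\t%s\n' "$1" "$2"
}

# 0 if every non-comment, non-blank line of a syslog.conf contains a tab;
# entries separated only by spaces are printed (syslog.conf requires tabs).
syslog_conf_uses_tabs() {
    awk 'BEGIN { bad = 0 }
         /^[ \t]*#/ || /^[ \t]*$/ { next }
         index($0, "\t") == 0 { print FILENAME ": " $0; bad = 1 }
         END { exit bad }' "$1"
}

# 0 if the live ndd(1M) tunable equals the expected value (run as root).
ndd_is() {
    [ -x /usr/sbin/ndd ] || return 2
    [ "$(/usr/sbin/ndd -get /dev/ip "$1")" = "$2" ]
}

# Apply the checks from this tip to the local host; returns the failure count.
audit_host() {
    fails=0
    [ -f /etc/notrouter ] || { echo "FAIL: /etc/notrouter missing"; fails=$((fails + 1)); }
    for p in ip_forward_directed_broadcasts ip_respond_to_echo_broadcast; do
        ndd_is "$p" 0 || { echo "FAIL: $p is not 0"; fails=$((fails + 1)); }
    done
    for f in /var/log/authlog /var/log/syslog /var/adm/messages /var/adm/sulog \
             /var/adm/utmpx /var/adm/loginlog; do
        no_group_other_write "$f" && owned_by "$f" root ||
            { echo "FAIL: $f missing, not root-owned or group/other writable"; fails=$((fails + 1)); }
    done
    syslog_conf_uses_tabs /etc/syslog.conf || fails=$((fails + 1))
    return "$fails"
}
```

Run `audit_host` as root after applying the tip; a zero exit status means every check passed.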