Last time, I talked about trimming the fat off Solaris systems to make them lean, mean security machines. To do that, you can enlist the aid of several programs such as TITAN, and YASSP, to send your systems to the Security Fat Farm. But what if you wanted to do it yourself? Where do you start on hardening your systems to make them more secure? In this tip we'll explore do-it-yourself Solaris security.
Since it's uncommon to see a system sitting in lonely isolation anymore, the best place to start is securing systems from attacks from the network. How open to attack are your Solaris systems? Issue the following command and be prepared for a long list:
netstat -an | more
Look at all those network services being run. Solaris, like most modern Unix systems, comes out of the box with all sorts of services enabled. Attackers can use incorrectly configured or security vulnerabilities to gain control of your systems. Do you really need all those services running on the systems? Probably not. Overall, the best policy to have for network services is "if you don't have a need for it; don't run it." Let's look at some ways to trim down those services.
The first place to start is the so-called "small services." These services are in the low port range of 1 through 19, inclusive. Services like echo, tcpmux, discard, and chargen (character generator) live in this range. These services primary purpose are diagnostic and testing services. But they can
Recommendation: Turn these services off.
Moving up the services food chain, we come to things like telnet, FTP, and the "r" services (rcp, rlogin, rsh, rexec, etc.) Telnet and FTP are dangerous because passwords are sent in clear text, that is, unencrypted. An intruder could be sniffing the network for such sessions to capture passwords. Also, telnet and FTP are vulnerable to session hijacking and man-in-the-middle attacks. The "r" commands are dangerous because they exploit a trust relationship between systems. Most often, the "r" commands are enabled because system administrators use them to quickly log-in to systems or perform system maintenance.
Recommendations: Use the Secure Shell (SSH) instead of these and turn these services off.
There are some services that can be used for reconnaissance or exploitation by intruders. The "finger" service is useful for finding out who is logged in. Further fingering can tell an intruder how long they have been logged in and how long their session has been idle. TFTP (Trivial File Transfer Protocol) is used by routers and X Terminals to up/download configuration information. It is also a darling of hackers to exploit for storing and downloading pirated programs and other contraband.
Recommendations: Turn off finger. If you have no need for TFTP, turn it off. If you do, follow Sun's guidelines on setting up TFTP.
Under the RPC umbrella, there are services that can be your friend or your fiend. Take for instance portmap. This double-edged service tells friend and foe alike what services are running on your system. This can include services like tooltalk, NFS, mountd, and lockd. Does every system need to run RPC services? Not really. Most often, these are turned on and used as a convenience for system administrators.
Recommendations: If you don't have a need for them, turn off the RPC services. If you need them, look into securing them with TCP Wrappers.
With the proliferation of GUI desktops like CDE, KDE, GNOME, etc., it's hard not to have a GUI interface on a system. All of these are based on X windows and the exploits for tapping into X window sessions have been around for some time.
Recommendations: Block TCP ports 6000-6100 on your firewall/router and do not run X windows applications on externally accessible systems such as email servers, web servers, or systems in a DMZ.
Since there are 65,535 possible services that can run on system, it's next to impossible to know what they all do and the security implications of each one. If you come across you are one your not familiar with use this as your guide: If you don't know what it is, turn it off. If somebody needs it, they will let you know. If it's not needed, you've closed a potential doorway through which an intruder could waltz right in.
This was first published in August 2002