Configure Network Access Control
Moving outward, the next step is configuring the access to and from the network.
Disable IP forwarding and IP Routing
To disable IP forwarding, create the marker file: touch /etc/notrouter. At boot, /etc/rc2.d/S69inet checks for this file, sets ip_forwarding to 0 and does not start the routing daemons (in.routed and in.rdisc). To turn forwarding off on the running system without waiting for a reboot, also run ndd -set /dev/ip ip_forwarding 0.
Block Broadcast Packets
To stop the system from forwarding directed broadcast packets into the network (the amplification behaviour abused by Smurf-style attacks), add the following at the end of /etc/rc2.d/S69inet. Settings made with ndd -set do not survive a reboot, which is why the commands belong in the startup script rather than being typed once at the prompt:
ndd -set /dev/ip ip_forward_directed_broadcasts 0
To stop the system from answering ICMP echo requests sent to a broadcast address, add the following command at the end of /etc/rc2.d/S69inet:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
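The ndd settings above are easy to apply and hard to confirm. The script below is an added example, not code from the original article: it prints the lines to append to /etc/rc2.d/S69inet, applies the same settings to the running kernel, and reads each value back with ndd -get so a mismatch is reported rather than assumed away. The NDD variable is an assumption made so the verify step can be exercised against a stand-in on a non-Solaris host; on Solaris leave it unset and the real ndd binary is used. ip_forwarding 0 is included because it is what /etc/notrouter arranges at boot.

```shell
#!/bin/sh
# Added example (not from the original article). Apply and verify the Solaris
# /dev/ip hardening settings. NDD may be overridden for testing (assumption);
# it defaults to the real ndd binary.
NDD="${NDD:-ndd}"

# parameter=value pairs for /dev/ip; ip_forwarding 0 mirrors /etc/notrouter
IP_SETTINGS="ip_forwarding=0 ip_forward_directed_broadcasts=0 ip_respond_to_echo_broadcast=0"

# Print the ndd -set lines to append to /etc/rc2.d/S69inet so they persist
# across reboots.
ip_rc_lines() {
  for kv in $IP_SETTINGS; do
    printf 'ndd -set /dev/ip %s %s\n' "${kv%=*}" "${kv#*=}"
  done
}

# Apply each setting to the running kernel (no reboot needed).
ip_apply() {
  for kv in $IP_SETTINGS; do
    "$NDD" -set /dev/ip "${kv%=*}" "${kv#*=}" || return 1
  done
}

# Read every value back with ndd -get; print each mismatch and return 1 if
# any parameter is not at its expected value.
ip_verify() {
  rc=0
  for kv in $IP_SETTINGS; do
    p=${kv%=*}
    want=${kv#*=}
    got=$("$NDD" -get /dev/ip "$p") || { echo "ndd -get $p failed" >&2; rc=1; continue; }
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $p: want $want, got $got"
      rc=1
    fi
  done
  return $rc
}

# Usage on the host itself (as root):
#   ip_rc_lines >> /etc/rc2.d/S69inet   # persist
#   ip_apply && ip_verify               # apply now and confirm
```

Run ip_verify again after the next reboot: if S69inet was edited in the wrong place or the edit was lost, the mismatch lines are the evidence.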
Install WU FTPD
If FTP is required for the Web services, consider installing the Washington University FTP daemon (WU-FTPD), available from http://www.sunfreeware.com, instead of relying on the stock in.ftpd. The WU-FTPD package contains the WU-FTPD File Transfer Protocol server daemon; FTP is a method of transferring files between machines on a network or over the Internet. WU-FTPD's features include logging of transfers, logging of commands, on-the-fly compression and archiving, classification of users by type and location, per-class limits, per-directory upload permissions, restricted guest accounts, system-wide and per-directory messages, directory aliases, cdpath, filename filters, and virtual host support.
Configure System Logging
Keeping good system logs will make researching a compromise on your network much more productive.
Restrict Access to System Logs
Make sure only root has write access to the following log files:
Log All su Activity
All su activity can be logged to a local file or to a loghost machine. su itself records every attempt in the file named by SULOG in /etc/default/su (/var/adm/sulog by default) and, with SYSLOG=YES in the same file, also reports through the auth facility; the syslog.conf entries below decide where those auth messages end up.
Note: You must use the tab key to separate the selector from the action in syslog.conf; spaces will not do.
To log to a local file, edit /etc/syslog.conf and add the entry (selector, tab, action):
auth.warning	/var/log/authlog
To log to a loghost machine, edit /etc/syslog.conf and add the entry:
auth.warning	ifdef(`LOGHOST', /var/log/authlog, @loghost)
The ifdef() is m4 syntax, with an opening backtick and a closing single quote around LOGHOST. syslogd runs syslog.conf through m4 and defines LOGHOST only on the machine that the loghost name resolves to, so one identical line writes locally on the log server and forwards to it from every other host. Create the local file first (touch /var/log/authlog; chown root:sys; chmod 600), because syslogd will not create a missing log file, then restart syslogd with kill -HUP `cat /etc/syslog.pid`.
Here "loghost" is the name of the centralized logging server. Note: syslog sends messages over UDP and therefore may not reliably deliver them to the logging server, and it sends them in cleartext, so any other system on the path or on the network can read, and with no authentication also forge, important log messages.
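Two things go wrong with these entries in practice: a space where the tab should be, and confusion about what the ifdef() line turns into on a given host. The script below is an added example, not code from the original article: syslog_lint reads a syslog.conf and flags every non-comment line that has no tab between selector and action, and syslog_resolve expands the ifdef(`LOGHOST', local, remote) construct the way m4 does, with the first argument on the loghost and the second everywhere else. The three-line sample configuration is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): checks for the syslog.conf
# entries discussed above. The sample config below is constructed.

TAB="$(printf '\t')"

# Constructed sample: one correct entry (tab), one with spaces, one comment.
syslog_sample() {
  printf 'auth.warning\tifdef(`LOGHOST'"'"', /var/log/authlog, @loghost)\n'
  printf 'auth.notice /var/log/authlog\n'
  printf '# local comment\n'
}

# Read syslog.conf on stdin; print each non-comment line that lacks a tab.
# Returns 1 if any such line was found, 0 otherwise.
syslog_lint() {
  n=0
  bad=0
  while IFS= read -r line; do
    n=$((n + 1))
    case $line in
      '' | '#'*) continue ;;                 # blank or comment line
      *"$TAB"*) ;;                            # selector<TAB>action: fine
      *) printf 'line %d: no tab between selector and action: %s\n' "$n" "$line"
         bad=$((bad + 1)) ;;
    esac
  done
  [ "$bad" -eq 0 ]
}

# Expand ifdef(`LOGHOST', local, remote) on stdin as m4 does: keep the first
# argument when $1 is "loghost" (LOGHOST defined), the second otherwise.
syslog_resolve() {
  if [ "$1" = loghost ]; then
    sed 's/ifdef(`LOGHOST'"'"', *\([^,]*\), *\([^)]*\))/\1/'
  else
    sed 's/ifdef(`LOGHOST'"'"', *\([^,]*\), *\([^)]*\))/\2/'
  fi
}

# Usage on a real host:
#   syslog_lint < /etc/syslog.conf
#   syslog_resolve loghost < /etc/syslog.conf   # what the log server will use
#   syslog_resolve client  < /etc/syslog.conf   # what every other host will use
```

Running syslog_resolve with both arguments before deploying a shared syslog.conf shows whether the log server would end up forwarding to itself or a client would end up writing only locally.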
Unsuccessful user logins are recorded in /var/adm/loginlog only if that file exists; once it does, login writes an entry after five consecutive failed attempts. Create it and restrict it by doing the following:
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 644 /var/adm/loginlog
Use mode 600 instead of 644 if non-root users have no need to read the file.
In this 12-part tip, Unix expert Gary Smith breaks down the process of building and maintaining a highly secure Web services architecture on the Solaris platform.
Table of contents:
Part 1: Isolate the Web services host server
Part 2: Install and configure a very basic operating system
Part 3: Force the use of su to gain root access
Part 4: Disable trusted host relationships and create a warning banner
Part 5: Configuring user accounts
Part 6: Disabling and removing unnecessary accounts
Part 7: Configure network access control
Part 8: Configure network services
Part 9: Install OpenSSH, disable NFS and reboot
Part 10: Set file permissions
Part 11: Test the configuration
Part 12: Conclusion
This was first published in October 2002