To secure a Solaris box, do the following:
1. Download YASSP (Yet Another Solaris Security Package) from http://www.yassp.org, install it, and follow the instructions. This package runs fix perms (a script from Sun that drastically tightens the default file system permissions). It also installs OpenSSH, Tripwire and some checking scripts. It then updates all of your rc files so that you can control all of your exposed services from a single administration point, namely /etc/yassp.conf. The nice thing about this security package is that if you stop using it, you can have it restore your system to its previous state. To connect to the server after the install you will need an SSH client. Personally, I use TeraTerm (http://hp.vector.co.jp/authors/VA002416/teraterm.html) with the SSH extension available from http://www.zip.com.au/~roca/ttssh.html.
2. Now go to http://www.snort.org and download, compile and install Snort. It is a very lightweight (in terms of resource usage) intrusion detection system with a large database of attack signatures. Snort should be started from an rc script with something like:
snort -g snort -h [home network] -i [interface name] -N -q -s -c /etc/snort/snort.conf
The -s flag logs all alerts via syslog, and -N disables packet logging so that only the alerts are recorded.
3. Get IP Filter from http://coombs.anu.edu.au/ipfilter/ and install it. Be sure to read the FAQs in order to produce a set of useful rules. This is a stateful packet filter and essentially
4. Download SWATCH from http://www.stanford.edu/~atkins/swatch and configure it to monitor your log files for Snort alerts, IP Filter packet rejects, SSH rejects and so on. Then set it to alert you via email.
5. Get the latest set of Sun recommended patches and install them. Sun lists recommended patches at http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches.
6. Look at the Solaris section of http://www.securityfocus.com, particularly the exploit database, and see if there is anything new to consider.
7. Go to http://www.insecure.org and get a copy of Nmap. Run this from another Unix host against the host you are securing (documentation on site). Check to make sure that you get alerts from Snort and IP Filter. If not, investigate. Nmap is the most common tool used to identify interesting hosts to hack, so use it before someone else does.
8. Go to http://www.nessus.org, download and install Nessus on another Unix host and run it against the host you are securing. Nessus is an auditing tool with hundreds of vulnerability checks which it runs against your host before giving you a report.
9. If you are securing a number of hosts, go to http://www.samba.org and get rsync, and configure it to run over SSH. Then you can securely update all of your server configurations from a master server. This works best if you divide your servers into classes such as Web servers, FTP servers and NFS servers. Then you can hold a single set of IP Filter and Snort config files for each class of host, and push them out to all the hosts of that type when you need to make a config change.
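As an added worked example (not part of the original article), here is a small POSIX shell script that ties steps 3, 4 and 9 together on the master server: it stages a per-class IP Filter ruleset and a swatch configuration, then pushes them out over SSH with rsync and reloads the filter on each host. The staging path /var/tmp/yassp-master, the admin network 192.0.2.0/24, the interface name hme0, the host names and the swatch 3.x action syntax are all assumptions for illustration; adjust them to your site. A per-class snort.conf can be dropped into the same etc/ tree and pushed the same way.

```shell
#!/bin/sh
# Added example (not from the article): stage per-class IP Filter and swatch
# configs on a master server and push them over SSH with rsync.
# Assumptions (not in the article): staging path, admin net, interface name.
STAGE="${STAGE:-/var/tmp/yassp-master}"   # master-side staging tree
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # only this net may reach sshd
EXT_IF="${EXT_IF:-hme0}"                  # the exposed interface

# Run a command, or just print it when DRY_RUN=1 (so the staging can be
# checked offline before any server is touched).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# write_ipf_rules CLASS PORT...  ->  $STAGE/CLASS/etc/opt/ipf/ipf.conf
# Every rule is 'quick', so IP Filter takes the first match instead of
# its default last-match.  Base rules are shared; only the service ports
# differ between classes.
write_ipf_rules() {
    class="$1"; shift
    dir="$STAGE/$class/etc/opt/ipf"
    mkdir -p "$dir"
    {
        echo "# IP Filter rules for class '$class' (generated on the master)"
        echo "pass in quick on lo0 all"
        echo "pass out quick on lo0 all"
        # anti-spoofing: nothing on the outside may claim a private or
        # loopback source (drop the line for any range you really use)
        for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
            echo "block in quick on $EXT_IF from $net to any"
        done
        # the host may open connections outward; replies come back via state
        echo "pass out quick on $EXT_IF proto tcp from any to any flags S keep state"
        echo "pass out quick on $EXT_IF proto udp from any to any keep state"
        echo "pass out quick on $EXT_IF proto icmp from any to any keep state"
        # SSH (the YASSP admin path) only from the admin network
        echo "pass in quick on $EXT_IF proto tcp from $ADMIN_NET to any port = 22 flags S keep state"
        for port in "$@"; do
            echo "pass in quick on $EXT_IF proto tcp from any to any port = $port flags S keep state"
        done
        # everything else is logged (ipmon -Ds sends it to syslog) and dropped
        echo "block in log quick on $EXT_IF all"
    } > "$dir/ipf.conf"
    echo "$dir/ipf.conf"
}

# write_swatchrc CLASS  ->  $STAGE/CLASS/etc/swatchrc
# swatch 3.x action syntax (assumed).  Run on each host as:
#   swatch -c /etc/swatchrc -t /var/adm/messages
# (route the auth facility there in syslog.conf, or sshd lines will land
# in /var/log/authlog instead).
write_swatchrc() {
    dir="$STAGE/$1/etc"
    mkdir -p "$dir"
    cat > "$dir/swatchrc" <<'EOF'
# Snort alerts written to syslog by 'snort -s'
watchfor /snort\[\d+\]:/
    mail addresses=root,subject=snort_alert
# IP Filter blocks: ipmon marks dropped packets with ' b '
watchfor /ipmon\[\d+\]: .* b /
    mail addresses=root,subject=ipfilter_block
# sshd authentication failures and tcp-wrapper refusals
watchfor /sshd\[\d+\]: .*(Failed|refused)/
    mail addresses=root,subject=ssh_failure
EOF
    echo "$dir/swatchrc"
}

# push_class CLASS HOST...  overlays the staged etc/ tree onto each host's
# /etc and reloads IP Filter.  Deliberately no --delete: rsync must never
# prune files the host owns outside the staged set.
push_class() {
    class="$1"; shift
    src="$STAGE/$class/etc/"
    for host in "$@"; do
        run rsync -a -e ssh "$src" "root@$host:/etc/"
        # flush the active ruleset and load the new file in one step
        run ssh "root@$host" /sbin/ipf -Fa -f /etc/opt/ipf/ipf.conf
    done
}

# Dry demo: stage a 'web' class serving 80/443 and show what would be pushed.
if [ "${1:-}" = demo ]; then
    write_ipf_rules web 80 443
    write_swatchrc web
    DRY_RUN=1 push_class web www1.example.com www2.example.com
fi
```

Run `sh stage.sh demo` for a dry run; it prints the rsync and ipf commands instead of executing them. Because `ipf -Fa -f` flushes the running rules before loading the file, keep the admin-net SSH rule ahead of the catch-all block and syntax-check a new ruleset with `ipf -n -f` on the master first; a typo in a ruleset pushed to a remote box is how you lock yourself out.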
This will give a reasonably secure server that will keep the ankle biters at bay. This configuration can be greatly improved upon but the above will make you more secure than about 99% of Solaris servers I have come across.
Ken Robson is a Solaris systems administrator.
This was first published in May 2001