Solaris 10 Basic installation Optimizing and Hardening
Solaris 10 install and hardening:
To begin, insert the Solaris CD/DVD to start the installation and press 5 to apply a new driver.
Insert the 6i array driver floppy diskette and press f to load the driver, then press e to continue.
Keep installing the OS, and when asked choose Non-Networked installation (there are a few bugs there); choose Great Britain as the locale.
As for the disk space, generally the largest partition is /var, because of the logs:
/ - minimum 10G
Swap – set for 1024M
/var - All the space left
The system will start to install itself and it will ask you to
insert the 6i array driver diskette again at the end of the installation.
Basically, on the production servers we are using dual e1000g (Intel) NICs; make sure that the drivers are working (run ifconfig e1000g0 plumb and ifconfig e1000g1 plumb).
Install the libiconv, rsync and sudo packages you downloaded, and make links to rsync and sudo in /usr/bin/.
Make a link from /usr/local/etc/sudoers to /etc/ and run:
echo "rladmin ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
sys-unconfig is installed by default in Solaris 10. The sys-unconfig command is used to restore a system's configuration to an "as-manufactured" state.
Autofs configuration
Comment out the entries in the following files:
/etc/auto_home
/etc/auto_master
Restart the autofs service:
svcadm restart autofs
DNS Lookup Tools Installation
If you want to install DNS lookup tools like nslookup, host and dig, you'll need to install SUNWbind.
You must ensure that the bind service is DOWN; run:
svcadm disable bind
Multipathing (Teaming) and Network Configuration
Multipathing, Routing and DNS configuration
For the hosting segment we want redundancy with two network cards, one disabled and one enabled.
Each of those two network cards also has a test IP (one test IP per card).
The test IP must be in the same class (subnet) as the real IP.
The test IP is closed to the outside world (with the deprecated argument), and it will not cause collisions inside the network.
Sun calls this method Multipathing or IPMP (IP MultiPathing).
Edit /etc/hosts e.g.
127.0.0.1 localhost
10.44.128.129 REAL loghost
10.44.128.130 TEST_IP1
10.44.128.131 TEST_IP2
10.44.0.129 REAL-MGT
At this point we need to tell the system to use its multipathing options by modifying its /etc/hostname.xxx files, e.g.
/etc/hostname.bge0 (PRIMARY NIC)
REAL netmask + broadcast + group production \
addif TEST_IP1 deprecated -failover netmask + broadcast + up
and for the secondary NIC (NON ACTIVE)
TEST_IP2 netmask + broadcast + deprecated group production
-failover standby up
You have just inserted those two NICs into a group named "production".
For the management interface just put the regular hostname you
have written at the host file or you can use the same method for another two
interfaces for the management segment.
Enter the default router's IP into /etc/defaultrouter file.
Enter the right values in /etc/netmasks, and also add static routes to S70Static-routes.
On our production environment we have two DNS servers configured
with reversed zones, the primary is the management server and the secondary is
the stage server.
Network Services configuration
SSH configuration
From the first and second disks, install the SSH packages:
pkgadd -d . SUNWsshcu SUNWsshdr SUNWsshdu SUNWsshr SUNWsshu
Create keys for the service:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
This is an example of /etc/ssh/sshd_config:
ListenAddress 10.40.20.23
AllowTcpForwarding no
GatewayPorts no
HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts yes
KeepAlive yes
KeyRegenerationInterval 3600
LogLevel info
LoginGraceTime 300
MaxAuthTries 6
MaxAuthTriesLog 3
PAMAuthenticationViaKBDInt yes
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
PermitRootLogin no
Banner /etc/issue
Port 22
PrintMotd no
Protocol 2
RhostsAuthentication no
RhostsRSAAuthentication no
ServerKeyBits 768
StrictModes yes
SyslogFacility auth
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes
* Edit ListenAddress to the management IP of the server.
Copy the authorized_keys file of your users to the remote servers,
and check that you can login with the user without password.
DNS configuration
Configure nsswitch.conf:
cp /etc/nsswitch.dns /etc/nsswitch.conf
Edit /etc/resolv.conf:
domain domain.com
nameserver 10.10.44.250
nameserver 10.10.44.249
NTP configuration
Install the NTP packages (SUNWntpr, SUNWntpu).
All the servers are time-synced via an NTP server, which is the management server; /etc/inet/ntp.conf:
server NTP_SERVER prefer
driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats
filegen peerstats file peerstats type day enable
filegen loopstats file loopstats type day enable
filegen clockstats file clockstats type day enable
Start the service:
svcadm enable ntp
SNMP Configuration
To monitor all the server's activities, we need to set up an SNMP service for OS/hardware monitoring.
We need to enable Net-SNMP; we install SUNWsmagt to install the service, then follow this procedure:
mkdir -p /etc/snmp/conf/
echo "rocommunity xxx" > /etc/snmp/conf/snmpd.conf
You will need to make an RC script at /etc/rc3.d/S77snmpd:
---- Starting the Shell Script ----
#!/bin/bash
case $1 in
start)
echo "starting SNMPD...."
/usr/sfw/sbin/snmpd -S d -s -c /etc/snmp/conf/snmpd.conf UDP:161
;;
stop)
echo "stopping SNMPD...."
pkill -9 snmpd
;;
*)
echo "SNMPD daemon script, Syntax:"
echo "$0 start/stop"
;;
esac
---- End of the Shell Script ----
Optimizing and Hardening Solaris 10
Enable TCP Wrappers and set services Access List
Enable the TCP Wrappers with inetadm command:
inetadm -M tcp_wrappers=true ; svcadm refresh inetd
Create these two files in /etc/:
echo "ALL : ALL" > /etc/hosts.deny
echo "ALL : 127.0.0.1" >> /etc/hosts.allow
echo "sshd : MANAGEMENT_IP, STAGE_IP" >> /etc/hosts.allow
Disable irrelevant users from logging in
Set /usr/bin/false as the login shell for all users who don't need to log in; generally, all except root and the users you created.
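The following script is an added example, not part of the original post: it audits a passwd-format file and prints the usermod commands that would give every account other than the ones you name the /usr/bin/false shell. The passwd content below is constructed for the demonstration (only the account names follow the Solaris 10 defaults); on a real host you pass /etc/passwd instead. Nothing is changed by the script itself.

```shell
#!/bin/sh
# Added example, not from the original post: audit which accounts can still log in.
# It reads a passwd-format file, skips the accounts that must keep a shell
# (root and the admin users you created), and prints one "usermod -s /usr/bin/false"
# line for every other account whose shell is not already /usr/bin/false.
# It changes nothing by itself; review the output, then run the lines as root.

# Constructed sample in /etc/passwd format (not a real host's file).
# An empty shell field means the default shell, /usr/bin/sh, so login works there too.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:NFS Anonymous Access User:/:/usr/bin/false
rladmin:x:100:1:Admin user:/export/home/rladmin:/usr/bin/bash'

# audit_shells PASSWD_FILE "USER USER ..."
#   Second argument: space-separated accounts that keep their login shell.
#   Prints "usermod -s /usr/bin/false <user>" for every other account that
#   does not already have /usr/bin/false as its shell.
audit_shells() {
    awk -F: -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        ($1 in keepset)        { next }
        $7 != "/usr/bin/false" { printf "usermod -s /usr/bin/false %s\n", $1 }
    ' "$1"
}

# Runs the audit on the constructed sample; on a real host pass /etc/passwd instead.
demo_audit_shells() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    audit_shells "$tmp" "root rladmin"
    rm -f "$tmp"
}

demo_audit_shells
```

On the sample this prints seven usermod lines (daemon, bin, lp, uucp, nuucp, smmsp, listen); root and rladmin are kept, and nobody is skipped because it already has /usr/bin/false. The empty-shell case matters: Solaris treats an empty seventh field as /usr/bin/sh, so those accounts are not locked until you set the shell explicitly.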
/etc/default configurations
/etc/default/inetinit: change TCP_STRONG_ISS=1 to TCP_STRONG_ISS=2
/etc/default/login: uncomment and change:
TIMEOUT=1200
SLEEPTIME=5
DISABLETIME=20
RETRIES=10
SYSLOG_FAILED_LOGINS=10
Enabling NoExec
Add these entries to /etc/system:
set noexec_user_stack=1
set noexec_user_stack_log=1
Disable all inetd services
Comment out all the services in /etc/inetd.conf.
Check with inetadm that all of them are disabled.
Setting up the system with ndd
Put the following lines in a new rc script at /etc/rc3.d/S70ndd:
---- Starting the Shell Script ----
#!/usr/bin/bash
# ARP cache and IP route cache cleanup intervals (milliseconds)
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 30000
/usr/sbin/ndd -set /dev/ip ip_ire_flush_interval 30000
# Do not answer ICMP echo requests sent to a broadcast address
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
# This is a host, not a router: no forwarding of any kind
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
# Ignore ICMP redirects; only accept packets addressed to the receiving interface
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
# Do not answer ICMP address mask and timestamp requests
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
# Never send ICMP redirects
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0
---- End of Shell Script ----
Then: chmod +x /etc/rc3.d/S70ndd
Disable SETUID commands
Disable the SETUID bit on all files, then enable it again only on the specific files you need. List the setuid files with:
find / -type f \( -perm -4000 \) -exec ls -la {} \;
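The script below is an added example, not part of the original post. It turns the find above into a repeatable check: every setuid file under a tree is compared with an allowlist of the few that must keep the bit (su, passwd and the like), and a "chmod u-s" line is printed for each one that is not on the list. The directory tree and the allowlist file name (/etc/setuid.allow) are constructed for the demonstration; the script assumes a grep that supports -F and -x (on Solaris 10 use /usr/xpg4/bin/grep).

```shell
#!/bin/sh
# Added example, not from the original post: compare the setuid files on a tree
# with an allowlist of the few that must keep the bit and print a "chmod u-s"
# line for every other one. Nothing is changed by the script itself; review the
# output, then run the lines you agree with as root.
# Assumes a grep with -F and -x (on Solaris 10: /usr/xpg4/bin/grep).

# audit_setuid ROOT_DIR ALLOWLIST_FILE
#   ALLOWLIST_FILE holds one absolute path per line, exactly as find prints it.
#   Prints "chmod u-s <path>" for every setuid file that is not in the allowlist.
audit_setuid() {
    find "$1" -type f -perm -4000 -print | sort |
    while IFS= read -r path; do
        grep -qFx -- "$path" "$2" || printf 'chmod u-s %s\n' "$path"
    done
}

# Builds a throw-away tree with four setuid files and one normal file, allows
# two of them, and runs the audit. On a real host the call would be
# "audit_setuid / /etc/setuid.allow" (the allowlist path is a hypothetical name).
demo_audit_setuid() {
    tree=$(mktemp -d) || return 1
    allow="$tree/setuid.allow"
    mkdir -p "$tree/usr/bin" "$tree/usr/lib"
    for f in usr/bin/su usr/bin/passwd usr/bin/at usr/lib/oldtool; do
        : > "$tree/$f"
        chmod 4755 "$tree/$f"            # constructed setuid file
    done
    : > "$tree/usr/bin/ls"               # normal file: must not be reported
    chmod 755 "$tree/usr/bin/ls"
    printf '%s\n' "$tree/usr/bin/su" "$tree/usr/bin/passwd" > "$allow"
    audit_setuid "$tree" "$allow"
    rm -rf "$tree"
}

demo_audit_setuid
```

On the sample tree only the two files outside the allowlist (usr/bin/at and usr/lib/oldtool) are reported. Keep the allowlist under version control and rerun the audit after every patch cluster, since patches can reintroduce setuid bits you removed.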
Disable unwanted services
svcadm disable svc:/network/pfil:default
svcadm disable svc:/system/metainit:default
svcadm disable svc:/network/iscsi_initiator:default
svcadm disable svc:/network/ipfilter:default
svcadm disable svc:/network/rpc/bind:default
svcadm disable svc:/network/dns/client:default
svcadm disable svc:/network/ldap/client:default
svcadm disable svc:/network/nfs/status:default
svcadm disable svc:/network/nfs/nlockmgr:default
svcadm disable svc:/network/nfs/cbd:default
svcadm disable svc:/network/nfs/mapid:default
svcadm disable svc:/network/rpc/keyserv:default
svcadm disable svc:/network/inetd-upgrade:default
svcadm disable svc:/network/nfs/client:default
svcadm disable svc:/system/filesystem/autofs:default
svcadm disable svc:/system/mdmonitor:default
svcadm disable svc:/network/rpc/bootparams:default
svcadm disable svc:/network/rarp:default
svcadm disable svc:/network/security/kadmin:default
svcadm disable svc:/network/security/krb5kdc:default
svcadm disable svc:/system/consadm:default
svcadm disable svc:/network/rpc/gss:default
svcadm disable svc:/network/rpc/meta:default
svcadm disable svc:/network/rpc/mdcomm:default
svcadm disable svc:/network/rpc/metamed:default
svcadm disable svc:/network/rpc/metamh:default
svcadm disable svc:/network/rpc/rstat:default
svcadm disable svc:/network/rpc/rusers:default
svcadm disable svc:/network/rpc/spray:default
svcadm disable svc:/network/rpc/wall:default
svcadm disable svc:/network/nfs/rquota:default
svcadm disable svc:/network/security/ktkt_warn:default
svcadm disable svc:/network/chargen:dgram
svcadm disable svc:/network/chargen:stream
svcadm disable svc:/network/daytime:dgram
svcadm disable svc:/network/daytime:stream
svcadm disable svc:/network/discard:dgram
svcadm disable svc:/network/discard:stream
svcadm disable svc:/network/echo:dgram
svcadm disable svc:/network/echo:stream
svcadm disable svc:/network/time:dgram
svcadm disable svc:/network/time:stream
svcadm disable svc:/network/ftp:default
svcadm disable svc:/network/comsat:default
svcadm disable svc:/network/finger:default
svcadm disable svc:/network/login:eklogin
svcadm disable svc:/network/login:klogin
svcadm disable svc:/network/login:rlogin
svcadm disable svc:/network/rexec:default
Run a port scan (TCP and UDP) on the new machine; you should see only SSH open. Reboot and run the port scan again, so you can confirm that all the changes persist.
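As an added example (not part of the original post), here are two local checks that complement the external port scan, for the service list above and for the open-port expectation. Both read captured command output on stdin, so they run here on constructed samples; on the host you pipe in the real "svcs -a" and "netstat -an" output. The samples, the host address 10.40.20.23 and the FMRI list are constructed for the demonstration. Note that the snmpd started by the S77snmpd script earlier on this page binds UDP 161, so a scan after hardening shows SSH and SNMP, not SSH alone; the demo therefore allows 22 and 161.

```shell
#!/bin/sh
# Added example, not from the original post: two local checks to run alongside
# the external port scan, before and after the reboot. Both read captured output
# on stdin; on the host use "svcs -a | still_online ..." and
# "netstat -an | unexpected_listeners ...".

# still_online "FMRI FMRI ..." < svcs-output
#   Prints every service from the list that "svcs -a" still reports as online
#   (columns: STATE STIME FMRI).
still_online() {
    awk -v list="$1" '
        BEGIN { n = split(list, f, " "); for (i = 1; i <= n; i++) want[f[i]] = 1 }
        $1 == "online" && ($NF in want) { print $NF }
    '
}

# unexpected_listeners "PORT PORT ..." < netstat-output
#   Reads Solaris 10 "netstat -an" output: TCP sockets in LISTEN state and bound
#   UDP sockets (state Idle). Prints "tcp ADDR" / "udp ADDR" for every local
#   port that is not in the allowed list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        function port(addr) { sub(/.*\./, "", addr); return addr }
        $NF == "LISTEN" && !(port($1) in ok) { print "tcp", $1 }
        $NF == "Idle"   && !(port($1) in ok) { print "udp", $1 }
    '
}

# Constructed "svcs -a" excerpt: rpc/bind was missed, finger is disabled as intended.
SAMPLE_SVCS='STATE          STIME    FMRI
legacy_run     10:02:11 lrc:/etc/rc3_d/S70ndd
disabled       10:01:40 svc:/network/finger:default
online         10:01:52 svc:/network/rpc/bind:default
online         10:01:55 svc:/network/ssh:default'

# Constructed "netstat -an" excerpt from the same host: rpcbind still listens on
# 111 (TCP and UDP); sshd on 22 and snmpd on UDP 161 are the expected listeners.
SAMPLE_NETSTAT='UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.111                                Idle
      *.161                                Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.111                *.*                0      0 49152      0 LISTEN
10.40.20.23.22       *.*                    0      0 49152      0 LISTEN
10.40.20.23.22       10.40.0.5.54021    49640      0 49640      0 ESTABLISHED'

demo_still_online() {
    printf '%s\n' "$SAMPLE_SVCS" |
        still_online "svc:/network/rpc/bind:default svc:/network/finger:default svc:/network/rexec:default"
}

demo_unexpected_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 161"
}

demo_still_online
demo_unexpected_listeners
```

On the samples the first check prints svc:/network/rpc/bind:default and the second prints "udp *.111" and "tcp *.111", which point at the same missed service from two angles. Run both before and after the reboot: the service check catches an FMRI you forgot to disable, the listener check catches something that is not an SMF service at all (a legacy rc script, for instance) and would otherwise only show up in the external scan.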
Remove unneeded software
Remove the following packages:
SUNWftpr - FTP Server, (Root)
SUNWftpu - FTP Server, (Usr)
SUNWnfsckr - Network File System (NFS) client kernel support
SUNWnfscr - Network File System (NFS) client support (Root)
SUNWnfscu - Network File System (NFS) client support (Usr)
SUNWnfsskr - Network File System (NFS) server kernel support
SUNWnfssr - Network File System (NFS) server support (Root)
SUNWnfssu - Network File System (NFS) server support (Usr)
SUNWnisr - Network Information System, (Root)
SUNWnisu - Network Information System, (Usr)
SUNWpcmci - PCMCIA Card Services, (Root)
SUNWpcmcu - PCMCIA Card Services, (Usr)
SUNWpcmem - PCMCIA memory card driver
SUNWpcser - PCMCIA serial card driver
SUNWpsdpr - PCMCIA ATA card driver
SUNWsndmr - Sendmail (root)
SUNWsndmu - Sendmail (/usr)
SUNWtftp - Trivial File Transfer Server
SUNWtftpr - Trivial File Transfer Server (Root)
SUNWtnamd - Trivial Name Server (Usr)
SUNWtnamr - Trivial Name Server (Root)
SUNWtnetd - Telnet Server Daemon (Usr)
SUNWtnetr - Telnet Server Daemon (Root)
Banners
/etc/issue banner
W A R N I N G
THIS IS A PRIVATE COMPUTER SYSTEM!!
This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for authorized use. All computer systems may be monitored for all lawful purposes, including to
ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures,
survivability and operational security.
Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system. During monitoring, information may
be examined, recorded, copied and used for authorized purposes. All information
including personal information, placed on or sent over this system may be
monitored. Uses of this system, authorized or unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of any such
unauthorized use collected during monitoring may be used for administrative,
criminal or other adverse action. Use of this system constitutes consent to
monitoring for these purposes.
/etc/motd banner
WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected.