installation can be secured: the object is to have a box which can be accessed remotely via SSH and therefore used as a general purpose Unix server.<\/p>\n
First\u00a0<\/span><ilnk=”patchsolaris”>patch and\u00a0<\/span><ilnk=”firewallsolaris”>firewall the machine.<\/p>\n In this section, our aim is to permanently stop network-related daemons which are not required, or better still, remove all software related to them. (Removal means fewer tools for intruders to play with.)<\/p>\n Whilst there are high-level, graphical tools which help with Solaris software package administration, we require something more fine-grained; in addition, it is beneficial to understand the Solaris package system so we opt for use of the command-line tools such as\u00a0<\/span>pkginfo<\/tt>\u00a0<\/span>and\u00a0<\/span>pkgrm<\/tt>. And\u00a0<\/span>\/var\/sadm\/install\/contents<\/tt>\u00a0<\/span>tells us which files belong to which packages.<\/p>\n The remainder of this section reflects the rough journal of the securing of and a real installation. As such it is not a textbook example, but a real one!<\/p>\n Scanning the Solaris box with\u00a0<\/span>nmap<\/tt>\u00a0<\/span>shows a scary number of possible entry points for would-be hackers:<\/p>\n Start simple: SSH does not run out of the super-server,\u00a0<\/span>inetd<\/tt>, so we comment out\u00a0<\/span>almost everything<\/i>\u00a0<\/span>from\u00a0<\/span>\/etc\/inetd.conf<\/tt>\u00a0<\/span>and<\/p>\n Next, look for network-related packages.<\/p>\n yields three SUNW packages to uninstall — shown also are packages which depend on those we want to remove (indentation indicates a package dependency<\/i>\u00a0<\/span>— an indented package depends on the above, less indented package):<\/p>\n Removing all the above, and bringing the machine into single-user mode and backup, the following are gone (good!):<\/p>\n Next, we target the printer daemon:<\/p>\n yields candidates: SUNWpsu Solaris Print – LP Server, (usr) SUNWpsr Solaris Print – LP Server, (root) SUNWpcu Solaris Print – Client, (usr) SUNWscplp Solaris Print – Source Compatibility SUNWpcr Solaris Print – Client, (root) Removal, moving to single-user mode and bringing the system back up we find<\/p>\n has gone.<\/p>\n And now, UUCP, FTP, Telnet and NTP:<\/p>\n The X font server:<\/p>\n More Services: YP\/NIS, NIS+, NFS, Samba, PPP, Web, DHCP<\/p>\n So what’s left?<\/p>\n We have removed the X-font-server package and no XFS-type daemon is running, but the machine is still listening on 7100!?!? Aha! The font-server entry in\u00a0<\/span>inetd.conf<\/tt>\u00a0<\/span>is still there...<\/tt>\u00a0<\/span>Comment out.<\/p>\n Next up, Sendmail: we want to be able to send email but not receive it so rename and\u00a0<\/span>chmod 400<\/tt>\u00a0<\/span>the sendmail init script in\/etc\/init.d<\/tt>\u00a0<\/span>and remove\u00a0<\/span>S88sendmail<\/tt>\u00a0<\/span>from\u00a0<\/span>rc2.d<\/tt>:<\/p>\n and eliminated<\/p>\n Hmmm, port 587 also closed, I wonder what did that? Google [port 587 solaris<\/tt>]:<\/p>\n If you are using sendmail to receive messages (on port 25), you should turn off the Message Submission port (587\/tcp). In \/etc\/mail\/sendmail.cf, comment out<\/p>\n with a hashmark<\/p><\/blockquote>\n So we got one for free!<\/p>\n There is a load of RPC-related stuff to get rid of. CDE uses RPC and its crap anyway...<\/tt>\u00a0<\/span>There’s also\u00a0<\/span>dtspc<\/tt>\u00a0<\/span>on\u00a0<\/span>6112<\/tt>:<\/p>\n yields<\/p>\n so remove<\/p>\n Noticed this on a restart:<\/p>\n so<\/p>\n so<\/p>\n then\u00a0<\/span>init s<\/tt>,\u00a0<\/span>init 3<\/tt>\u00a0<\/span>had no effect! Try a reboot — eliminated:<\/p>\n A\u00a0<\/span>netstat -a | grep LIST<\/tt>\u00a0<\/span>shows up<\/p>\n Google [port 5987 solaris<\/tt>]<\/p>\n The CIM Object Manager listens for remote method invocation (RMI) connections on RMI port 5987 and now listens for XML\/HTTP connections on HTTP port 5988. (In the Solaris 8 software release and updates of the Solaris 8 release, the CIM Object Manager listened for XML\/HTTP connections on default HTTP port 80.)<\/p><\/blockquote>\n Solaris documentation indicates that CIM is part of WBEM.<\/p>\n yields up<\/p>\n Restart; eliminated!<\/p>\n Aside from SSH, only RPC-related stuff left:<\/p>\n What processes are running?<\/p>\n reveals<\/p>\n Of ToolTalk Google says:<\/p>\n CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain<\/p><\/blockquote>\n and we know about SNMP...<\/tt><\/p>\n gives candidates:<\/p>\n A final consideration of\u00a0<\/span>inetd<\/tt>\u00a0<\/span>and RPC — we don’t need the former since SSH runs independently and we don’t want the latter, so:<\/p>\n That leaves no TCP listeners and one UDP listener:<\/p>\n The\u00a0<\/span>man<\/tt>\u00a0<\/span>page for\u00a0<\/span>syslogd<\/tt>\u00a0<\/span>indicates that the\u00a0<\/span>default<\/i>\u00a0<\/span>behaviour is to listen.<\/p>\n and restart.<\/p>\n","protected":false},"excerpt":{"rendered":" installation can be secured: the object is to have a box which can be accessed remotely via SSH and therefore used as a general purpose Unix server.<\/p>\n 1.1. Patch and Firewall <\/p>\n First <ilnk=”patchsolaris”>patch and <ilnk=”firewallsolaris”>firewall the machine.<\/p>\n 1.2. Network-Related Daemons <\/p>\n In this section, our aim is to permanently stop network-related daemons which are not required, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[39],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5102"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5102"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5102\/revisions"}],"predecessor-version":[{"id":5104,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5102\/revisions\/5104"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}1.2. Network-Related Daemons<\/h3>\n
Initial Scan of Open Ports<\/h3>\n
7\/tcp open echo \r\n 9\/tcp open discard \r\n 13\/tcp open daytime \r\n 19\/tcp open chargen \r\n 21\/tcp open ftp \r\n 22\/tcp open ssh \r\n 23\/tcp open telnet \r\n 37\/tcp open time \r\n 79\/tcp open finger \r\n 111\/tcp open sunrpc \r\n 512\/tcp open exec \r\n 513\/tcp open login \r\n 514\/tcp open shell \r\n 515\/tcp open printer \r\n 540\/tcp open uucp \r\n 587\/tcp open submission\r\n 898\/tcp open unknown \r\n 4045\/tcp open lockd \r\n 6112\/tcp open dtspc \r\n 7100\/tcp open font-service \r\n 32771\/tcp open sometimes-rpc5 \r\n 32772\/tcp open sometimes-rpc7 \r\n 32773\/tcp open sometimes-rpc9 \r\n 32774\/tcp open sometimes-rpc11 \r\n 32775\/tcp open sometimes-rpc13 \r\n 32776\/tcp open sometimes-rpc15 \r\n 32777\/tcp open sometimes-rpc17 \r\n 32778\/tcp open sometimes-rpc19 \r\n 32779\/tcp open sometimes-rpc21 \r\n 32780\/tcp open sometimes-rpc23 \r\n<\/pre>\n
inetd<\/tt><\/h3>\n
kill -HUP <inetd pid>\r\n<\/pre>\n
Network-Related Packages (r<\/tt>-commands;\u00a0<\/span>finger<\/tt>)<\/h3>\n
pkginfo | grep -i network \r\n<\/pre>\n
SUNWrcmdc Remote Network Client Commands\r\n SUNWppm Solaris Print Manager\r\n SUNWmp MP Print Filter\r\n SUNWscpu Source Compatibility, (Usr)\r\n SUNWbcp SunOS 4.x Binary Compatibility\r\n SUNWscbcp SPARCompilers Binary Compatibility Libraries\r\n\r\n SUNWrcmdr Remote Network Server Commands (Root)\r\n SUNWrcmds Remote Network Server Commands (Usr)\r\n<\/pre>\n
79\/tcp open finger \r\n 512\/tcp open exec # rexec\r\n 513\/tcp open login # rlogin\r\n 514\/tcp open shell # rsh\r\n<\/pre>\n
Printer Daemon<\/h3>\n
pkginfo | grep -i printer\r\n<\/pre>\n
515\/tcp open printer \r\n<\/pre>\n
UUCP, FTP, Telnet and NTP<\/h3>\n
pkginfo | grep -i uucp\r\n pkginfo | grep -i ftp\r\n pkginfo | grep -i telnet\r\n pkginfo | grep -i ntp \r\n\r\n\r\nyielded\r\n\r\n SUNWbnur Networking UUCP Utilities, (Root)\r\n SUNWbnuu Networking UUCP Utilities, (Usr)\r\n\r\n SUNWftpr FTP Server, (Root)\r\n SUNWftpu FTP Server, (Usr)\r\n\r\n SUNWtnetr Telnet Server Daemon (Root)\r\n SUNWtnetc Telnet Command (client)\r\n SUNWtnetd Telnet Server Daemon (Usr)\r\n\r\n SUNWntpr NTP, (Root)\r\n SUNWntpu NTP, (Usr) \r\n\r\neliminating\r\n\r\n 540\/tcp open uucp \r\n 21\/tcp open ftp \r\n 23\/tcp open ftp \r\n # The ntp daemon was not actually listening.\r\n<\/pre>\n
X Font Server<\/h3>\n
SUNWxwfs X Window System Font server\r\n\r\n 7100\/tcp open font-service \r\n<\/pre>\n
YP, NIS+, NFS, Samba, PPP, HTTP and DHCP<\/h3>\n
SUNWypr NIS Server for Solaris (root)\r\n SUNWypu NIS Server for Solaris (usr)\r\n\r\n\r\n SUNWnisr Network Information System, (Root)\r\n SUNWnisu Network Information System, (Usr)\r\n\r\n\r\n SUNWnfscr Network File System (NFS) client support (Root)\r\n SUNWvolu Volume Management, (Usr)\r\n SUNWvolg Volume Management Graphical User Interface\r\n SUNWnfscu Network File System (NFS) client support (Usr)\r\n SUNWnfscx Network File System (NFS) client support (Root) (64-bit)\r\n SUNWnfssr Network File System (NFS) server support (Root)\r\n SUNWnfssu Network File System (NFS) server support (Usr)\r\n SUNWnfssx Network File System (NFS) server support (Root) (64-bit)\r\n\r\n \r\n SUNWsmbac samba - A Windows SMB\/CIFS fileserver for UNIX (client)\r\n SUNWsmbar samba - A Windows SMB\/CIFS fileserver for UNIX (Root)\r\n SUNWsmbau samba - A Windows SMB\/CIFS fileserver for UNIX (Usr)\r\n\r\n\r\n SUNWpppd Solaris PPP Device Drivers\r\n SUNWpppdr Solaris PPP configuration files\r\n SUNWpppdt Solaris PPP Tunneling\r\n SUNWpppdu Solaris PPP daemon and utilities\r\n SUNWpppdx Solaris PPP Device Drivers (64-bit)\r\n SUNWpppg GNU utilities for PPP\r\n\r\n\r\n SUNWapchr Apache Web Server (root)\r\n SUNWapchu Apache Web Server (usr)\r\n SUNWapchd Apache Web Server (usr)\r\n\r\n\r\n SUNWtcatr Tomcat Servlet\/JSP Container (root)\r\n SUNWtcatu Tomcat Servlet\/JSP Container\r\n\r\n\r\n SUNWdhcm DHCP Manager\r\n SUNWdhcsb Binary File Format Data Module for BOOTP\/DHCP Services\r\n SUNWdhcsr BOOTP\/DHCP Server Services, (Root)\r\n SUNWdhcsu BOOTP\/DHCP Server Services, (Usr)\r\n<\/pre>\n
What’s Left?<\/h3>\n
22\/tcp open ssh \r\n 25\/tcp open smtp \r\n 111\/tcp open sunrpc \r\n 587\/tcp open submission \r\n 6112\/tcp open dtspc \r\n 7100\/tcp open font-service \r\n 32771\/tcp open sometimes-rpc5 \r\n 32772\/tcp open sometimes-rpc7 \r\n 32773\/tcp open sometimes-rpc9 \r\n 32774\/tcp open sometimes-rpc11 \r\n 32775\/tcp open sometimes-rpc13 \r\n 32776\/tcp open sometimes-rpc15 \r\n 32777\/tcp open sometimes-rpc17 \r\n 32778\/tcp open sometimes-rpc19 \r\n<\/pre>\n
Sendmail<\/h3>\n
mv sendmail __sendmail.orig_install.no_start\r\n<\/pre>\n
25\/tcp open smtp\r\n<\/pre>\n
O DaemonPortOptions=Port=587, Name=MSA, M=E \r\n<\/pre>\n
CDE (\/usr\/dt<\/tt>)<\/h3>\n
fgrep dtspc \/var\/sadm\/install\/contents\r\n<\/pre>\n
\/usr\/dt\/bin\/dtspcd f none 0555 root bin 27376 27505 1016069365 SUNWdtdmn\r\n \/usr\/dt\/config\/dtspcdenv f none 0444 root bin 1183 21978 1016069365 SUNWdtdmn\r\n \/usr\/dt\/share\/man\/man1m\/dtspcd.1m f none 0444 root bin 5230 44603 1016073808 SUNWdtma\r\n \/usr\/dt\/share\/man\/man4\/dtspcdenv.4 f none 0444 root bin 5316 53514 1016073844 SUNWdtma\r\n<\/pre>\n
SUNWdtma CDE man pages\r\n SUNWdtdmn CDE daemons\r\n SUNWscgui Solaris Smart Card Administration GUI\r\n SUNWjmfp Java Media Framework Player\r\n SUNWpdas PDA Synchronization for Solaris\r\n SUNWdtjxt Java Extensions\r\n SUNWdtdst CDE Desktop Applications\r\n SUNWpmowu Power Management OW Utilities, (Usr)\r\n SUNWdtnsc Netscape Componentization Support for CDE\r\n SUNWpmowm Power Management OW Utilities Man Pages\r\n SUNWdthe CDE HELP RUNTIME\r\n SUNWdtezt Solaris Desktop Extensions Applications\r\n SUNWdtmaz Desktop Power Pack man pages\r\n SUNWdtim Solaris CDE Image Viewer\r\n SUNWdtwm CDE DESKTOP WINDOW MANAGER\r\n SUNWdtab CDE DTBUILDER \r\n SUNWdthev CDE HELP VOLUMES\r\n SUNWdthez Desktop Power Pack Help Volumes\r\n SUNWdtdem CDE DEMOS\r\n<\/pre>\n
Solaris Management Tools<\/h3>\n
Shutting down Solaris Management Console server on port 898.\r\n<\/pre>\n
pkginfo | grep -i management\r\n<\/pre>\n
SUNWmcex Solaris Management Console 2.1 (Examples)\r\n SUNWmcdev Solaris Management Console 2.1 (Development Kit)\r\n SUNWmc Solaris Management Console 2.1 (Server Components)\r\n SUNWwbmc Solaris Management Console 2.1 (WBEM Components)\r\n SUNWmga Solaris Management Applications\r\n SUNWdclnt Solaris Diskless Client Management Application\r\n SUNWlvmg Solaris Volume Management Application\r\n SUNWrmui Resource Management User Interface Components\r\n SUNWpmgr Solaris Patch Management Applications\r\n SUNWlvma Solaris Volume Management APIs\r\n SUNWmga Solaris Management Applications\r\n SUNWmcc Solaris Management Console 2.1 (Client Components)\r\n SUNWmccom Solaris Management Console 2.1 (Common Components)\r\n<\/pre>\n
898\/tcp open unknown \r\n<\/pre>\n
Solaris Web Management Tools<\/h3>\n
*.5987 *.* 0 0 49152 0 LISTEN\r\n<\/pre>\n
fgrep -i WBEM \/var\/sadm\/install\/contents\r\n<\/pre>\n
SUNWmgapp WBEM Management Applications\r\n SUNWrmwbu Resource Management WBEM Instrumentation (usr)\r\n SUNWrmwbx Resource Management WBEM Instrumentation (64-bit\r\n\r\n SUNWwbcou WBEM Services (usr)\r\n<\/pre>\n
Nearly There!<\/h3>\n
22\/tcp open ssh \r\n 111\/tcp open sunrpc \r\n 32771\/tcp open sometimes-rpc5 \r\n 32772\/tcp open sometimes-rpc7 \r\n 32773\/tcp open sometimes-rpc9 \r\n 32774\/tcp open sometimes-rpc11 \r\n<\/pre>\n
The Last Few RPC-Related Daemons<\/h3>\n
ps -ef\r\n<\/pre>\n
rpc.ttdbserverd\r\n snmpXdmid\r\n dmispd\r\n<\/pre>\n
fgrep -i tooltalk \/var\/sadm\/install\/contents\r\n<\/pre>\n
SUNWtltk ToolTalk runtime\r\n SUNWolrte OPEN LOOK toolkits runtime environment\r\n SUNWtltkd ToolTalk developer support\r\n SUNWtltkm ToolTalk manual pages\r\n SUNWdtct UTF-8 Code Conversion Tool\r\n SUNWxwdem X Window System demo programs\r\n SUNWlpmsg LP Alerts\r\n\r\n # ...and for SNMP :\r\n\r\n SUNWsacom Solstice Enterprise Agents 1.0.3 files for root file system\r\n SUNWmipr Mobile-IP (Root)\r\n SUNWmipu Mobile-IP (Usr)\r\n<\/pre>\n
Inetd and RPC: Finally<\/h3>\n
\/etc\/init.d\/inetsvc stop (to stop inetd)\r\n \/etc\/init.d\/rpc stop \r\n\r\n cd \/etc\/init.d\r\n mv inetsvc __inetsvc.orig_install.no_start\r\n mv rpc __rpc.orig_install.no_start\r\n chmod 400 __inetsvc.orig_install.no_start\r\n chmod 400 __rpc.orig_install.no_start\r\n<\/pre>\n
syslogd<\/tt><\/h3>\n
*.syslog Idle\r\n<\/pre>\n
\/etc\/init.d\/syslog: # ...and \/etc\/rc?.d\/S??syslog\r\n\r\n ## \/usr\/sbin\/syslogd >\/dev\/msglog 2>&1 &\r\n \/usr\/sbin\/syslogd -t >\/dev\/msglog 2>&1 &\r\n\r\n\r\n \/etc\/default\/syslogd:\r\n\r\n LOG_FROM_REMOTE=NO # ...from \"YES\"\r\n<\/pre>\n