The Solaris installation programme does not have a "build me a secure box" option. These notes outline how a standard Solaris 9 installation can be secured: the object is to have a box which can be accessed remotely via SSH and therefore used as a general purpose Unix server.
First
In this section, our aim is to permanently stop network-related daemons which are not required, or better still, remove all software related to them. (Removal means fewer tools for intruders to play with.)
Whilst there are high-level, graphical tools which help with Solaris software package administration, we require something more fine-grained; in addition, it is beneficial to understand the Solaris package system so we opt for use of the command-line tools such as pkginfo and pkgrm. And /var/sadm/install/contents tells us which files belong to which packages.
The remainder of this section reflects the rough journal of the securing of and a real installation. As such it is not a textbook example, but a real one!
Scanning the Solaris box with nmap shows a scary number of possible entry points for would-be hackers:
7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 37/tcp open time 79/tcp open finger 111/tcp open sunrpc 512/tcp open exec 513/tcp open login 514/tcp open shell 515/tcp open printer 540/tcp open uucp 587/tcp open submission 898/tcp open unknown 4045/tcp open lockd 6112/tcp open dtspc 7100/tcp open font-service 32771/tcp open sometimes-rpc5 32772/tcp open sometimes-rpc7 32773/tcp open sometimes-rpc9 32774/tcp open sometimes-rpc11 32775/tcp open sometimes-rpc13 32776/tcp open sometimes-rpc15 32777/tcp open sometimes-rpc17 32778/tcp open sometimes-rpc19 32779/tcp open sometimes-rpc21 32780/tcp open sometimes-rpc23
Start simple: SSH does not run out of the super-server, inetd, so we comment out almost everything from /etc/inetd.conf and
kill -HUP <inetd pid>
Next, look for network-related packages.
pkginfo | grep -i network
yields three SUNW packages to uninstall --- shown also are packages which
depend on those we want to remove (indentation indicates a package
dependency --- an indented package depends on the
above, less indented package):
SUNWrcmdc Remote Network Client Commands
SUNWppm Solaris Print Manager
SUNWmp MP Print Filter
SUNWscpu Source Compatibility, (Usr)
SUNWbcp SunOS 4.x Binary Compatibility
SUNWscbcp SPARCompilers Binary Compatibility Libraries
SUNWrcmdr Remote Network Server Commands (Root)
SUNWrcmds Remote Network Server Commands (Usr)
Removing all the above, and bringing the machine into single-user mode and
backup, the following are gone (good!):
79/tcp open finger 512/tcp open exec # rexec 513/tcp open login # rlogin 514/tcp open shell # rsh
Next, we target the printer daemon:
pkginfo | grep -i printer
yields candidates:
SUNWpsu Solaris Print - LP Server, (usr)
SUNWpsr Solaris Print - LP Server, (root)
SUNWpcu Solaris Print - Client, (usr)
SUNWscplp Solaris Print - Source Compatibility
SUNWpcr Solaris Print - Client, (root)
Removal, moving to single-user mode and bringing the system back up we find
515/tcp open printer
has gone.
And now, UUCP, FTP, Telnet and NTP:
pkginfo | grep -i uucp
pkginfo | grep -i ftp
pkginfo | grep -i telnet
pkginfo | grep -i ntp
yielded
SUNWbnur Networking UUCP Utilities, (Root)
SUNWbnuu Networking UUCP Utilities, (Usr)
SUNWftpr FTP Server, (Root)
SUNWftpu FTP Server, (Usr)
SUNWtnetr Telnet Server Daemon (Root)
SUNWtnetc Telnet Command (client)
SUNWtnetd Telnet Server Daemon (Usr)
SUNWntpr NTP, (Root)
SUNWntpu NTP, (Usr)
eliminating
540/tcp open uucp
21/tcp open ftp
23/tcp open ftp
# The ntp daemon was not actually listening.
The X font server:
SUNWxwfs X Window System Font server
7100/tcp open font-service
More Services: YP/NIS, NIS+, NFS, Samba, PPP, Web, DHCP
SUNWypr NIS Server for Solaris (root)
SUNWypu NIS Server for Solaris (usr)
SUNWnisr Network Information System, (Root)
SUNWnisu Network Information System, (Usr)
SUNWnfscr Network File System (NFS) client support (Root)
SUNWvolu Volume Management, (Usr)
SUNWvolg Volume Management Graphical User Interface
SUNWnfscu Network File System (NFS) client support (Usr)
SUNWnfscx Network File System (NFS) client support (Root) (64-bit)
SUNWnfssr Network File System (NFS) server support (Root)
SUNWnfssu Network File System (NFS) server support (Usr)
SUNWnfssx Network File System (NFS) server support (Root) (64-bit)
SUNWsmbac samba - A Windows SMB/CIFS fileserver for UNIX (client)
SUNWsmbar samba - A Windows SMB/CIFS fileserver for UNIX (Root)
SUNWsmbau samba - A Windows SMB/CIFS fileserver for UNIX (Usr)
SUNWpppd Solaris PPP Device Drivers
SUNWpppdr Solaris PPP configuration files
SUNWpppdt Solaris PPP Tunneling
SUNWpppdu Solaris PPP daemon and utilities
SUNWpppdx Solaris PPP Device Drivers (64-bit)
SUNWpppg GNU utilities for PPP
SUNWapchr Apache Web Server (root)
SUNWapchu Apache Web Server (usr)
SUNWapchd Apache Web Server (usr)
SUNWtcatr Tomcat Servlet/JSP Container (root)
SUNWtcatu Tomcat Servlet/JSP Container
SUNWdhcm DHCP Manager
SUNWdhcsb Binary File Format Data Module for BOOTP/DHCP Services
SUNWdhcsr BOOTP/DHCP Server Services, (Root)
SUNWdhcsu BOOTP/DHCP Server Services, (Usr)
So what's left?
22/tcp open ssh 25/tcp open smtp 111/tcp open sunrpc 587/tcp open submission 6112/tcp open dtspc 7100/tcp open font-service 32771/tcp open sometimes-rpc5 32772/tcp open sometimes-rpc7 32773/tcp open sometimes-rpc9 32774/tcp open sometimes-rpc11 32775/tcp open sometimes-rpc13 32776/tcp open sometimes-rpc15 32777/tcp open sometimes-rpc17 32778/tcp open sometimes-rpc19We have removed the X-font-server package and no XFS-type daemon is running, but the machine is still listening on 7100!?!? Aha! The font-server entry in inetd.conf is still there... Comment out.
Next up, Sendmail: we want to be able to send email but not receive it so rename and chmod 400 the sendmail init script in /etc/init.d and remove S88sendmail from rc2.d:
mv sendmail __sendmail.orig_install.no_start
and eliminated
25/tcp open smtp
Hmmm, port 587 also closed, I wonder what did that?
Google [port 587 solaris]:
If you are using sendmail to receive
messages (on port 25), you should turn off the Message Submission
port (587/tcp). In /etc/mail/sendmail.cf, comment out
O DaemonPortOptions=Port=587, Name=MSA, M=E
with a hashmark
So we got one for free!
There is a load of RPC-related stuff to get rid of. CDE uses RPC and its crap anyway... There's also dtspc on 6112:
fgrep dtspc /var/sadm/install/contents
yields
/usr/dt/bin/dtspcd f none 0555 root bin 27376 27505 1016069365 SUNWdtdmn
/usr/dt/config/dtspcdenv f none 0444 root bin 1183 21978 1016069365 SUNWdtdmn
/usr/dt/share/man/man1m/dtspcd.1m f none 0444 root bin 5230 44603 1016073808 SUNWdtma
/usr/dt/share/man/man4/dtspcdenv.4 f none 0444 root bin 5316 53514 1016073844 SUNWdtma
so remove
SUNWdtma CDE man pages
SUNWdtdmn CDE daemons
SUNWscgui Solaris Smart Card Administration GUI
SUNWjmfp Java Media Framework Player
SUNWpdas PDA Synchronization for Solaris
SUNWdtjxt Java Extensions
SUNWdtdst CDE Desktop Applications
SUNWpmowu Power Management OW Utilities, (Usr)
SUNWdtnsc Netscape Componentization Support for CDE
SUNWpmowm Power Management OW Utilities Man Pages
SUNWdthe CDE HELP RUNTIME
SUNWdtezt Solaris Desktop Extensions Applications
SUNWdtmaz Desktop Power Pack man pages
SUNWdtim Solaris CDE Image Viewer
SUNWdtwm CDE DESKTOP WINDOW MANAGER
SUNWdtab CDE DTBUILDER
SUNWdthev CDE HELP VOLUMES
SUNWdthez Desktop Power Pack Help Volumes
SUNWdtdem CDE DEMOS
Noticed this on a restart:
Shutting down Solaris Management Console server on port 898.
so
pkginfo | grep -i management
so
SUNWmcex Solaris Management Console 2.1 (Examples)
SUNWmcdev Solaris Management Console 2.1 (Development Kit)
SUNWmc Solaris Management Console 2.1 (Server Components)
SUNWwbmc Solaris Management Console 2.1 (WBEM Components)
SUNWmga Solaris Management Applications
SUNWdclnt Solaris Diskless Client Management Application
SUNWlvmg Solaris Volume Management Application
SUNWrmui Resource Management User Interface Components
SUNWpmgr Solaris Patch Management Applications
SUNWlvma Solaris Volume Management APIs
SUNWmga Solaris Management Applications
SUNWmcc Solaris Management Console 2.1 (Client Components)
SUNWmccom Solaris Management Console 2.1 (Common Components)
then init s, init 3 had no effect! Try a reboot --- eliminated:
898/tcp open unknown
A netstat -a | grep LIST shows up
*.5987 *.* 0 0 49152 0 LISTEN
Google [port 5987 solaris]
The CIM Object Manager listens for remote method invocation (RMI) connections on RMI port 5987 and now listens for XML/HTTP connections on HTTP port 5988. (In the Solaris 8 software release and updates of the Solaris 8 release, the CIM Object Manager listened for XML/HTTP connections on default HTTP port 80.)Solaris documentation indicates that CIM is part of WBEM.
fgrep -i WBEM /var/sadm/install/contents
yields up
SUNWmgapp WBEM Management Applications
SUNWrmwbu Resource Management WBEM Instrumentation (usr)
SUNWrmwbx Resource Management WBEM Instrumentation (64-bit
SUNWwbcou WBEM Services (usr)
Restart; eliminated!
Aside from SSH, only RPC-related stuff left:
22/tcp open ssh 111/tcp open sunrpc 32771/tcp open sometimes-rpc5 32772/tcp open sometimes-rpc7 32773/tcp open sometimes-rpc9 32774/tcp open sometimes-rpc11
What processes are running?
ps -ef
reveals
rpc.ttdbserverd snmpXdmid dmispdOf ToolTalk Google says:
CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gainand we know about SNMP...
fgrep -i tooltalk /var/sadm/install/contents
gives candidates:
SUNWtltk ToolTalk runtime
SUNWolrte OPEN LOOK toolkits runtime environment
SUNWtltkd ToolTalk developer support
SUNWtltkm ToolTalk manual pages
SUNWdtct UTF-8 Code Conversion Tool
SUNWxwdem X Window System demo programs
SUNWlpmsg LP Alerts
# ...and for SNMP :
SUNWsacom Solstice Enterprise Agents 1.0.3 files for root file system
SUNWmipr Mobile-IP (Root)
SUNWmipu Mobile-IP (Usr)
A final consideration of inetd and RPC --- we don't need the former since SSH runs independently and we don't want the latter, so:
/etc/init.d/inetsvc stop (to stop inetd)
/etc/init.d/rpc stop
cd /etc/init.d
mv inetsvc __inetsvc.orig_install.no_start
mv rpc __rpc.orig_install.no_start
chmod 400 __inetsvc.orig_install.no_start
chmod 400 __rpc.orig_install.no_start
That leaves no TCP listeners and one UDP listener:
*.syslog Idle
The man page for syslogd indicates that the default
behaviour is to listen.
/etc/init.d/syslog: # ...and /etc/rc?.d/S??syslog
## /usr/sbin/syslogd >/dev/msglog 2>&1 &
/usr/sbin/syslogd -t >/dev/msglog 2>&1 &
/etc/default/syslogd:
LOG_FROM_REMOTE=NO # ...from "YES"
and restart.
| ...cont's | next... |