Re: Hardening a Solaris system.

gerryt_at_gtconnect.net
Date: 11/21/03

    Date: Fri, 21 Nov 2003 16:58:52 GMT
    
    

    In article <c99d2c79.0311162209.bf0f4e6@posting.google.com>,
            see_my_signature_for_my_real_address@hotmail.com (Dr. David Kirkby) writes:
    > see_my_signature_for_my_real_address@hotmail.com (Dr. David Kirkby) wrote in message news:<c99d2c79.0311140749.2e91890e@posting.google.com>...
    >> I know files that execute with root permissions by normal users (e.g.
    >> su) can be a security risk. Is it necessary to have any such files, if
    >> only the root user logs in ?? In other words, making the system
    >> unusable to anyone but root.
    >>
    >> I'm particularly thinking about Solaris 9 on a Sun SPARCstation 20.
    >>
    >> I've set up a web server, running Apache, so am thinking about what I
    >> can do to reduce the chances of it being hacked. I've done several
    >> things.
    > <snip>
    >> Dr. David Kirkby.
    >
    > Thanks everyone for your tips. I hope you don't mind me not replying
    > to each of you individually, but since several people naturally
    > suggested the same things (like install ssh), it would be a bit
    > pointless in my replying individually.

    Solaris 9 comes with their own version of ssh.
    If you have tcp_wrappers installed you can easily deny
    access to port 22 except for trusted IPs.
    That leaves port 111 (rpcbind) - there is a tcp_wrapper
    version in source at playground.sun.com :
    ftp://playground.sun.com/pub/rpc
    netstat -an | grep LIST displays listening ports
    lsof -i :PORT# tells you what service is attached
    Either tcp_wrappers or ip-filter can make them "safe".
    ip-nat could make your SS20 a bastion machine if it had 2 NICs.
    Even if it doesn't.

    In setting up a reasonably secure home network:
    you learn stuff
    It can even be kinda fun
    Fewer grey hairs even

    Forgive me for saying so but it seems like a pretty trivial
    thought process for a PhD like Doc Kirkby at least from my
    envious viewpoint - mere technologist : > .

    > I'm sure I'll follow several tips, although not all for
    > practical/economic reasons. I should state the machine is a home
    > computer, serving no commercial value, so if it gets hacked it is not
    > the end of the world. But I'd take it as a failing on my part if it
    > did get hacked.

    It might be the end of the World for the rest of us though if you get
    hacked. Compromised machines can be used to do evil things in your name
    so I wouldn't be so cavalier about it!
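
The `netstat -an | grep LIST` check from the reply above, extended into a small audit that reports listening TCP ports missing from an expected list. This is an added example, not part of the original post; the function names, the sample output and the expected list "22 80" (ssh plus an Apache server assumed to be on port 80) are assumptions.

```shell
#!/bin/sh
# Added example: flag listening TCP ports that are not on an expected list,
# reading Solaris-style `netstat -an` output on stdin.

# Usage: netstat -an | unexpected_listeners "22 80"
# Prints one unexpected port per line, numerically sorted, de-duplicated.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Solaris prints the local address as ADDR.PORT (e.g. *.22 or
        # 192.168.1.5.80), so the port is whatever follows the last dot.
        /LISTEN/ {
            k = split($1, part, ".")
            port = part[k]
            if (port ~ /^[0-9]+$/ && !(port in ok)) print port
        }
    ' | sort -n -u
}

# Constructed sample in the Solaris `netstat -an` layout (not from a real host).
sample_netstat() {
    cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.111                *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
      *.32771              *.*                0      0 49152      0 LISTEN
192.168.1.5.22       192.168.1.9.40112    64240      0 49640      0 ESTABLISHED
      *.6000               *.*                0      0 49152      0 LISTEN
EOF
}
```

Each port it reports is a candidate for `lsof -i :PORT#`, and then for either disabling the service or restricting it with tcp_wrappers or ip-filter.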

