Re: Hardening a Solaris system.

From: Casper H.S. Dik (Casper.Dik_at_Sun.COM)
Date: 11/24/03

    Date: 24 Nov 2003 18:24:11 GMT
    
    

    gerryt@gtconnect.net () writes:

    >In article <3fc0f942$0$1505$e4fe514c@news.xs4all.nl>,
    > Casper H.S. *** <Casper.***@Sun.COM> writes:
    >> gerryt@gtconnect.net () writes:
    >>
    >>>Yes I use both a wrapped version of rpcbind and ip-filter rules..
    >>>Is the playground rpcbind not really recommended anymore on 9??
    >>
    >> The only rpcbind I could find is the standard tirpc2.3 one; it does not
    >> have all security fixes available in S9; I'm not even sure it supports
    >> IPv6 properly.

    >playground has this:
    >rpcsrc_40.tar 1100 KB 21/07/98 12:00:00 AM
    >The others are 1995 or earlier. Pretty OLD : >
    >Yes, IPv6 would be a problem, I'm sure. But we know who can fix
    >THAT, don't we : >

    I think the more recent one is: tirpcsrc2.3.tar.Z
    (rpcsrc4.0 is really from a much earlier date and is only
    for SunOS 4.x; it's "socket rpc"; tirpcsrc is the
    "transport independent rpc" as found in Solaris)

    >a) I don't have a router - yet - : >
    >b) I don't except maybe locally. Right now I see:
    > 32771,2,6,7,8,9 listening
    > The box is set up to do jumpstarts.

    >I'll see what I can do about a 3271??-32799 rule in ip-filter : >
    >Unless there's a better way.

    I'd suggest (strongly) to filter everything incoming except
    the specific ports you want to keep open.

    And for outgoing traffic use keep state.

    Casper

    -- 
    Expressed in this posting are my opinions.  They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.
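
The filtering policy suggested in this message (block everything incoming except chosen ports, keep state on outgoing traffic), expressed as IP Filter rules. This is an added example, not part of the original posting; the interface name `hme0`, the open port 22 and the subnet 192.168.1.0/24 are assumptions.

```conf
# ipf.conf: default-deny inbound, stateful outbound.
# Assumptions (not from the thread): external interface hme0,
# SSH (tcp/22) as the one service offered to everyone,
# 192.168.1.0/24 as a constructed trusted local subnet.

# Outbound: pass and record state, so reply packets are matched by
# the state table and need no inbound rule of their own.
pass out quick on hme0 proto tcp  from any to any flags S keep state
pass out quick on hme0 proto udp  from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# Inbound: only the specific ports meant to stay open.
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state

# Optional: hosts on the trusted local subnet may reach the RPC
# services (rpcbind on 111 and the dynamically assigned ports).
pass in quick on hme0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass in quick on hme0 proto udp from 192.168.1.0/24 to any keep state

# Everything else inbound is dropped and logged. This covers rpcbind
# and the whole dynamic RPC range without a per-port block rule.
block in log quick on hme0 all
```

Because the final rule blocks by default, no separate rule for the 327xx listeners is needed; a port stays closed unless a `pass in` line above names it.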
    
