UNIX Security: A Solaris 10 example

_{Status: Public/rev.0.1}

Objective: This general overview is meant to show System Administrators how to apply various measures in order to improve the security of their hosts as seen from the Internet.

Assumptions about this guide:

• You know the purpose of the system you are installing and which services you want activated.
• The results here are based on a complete 64-bit Solaris 10 default installation (Complete Solaris Installation + OEM Support, No Kerberos, No IPv6, No NIS+/LDAP).
• The measures here are niether definitive nor guaranteed; i.e. there are many ways to secure a system. These measures are only a basic guideline.

Additional Services

Pre-Installation

• You should not connect your system to the Internet until you've completed at least the items listed in the section Services below.

Services

Objective: Disable unneccessary services which could be remotely used to manipulate or break into a system.

It is advisable to turn off whatever services are not needed in order to prevent them from being abused. To give you an idea of what is visible on your system after the default installation, here is an NMap scan of the computer.

There are basically three main types of services which are started in Solaris:

1. Services found in the /etc/init.d, /etc/rc2.d, ... directories. If these services are started they usually remain active in memory until they are stopped. (e.g. /etc/init.d/sendmail stop)
2. Services found in the /etc/inet/inetd.conf file. These services are started when a connection is made to the host, for example when font services are requested. After the service completes its task, it no longer remains resident in memory. This will be discussed further in the section on TCP_Wrapper filtering.
3. New to Solaris 10 are services which are activated and managed using the SMF Administrative and Programming Interfaces; an extension of inetd services.

Procedure: Start by turning off services you don't need, for example in the /etc/rc3.d directory. See /etc/rc2.d/README for startup file naming conventions. Generally, as in the example below, you don't need to have SNMP activated.

sol10demo# /bin/cd /etc/inet
(Edit inetd.conf and comment out the services which are not needed, such as rpc.cmsd, rpc.ttdbserverd, etc. Afterwards the inetd daemon needs to be restarted)
sol10demo# /usr/sbin/inetconv -i /etc/inet/inetd.conf

The third type of services to disable can be seen using the SMF (Service Management Facility) program svcs.
sol10demo# /usr/bin/svcs -a
To see which services are actually running (online)
sol10demo# /usr/bin/svcs -a | /usr/bin/grep online

Among these services, the ones which can be immediately disabled using the svcadm utility are:

sol10demo# /usr/sbin/svcadm disable svc:/network/finger:default
sol10demo# /usr/sbin/svcadm disable svc:/network/login:rlogin
sol10demo# /usr/sbin/svcadm disable svc:/network/shell:default
sol10demo# /usr/sbin/svcadm disable svc:/network/telnet:default
sol10demo# /usr/sbin/svcadm disable svc:/network/rpc/rstat:default
sol10demo# /usr/sbin/svcadm disable svc:/network/rpc/rusers:default

Other services which could be turned off, depending on the purpose of your system, are as follows. Otherwise such services can be filtered as shown later.

sol10demo# /usr/sbin/svcadm disable svc:/network/smtp:sendmail - Sendmail Server
sol10demo# /usr/sbin/svcadm disable svc:/network/ftp:default - FTP Server

If you enabled IPv6 functionality during the installation, you can deactivate it by removing the interface and rebooting
sol10demo# /bin/rm /etc/hostname6.hme0
If you have multiple interfaces, you will have to remove the other hostname6.* files. You will also need to disable IPv6 services in inetd.conf.

{Now connect the system to the network and reboot}
sol10demo# /usr/sbin/reboot

Patches

Objective: Apply fixes regularly to the software installation to patch known security holes.

Procedure: After the initial installation of Solaris go to the URL http://sunsolve.sun.com
and copy the 10_Recommended.zip patch-bundle to /tmp
(or via FTP: sunsolve.sun.com/patchroot/clusters/10_Recommended.zip)
sol10demo# /bin/cd /tmp
sol10demo# /bin/unzip -q 10_Recommended.zip
sol10demo# /bin/cd 10_Recommended
sol10demo# ./install_cluster

After the patches are installed, reboot the system

NOTE: For a more thorough update of the system or to update the system on a regular basis, consider using the Solaris smpatch facility:
sol10demo# /usr/bin/smpatch update
or the new updatemanager utility of Solaris 10
sol10demo# /bin/updatemanager
{With updatemanager a valid Sunsolve.com account is required}

Filtering

Objective: Filter specific services which are run from the Service Management Facility (SMF) or from the /etc/inet/inetd.conf file in order to control access.

Procedure: Solaris 10 contains the TCP_Wrappers filtering software as part of the default installation. (binaries are located in the /usr/sfw/sbin directory). See Enabling TCP Wrappers in the Solaris 10 Operating System for a detailed description of enable TCP_Wrappers. This software allows you to "wrap" or firewall certain services contained in the /etc/inet/inetd.conf file. Activate this filtering by editing the file /etc/default/inetd and making the following changes:

Here's a quick example of allowing TCP_Wrappers access for telnet. (Which you would never do, since you're using SSH, right?)

sol10demo# /bin/svcs -a | /bin/grep telnet
disabled Sep_06 svc:network/telnet:default
sol10demo# /usr/sbin/svcadm enable svc:network/telnet:default

Activate the TCP_Wrappers Service for the inetd services
sol10demo# /usr/sbin/inetadm -M tcp_wrappers=true
sol10demo# /usr/sbin/svcadm refresh inetd
Check that the service is wrapped
sol10demo# /usr/sbin/inetadm -l telnet | /bin/grep tcp_wrappers
default tcp_wrappers=true

Edit /etc/hosts.deny and add
in.telnetd : ALL

Edit /etc/hosts.allow and add
in.telnetd : 123.345.67.1 172.20.
to allow access from a specific IP-address or address range.

Example hosts.allow/hosts.deny files:
The hosts.allow file specifies which hosts are allowed to use which services. Sample /etc/hosts.allow file
The hosts.deny file specifies what to do with all hosts which are not allowed. Sample /etc/hosts.deny file

Don't forget to allow telnet access in your IPF firewall, for example in /etc/ipf/ipf.conf add:
pass in quick proto tcp from any to 123.456.7.8 port = 23 keep state
where 123.456.7.8 represents the local host.

Verify that the filtering is working correctly. Try telneting in from a system which is not entered in the hosts.allow file. If things are working correctly, you should see a message like the following in /var/adm/messages:
Sep 7 15:00:08 sol10demo in.telnetd[2382]: [ID 808943 daemon.warning] refused connect from bad-ip.com (access denied)

Again, you can verify whether or not the service is being correctly filtered by looking in the appropriate logfiles; either /var/adm/messages or /var/log/syslog. The programs tcpdchk and tcpdmatch are also useful for determining a proper installation of TCP_Wrappers.

Here is a partial listing of services which are usually seen in the inetd.conf file.

Secure Connections

Objective: Disable insecure protocols and only allow secure (encrypted) connections via Secure Shell (SSH).

Solaris 10 comes with Secure Shell (SSH) installed. SSH is a secure protocol which allows users to make trusted logins, copy files and perform other transactions to SSH servers. It is also a secure replacement for telnet, rsh, rcp, ftp, & rlogin, which allows you to turn these untrusted services off either in the /etc/inet/inetd.conf file or as part of the Solaris Service Management Facility (SMF).

Procedure: To make sure the SSH server is running on your system you can perform the following command:

First check that the service is running.
sol10demo# /bin/svcs -a | /bin/grep ssh
online 14:34:07 svc:/network/ssh:default

Check if the daemon is running on port 22 either from the localhost or from another system on the network.
sol10demo# /bin/telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-Sun_SSH_1.1
quit {Enter quit here to exit}
Protocol mismatch.
Connection to localhost closed.
sol10demo#

If there is no answer, check if the daemon is running
sol10demo# /bin/ps -ef | /bin/grep sshd
root 679 1 0 10:15:05 ? 0:00 /usr/lib/ssh/sshd
sol10demo#

The initial installation of Solaris should create the necessary encryption keys needed to run SSH and the daemon should start as soon as your system enters multi-user mode. If you need to start it by hand simply start
sol10demo# /usr/lib/ssh/sshd

Personal Firewalls

Objective: Control/log system access and prevent various network-based attacks using a Personal Firewall product.

Procedure:
The IP Filter (IPF) software has now been integrated into Solaris 10. The following will help you to get IPF up and running and gives examples of setting up some firewall-filtering rules.

First, make sure the service is enabled.
sol10demo# /bin/svcs -a | /bin/grep ipf
disabled 14:33:53 svc:/network/ipfilter:default
sol10demo# /usr/sbin/svcadm enable svc:/network/ipfilter:default
sol10demo# /bin/svcs -a | /bin/grep ipf
enabled 14:33:53 svc:/network/ipfilter:default

Next, start setting up the filtering.
sol10demo# /bin/cd /etc/ipf
Edit the file /etc/ipf/pfil.ap and uncomment the interface(s) which apply to your system. In this example bge is the network interface.
sol10demo# /bin/grep bge /etc/ipf/pfil.ap
bge -1 0 pfil

Now create the base filtering file. This mkfilters command will create the base filters based on the IP addresses associated with your system. These filter simply dissallow nasty stuff (i.e. spoofing, incomplete packets, etc.) at the network level.
sol10demo# /usr/share/ipfilter/examples/mkfilters > /etc/ipf/ipf.conf
Now you need to reboot your system so that the network interface can start filtering.
sol10demo# /usr/sbin/reboot

After rebooting you should check that IPF has been started.
sol10demo# /bin/grep ipf /var/adm/messages
Sep 5 14:33:52 sol10demo ipf: [ID 774698 kern.info] IP Filter: v4.0.2, running.

At this point you have a set of rules for blocking various attacks but not much else. You should decide what services or functionality you want to make available and then select the filters accordingly. Some examples are already provided as part of the Solaris 10 installation and can be found under /usr/share/ipfilter/examples. Here's an example thrown together to give you an idea of how you can put rules together. _{NOTE: These are examples only. The usual disclaimer applies that we are not responsible for how this information is applied or make any guarantees to the functionality of the product.}

Another source of IPF information is from the following URL: http://coombs.anu.edu.au/~avalon/examples.html
A sample configuration file shows some possibilities using IPFilter. Note that firewall products are not a guaranteed solution for preventing unauthorized access to your system and should be used in combination with other security measures, such as those suggested in this document.

Further Information
A full description of this product can be found at:
http://rr.sans.org/firewall/IPfilter.php
http://www.obfuscation.org/ipf/ipf-howto.txt

System Changes

Objective: Make the following changes in order to protect the system from various buffer-overflow attacks

Procedure: Add the following information to the /etc/system file. (You must reboot the system for these changes to take affect.)

set noexec_user_stack = 1
set noexec_user_stack_log = 1

To ensure accuracy of time-relevant information set the system time correctly by adding the following line to the root crontab file, for example:
0,10,20,30,40,50 * * * * /usr/sbin/ntpdate <timeserver> > /dev/null 2>&1
{Within the ethz.ch domain, <timeserver> should be time.ethz.ch}

Post-Installation

Whenever you install new patches make sure that any changes you made to the system are not set back to their original state. For example, if you replace the Solaris version of Sendmail with the BSD version, make sure that /usr/lib/sendmail is not overwritten by patch updates. In such cases it is advisable to remove the Solaris package to avoid these types of conflicts.

You should also subscribe yourself to get security bulletins from Sun. To receive security bulletins directly from the Sun Security Coordination Team, go to sunsolve.sun.com

Additional Services

The following information describes how to configure/install additional services which help improve the security of your system. Some services exist already as part of the Solaris installation or can be easily added onto the system.

Secure Shell (OpenSSH) - Installed with OS.
TCP_Wrappers ------------ Installed with OS, but not activated.
RPCBind ------------------- Must be installed seperately.
FTP Server ---------------- Installed with OS. Can be actived if needed.
Samhein ------------------- Must be installed seperately

Secure Shell (SSH)

Objective: Install OpenSSH by hand if you need to apply security patches quickly, add support-options into the program or need to have a specific version for testing - for example.

Procedure: OpenSSH is preinstalled on Solaris. You can use the Solaris version or install your own version. Note that OpenSSH has dependencies on other packages such as OpenSSL, and Zlib.

First download and install the latest version of OpenSSL from http://www.openssl.org

OpenSSL
sol10demo# /bin/gzcat openssl-0.9.8.tar.gz | /bin/tar xf -
sol10demo# /bin/cd openssl-0.9.8
sol10demo# ./Configure
sol10demo# /usr/ccs/bin/make
Installation of openssl will be to the /usr/local/ssl directory, seperate from the OS-installed version. At this point you can uninstall the Solaris OpenSSL packages if you want. Otherwise install the program.
sol10demo# /usr/ccs/bin/make install

OpenSSH
sol10demo# /bin/gzcat openssh-4.1p1.tar.gz | /bin/tar xf -
sol10demo# /bin/cd openssh-4.1p1
sol10demo# ./configure --with-ssl-dir=/usr/local/ssl --with-tcp-wrappers=/usr/sfw/sbin
sol10demo# /usr/ccs/bin/make
# Run the following commands to handle priviledge seperation
- /bin/mkdir /var/tmp
- /bin/chown -R root:sys /var/empty
- /bin/chmod 755 /var/empty
- /usr/sbin/groupadd sshd
- /usr/sbin/useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
At this point you may uninstall existing OpenSSH packages but be careful that libssl.so and libcrypto.so don't get uninstalled or pkginfo and other tools won't work anymore.
sol10demo# ls -l /usr/sfw/lib/libssl*
1323548 Aug 29 14:59 /usr/sfw/lib/libssl.so
9 Aug 29 14:59 /usr/sfw/lib/libssl.so.0.9.7 -> libssl.so
sol10demo# /bin/ls -al /usr/sfw/lib/libcrypto*
1433440 Aug 29 15:00 /usr/sfw/lib/libcrypto.so
12 Aug 29 15:01 /usr/sfw/lib/libcrypto.so.0.9.7 ->libcrypto.so
sol10demo# /usr/ccs/bin/make install

You now have to make sure that the sshd daemon starts correctly on system startup. If you have removed the OpenSSH packages from Solaris then you'll need to add a startup script like this to the /etc/init.d/directory and rename it to sshd
sol10demo# /bin/ls -al /etc/init.d/sshd
-rwxr-xr-x 1 root sys 1396 sshd
sol10demo# /bin/ln /etc/init.d/sshd /etc/rc2.d/S99sshd

Otherwise, if the OpenSSH packages are still installed on the system, you can modify the /lib/svc/method/sshd file directly and change the following:
KEYGEN="/usr/bin/ssh-keygen -q"
to
KEYGEN="/usr/local/bin/ssh-keygen -q"

and change
/usr/lib/ssh/sshd
to
/usr/local/sbin/sshd

Optionally add /etc/hosts.allow and /etc/hosts.deny
sol10demo# /bin/cat /etc/hosts.deny
sshd : ALL
sol10demo# /bin/cat /etc/hosts.allow
sshd : mydomain.com

You will have to activate TCP_Wrappers, as described below, in order for this to work correctly.

Now make sure you're using the new version of SSH by restarting the daemon.
sol10demo# /bin/kill -HUP `/bin/cat /var/run/sshd.pid`
Verify that you have the correct version running
sol10demo# telnet localhost 22
Trying 127.0.0.1...
Connected to sol10demo.foo.com.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.1

TCP_Wrappers/RPCBind

Objective: Replace the /usr/sbin/rpcbind program in order to use TCP_Wrappers-like filtering for RPC services.

Procedure: RPCBind with TCP_Wrappers support should now be built into Solaris 10. The simplest way to activate the services with tcp_wrappers is:
sol10demo# svccfg -s inetd setprop defaults/tcp_wrappers=true
sol10demo# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
{Now restart the services}
sol10demo# svcadm refresh inetd
sol10demo# svcadm refresh rpc/bind

If you want to build an RPCBind the old-fashioned way, the information is listed below. First download the rpcbind_2.1.tar.gz from ftp://ftp.porcupine.org/pub/security/index.html#software

Install Rpcbind Filtering (Depends on TCP_Wrappers installation or the location of the libwrap.a library file. Under Solaris 10 the library is available as libwrap.so
sol10demo# /bin/gzcat rpcbind_2.1.tar.gz | /bin/tar xf -
sol10demo# /bin/cd rpcbind_2.1

Edit the Makefile
Add "CC=gcc" to the top of the Makefile (without quotes)

Change libwrap.a to libwrap.so
For example, change
LDLIBS = $(WRAP_DIR)/libwrap.a -lsocket -lnsl -ldl
to
LDLIBS = $(WRAP_DIR)/libwrap.so -lsocket -lnsl -ldl

sol10demo# setenv WRAP_DIR /usr/sfw/lib
sol10demo# /bin/ls $WRAP_DIR/libwrap* {The libwrap.so file needs to exist here}
libwrap.so libwrap.so.1.0 libwrap.so.1
sol10demo#
sol10demo# make
gcc -g -I. -DPORTMAP -DCHECK_LOCAL -DFACILITY=LOG_MAIL -DSEVERITY=LOG_INFO -c check_bound.c
gcc -g -I. -DPORTMAP -DCHECK_LOCAL -DFACILITY=LOG_MAIL -DSEVERITY=LOG_INFO -c pmap_svc.c
. . .
sol10demo#
Make a backup copy of the Solaris original rpcbind
sol10demo# /bin/cp -p /usr/sbin/rpcbind /usr/sbin/rpcbind.orig
sol10demo# /bin/cp -p rpcbind /usr/sbin
sol10demo# /bin/ls -al /usr/sbin/rpcbind
-rwxr-xr-x 1 root root 150520 Sep 6 2005 /usr/sbin/rpcbind
sol10demo# /bin/chown root:bin /usr/sbin/rpcbind
sol10demo# /bin/chmod 555 /usr/sbin/rpcbind
sol10demo# /bin/ls -al /usr/sbin/rpcbind
-r-xr-xr-x 1 root bin 150520 Sep 6 2005 /usr/sbin/rpcbind
sol10demo#

The syntax required for rpcbind in the /etc/hosts.allow and /etc/hosts.deny files is the same as with TCP_Wrappers. Simply add a line like
rpcbind : 123.456.78.23 123.456.67.
to the /etc/hosts.allow file. Then add a line like
rpcbind : ALL
to the /etc/hosts.deny file. This example allows access from the host 123.456.78.23 and from the subnet 129.456.67.*.

For RPCBind to take affect, you need to reboot your system.
sol9demo# /usr/sbin/shutdown -i6 -g0 -y

FTP Server

Objective: Activate the FTP server using security measures built into Solaris.

Procedure: The FTP Server integrated into Solaris 10 is based on the Washington University WU-FTP Server and has security features already built in. If you have to activate an FTP Server (instead of using SCP - Secure Shell copy [see man -s 1 scp]), then you can start FTP as follows:

Make sure the FTP service is enabled
sol10demo# /bin/svcs -a | /bin/grep ftp
online 14:59:25 svc:/network/ftp:default
Otherwise activate the service using svcadm
sol10demo# /usr/sbin/svcadm enable svc:/network/ftp:default

Now edit the file /etc/ftpd/ftpaccess and change
class realusers real *
to
class realusers real 123.456.78.9 123.456.98.*
in order to filter access to a single IP-address or an address range.

Don't forget to allow FTP access in your IPF firewall, for example in /etc/ipf/ipf.conf add:
pass in quick proto tcp from any to 123.456.7.8 port = 21 keep state
where the to address corresponds to the local system.

Samhain

Objective: Protect the installed operating system from unauthorized modifications. Samhain is an advanced file integrity / intrusion detection tool. It is designed for tamper resistance and centralized monitoring of multiple hosts in a network.

Procedure: First get the software (samhain-current.tar.gz) from Samhain Labs

Then follow the instructions published on same page as where you downloaded the software. Make sure that you have edited the /etc/aliases file to add the name of a real person for the root user. Then run
sol10demo# /usr/sbin/newaliases
to update the sendmail database.

In the /etc/samhainrc file you should uncomment the SetMailAddress=root@localhost directive so that messagees which samhain sends are delivered to a real person.

Note that you might see some error messages during the initialization of the database (i.e. when running samhain -t init). You'll need to modify the /etc/samhainrc file to correct the problems and then re-run the above command. You should also review what files and directories samhain is looking after in the samhainrc file.

Also, if you are running a program like NetBackup, you will need to add the following directive to the samhainrc file under the category [Misc]:
Change
# RedefReadOnly = (no default)
to
RedefReadOnly = CTM

 

(C) 2005 ETH Zurich - Communication/Informatic Services