Unix Security: Solaris Specific Measures

Solaris systems ship with certain default settings that do not work well in UF's networking environment. This page documents some of the more glaring problems and how to secure them.

Note: This page does not cover all of the known security problems. Implementing the mentioned changes is not a replacement for hiring a competent systems security administrator/consultant.

Sendmail
By default, sendmail runs on each machine. While this is useful if your department doesn't use a central mail host, it also allows unauthorized machines on the Internet to use your host as a "relay" for unsolicited commercial email (UCE, a.k.a. "spam").

Fix:

Edit /etc/init.d/sendmail, remove the "-bd" flag, and reboot. Other machines will no longer be able to send messages to this machine. If this machine requires incoming email support, you should upgrade to a newer version of sendmail.

"Stack-smashing" exploits
Many of the remote-access exploits use a buffer overflow bug known as a "stack smash". Beginning with a security patch to Solaris 2.6 (and included in Solaris 7 and later), you can patch the host's kernel to disable many of these exploits.

Fix:

Add the following two lines to /etc/system:

set noexec_user_stack=1
set noexec_user_stack_log=1

Then reboot the system with the command

reboot -- -r

NOTE: each space and hyphen matters.
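As an added example that is not part of the CLASnet page, the POSIX shell script below makes the /etc/system change idempotently: it rewrites an existing noexec_user_stack line rather than appending a duplicate, so it can be run from a configuration-management job more than once. It works on a constructed scratch copy unless the (assumed) SYSTEM_FILE variable points it at the real file; the reboot -- -r step is left to the administrator.

```shell
#!/bin/sh
# Added example, not part of the CLASnet page. Idempotently sets the two
# noexec_user_stack tunables in an /etc/system-style file. SYSTEM_FILE is an
# assumed environment variable: when unset, the script uses a scratch copy.

# add_system_setting FILE NAME VALUE
# Rewrite an existing active "set NAME=..." line, or append one if absent,
# so repeated runs never produce duplicate entries. The rewrite goes through
# a temp file and "cat" so the original file keeps its owner and mode.
add_system_setting() {
    file=$1 name=$2 value=$3
    if grep -q "^[[:space:]]*set[[:space:]]\{1,\}${name}[[:space:]]*=" "$file"; then
        sed "s/^[[:space:]]*set[[:space:]]\{1,\}${name}[[:space:]]*=.*/set ${name}=${value}/" \
            "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf 'set %s=%s\n' "$name" "$value" >> "$file"
    fi
}

# harden_user_stack FILE: apply both settings from the page.
harden_user_stack() {
    add_system_setting "$1" noexec_user_stack 1      # refuse to run code on user stacks
    add_system_setting "$1" noexec_user_stack_log 1  # log the attempts that were refused
}

# count_stack_settings FILE: number of active lines in the desired state
# (2 means the host is configured as the page recommends, pending reboot).
count_stack_settings() {
    grep -c -E '^set noexec_user_stack(_log)?=1$' "$1" || true
}

# Demo on a constructed scratch file unless SYSTEM_FILE is set.
target=${SYSTEM_FILE:-$(mktemp)}
if [ ! -s "$target" ]; then
    printf '* constructed sample of a stock /etc/system\nset maxusers=64\n' > "$target"
fi
harden_user_stack "$target"
harden_user_stack "$target"   # second run must leave the file unchanged
echo "$target: $(count_stack_settings "$target") of 2 settings active"
```

The settings only take effect after the reconfiguration reboot; the count reported here shows what the file says, not what the running kernel is doing.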

Admind & Sadmind
Supposedly used for remote administration, this program's default settings can allow anyone on the Internet to modify the machine's configuration.

Fix:

Comment the line out of /etc/inetd.conf and reboot. If you must use the daemon, add the

-S 2

switch to the admind line in /etc/inetd.conf.

SNMP
By default, Solaris ships with an SNMP sub-system, which allows remote read (and write) access to the machine. Under certain circumstances, intruders can modify the host's configuration.

Fix:

Remove the following packages, via pkgrm(1m) and reboot:

  • SUNWmibii
  • SUNWsacom
  • SUNWadmi
  • SUNWsasnm

If the /var/sadm directory has been damaged, you may be unable to remove these packages. Delete the /etc/rc3.d/S76snmpdx startup file and reboot.

BSD-style remote utilities
These remote access utilities do not properly check the originating host for identification and/or authentication. Also, when they use a password, the password is passed in clear text.

Fix:

Comment out the following services from /etc/inetd.conf and reboot.

  • shell (rsh)
  • login (rlogin)
  • exec (rexec)
  • rexd

As an alternative, install and use SSH to provide equivalent functionality. In this case, you may wish to disable the telnet service as well.

RPC statd
The statd daemon is used for NFS file locking; older versions of the daemon can be fooled into overwriting system files.

Fix:

Apply the current security patch set for Solaris, or disable statd if you aren't using NFS. Look at /etc/init.d/nfs.client for more information.

ToolTalk DB
The ToolTalk database daemon is part of CDE. Among other services, the rpc.ttdbserverd allows "drag & drop" operations under CDE. Unfortunately, many versions will allow remote file creation and/or program execution.

Fix:

Comment out the rpc.ttdbserverd line in /etc/inetd.conf and reboot. If you require its functionality, make sure you stay current with the Solaris security patches.

Network Information Services (NIS)
NIS is used for sharing account/group/password information between multiple machines. While useful, the standard configuration will let anyone on the Internet download that information, and remotely "crack" your password(s).

Fix:

Add a /var/yp/securenets file to restrict what hosts may contact your NIS daemons. Take a look at the securenets(4) man page for more information.
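Added example, not part of the CLASnet page: a small checker for the securenets file format. It reads a file in the two-field "netmask network" or "host address" layout described in securenets(4), reports malformed entries, and flags a 0.0.0.0 netmask, which matches every client and so defeats the purpose of the file. All addresses below are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the CLASnet page. Validates a /var/yp/securenets
# file read from stdin. Network values in the sample are constructed.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad whose octets are 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# check_securenets < securenets
# Prints "BAD line: ..." for entries that are not "netmask network" or
# "host address", and "OPEN line: ..." for a 0.0.0.0 netmask.
check_securenets() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac     # blank and comment lines
        set -- $line                                  # split into fields
        if [ $# -ne 2 ]; then
            echo "BAD line: $line"; continue
        fi
        if [ "$1" = host ]; then
            if ! is_ipv4 "$2"; then echo "BAD line: $line"; fi
            continue
        fi
        if ! is_ipv4 "$1" || ! is_ipv4 "$2"; then
            echo "BAD line: $line"; continue
        fi
        if [ "$1" = 0.0.0.0 ]; then
            echo "OPEN line: $line"
        fi
    done
    return 0
}

# Constructed sample: two good entries, two malformed ones, one wide open.
SAMPLE_SECURENETS=$(printf '%s\n' \
    '# constructed sample /var/yp/securenets' \
    '255.255.255.0 10.10.20.0' \
    'host 10.10.21.5' \
    '255.255.0.0 10.10' \
    '0.0.0.0 0.0.0.0' \
    'host 10.10.21.300')

printf '%s\n' "$SAMPLE_SECURENETS" | check_securenets
```

Run it as `check_securenets < /var/yp/securenets` before restarting ypserv, which reads the file when it starts.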

NFS exports
By default, sharing a filesystem via NFS allows "world access" to read and write the filesystem. A cracker could modify files on the shared filesystem, potentially gaining access to the host.

Fix:

Use the ro, rw, and root options to limit access to known secure hosts. It is recommended to never use the root or anon=0 options unless you are a full-time Unix administrator who fully understands both NFS and NIS.
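Added example, not part of the CLASnet page: an audit of share entries in /etc/dfs/dfstab format that reports the two problems described above. A share with no ro= or rw= host list (or with a bare ro/rw, which applies to everyone) is reported as world-accessible, matching the default the page describes, and any root= or anon=0 option is reported as a root mapping. The dfstab lines and host names are constructed.

```shell
#!/bin/sh
# Added example, not part of the CLASnet page. Audits share(1M) entries
# read from stdin in /etc/dfs/dfstab format. Sample entries are constructed.

# audit_dfstab < dfstab
# Prints "WORLD-ACCESS <path>" when no ro=/rw= host list restricts the share
# (or a bare ro/rw opens it to all clients), and "ROOT-MAPPING <path>" when
# root= or anon=0 is present.
audit_dfstab() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }                  # comments and blank lines
    $1 == "share" {
        path = $NF; opts = ""
        for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        n = split(opts, o, ",")
        haslist = 0; world = 0; root = 0
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^r[ow]=/) haslist = 1       # ro=hosts or rw=hosts
            else if (o[i] == "ro" || o[i] == "rw") world = 1
            if (o[i] ~ /^root=/ || o[i] == "anon=0") root = 1
        }
        if (!haslist || world) print "WORLD-ACCESS", path
        if (root) print "ROOT-MAPPING", path
    }'
}

# Constructed sample dfstab: one acceptable share and three that should be flagged.
SAMPLE_DFSTAB=$(printf '%s\n' \
    '# constructed sample /etc/dfs/dfstab' \
    'share -F nfs -o rw=ws1.example.edu:ws2.example.edu,nosuid -d "home dirs" /export/home' \
    'share -F nfs -o ro /export/pub' \
    'share -F nfs -o rw=ws1.example.edu,root=ws1.example.edu /export/root' \
    'share -F nfs /export/tmp')

printf '%s\n' "$SAMPLE_DFSTAB" | audit_dfstab
```

Run `audit_dfstab < /etc/dfs/dfstab` after every change to the shares; an empty report means every share names its clients and none grants remote root.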

Bootparam
Bootparam is used to net-boot other Solaris machines. Among other information, the daemon provides your server's NIS domain. Combined with the potential NIS problem mentioned earlier, a remote cracker can access your NIS maps.

Fix:

Comment bootparamd out of /etc/inetd.conf unless you're actively supporting a network of Sun net-booting workstations.
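Several of the fixes above (Admind & Sadmind, the BSD-style remote utilities, ToolTalk DB, and Bootparam) come down to commenting lines out of /etc/inetd.conf. As an added example that is not part of the CLASnet page, the script below does that in one pass by matching the server program in field 6 of each line, and offers the page's alternative for sadmind of appending -S 2 instead of disabling it. The program names in the default list (rpc.bootparamd, admind) and the sample inetd.conf lines are assumptions and constructed samples; review the output before copying it over /etc/inetd.conf and restarting inetd.

```shell
#!/bin/sh
# Added example, not part of the CLASnet page. Filters an inetd.conf read
# from stdin, commenting out the services the page says to disable, and
# optionally hardens sadmind with "-S 2" instead. Writes nothing to /etc.

# Server programs (basename of field 6 in inetd.conf) the page recommends
# disabling. rpc.bootparamd and admind are assumed names.
DEFAULT_DISABLE='in.rshd in.rlogind in.rexecd rpc.rexd rpc.ttdbserverd rpc.bootparamd sadmind admind'

# disable_inetd_services [LIST] < inetd.conf > inetd.conf.new
# Comments out active lines whose server program is in LIST (default above).
disable_inetd_services() {
    awk -v list="${1:-$DEFAULT_DISABLE}" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    /^[ \t]*#/ || NF < 7 { print; next }            # comments, blanks, odd lines: untouched
    {
        prog = $6; sub(/.*\//, "", prog)             # basename of server_program field
        if (prog in bad) print "#" $0; else print
    }'
}

# sadmind_strong_auth < inetd.conf > inetd.conf.new
# Appends " -S 2" (strong RPC authentication) to an active sadmind line that
# does not already carry it; rerunning does not append a second copy.
sadmind_strong_auth() {
    awk '
    !/^[ \t]*#/ && NF >= 7 {
        prog = $6; sub(/.*\//, "", prog)
        if (prog == "sadmind" && $0 !~ /-S[ \t]+2/) { print $0 " -S 2"; next }
    }
    { print }'
}

# Constructed sample inetd.conf (real files are tab-separated; awk accepts both).
SAMPLE=$(printf '%s\n' \
    '# constructed sample inetd.conf' \
    'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
    'shell stream tcp nowait root /usr/sbin/in.rshd in.rshd' \
    'login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind' \
    'exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd' \
    'rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd' \
    '100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd' \
    '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind')

echo "== everything the page lists, disabled =="
printf '%s\n' "$SAMPLE" | disable_inetd_services
echo "== keep sadmind, but require strong authentication =="
printf '%s\n' "$SAMPLE" | disable_inetd_services 'in.rshd in.rlogind in.rexecd rpc.rexd rpc.ttdbserverd' \
    | sadmind_strong_auth
```

For the real file: `disable_inetd_services < /etc/inetd.conf > /tmp/inetd.conf.new`, compare it with the original, then install it and reboot (or signal inetd) as the page describes.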

Portmapper
Most RPC programs are configured to register themselves with the machine's portmapper upon startup. While this registration is critical for the machine to invoke RPC programs, remote machines can exploit RPC programs via the portmapper.

Fix:

No fix is available from Sun. We recommend adding a port filter on your switch or router to protect your machines from remote networks. You will need to filter these ports:

  • 111 / tcp
  • 111 / udp
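Added example, not part of the CLASnet page: a check that reads the output of rpcinfo -p and lists registrations for the RPC services discussed on this page (statd, rpc.ttdbserverd, sadmind, bootparamd, rpc.rexd). Run against the host from a machine on the far side of the switch or router filter, rpcinfo -p should fail to reach port 111 at all; run locally, it shows what the portmapper would still hand out to anyone who can reach it. The rpcinfo text embedded below is a constructed sample; the program-number-to-service mapping is the standard one for these services.

```shell
#!/bin/sh
# Added example, not part of the CLASnet page. Reads "rpcinfo -p" output
# from stdin and lists registrations whose program number is on a watch
# list of the services this page discusses. Sample output is constructed.

# audit_rpc_registrations < rpcinfo-output
# Prints "<service> <program> <proto>/<port> -> <what the page says>" per hit.
audit_rpc_registrations() {
    awk '
    BEGIN {
        watch[100024] = "statd: patch or disable if NFS unused"
        watch[100083] = "rpc.ttdbserverd: comment out of inetd.conf"
        watch[100232] = "sadmind: comment out, or run with -S 2"
        watch[100026] = "bootparamd: comment out unless net-booting"
        watch[100017] = "rpc.rexd: comment out of inetd.conf"
    }
    $1 ~ /^[0-9]+$/ && ($1 in watch) { print $5, $1, $3 "/" $4, "->", watch[$1] }'
}

# Constructed sample of "rpcinfo -p" output from an unhardened host.
SAMPLE_RPCINFO=$(printf '%s\n' \
    '   program vers proto   port  service' \
    '    100000    4   tcp    111  rpcbind' \
    '    100000    3   tcp    111  rpcbind' \
    '    100000    2   udp    111  rpcbind' \
    '    100024    1   udp  32772  status' \
    '    100024    1   tcp  32771  status' \
    '    100083    1   tcp  32773  ttdbserverd' \
    '    100232   10   udp  32775  sadmind' \
    '    100026    1   udp  32776  bootparam' \
    '    100021    4   tcp   4045  nlockmgr')

printf '%s\n' "$SAMPLE_RPCINFO" | audit_rpc_registrations
```

Usage on a live host is `rpcinfo -p | audit_rpc_registrations`; an empty result means none of the watched services is registered, though rpcbind itself still answers on 111 until the network filter is in place.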

Please remember that this is not a complete list. We welcome your submissions of problems and solutions.


[CLASnet main page] Last updated: Aug 03, 2004 (09:47:50 AM EDT)
URL: http://www.clasnet.ufl.edu/security/unix-solaris.shtml

College of Liberal Arts & Sciences
CLASnet

109 Rolfs Hall
PO Box 117300
Gainesville FL 32611
 
Contact: CLASnet
Phone: (352) 846.1990
FAX: (352) 846.1995
