How To Prepare a System for Production.
update 11/07/2001
By Colin A. Bitterfield
SUN Microsystems, Inc.
A note on these recommendations: Solaris 2.6 is end of life and Solaris 8 is currently the flagship OS, so this article targets Solaris 8. Some of the tuning parameters listed did not exist in Solaris 2.6, and others are no longer an issue in 8.
Edit or create the following files:

a. /etc/default/login
+CONSOLE=/dev/console
+PATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb:.
+SUPATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
+SYSLOG_FAILED_LOGINS=3

b. /etc/default/su
+PATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
+SUPATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb

c. /etc/default/telnetd
+BANNER=""

d. /etc/default/ftpd
+BANNER=""

e. /etc/default/inetinit
-TCP_STRONG_ISS=1
+TCP_STRONG_ISS=2
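The /etc/default files in a. through e. are plain KEY=VALUE files, and the safest way to apply the changes above is with a script that replaces an existing (possibly commented-out) line rather than appending a duplicate, then reads the value back to confirm it. The following is an added example and not part of the original article; the function names (set_default_kv, get_default_kv, harden_login_defaults, make_sample_login) are my own, and the sample file is constructed, not a real Solaris /etc/default/login. One deliberate difference from the page: the PATH written here omits the trailing "." that the page's PATH carries, because a current-directory entry in the login PATH lets a file in whatever directory the user happens to be in shadow a system command.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently set KEY=VALUE
# in a Solaris /etc/default-style file, then read it back to verify.
# The file path is a parameter so the logic can be tried on a scratch copy.

# set_default_kv FILE KEY VALUE
#   Replaces an existing "KEY=..." line, whether active or commented out
#   with one or more leading '#', otherwise appends the assignment.
#   Running it twice never produces a second KEY= line.
set_default_kv() {
    file=$1 key=$2 value=$3
    if grep -q "^#*[[:space:]]*${key}=" "$file"; then
        # '|' as the sed delimiter because the values contain '/'
        sed "s|^#*[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_default_kv FILE KEY
#   Prints the active value of KEY (uncommented lines only; the last one
#   wins, which is how login(1) treats repeated keys). Prints nothing if
#   the key is absent or commented out.
get_default_kv() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# harden_login_defaults FILE
#   Applies the section a. settings. PATH intentionally has no trailing "."
#   (hypothetical choice of this example, see the lead-in).
harden_login_defaults() {
    set_default_kv "$1" CONSOLE /dev/console
    set_default_kv "$1" PATH \
        /opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
    set_default_kv "$1" SUPATH \
        /opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
    set_default_kv "$1" SYSLOG_FAILED_LOGINS 3
}

# make_sample_login FILE
#   Writes a constructed file that resembles a stock Solaris 8
#   /etc/default/login: CONSOLE commented out, a different failed-login
#   threshold, and an unrelated key that must survive untouched.
make_sample_login() {
    cat > "$1" <<'EOF'
# Constructed sample resembling a stock Solaris 8 /etc/default/login
#CONSOLE=/dev/console
PASSREQ=YES
#SYSLOG_FAILED_LOGINS=5
EOF
}

# Stand-alone run: harden a scratch copy and show the resulting values.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample_login "$f"
    harden_login_defaults "$f"
    for k in CONSOLE PATH SUPATH SYSLOG_FAILED_LOGINS PASSREQ; do
        printf '%s=%s\n' "$k" "$(get_default_kv "$f" "$k")"
    done
    rm -f "$f"
fi
```

Run it as `sh script.sh demo` to see the merged values; to apply it for real, call harden_login_defaults on a backup copy of /etc/default/login first, diff the result against the original, and only then copy it into place.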
f. /etc/inetd.conf
Please note that a router filter should be in place so that REXEC-type commands are not allowed in from outside the network.
g. /etc/init.d/inetsvc
-/usr/sbin/inetd -s&
+/usr/sbin/inetd -s -t&
h. Create the file /etc/notrouter
# touch /etc/notrouter
i. Modify /etc/init.d/inetinit (at the end) to set TCP tuning parameters.
Reference: this information is an excerpt/recommendation from SysAdmin magazine, November 2000, "Securing Solaris" by Idu Dubrowsky.
+/usr/sbin/ndd -set /dev/tcp tcp_mss_def_ipv4 846
+/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 150000
Reference: this information is an excerpt from "SUN Tuning and Performance" by Adrian Cockcroft and Richard Pettit, second edition. (Use at your own risk; these are some of my recommendations for a web-services-based machine.)
+/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
+/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 1024
+/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 32768
+/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 32768
+/usr/sbin/ndd -set /dev/tcp tcp_slow_start_initial 2
Reference: this one is from a test I performed on moving small files via FTP. I saw a 500% improvement with this setting change.
+/usr/sbin/ndd -set /dev/tcp tcp_deferred_ack_interval 1
j. Modify /etc/system
Reference: the manual for all tuning parameters in Solaris 8. Do *not* make hundreds of changes because you think you need them. Please read the book by Adrian Cockcroft and Richard Pettit.

* Good values to add from defaults
* This adjusts many other parameters that use this as a base for calculation
set maxusers=512
* This parameter allows more "telnet/pty" connections
* Note: max_pty is no longer required to be set in Solaris 8. See the tuning manual.
* set the tcp hash size
set tcp:tcp_conn_hash_size=8192
* Do not set this higher than the default unless you absolutely need to.
* rlim_fd_max
* Do not set this higher than the default unless you absolutely need to.
* rlim_fd_cur
* There are issues with the above parameters when they exceed 1024, which is the new default.

Below are some examples to add for various packages. Please note that the two examples below overlap, with two different settings for the same parameters. If you need both on the same machine, choose the larger value of each parameter.

* For Oracle
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
set semsys:seminfo_semmni=100
set semsys:seminfo_semmsl=100
set semsys:seminfo_semmns=200
set semsys:seminfo_semopm=100
set semsys:seminfo_semvmx=32767

* The following lines are required for Exploring the GNOME Desktop (version 1.4)
set shmsys:shminfo_shmmax = 0x2000000
set shmsys:shminfo_shmmni = 0x1000
set shmsys:shminfo_shmseg = 0x100
* End of settings for Exploring the GNOME Desktop (version 1.4)
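Because the Oracle and GNOME blocks both set shmsys:shminfo_shmmax, shminfo_shmmni and shminfo_shmseg, one in decimal and one in hex, picking "the larger value" by eye is error-prone. The script below is an added example, not code from the original article: it parses /etc/system-style "set" lines, reports which parameters are set more than once, and emits one line per parameter carrying the maximum value in decimal. The function names (merge_system_tunables, find_duplicate_tunables, make_sample_system) are my own and the sample file is constructed from the values in section j.

```shell
#!/bin/sh
# Added example (not from the original article): merge overlapping
# /etc/system tunables, keeping the largest value per parameter, as the
# text advises when two package blocks both set the same shmsys/semsys
# parameter. Values may be decimal or hex (0x...); output is decimal.

# extract_set_lines FILE
#   Prints "key=value" for every "set key=value" line; '*' comment lines
#   and anything else are dropped.
extract_set_lines() {
    sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}//p' "$1"
}

# merge_system_tunables FILE
#   Prints "set key=value" once per key with the maximum value seen.
merge_system_tunables() {
    extract_set_lines "$1" |
    while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | tr -d '[:space:]')
        # arithmetic expansion turns 0x... hex constants into decimal
        printf '%s %s\n' "$key" "$((val))"
    done |
    sort -k1,1 -k2,2nr |
    awk '!seen[$1]++ { printf "set %s=%s\n", $1, $2 }'
}
# The sort groups lines by key with the numerically largest value first,
# and awk keeps only the first line of each group.

# find_duplicate_tunables FILE
#   Prints the keys that are assigned more than once, so the collisions
#   can be reviewed before the merged output is installed.
find_duplicate_tunables() {
    extract_set_lines "$1" |
    awk -F= '{ gsub(/[[:space:]]/, "", $1); n[$1]++ }
             END { for (k in n) if (n[k] > 1) print k }' | sort
}

# make_sample_system FILE
#   Constructed /etc/system fragment using the values from section j.
make_sample_system() {
    cat > "$1" <<'EOF'
* Constructed sample, not a real /etc/system
set maxusers=512
* For Oracle
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
* For GNOME 1.4
set shmsys:shminfo_shmmax = 0x2000000
set shmsys:shminfo_shmmni = 0x1000
set shmsys:shminfo_shmseg = 0x100
EOF
}

# Stand-alone run: show the collisions, then the merged result.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample_system "$f"
    echo "parameters set more than once:"
    find_duplicate_tunables "$f"
    echo "merged:"
    merge_system_tunables "$f"
    rm -f "$f"
fi
```

In the sample, shmseg resolves to 256 (0x100 beats 10) and shmmni to 4096 (0x1000 beats 100), while shmmax keeps the Oracle value 4294967295, which is larger than 0x2000000 (33554432). Note that the merge applies only to parameters where "larger" is the right rule; for anything else in /etc/system, read the tuning manual entry before combining values.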
k. Modify /etc/skel/local.profile
-PATH=/usr/bin:/usr/ucb:/etc:.
l. Modify /etc/profile (at the beginning)
+LD_LIBRARY_PATH=/opt/sfw/lib:/usr/local/lib:/usr/lib:/usr/openwin/lib:/usr/dt/lib
+MANPATH=/opt/sfw/man:/usr/man:/usr/local/man:/usr/dt/man:/usr/openwin/man
+CC=/opt/sfw/bin/gcc
+EDIT=vi
+export LD_LIBRARY_PATH MANPATH CC EDIT
(Later you may want to change the prompts to reflect the relative path and hostname.)
m. Modify /etc/.login (if you use any of the C shells).
n. Create /etc/issue (for instance):
# banner "restricted" " system" "$HOSTNAME" > /etc/issue
# echo "To request access or report violations contact ###-###-####" >> /etc/issue
o. Modify /etc/motd
Make sure to add a section on acceptable use of the system and a phone number to contact in case of issues.
p. Deactivate sendmail
1. If not a mail server, mv /etc/rc2.d/S88sendmail to /etc/rc2.d/K88sendmail and make sure that mailhost resolves to the central mail server.
2. If a sendmail server, mv /etc/mail/main.cf to /etc/mail/sendmail.cf.
q. Deactivate LPD/LPR services
If not a print server, mv /etc/rc2.d/S80lp to /etc/rc2.d/K80lp, then edit /etc/inetd.conf and comment out the printer line.
r. Install OpenSSH
Install the openssl package.
Install the openssh package.
Use ssh-keygen to create the 3 host key files:
# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
Create and install an /etc/init.d/ssh.server script.
s. A more serious lock down
Disable all "r" commands in /etc/inetd.conf.
Disable telnet services and only allow SSH.
Disable ftp services.
Remove almost everything from inetd.conf.
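Sections f., q. and s. all come down to the same edit: comment out lines in /etc/inetd.conf and then check what inetd would still start. The script below is an added example, not code from the original article; the function names (disable_inetd_services, enabled_inetd_services, make_sample_inetd_conf) are my own, and the sample file is a constructed fragment in inetd.conf layout, not a copy of a real Solaris 8 file. It matches on the service name in the first field, so a service listed twice (tcp and tcp6 entries, as Solaris 8 does for many services) is disabled in both places, and it reports the remaining enabled services so the result can be verified before inetd is restarted.

```shell
#!/bin/sh
# Added example (not from the original article): comment out services in
# an inetd.conf file and list what is still enabled, to carry out and
# verify the lock-down described in sections f, q and s.

# disable_inetd_services CONF SERVICE...
#   Prefixes every active line whose first field is one of the given
#   service names with '#'. Lines that are already comments are untouched.
disable_inetd_services() {
    conf=$1; shift
    for svc in "$@"; do
        sed "s/^[[:space:]]*\(${svc}[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    done
}

# enabled_inetd_services CONF
#   Prints the unique names of the services inetd would still start
#   (first field of every non-blank, non-comment line).
enabled_inetd_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1" | sort -u
}

# make_sample_inetd_conf FILE
#   Constructed fragment in inetd.conf layout; "shell" appears twice to
#   mirror the tcp/tcp6 pairs found in Solaris 8.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real /etc/inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
shell   stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/in.rexecd     in.rexecd
printer stream  tcp6    nowait  root    /usr/lib/print/in.lpd   in.lpd
time    stream  tcp6    nowait  root    internal
EOF
}

# Stand-alone run: apply the section s lock-down to a scratch copy and
# print what is left enabled.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample_inetd_conf "$f"
    echo "before:"; enabled_inetd_services "$f"
    disable_inetd_services "$f" shell login exec telnet ftp printer
    echo "after:";  enabled_inetd_services "$f"
    rm -f "$f"
fi
```

On a real system, run enabled_inetd_services against /etc/inetd.conf after editing, compare the list with what the machine is actually meant to serve, and then signal inetd (kill -HUP) so the new file is read; until then the old services stay reachable.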
t. Notes on CDE desktops
Make sure to create the directories:
/etc/dt/config
/etc/dt/config/Xsession.d
You can place a ksh script into Xsession.d to set environment values. See the article on the environment manager.
u. Notes on /etc/skel
If you need to create a directory structure for each user when you create the accounts, create the directories and files here. For instance:
./public_html
./projects
Using profiles you can custom edit a file during the useradd process, e.g. a custom index.html for each new user.
v. Add-on packages to make your life easier
Look into webmin; it is a good web-based graphical management tool for a system administrator. Yes, you can use SSL: if you install the SSL package listed above you can provide access via https.
If you need a free ssh client for your PC, then putty.exe is your best bet: a single small (< 1 MB) executable, no install required, one file.