Solaris 2.6 Firewall, Example Installation & Configuration

Table of Contents

0) Disclaimer
1) Compile Host Information
2) Install OS from Solaris 2.6 CD
3) Configure System
4) Encryption and Authentication
5) Test and Retest
6) Additional Software


0) Disclaimer

This procedure details one way, of many, to configure a secure firewall platform based on Sun Solaris. It will be too restrictive for most other uses. It may even be too restrictive for your firewall. No warranty is made as to the accuracy or reliability of this document. Use at your own risk.

1) Compile Host Information

1.2 IP addresses     = ___________________________
1.3 defaultrouter    = ___________________________ (if any)
1.4 timeserver       = ___________________________ (if any)
1.5 date             = ___________________________
1.6 root password    = ___________________________
1.7 part of a subnet = ___________________________
1.8 timezone         = ___________________________ (i.e., US/Pacific)
1.9 naming service   = ___________________________ (DNS = other)

2) Install OS from Solaris 2.6 CD

2.1 select the "core system" software cluster
2.2 customize by adding the following packages:
    a) "automated security enhancement tools"
    b) "interprocess communication"
    c) "network time protocol"
    d) "source compatibility" (usr)
    e) "static utilities"
    f) "SunOS 4.x binary compatibility"
    g) "system accounting"
    h) "system & network administration"
    i) "volume management" (root & usr)
    j) "xcu4 utilities"
2.3 manually layout the disks (partition - manual layout - customize)
    If Solaris 2.6:       root = 1.9GB+, swap = 500MB+, remainder on /var
    else (2.7 or later):  swap = 750MB, root = everything else
    (assuming a single disk system)
    NOTE:
    * swap size is application dependent
    * root partitions larger than 2GB are not supported on older EEPROMs or 32 bit CPUs
2.4 select "install & reboot"
2.5 install the current recommended patch cluster from Sun's Sunsolve website at:
    http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access

3) Configure System

3.1 edit configuration files
    vi /etc/hosts                (define loghosts, mailhost, timehost)
    vi /etc/hostname.*           (substitute IP addresses for hostnames)
    vi /etc/vfstab               (comment out /tmp swapfs if not needed)
    vi /etc/resolv.conf          (domainname and 2 nameservers)
    vi /etc/nsswitch.conf        (hosts: files dns)
    vi /etc/power.conf           (comment out autoshutdown)
    vi /etc/defaultrouter        (IP address of default router, disables RIP)
    vi /etc/ntp.conf             (IF using xntp for time synchronization)
    vi /etc/default/{su,login}   (CONSOLE=/dev/console)
    vi /etc/mail/sendmail.cf     (Mprog, PrivacyOptions, MaxDaemonChildren,
                                  MaxMessageSize, SuperSafe, ...)
3.2 create account files
    vi /.cshrc /.profile /.kshrc /.bashrc /.exrc
    more /etc/skel/cshrc
3.3 install sysadmin utilities (http://sunfreeware.com/)
    RCS:  mkdir ~admin/RCS ; ln -s ~admin/RCS /etc
          cd /etc ; ci -l inetd.conf host* ftpusers, ...
    bash, gzip, less, lsof, rsync, sudo, tar, tcsh, top, zip, ...
3.4 disable unneeded startup scripts
    cd /etc/rcS.d
    mv S50devfsadm s50devfsadm
    cd /etc/rc2.d
    mv S92volmgt s92volmgt
    #mv S88sendmail s88sendmail
    mv S74autofs s74autofs
    mv S73nfs.client s73nfs.client
    mv S99dtlogin s99dtlogin
    mv S85power s85power
    mv S47asppp s47asppp
    mv S70uucp s70uucp
    mv S80lp s80lp
    ...
    cd /etc/rc3.d
    mv S15nfs.server s15nfs.server
    mv S76snmpdx s76snmpdx
    mv S77dmi s77dmi
    ...
3.5 configure logging
    vi /etc/syslog.conf (convert all spaces to tabs)
        syslog,auth,local7,local5.debug;daemon.notice;local6.info;user.none   /dev/console
        *.alert;auth.debug;kern.err;daemon.err;user.none                      operator
        kern.notice     /var/log/kern.messages
        daemon.debug    /var/log/daemon.messages
        user.debug      /var/log/user.messages
        cron.emerg      /var/log/cron.messages
        auth.info       /var/log/auth.messages
        news.debug      /var/log/news.messages
        mail.info       /var/log/mail.messages
        uucp.notice     /var/log/uucp.messages
        lpr.debug       /var/log/lpr.messages
        local0.info     /var/log/local0.messages
        local1.debug    /var/log/local1.messages
        local2.debug    /var/log/local2.messages
        local3.debug    /var/log/local3.messages
        local4.debug    /var/log/local4.messages
        local5.debug    /var/log/local5.messages
        local6.debug    /var/log/local6.messages
        local7.debug    /var/log/local7.messages
        debug           @loghost2
    create the logfiles under /var/log (touch)
    kill -1 <syslog pid>
    touch /var/adm/loginlog
    chmod o-w /var/{log,adm}/* /var/log/sysidconfig.log
3.5 enable aset
    /usr/aset/aset -p -l med
3.6 schedule periodic administrative tasks
    crontab -e
        22 * * * *   /var/admin/cron/hourly
        22 22 * * *  /var/admin/cron/daily
        2 22 * * 0   /var/admin/cron/weekly
        2 2 1 * *    /var/admin/cron/monthly
3.7 cleanup non-root crontabs
    cd /var/spool/cron/crontabs
    rm -f uucp sys adm lp
    chmod go-rwx . *
    ls -l
    sed 's/:.*$//' /etc/passwd | grep -v root > /etc/cron.d/at.deny    (or rm at.deny)
    sed 's/:.*$//' /etc/passwd | grep -v root > /etc/cron.d/cron.deny  (or rm cron.deny)
3.8 email aliases
    forward root & postmaster to real user
    forward system accounts to /dev/null
    rebuild: /usr/lib/sendmail -bi
3.9 delete extraneous files
    rm -f /usr/sbin/{eeprom} /dev/openprom /devices/pseudo/openeepr@0:openprom
    ls -l /usr/sbin/{eeprom} /dev/openprom /devices/pseudo/openeepr@0:openprom
    rm -rf /var/spool/uucp* /etc/uucp
    ls -l /var/spool/uucp* /etc/uucp
    rm -rf /tftp* /.dt* /.Xauthority /.wastebasket /xfn /net /export /mnt /core
    ls -l /tftp* /.dt* /.Xauthority /.wastebasket /xfn /net /export /mnt /core
    rm -f /var/adm/spellhist
    ln -s /dev/null /var/adm/spellhist
    ln -s /dev/null /core (?)
3.10 disable incoming ftp
    sed 's/:.*$//' /etc/passwd > /etc/ftpusers
3.11 disable 'cron' logging (to avoid full disk bug)
    vi /etc/default/cron (CRONLOG=NO)
3.12 create login banners
    echo "------ Unauthorized Access Prohibited ------" > /etc/issue
    echo "" >> /etc/motd
    echo " ------ Unauthorized Access Prohibited ------" >> /etc/motd
    echo "" >> /etc/motd
3.13 disable kernel routing
    echo "" >> /etc/rc2.d/S69inet
    echo "ndd -set /dev/ip ip_forwarding 0" >> /etc/rc2.d/S69inet
    echo "ndd -set /dev/ip ip_forward_src_routed 0" >> /etc/rc2.d/S69inet
    echo "ndd -set /dev/ip ip_forward_directed_broadcasts 0" >> /etc/rc2.d/S69inet
    vi /etc/default/inetinit (TCP_STRONG_ISS=2)
    touch /etc/notrouter
    touch /etc/defaultrouter
3.14 restrict standard and rpc services
    vi /etc/inetd.conf
        comment out everything (:1,$s/^/#/)
        uncomment as needed
    kill -1 <inetd_pid>
    echo "rpcbind : ALL" > /etc/hosts.deny (with modified rpcbind)
3.15 check the password files
    vipw
        add /bin/false shell to system accounts
        (add "admin" user (admin:x:0:1:Super-User:/var/admin:/bin/csh))
        (add "operator" and "suoperator" accounts as needed)
    pwck                                check /etc/passwd for errors
    awk -F: '{print $2}' /etc/shadow    check /etc/shadow for errors
3.16 check /etc/system
    grep -v '^*' /etc/system | grep -v '^$'
3.17 tighten permissions and other misc holes (per ISS & CERT)
    find /opt/SUNWrtvc -perm 777 -exec chmod go-w {} \; -ls
    chmod 660 /devices/sbus@1f,0/espdma@e,8400000/esp@e,8800000/st@4*
    chmod 550 /usr/lib/fs/ufs/ufsrestore
    chmod 555 /usr/openwin/bin/ff.core
    #chmod 550 /bin/su
    chmod 000 /etc/default/sys-suspend /usr/openwin/bin/sys-suspend
    vi /usr/openwin/lib/speckeysd.map
    chgrp sysadmin `which admintool`; chmod o-rwx `which admintool`
    chmod -R ugo+r /usr/openwin
    chmod 400 /usr/vmsys/bin/chkperm
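The following is an added example, not part of the original checklist: a small set of sh helpers for steps 3.5, 3.7, 3.10 and 3.14 (tab-separated syslog.conf, deny lists built from the passwd file, and inetd.conf services left enabled). It runs against constructed sample files under a temp directory ($ROOT is an assumption); on a real host the inputs are /etc/syslog.conf, /etc/passwd and /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not from the checklist). $ROOT holds constructed samples so
# this runs anywhere; on a Solaris host point the functions at /etc/*.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Constructed sample files, not real system content.
cat > "$ROOT/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
admin:x:0:1:Super-User:/var/admin:/bin/csh
rootkit:x:100:1::/tmp:/bin/false
uucp:x:5:5::/usr/lib/uucp:/bin/false
EOF
cat > "$ROOT/inetd.conf" <<'EOF'
#ftp    stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
ssh     stream  tcp  nowait  root  /usr/local/sbin/sshd  sshd -i
#telnet stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
EOF
# Line 1 is tab-separated, line 2 still uses spaces.
printf 'kern.notice\t/var/log/kern.messages\nauth.info   /var/log/auth.messages\n' \
    > "$ROOT/syslog.conf"

# 3.7 / 3.10: account names for cron.deny, at.deny and ftpusers. The
# checklist's 'grep -v root' also drops any name that merely contains "root"
# (the constructed "rootkit" entry here); -x keeps only the exact name out.
deny_list() {
    sed 's/:.*$//' "$1" | grep -vx root
}

# 3.14: service names still enabled (non-comment, non-blank) in inetd.conf.
enabled_inetd() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# 3.5: syslogd needs a tab between selector and action. Report line numbers
# of non-comment lines that still contain a space, and rewrite runs of
# spaces to a single tab.
syslog_space_lines() {
    awk '!/^#/ && / / { print NR }' "$1"
}
syslog_fix_tabs() {
    tr -s ' ' '\t' < "$1"
}

echo "deny list:              $(deny_list "$ROOT/passwd" | tr '\n' ' ')"
echo "inetd enabled:          $(enabled_inetd "$ROOT/inetd.conf" | tr '\n' ' ')"
echo "syslog.conf bad lines:  $(syslog_space_lines "$ROOT/syslog.conf" | tr '\n' ' ')"
```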

4) Encryption and Authentication

4.1 install ssh
    ftp://ftp.cs.hut.fi/pub/ssh/
    ftp://sunsite.unc.edu/pub/packages/security/ssh/
    ftp://ftp.kyoto.wide.ad.jp/pub/security/ssh/
    vi /etc/services (ssh 22/tcp)
    vi sshd_config (see 6.3 below)
    kill -1 `ps auxww|grep inetd|grep -v grep|awk '{print $2}'`
    telnet localhost 22
    If there's no inetd: use a startup script (/etc/rc2.d/S81sshd)
    else add to inetd.conf

5) Test, Test and Retest

5.1 local
    ps auxww (ps -ef) ; netstat -a ; showrev -p ; prtconf ; ...
5.2 remote
    nmap ; portscan ; rpcinfo -p ; ...
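An added example for the local test step, not from the original checklist: reduce a saved `netstat -a` listing to its TCP listeners and flag any port a firewall host is not expected to expose. The listing below is constructed in the Solaris "*.port" style; on a real host, feed the function the actual netstat -a output instead.

```shell
#!/bin/sh
# Added example (not from the checklist). The netstat listing is constructed;
# only the "Local Address" and "State" columns are used.
NETSTAT=$(mktemp)
trap 'rm -f "$NETSTAT"' EXIT

# Constructed sample: sshd (22), sendmail (25) and rpcbind (111) listening,
# plus one established session that must be ignored.
cat > "$NETSTAT" <<'EOF'
TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0  8576      0 LISTEN
      *.25                 *.*                0      0  8576      0 LISTEN
      *.111                *.*                0      0  8576      0 LISTEN
localhost.22         localhost.34567     8760      0  8760      0 ESTABLISHED
EOF

# Ports in LISTEN state, one per line: the local address is host.port, so
# strip everything up to and including the last dot.
tcp_listeners() {
    awk '$NF == "LISTEN" { sub(/.*\./, "", $1); print $1 }' "$1"
}

# Listeners absent from the space-separated allowlist; no output means the
# host exposes only what was expected.
unexpected_listeners() {
    file=$1
    allow=" $2 "
    for p in $(tcp_listeners "$file"); do
        case "$allow" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# For this checklist only ssh (22) and mail (25) are expected on a firewall;
# 111 showing up means rpcbind is still running (see 3.14 and 6.1).
unexpected_listeners "$NETSTAT" "22 25"
```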

6) Additional Software

6.1 compile secure rpcbind (if you MUST use rpc)
    Download from ftp://ftp.win.tue.nl/pub/security/rpcbind_2.tar.gz
    make; cp /usr/sbin/rpcbind /usr/sbin/rpcbind.ori; cp rpcbind /usr/sbin/rpcbind; reboot
    vi /etc/hosts.deny (and /etc/hosts.allow) for access control
    Using the OS supplied named or sendmail is generally NOT recommended.
    Compile the current version from source code instead (bind, sendmail, dhcp, etc).
6.2 periodic cron scripts (/var/admin/cron/ or /etc/periodic/)
    hourly:
        ping remote hosts
        test/set emailbox permissions
        check daemons (syslog, sendmail, named, fwm, ssh)
        rotate any log files larger than 1.5MB
    daily:
        check disk utilization
        check sendmail queue
        synchronize time (ntpdate, rdate)
    weekly (report emailed):
        disk utilization
        check/report (password file, SYN queue, hosts.{allow,deny}, ftp access,
                      sendmail queue, wtmp/wtmpx size)
        ASET report
        Solaris patches
        run tripwire and mail separate report
    monthly (report emailed):
        rotate and archive log files
6.3 ssh
    /etc/sshd*config:
        PermitRootLogin no
        IgnoreRhosts yes
        SyslogFacility LOCAL3
        RhostsAuthentication no
        RhostsRSAAuthentication no
        RSAAuthentication no
        PasswordAuthentication yes
        PermitEmptyPasswords no
        UseLogin no
        AllowHosts ...
6.4 skey
    Download from ftp://ftp.win.tue.nl/pub/security/logdaemon...tar.gz
    compile the skeysh to allow logins to the root account
        comment the section in skeysh/skeysh.c: "ROOT LOGIN REFUSED"
    (create an skey account (with or without a password) for ssh)
6.5 Firewall-1
    1) install under /opt/SUNWfw
       apply any patches
    2) add the following to /.cshrc
           if ( -d /opt/SUNWfw ) then
               setenv FWDIR /opt/SUNWfw
               setenv PATH ${PATH}:${FWDIR}/bin
               setenv MANPATH ${MANPATH}:${FWDIR}/man
           endif
    3) vi /etc/rc3.d/S95firewall1
       add $FWDIR/bin/fwm
    4) vi /opt/SUNWfw/bin/fwstart
       comment out snmp startup (if not needed)
    5) add mgmt users
       fwm -a
    6) add mgmt hosts
       vi $FWDIR/conf/gui-clients (not $FWDIR/conf/masters)
    7) clean license file (as required)
       cd $FWDIR/conf
       mv fw.license fw.license.ori
       mv fw.LICENSE fw.LICENSE.ori
       ../bin/fw putlic ...
    8) disable SNMP; Security Policy, Properties, ...
    9) reboot & check /etc/rcS.d/S30rootuser.sh
6.6 one time passwords (root account only?)
    skey/logdaemon
    /usr/sbin/skeysh, skey account; keyinit+key
6.7 heavy duty filesystem and integrity checking
    iss s3, (axent), tripwire, ...
6.8 if inetd services are enabled
    tcp_wrappers (for logging and authentication)
    tcpdchk
6.9 sendmail
    spam filters, RBL, DUL, ORBS
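An added example for the 6.3 settings, not from the original checklist: compare an sshd_config against the directives listed above and print each one that is missing or set differently, which is the check worth re-running after every ssh upgrade. The config file here is constructed; on a real host the path (assumed to be /etc/sshd_config) is passed in instead. AllowHosts is site-specific and is not checked.

```shell
#!/bin/sh
# Added example (not from the checklist). $CFG is a constructed sshd_config
# in which two directives deviate from 6.3 and one is absent.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT

cat > "$CFG" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
IgnoreRhosts yes
SyslogFacility AUTH
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
PasswordAuthentication yes
UseLogin no
EOF

# Required "keyword value" pairs from 6.3.
REQUIRED='PermitRootLogin no
IgnoreRhosts yes
SyslogFacility LOCAL3
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no'

# Print "Keyword expected actual" for every deviation ("-" = not set at all).
# Keyword match is case-insensitive and the first uncommented occurrence
# wins, matching the way sshd reads its config file.
sshd_violations() {
    printf '%s\n' "$REQUIRED" | while read -r key want; do
        have=$(awk -v k="$key" \
            '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "${have:--}"
    done
}

sshd_violations "$CFG"
```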


http://www.roble.com/docs/secure_solaris.html Copyright 1999, Roble Systems Consulting, All rights reserved