SUMMARY: why so many ports open on Solaris

From: Chris Hoogendyk (choogend_at_library.umass.edu)
Date: 04/28/04

    Date: Wed, 28 Apr 2004 14:09:35 -0400
    To: Sun Managers <sunmanagers@sunmanagers.org>
    
    

    boatload of replies. thanks to everyone. it looks like I have some
    serious work to do. I'll do a very brief summary, but the only way to do
    justice to the richness of the replies is to include a number of them at
    the end of this, after my original message.

    key item that one person gave me was that the install option you choose
    is important. I had installed the entire distribution, figuring that the
    programming tools would be there. I should have installed the minimal
    system for servers.

    next is to clean out rc2.d and rc3.d in addition to inetd.conf. lots of
    things started from there. of course, I had done a 'kill -HUP' of the
    inetd process, but it is also necessary to restart the system or kill
    processes that have already been started. in this case, I had actually
    restarted the system.

    tools:

       -- lsof widely recommended. get it from sunfreeware or from purdue.
    'lsof -i' gives ports and processes. can pipe to grep.
    http://www.sunfreeware.com

       -- jass, Sun's security tightening tool. get it from Sun. it's a
    script. can read it. can modify it. can just run it.
    http://www.sun.com/security

       -- someone pointed to a setup_rc script that removes all the stuff
    you don't want. run it again after doing patches, because patches can
    put startup scripts back in. I had already encountered this with
    sendmail. I get rid of it, do recommended patches, then have to get rid
    of it again. best to completely uninstall stuff you don't want so a
    startup script won't find it anyway.

    lots more detail in the replies, and a chuckle or two.

    Thanks again to everyone.

    ---------------

    Chris Hoogendyk

    -
        O__ ---- Network Specialist & Unix Systems Administrator
       c/ /'_ --- Library Information Systems & Technology Services
      (*) \(*) -- W.E.B. Du Bois Library
    ~~~~~~~~~~ - University of Massachusetts, Amherst

    <choogend@library.umass.edu>

    ---------------

    -------- My Original Question --------
    Subject: why so many ports open on Solaris
    Date: Tue, 27 Apr 2004 21:45:03 -0400
    From: Chris Hoogendyk <choogend@library.umass.edu>
    To: Sun Managers <sunmanagers@sunmanagers.org>

    Why does Solaris (e.g. 8) have so many ports open even when I've gone
    through inetd.conf and commented out virtually everything?

    I've got several web guides to securing Solaris. I've seen the SysAdmin
    Magazine articles on locking down Solaris. I've done all that stuff. But
    I still have ports open whose purposes and sources I don't understand.

    Does anyone know where there is a guide or discussion of the absolute
    minimum necessary and what you lose or don't lose by shutting down
    everything else? I don't want to use a port blocking mechanism. I use
    tcpwrappers to regulate access to ports that I do want open. It seems I
    should find the source of excess ports and actually shut down the
    processes that are opening them. I presume a lot of them come from rc2.d
    or rc3.d.

    I'm getting hammered by some folks who think I should only have about 2
    ports open.

    TIA

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Tue, 27 Apr 2004 21:55:15 -0400
    From: Chris <kingsqueak@kingsqueak.org>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    Couple tips for you. It takes forever to manually go figure out all
    the processes that are running with listening ports. To save a TON of
    time, check www.sun.com/security and get the "JASS" script they have
    there for free. Take a moment to read through it and then run it. It
    will lock the box down but good. Actually just a heads up, it will
    leave NO means to connect to the box over the network and lock out
    root login from anything but the console. That is the default. You
    can customize your own 'profile' to choose what it leaves running or
    not once you get used to how the script works.

    Another tip, www.sunfreeware.com , get 'lsof' it's there as a sun
    package. lsof 'lists open files' including network connections. You
    can find out what user/process owns any open files or network sockets
    on a running system. It's handy for what you're doing, it's also
    handy to figure out what process is hanging on to a mounted filesystem
    when you try to unmount it (CD or floppy in particular).

    For general box security, there's a mildly useful utility called ASET,
    check into that as well, it handles locking down the ridiculously wide
    open file permissions on a system. It is a script as is JASS.

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 10:02:21 +0100
    From: Simon Crowther <SCrowthe@msxi-euro.com>
    To: choogend@library.umass.edu

    Chris,

    You have to consider that the Solaris target audience is very broad,
    from workstation users through developers to large server environments.
    Some of these users will not have a great Sys Admin background or
    knowledge, and these users especially will want a more no hassle
    approach to installations where products and services are installed and
    running that might be integral to a 3rd party application,
    With so many 3rd party apps out there having differing dependencies,
    it's no wonder there is an "all lights on" approach...

    Solaris does address this to a degree, by having different install
    options, packages are clustered in the following fashion:

    Core install
    End User System Support
    Developer System Support
    Entire Distribution
    Entire Distribution + OEM

    The core install is considered a minimum package set required which is
    supported by SUN (this may have changed now, since the popularity of the
    Sun Blueprints Minimisation Document which describes hardening
    techniques and further package removal)

    The Entire Distribution + OEM installs a great deal of product and
    services.

    The considerations for what should be running and what should not are
    dependent on the intended end use of the machine. For instance, a
    back-end server that runs a database which serves a web site may only
    have SSH and Oracle related daemons listening.

    The folk you speak of are right in principle, as you should attempt to
    configure your servers to serve only the services that make up its
    intended use. Some people achieve this by placing a host based firewall
    on the server or by setting TCP Wrappers and editing inetd.conf (which
    is similar to installing a host based firewall) and others will go for a
    "Defense in depth" approach...

    So the big Qn is HOW?

    This has been covered by many Docs and articles out on the web, but
    limiting factors are so often time and/or experience.

    A good starting point is Sun's Blueprints which can be found here:

    http://www.sun.com/solutions/blueprints/browsesubject.html

    In particular....(this one is Solaris 9)

    http://www.sun.com/blueprints/1102/816-5241.pdf

    Other examples of minimisation work can be found here:

    http://www.spitzner.net/

    also there are many varied documents here:

    http://www.securityfocus.com/infocus/unix

    Good resources to be found here:

    http://www.stokely.com/unix.sysadm.resources/faqs3.sun.html#perf.tun

    and a good step by step document here:

    http://www.filibeto.org/sun/lib/security/hardening_solaris_v0.86.pdf

    It will take time for you to develop safe and solid techniques, but the
    more you put in, the more you will get out ;-)

    Hope this helps,

    Simon Crowther.

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Tue, 27 Apr 2004 21:27:38 -0700
    From: Ric Anderson <ric@Opus1.COM>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    Depends on the use of the machine. rpcbind services (like
    ttdbserver) run on workstations, but are not needed on servers.

    Make darn sure you have * Security fix - prevent execution on stack...

       set noexec_user_stack=1
       set noexec_user_stack_log=1

    in /etc/system, and you rebooted since you put those lines there; that
    will stop most of the crap (if you are running on Sparc hardware). The
    Intel lovers have no hardware equivalent protection, as the pentium and
    lower chips don't differentiate between stack read and stack execute on
    a per-page basis. Itaniums might have fixed that, but I don't know for
    sure.

    Sort of normal open ports are 22(ssh), 25 (smtp), 111 (RPC), 4045
    (lockd), and 3277x (rpc services, like statd and dtlogin). If a
    windowing server is running, port 6000 (X11) will show up also.

    This is about as far as I trim my machines. I could, with more work,
    turn off sendmail, and run it from cron to make sure no outbound
    messages get queued up for any length of time, and kill off dtlogin.
    However, since all my boxes are either NFS clients (to mount home dirs)
    or NFS servers (or both), I can't get rid of rpcbind, statd, and lockd.

    In a non-NFS, non-console windowing world you could hack the startup
    scripts to eliminate those boxes, but you'll then have to deal with
    patch installs undoing your work, or failing because you touched those
    scripts in some cases, so approach with caution.

    Cheers,
    Ric Anderson (ric@opus1.com)

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 09:56:33 +0100
    From: Simon Burr <simes@bpfh.net>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    I tend to just comment out all of inetd before sending it the HUP.

    You have two options; one is to install IP-Filter which provides
    router-like ACLs on a per network interface. That will guarantee that
    even if a port is open, no one can reach it; this assumes that IP-Filter
    is configured correctly tho; you can get IP-Filter from
    http://coombs.anu.edu.au/~avalon/

    I've got a couple of scripts which I run on servers which lock them down
    quite nicely. The first job I do is remove a gaggle of packages which I
    don't need or replace with others - a good example of this is removing
    the sendmail packages (replaced by PostFix) as sendmail has a habit of
    being re-enabled after patch clusters have been applied. The other job
    is to then disable certain startup scripts in /etc/rc2.d and /etc/rc3.d;
    personally I do this by prepending "no." to the start of the file names.

    The scripts are:

       ## Remove certain packages
       ## Admin file so pkgrm runs non-interactively and never stops to ask
       cat > /tmp/pkgrm-admin <<EOF
       mail=
       instance=unique
       partial=quit
       runlevel=nocheck
       idepend=nocheck
       rdepend=nocheck
       space=quit
       setuid=nocheck
       conflict=nocheck
       action=nocheck
       basedir=default
       EOF
       for rempkg in SUNWpppdt SUNWpppdu SUNWpppdr SUNWbnur SUNWbnuu SUNWsndmr \
                     SUNWsndmu SUNWdialh SUNWdialx SUNWdial SUNWkdcu SUNWkdcr \
                     SUNWapchd SUNWapchu SUNWapchr SUNWsshu SUNWsshr SUNWsshdu \
                     SUNWsshdr SUNWsshcu SUNWsmbau SUNWsmbac SUNWsmbar SUNWntpr \
                     SUNWntpu SUNWpsu SUNWpsr SUNWpcu SUNWpcr SUNWppm SUNWscplp \
                     SUNWmp SUNWwbcor SUNWwbcou
       do
         ## only touch packages that are actually installed
         if pkginfo -q "${rempkg}"; then
           echo "Removing ${rempkg}"
           pkgrm -n -a /tmp/pkgrm-admin "${rempkg}"
         fi
       done
       rm /tmp/pkgrm-admin

       ## Disable certain startup scripts
       for file in /etc/rc2.d/S71ldap.client /etc/rc2.d/S71rpc \
                   /etc/rc2.d/S73nfs.client /etc/rc2.d/S74autofs \
                   /etc/rc2.d/S76nscd /etc/rc2.d/S80spc \
                   /etc/rc2.d/S80lp /etc/rc2.d/S90wbem \
                   /etc/rc2.d/S99dtlogin /etc/rc3.d/S15nfs.server \
                   /etc/rc3.d/S16boot.server /etc/rc3.d/S34dhcp \
                   /etc/rc3.d/S52imq /etc/rc3.d/S76snmpdx \
                   /etc/rc3.d/S77dmi /etc/rc3.d/S80mipagent \
                   /etc/rc3.d/S81volmgt /etc/rc3.d/S84appserv
       do
         ## skip scripts that do not exist on this release
         if [ ! -f "$file" ]; then continue ; fi
         ## init only runs S* and K* names, so no.S80lp is kept but ignored
         new=`dirname "$file"`/no.`basename "$file"`
         mv "$file" "$new" || echo "Failed to rename $file"
       done

    Note that this is a fairly strict lockdown - for example volume
    management is disabled, along with dtlogin. The above works on Solaris 8
    and Solaris 9.

    -- 
         Simon the stressed
         http://www.bpfh.net/
         simes@bpfh.net
         Chocolate is *not* a substitute for sleep

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Tue, 27 Apr 2004 23:34:05 -0400
    From: Steve Sandau <ssandau@gwi.net>
    Reply-To: ssandau@bath.tmac.com
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    If you never run CDE or any other GUI, you can have like 2 ports open. I
    do this on an Oracle server on Sol 8. CDE, Gnome and so on open up
    (need?) many ports to start with. In addition many other optional
    services run out of scripts in /etc/rc2.d. I can't give you a list, but
    I have tracked many down in the past by reading the script and looking
    at the man page for the particular binary.

    I think that KDE, Gnome and others open lots of ports on Linux as well.
    Really minimal ports open is related to the window manager, not the OS.
    My opinion anyway... ;)

    SteveS

    -------- Original Message --------
    Subject: RE: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 08:31:30 -0400
    From: William Enestvedt <William.Enestvedt@jwu.edu>
    To: Chris Hoogendyk <choogend@library.umass.edu>

        Well, not everything listening on a port gets started via inetd, if
    I recall correctly. (See the instructions for installing TCP Wrappers:
    the explanation of the two methods of installation might shed more light
    on this than I can.)

        Also, you restarted inetd after changing its conf file, right? :7)

        SANS publishes a book about securing Solaris that's quite good; if
    you read through it, it explains why certain services are being disabled
    -- but I must confess that it wants you to accept their assurances pretty
    blindly.

        I have taken to disabling a lot of the things in /etc/rc2.d and
    rc3.d, but I try to read the man pages to figure out whether I can get
    by without them (like picld, which I'd love to shut off but which I
    *think* is required by Solaris) before I kill them.

        Sun's "JASS Toolkit" for securing Jumpstarting Solaris systems
    contains scripts for securing various services and ports. You could
    probably glean a lot from reading the supporting paper on the Sun
    Blueprints site.

        I think many Linux distributions use xinetd to start more
    services/daemons/processes than Solaris does, which is why they can rely
    on keeping more things disabled by default (feeling safe that the right
    stuff will get launched when it tickles xinetd). But I could be wrong.

    -wde
    --
    Will Enestvedt
    UNIX System Administrator
    Johnson & Wales University -- Providence, RI
    William.Enestvedt@jwu.edu

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 10:58:57 -0400
    From: Andrew J Caines <A.J.Caines@halplant.com>
    Reply-To: Andrew J Caines <A.J.Caines@halplant.com>
    Organization: H.A.L. Plant
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    Chris,

    You should have exactly as many ports open as are used by the network
    services you want offered by the system, no more.

    inetd is just one handler of network services. Solaris comes with a
    bucketload of other servers which start by default on install, or after
    patching which puts the start scripts back. You are expected to manually
    turn them off, or better not install the software in the first place.

    See the setup_rc script[1], which makes the process of removing all
    unwanted startup scripts. Run it after install and patching.

    Consider removing the packages containing the software you don't use.

    Since you didn't mention any details, you need to find out what's
    listening on those ports. I suggest using "lsof -i" and looking for
    processes in a LISTEN state on each port. You can look for the process
    listening on a particular port by specifying it, eg.

    # lsof -i :22
    COMMAND PID USER FD  TYPE        DEVICE SIZE/OFF NODE NAME
    sshd    257 root  3u IPv6 0x30001e54638      0t0  TCP *:ssh (LISTEN)
    sshd    257 root  4u IPv4 0x30001e547b8      0t0  TCP *:ssh (LISTEN)

    A good reference is Alex Noordergraaf's Sun Blueprints, "Minimizing the
    Solaris Operating Environment for Security"[2] and "Solaris Operating
    Environment Minimization for Security: A Simple, Reproducible and Secure
    Application Installation Methodology"[3]. Other Blueprints will probably
    be of interest to you, too.

    [1] http://halplant.com:88/software/Solaris/scripts/setup_rc
    [2] http://www.sun.com/blueprints/1102/816-5241.pdf
    [3] http://www.sun.com/blueprints/1100/minimize-updt1.pdf

    -Andrew-
      _______________________________________________________________________
    | -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines@halplant.com

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 10:34:05 +0200
    From: Gandalf el gris <gandalf@tierramedia.org>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    Hi Chris

    By default Sun Solaris comes with a lot of open services. If you want to
    close these services you can use a security tool like JASS or Titan, or
    make it by yourself with a guide; a very good book about that is
    Syngress' Hack Proofing Sun Solaris.

    With JASS you can harden your system closing almost all open ports, or
    securing them. JASS is a Sun developed software and is the tool that
    SUN use to harden their systems.

    I hope this can help you.

    Cheers
         Marcos

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 10:25:14 -0400 (EDT)
    From: Mark Montague <markmont@umich.edu>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    You can install a copy of lsof.  It doesn't come standard with Solaris
    8, but you can get it from ftp://vic.cc.purdue.edu/pub/tools/unix/lsof

    Running "lsof -i" will tell you what processes are using which ports.
    This will tell you which /etc/init.d scripts to disable.

    If you are not actually using a port, you should not have it open, in my
    opinion.  A common mistake is to leave a port open because you might
    need it.  Turn off the service, and if you ever wind up needing it, turn
    it on (permanently) then.

                     Mark Montague
                     LS&A Information Technology
                     The University of Michigan
                     markmont@umich.edu

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 13:19:04 -0400
    From: Rich Kulawiec <rsk@gsp.org>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    On Tue, Apr 27, 2004 at 09:45:03PM -0400, Chris Hoogendyk wrote:
     > Why does Solaris (e.g. 8) have so many ports open even when I've gone
     > through inetd.conf and commented out virtually everything?

    The glib answer:

    Because Sun ships systems that way in order to minimize support costs to
    them: otherwise they'd be fielding an endless stream of "Why doesn't FOO
    work?" calls.  Compare/contrast with OpenBSD, which ships with darn near
    everything turned off by default.

    The more useful answer:

    Because while inetd "listens on behalf of other daemons" and thus opens
    those ports that those daemons provide services on, some daemons and
    other processes do their own listening: thus any ports that they choose
    to open are, uh, open.

     > Does anyone know where there is a guide or discussion of the absolute
     > minimum necessary and what you lose or don't lose by shutting down
     > everything else? I don't want to use a port blocking mechanism. I use
     > tcpwrappers to regulate access to ports that I do want open. It seems I
     > should find the source of excess ports and actually shut down the
     > processes that are opening them. I presume a lot of them come from rc2.d
     > or rc3.d.

    The best answer to this is "it depends", because which ones you can turn
    off without disabling a vital service depends on which services are
    vital to you.

    I can offer three bits of guidance:

        1. Get lsof, as mentioned in the Sun-Manager's FAQ, because
           running lsof will enable you to figure who has which port(s)
           open.

        2. Resist the temptation to disable everything at once.  Again,
           this depends on what you're doing with your system, but even
           when I *know* that eventually I will probably end up turning
           off lots of things, I've found it better to take things one step
           at a time, and make sure -- after each change -- that everything
           I think should still be working IS still working.

        3. Things that I find that I can often disable without screwing
           things up (and these are from Solaris 9, so salt to taste):
               nfs.client
               nfs.server
               lp
               keymap
               sendmail
               volmgt
               autofs
               init.snmpdx
               init.dmi
               picld
               skipkey

    ---Rsk

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Tue, 27 Apr 2004 23:34:48 -0600
    From: Colin Bigam <colin@west.gecems.com>
    Reply-To: colin@west.gecems.com
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    Hi Chris;

    First of all, if services are shut down in inetd, then you'll probably
    find about five remaining ports open. Sendmail (port 25) is one you can
    shut down in Solaris 8, and still mail out stuff from that machine.
    nfs.client can safely be shut down if the machine won't be NFS mounting
    anything.

    The remaining few are probably RPC-related ports. It's close to
    impossible to shut down RPC entirely, so you'll have to look at
    deregistering them. Getting this far will eliminate nearly all of the
    open ports.

    As for a guide, Sun has a whitepaper on hardening Solaris/Sparc. Look
    that up, and you'll get quite a few interesting bits of info.

    Colin
    --
    Colin Bigam
    Senior Unix Analyst, GEITS
    colin@west.gecems.com
    (403) 699-4584

    -------- Original Message --------
    Subject: RE: why so many ports open on Solaris
    Date: Tue, 27 Apr 2004 23:25:40 -0400
    From: Roetman, Paul <PRoetman@csxwt.com>
    To: Chris Hoogendyk <choogend@library.umass.edu>

    Sun put out this doc:
       Minimizing the Solaris Operating Environment for Security
       816-5241.pdf
    Which has some quite good reading!

    Cheers
    Paul

    -------- Original Message --------
    Subject: RE: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 14:39:42 +0200
    From: Pavic, Aleksander <Aleksander.Pavic@telekom.de>
    To: choogend@library.umass.edu

    Hi,

    rpc services are not handled with /etc/inetd.conf. If you really want to
    disable everything and open just the things you need, you have to
    disable the S71rpc script in /etc/rc2.d.
    But think about your needs, some services need rpc (like NIS, NFS).

    There are probably some other services that are not controlled by rpc or
    inetd.conf. Then you have to disable the start script for this service.
    To find out the start script for a service that's called "lala" you can
    mostly find all scripts with 'find /etc/rc?.d | xargs grep -i lala'.

    HTH
    Aleks
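
    A short shell script, added here as an illustration (not part of any reply in the thread), that puts Andrew's "lsof -i" step together with Aleks's find/grep over /etc/rc?.d: it lists TCP LISTEN sockets and bound UDP sockets from lsof output, flags listeners outside an allow-list as the after-each-change check Rich suggests, locates the S* start script for each, and renames it with the "no." prefix Simon uses. The lsof sample is constructed (only the two sshd lines are from the thread), and the rc directories are parameters so it can be tried without a Solaris host.

```sh
#!/bin/sh
# Added example: tie the `lsof -i` step to the rc2.d/rc3.d start scripts.
# Not from the thread; the rc directories are parameters so it can be tried
# on any host.  Assumes the lsof output layout shown in the thread.

# Constructed sample of `lsof -i` output. The two sshd LISTEN lines are the
# ones quoted in the thread; the remaining lines are made up for the demo.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE        DEVICE SIZE/OFF NODE NAME
sshd       257 root    3u  IPv6 0x30001e54638      0t0  TCP *:ssh (LISTEN)
sshd       257 root    4u  IPv4 0x30001e547b8      0t0  TCP *:ssh (LISTEN)
sendmail   312 root    4u  IPv4 0x30001e54a10      0t0  TCP *:smtp (LISTEN)
rpcbind    141 root    5u  IPv4 0x30001e54b20      0t0  TCP *:sunrpc (LISTEN)
rpcbind    141 root    6u  IPv4 0x30001e54c30      0t0  UDP *:sunrpc
Xsun       402 root    1u  IPv4 0x30001e54d40      0t0  TCP *:6000 (LISTEN)
sshd       901 root    5u  IPv4 0x30001e54e50      0t0  TCP srv:ssh->cli:1234 (ESTABLISHED)'

# listeners: read `lsof -i` output on stdin and print "command port" for each
# TCP socket in LISTEN state, one line per distinct pair.
listeners() {
    awk '$NF == "(LISTEN)" { n = split($(NF-1), a, ":"); print $1, a[n] }' |
        LC_ALL=C sort -u
}

# udp_sockets: bound UDP sockets have no state column in lsof output, so the
# LISTEN filter above misses them (RPC services bind UDP as well).
udp_sockets() {
    awk '$(NF-1) == "UDP" { n = split($NF, a, ":"); print $1, a[n] }' |
        LC_ALL=C sort -u
}

# unexpected_listeners ALLOWED: keep only the "command port" lines from stdin
# whose port is not in the space-separated ALLOWED list. Run it after every
# change; anything printed is a listener you did not plan for.
unexpected_listeners() {
    allowed=" $1 "
    while read -r cmd port; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$cmd $port" ;;
        esac
    done
}

# find_start_scripts NAME RCDIR...: the `find /etc/rc?.d | xargs grep -i NAME`
# step, restricted to enabled (S*) scripts. Prints matching script paths.
find_start_scripts() {
    name=$1; shift
    for dir in "$@"; do
        grep -il -- "$name" "$dir"/S* 2>/dev/null || true
    done
}

# disable_script PATH: rename S99foo to no.S99foo so init ignores it while
# the script stays on disk. Refuses to clobber an existing no.* copy, so a
# rerun after a patch cluster has restored the script is safe.
disable_script() {
    new=$(dirname "$1")/no.$(basename "$1")
    if [ -e "$new" ]; then
        echo "refusing to overwrite $new" >&2
        return 1
    fi
    mv "$1" "$new"
}

# Stand-alone demo over the sample. Defaults to the real rc directories; on a
# non-Solaris host they are simply absent and nothing is found. Note that a
# listener's command name is not always in its start script (Xsun is started
# by S99dtlogin), which is why the replies say to read the scripts as well.
RCDIRS=${RCDIRS:-"/etc/rc2.d /etc/rc3.d"}
printf '%s\n' "$SAMPLE_LSOF" | listeners | while read -r cmd port; do
    # $RCDIRS is deliberately unquoted so it splits into separate directories
    echo "$cmd listens on $port; started by:" $(find_start_scripts "$cmd" $RCDIRS)
done
```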

    -------- Original Message --------
    Subject: RE: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 08:40:15 -0400
    From: Brent Mcdaniel <Brent.McDaniel@TheICE.com>
    To: Chris Hoogendyk <choogend@library.umass.edu>

    Chris,

    We tie our boxes down to only ssh and whatever app is running on it,
    i.e. Weblogics, database, etc.... So if you have commented out almost
    everything in /etc/inetd.conf and HUP'd it, then the only other place
    would be in /etc/rc2.d and /etc/rc3.d

    If you want to give me a list from a "netstat -an | grep LISTEN" and
    "netstat -an | grep Idle", I'd be happy to tell you what ports those are
    and how to stop that process.

    Brent

    IntercontinentalExchange
    Brent McDaniel  |  http://www.intcx.com
    Senior Systems Administrator

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 09:31:56 -0400
    From: Matt Clausen <mclausen@csit.fsu.edu>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    A lot of the inetd processes will hang around even after you restart the
    inetd server (either by a kill -HUP to force it to reread its
    configuration file or killing it altogether and restarting it). If you
    reset the box you may find that a lot of the open ports will disappear.

    You can also use tools like nmap to scan these ports and it will often
    give you some clues as to what the ports that are open are.

    -------- Original Message --------
    Subject: Solaris network ports open
    Date: Wed, 28 Apr 2004 08:31:54 -0400
    From: Schernau, Ed <Edward.Schernau@citizensbank.com>
    To: 'choogend@library.umass.edu' <choogend@library.umass.edu>

    Just install ipfilter, then they won't see any ports open.  I routinely
    do it here, to mask my machines from prying eyes.  Set up a policy to
    drop all but the stuff you know about.

    Ed Schernau
    Systems Management Specialist, ECC
    Citizens Bank, East Providence Operations Center
    401.282.1262 ed.schernau@citizensbank.com

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 00:47:36 -0500
    From: Kelly Setzer <Kelly.Setzer@LiquidChicken.org>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

      <snip>

    In my crankier moods, I dream about just typing 'killall' and
    pronouncing the system "secure".

    Kelly
      < ;-) >

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Wed, 28 Apr 2004 00:58:37 -0500 (EST)
    From: J. Oquendo <sil@politrix.org>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    You more than likely have some of the RPC services open.

    Grab yourself a copy of lsof from Sunfreeware.com if you don't have it
    and lsof|grep -i listening to see what exactly is accessing what port
    using what.

    Another thing you may want to do to really restrict the machine itself
    is looking into using ACLs if you have users, and running Titan on the
    machine. Titan is available for free via www.fish.com and is a pretty
    nifty tool.

    TCP Wrappers if you ask me are rather obsolete; I haven't used them since
    about 1998 or so. Currently on my personal machine I have it modified by
    Titan which resolves almost 95% of the problems, I've got most known
    patches I need, and I have a modified version of Pitbull running on this
    machine. (www.argus-systems.com) Although Pitbull is not free, it is
    worth picking up if you have a budget.

    Other tools I used are for deception. Modified DTK (Deception Tool Kit),
    Port Sentry. I used to run Snort to maintain awareness of who was doing
    what but too many false positives, and a high load on the system made me
    chuck it.

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    J. Oquendo

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Tue, 27 Apr 2004 19:03:06 -0700
    From: Roy S. Rapoport <rsr@inorganic.org>
    To: Chris Hoogendyk <choogend@library.umass.edu>
    References: <408F0C9F.4030603@library.umass.edu>

    *TWO* ports? These sort of naive fools are what makes security so hard!
    An open port is an invitation to hacking, which is why I prefer to keep
    my systems with all network ports closed, superglue gumming up the
    serial and network interfaces, power disconnected, and the machine
    itself embedded in half a ton of concrete.  That's the only way to be sure!

    Sorry :)

    You likely need exactly as many ports open as services you're offering,
    no more and no less.  This likely means 1 (remote access) + whatever
    public services you're offering.

    For servers, this is quite easy -- if you've got a web server, you
    really should only have, say, 22 (for ssh) and 80 open.

    For desktops it gets a bit ugly because every full-featured desktop
    system out there seems to rely on network ports for some of its
    communication.

    Regardless, there are two sources for open ports on Solaris (well, and
    other systems):

    inetd will spawn ports if it's configured to do so; and server processes
    will always be listening on a given port.

    You *can* -- and *should* -- run through every process running on the
    machine, familiarize yourself with it, and know what it does.

    You *can* -- and *should* -- then go and check out JASS, the Jumpstart
    Architecture and Security Scripts, AKA the Solaris Security Toolkit.
    JASS, when integrated with Jumpstart, will result in systems that come
    out of the jumpstart process nicely tight.  JASS is also a really nice
    architecture to manage Jumpstart, by the way.

    Hope this helps,
    -roy

    -------- Original Message --------
    Subject: Re: why so many ports open on Solaris
    Date: Tue, 27 Apr 2004 20:57:19 -0500 (CDT)
    From: Mike's List <mikelist@sky.net>
    To: Chris Hoogendyk <choogend@library.umass.edu>

    So list the ports so others can see what it is and tell you where it's
    coming from.

    Yes, some ports are open when some services are enabled in /etc/rc2.d
    and /etc/rc3.d. i.e. if you don't need /etc/rc3.d/S16boot.server, stop
    the process and rename the file so it won't start.

    www.sun.com/bigadmin --start here and search.
    http://www.spitzner.net/
    http://www.fish.com/titan/
    http://www.yassp.org/

    - Mike

    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers
    
