Re: Hardening a Solaris system.
From: Dr. David Kirkby (see_my_signature_for_my_real_address_at_hotmail.com)
Date: 11/17/03
- Previous message: Paul Eggert: "Re: Strange "make" behavior"
- In reply to: Dr. David Kirkby: "Hardening a Solaris system."
- Next in thread: Casper H.S. ***: "Re: Hardening a Solaris system."
- Reply: Casper H.S. ***: "Re: Hardening a Solaris system."
- Reply: gerryt_at_gtconnect.net: "Re: Hardening a Solaris system."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 16 Nov 2003 22:09:25 -0800
see_my_signature_for_my_real_address@hotmail.com (Dr. David Kirkby) wrote in message news:<c99d2c79.0311140749.2e91890e@posting.google.com>...
> I know files that execute with root permissions by normal users (e.g.
> su) can be a security risk. Is it necessary to have any such files, if
> only the root user logs in ?? In other words, making the system
> unusable to anyone but root.
>
> I'm particularly thinking about Solaris 9 on a Sun SPARCstation 20.
>
> I've set up a web server, running Apache, so am thinking about what I
> can do to reduce the chances of it being hacked. I've done several
> things.
<snip>
> Dr. David Kirkby.
Thanks everyone for your tips. I hope you don't mind me not replying
to each of you individually, but since several people naturally
suggested the same things (like install ssh), it would be a bit
pointless for me to reply individually.
I'm sure I'll follow several tips, although not all for
practical/economic reasons. I should state the machine is a home
computer, serving no commercial value, so if it gets hacked it is not
the end of the world. But I'd take it as a failing on my part if it
did get hacked.
Several people disagreed with the point about not installing man
pages. I think I did originally intend to install them, but they
depend on a 'document development' or something similar being present.
And I think that depended on something else. So it seemed easier to
not bother. Then I thought it might be more secure anyway. Since I'll
access it from a Sun, I really don't see that it makes the system more
unusable. I take the point that they are online.
The idea of using a 3rd machine, with ipfilter on 1 forwarding
requests to the web server is not really practical - the application
does not justify the extra power consumption and noise. Likewise for
buying commercial software. I can get the hardware firewall/router to
do port forwarding, but I'm not sure there is a lot of point. I
thought a web server had to run on a privileged port (<1024), but
then I guess that is not true, since 8080 is used sometimes.
If there is a point in getting the hardware firewall to forward data
for port 80 to another point, that would be useful to know.
The SS20 does not have 3 network interfaces - only one. The Ultra 80
is my main machine on the LAN and that is connected to a different
interface of the hardware firewall.
I am going to set up an identical SS20 as a backup. Should the first
be hacked or break down, I can drop another in its place in no time at
all.
The Intertex IX66 hardware ADSL modem/router/firewall has 4 interfaces -
ADSL in, USB out (which I don't use), and two ethernet connections.
One ethernet connection is configured as a LAN where all machines can
access each other. The other ethernet connection is configured as a
so-called demilitarised zone (DMZ). The machine on the DMZ can not
connect to the LAN, but the LAN can connect to the DMZ. The
webserver obviously resides on the DMZ.
I've reduced /etc/inetd.conf to just the CacheFS Daemon. That I admit
I don't know anything about, but I guess from its name that it might
impact performance if it's not running. That said, given anyone can
download from the web server at a maximum of 256 kbit, the system is
going to be limited by the ADSL connection and I doubt it makes one
ounce of difference to the performance of the Sun. Currently it has dual
125 MHz CPUs, but I think I might put them to better use and use a
slower CPU - not that I find the HyperSPARC that good anyway.
I have of course used ssh. But I must admit sometimes I wonder if that
is more secure when you are the only user and it's behind a firewall.
There seems to be more security announcements/patches with ssh than
telnet. I can see the logic more of ssh when you are worried about
someone snooping on the network traffic, but I don't think this is
likely here. But I have installed it anyway.
Apache is the standard Solaris install, with a few changes to the
config file. I note it runs as 'nobody'.
I've not installed tcp_wrappers. I can't help but feel that is a bit
superfluous, with ipfilter in place, but perhaps I'm wrong. In any case
there is a hardware firewall too, which does block outgoing traffic in
addition to that coming in.
A couple of programs (ps etc) have been renamed and will power the
system off if run. I'll soon notice that has happened! I've never seen
that idea mentioned before, but it does not seem totally stupid.
I did before (years back) run tripwire and arrange it to cause a
shutdown if a file was changed. But in that case I found I purposely
edited a file, forgot about tripwire and the machine was forever being
shut down in error. I gave up with that idea. I found Sun's web page
where you had the ability to put in the md5 checksums of programs and
see if they were okay quite useful. The only problem was the limit of
250 files (I think). I admit I've not run that for a while.
Things like CDE, sendmail were never installed in the first place. I
installed Solaris on this with the sole intention of it being a web
server.
At the minute there are only static html pages - no cgi or similar. I
know I can do a bit more to the apache config file now, but have not
done that. I don't know enough about Apache yet - but I'll learn.
The chroot idea sounds good, but my knowledge of that is quite small.
As I think I said, I'm not a professional system admin. In fact, as of
the first of this month I'm unemployed. Anyone want to hire me ? First
degree in electronics, background in optics, microwaves and a
reasonable knowledge of Solaris.
The benchmark booklets at http://www.cisecurity.org look interesting
and will allow me to disable a bit more in /etc/init.d once I know a
bit more about them and the implications.
I will remove uucp and lp. Not done yet I must admit.
I've already seen in the apache log what looks very much like an
unsuccessful attempt to send total junk to Apache, with some .exe
thrown in at the end.
Thanks for the notes about ipfilter's stability - I had found that on
the web, but my version seems okay.
Well I think that covers most things people suggested. But ultimately,
this is not an ecommerce site, so I can't justify too much
hardware/software/noise/power consumption thrown at the problem.
Dr. David Kirkby.
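The md5-checksum comparison of system binaries that the post describes (Sun's page and the tripwire experiment), as an added example that is not part of the original post or any Sun tool: a small POSIX sh baseline/verify pair that reports changed or missing files instead of shutting the machine down. It assumes GNU `md5sum` is on the PATH (on Solaris 9 substitute whichever md5 tool is installed); the sample tree it checks is constructed in a temp directory.

```shell
#!/bin/sh
# Added example: file-integrity baseline in the spirit of the md5 checks
# discussed in the thread. Assumes GNU md5sum; on Solaris 9 substitute
# the md5 tool you have installed.

# Record the md5 of every regular file under directory $1 into file $2.
make_baseline() {
    find "$1" -type f | sort | while read -r f; do
        md5sum "$f"
    done > "$2"
}

# Re-hash every path listed in baseline $1. Prints CHANGED/MISSING lines;
# returns 0 when everything matches, 1 when anything differs.
# (Input redirection, not a pipe, so 'status' survives the loop in sh.)
verify_baseline() {
    status=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        cur=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$1"
    return $status
}

# Constructed sample tree: two fake "binaries" in a temp directory.
# With tamper=yes one is rewritten and one deleted before verifying,
# so the expected result is 1; with tamper=no it is 0.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'echo real ps\n' > "$work/bin/ps"
    printf 'echo real ls\n' > "$work/bin/ls"
    make_baseline "$work/bin" "$work/baseline.md5"
    if [ "$1" = yes ]; then
        printf 'echo replaced ps\n' > "$work/bin/ps"   # simulated change
        rm -f "$work/bin/ls"                           # simulated removal
    fi
    verify_baseline "$work/baseline.md5"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo no  && echo "clean tree: OK"
demo yes || echo "tampered tree: differences reported"
```

In real use, keep the baseline file off the web server (e.g. on the Ultra 80) so a compromised host cannot rewrite it, and regenerate it deliberately after every patch.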