boatload of replies. thanks to everyone. it looks like I have some serious work to do.

I'll do a very brief summary, but the only way to do justice to the richness of the replies is to include a number of them at the end of this, after my original message.

key item that one person gave me was that the install option you choose is important. I had installed the entire distribution, figuring that the programming tools would be there. I should have installed the minimal system for servers.

next is to clean out rc2.d and rc3.d in addition to inetd.conf. lots of things started from there.

of course, I had done a 'kill -HUP' of the inetd process, but it is also necessary to restart the system or kill processes that have already been started. in this case, I had actually restarted the system.

tools:

-- lsof widely recommended. get it from sunfreeware or from purdue. 'lsof -i' gives ports and processes. can pipe to grep. http://www.sunfreeware.com

-- jass, Sun's security tightening tool. get it from Sun. it's a script. can read it. can modify it. can just run it. http://www.sun.com/security

-- someone pointed to a setup_rc script that removes all the stuff you don't want. run it again after doing patches, because patches can put startup scripts back in. I had already encountered this with sendmail. I get rid of it, do recommended patches, then have to get rid of it again. best to completely uninstall stuff you don't want so a startup script won't find it anyway.

lots more detail in the replies, and a chuckle or two.

Thanks again to everyone.

---------------

Chris Hoogendyk

-
   O__  ---- Network Specialist & Unix Systems Administrator
  c/ /'_ --- Library Information Systems & Technology Services
 (*) \(*) -- W.E.B. Du Bois Library
~~~~~~~~~~ - University of Massachusetts, Amherst

<choogend@library.umass.edu>

---------------

-------- My Original Question --------
Subject: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 21:45:03 -0400
From: Chris Hoogendyk <choogend@library.umass.edu>
To: Sun Managers <sunmanagers@sunmanagers.org>

Why does Solaris (e.g. 8) have so many ports open even when I've gone through inetd.conf and commented out virtually everything?

I've got several web guides to securing Solaris. I've seen the SysAdmin Magazine articles on locking down Solaris. I've done all that stuff. But I still have ports open whose purposes and sources I don't understand.

Does anyone know where there is a guide or discussion of the absolute minimum necessary and what you lose or don't lose by shutting down everything else? I don't want to use a port blocking mechanism. I use tcpwrappers to regulate access to ports that I do want open. It seems I should find the source of excess ports and actually shut down the processes that are opening them. I presume a lot of them come from rc2.d or rc3.d.

I'm getting hammered by some folks who think I should only have about 2 ports open.

TIA

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 21:55:15 -0400
From: Chris <kingsqueak@kingsqueak.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Couple tips for you.

It takes forever to manually go figure out all the processes that are running with listening ports. To save a TON of time, check www.sun.com/security and get the "JASS" script they have there for free. Take a moment to read through it and then run it. It will lock the box down but good.

Actually just a heads up, it will leave NO means to connect to the box over the network and lock out root login from anything but the console. That is the default.
You can customize your own 'profile' to choose what it leaves running or not once you get used to how the script works.

Another tip, www.sunfreeware.com , get 'lsof' it's there as a sun package. lsof 'lists open files' including network connections. You can find out what user/process owns any open files or network sockets on a running system. It's handy for what you're doing, it's also handy to figure out what process is hanging on to a mounted filesystem when you try to unmount it (CD or floppy in particular).

For general box security, there's a mildly useful utility called ASET, check into that as well, it handles locking down the ridiculously wide open file permissions on a system. It is a script as is JASS.

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 10:02:21 +0100
From: Simon Crowther <SCrowthe@msxi-euro.com>
To: choogend@library.umass.edu

Chris,

You have to consider that the Solaris target audience is very broad, from workstation users through developers to large server environments. Some of these users will not have a great Sys Admin background or knowledge, and these users especially will want a more no hassle approach to installations where products and services are installed and running that might be integral to a 3rd party application. With so many 3rd party apps out there having differing dependencies, it's no wonder there is an "all lights on" approach...
Solaris does address this to a degree, by having different install options, packages are clustered in the following fashion:

Core install
End User System Support
Developer System Support
Entire Distribution
Entire Distribution + OEM

The core install is considered a minimum package set required which is supported by SUN (this may have changed now, since the popularity of the Sun Blueprints Minimisation Document which describes hardening techniques and further package removal)

The Entire Distribution + OEM installs a great deal of product and services.

The considerations for what should be running and what should not are dependent on the intended end use of the machine. For instance, a back-end server that runs a database which serves a web site may only have SSH and Oracle related daemons listening.

The folk you speak of are right in principle, as you should attempt to configure your servers to serve only the services that make up its intended use. Some people achieve this by placing a host based firewall on the server or by setting TCP Wrappers and editing inetd.conf (which is similar to installing a host based firewall) and others will go for a "Defense in depth" approach...

So the big Qn is HOW?

This has been covered by many Docs and articles out on the web, but limiting factors are so often time and/or experience.
A good starting point is Sun's Blueprints which can be found here:
http://www.sun.com/solutions/blueprints/browsesubject.html

In particular....(this one is solaris 9)
http://www.sun.com/blueprints/1102/816-5241.pdf

Other examples of minimisation work can be found here:
http://www.spitzner.net/

also there are many varied documents here:
http://www.securityfocus.com/infocus/unix

Good resources to be found here:
http://www.stokely.com/unix.sysadm.resources/faqs3.sun.html#perf.tun

and a good step by step document here:
http://www.filibeto.org/sun/lib/security/hardening_solaris_v0.86.pdf

It will take time for you to develop safe and solid techniques, but the more you put in, the more you will get out ;-)

Hope this helps,

Simon Crowther.

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 21:27:38 -0700
From: Ric Anderson <ric@Opus1.COM>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Depends on the use of the machine. rpcbind services (like ttdbserver) run on workstations, but are not needed on servers.

Make darn sure you have

* Security fix - prevent execution on stack...
set noexec_user_stack=1
set noexec_user_stack_log=1

in /etc/system, and you rebooted since you put those lines there; that will stop most of the crap (if you are running on Sparc hardware). The Intel lovers have no hardware equivalent protection, as the pentium and lower chips don't differentiate between stack read and stack execute on a per-page basis. Itaniums might have fixed that, but I don't know for sure.

Sort of normal open ports are 22 (ssh), 25 (smtp), 111 (RPC), 4045 (lockd), and 3277x (rpc services, like statd and dtlogin). If a windowing server is running, port 6000 (X11) will show up also. This is about as far as I trim my machines. I could, with more work, turn off sendmail, and run it from cron to make sure no outbound messages get queued up for any length of time, and kill off dtlogin.
However, since all my boxes are either NFS clients (to mount home dirs) or NFS servers (or both), I can't get rid of rpcbind, statd, and lockd.

In a non-NFS, non-console windowing world you could hack the startup scripts to eliminate those boxes, but you'll then have to deal with patch installs undoing your work, or failing because you touched those scripts in some cases, so approach with caution.

Cheers,
Ric Anderson (ric@opus1.com)

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 09:56:33 +0100
From: Simon Burr <simes@bpfh.net>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

I tend to just comment out all of inetd before sending it the HUP.

You have two options; one is to install IP-Filter which provides router-like ACLs on a per network interface. That will guarantee that even if a port is open, no one can reach it; this assumes that IP-Filter is configured correctly tho; you can get IP-Filter from http://coombs.anu.edu.au/~avalon/

I've got a couple of scripts which I run on servers which lock them down quite nicely. The first job I do is remove a gaggle of packages which I don't need or replace with others - a good example of this is removing the sendmail packages (replaced by PostFix) as sendmail has a habit of being re-enabled after patch clusters have been applied. The other job is to then disable certain startup scripts in /etc/rc2.d and /etc/rc3.d; personally I do this by prepending "no." to the start of the file names.
The scripts are:

## Remove certain packages
# Admin file so that pkgrm runs without prompting
cat > /tmp/pkgrm-admin <<EOF
mail=
instance=unique
partial=quit
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=quit
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default
EOF

for rempkg in SUNWpppdt SUNWpppdu SUNWpppdr SUNWbnur SUNWbnuu SUNWsndmr \
              SUNWsndmu SUNWdialh SUNWdialx SUNWdial SUNWkdcu SUNWkdcr \
              SUNWapchd SUNWapchu SUNWapchr SUNWsshu SUNWsshr SUNWsshdu \
              SUNWsshdr SUNWsshcu SUNWsmbau SUNWsmbac SUNWsmbar SUNWntpr \
              SUNWntpu SUNWpsu SUNWpsr SUNWpcu SUNWpcr SUNWppm SUNWscplp \
              SUNWmp SUNWwbcor SUNWwbcou
do
  # Only try to remove packages that are actually installed
  pkginfo -q "${rempkg}"
  if [ $? -eq 0 ]; then
    echo "Removing ${rempkg}"
    pkgrm -n -a /tmp/pkgrm-admin "${rempkg}"
  fi
done
rm /tmp/pkgrm-admin

## Disable certain startup scripts
for file in /etc/rc2.d/S71ldap.client /etc/rc2.d/S71rpc \
            /etc/rc2.d/S73nfs.client /etc/rc2.d/S74autofs \
            /etc/rc2.d/S76nscd /etc/rc2.d/S80spc \
            /etc/rc2.d/S80lp /etc/rc2.d/S90wbem \
            /etc/rc2.d/S99dtlogin /etc/rc3.d/S15nfs.server \
            /etc/rc3.d/S16boot.server /etc/rc3.d/S34dhcp \
            /etc/rc3.d/S52imq /etc/rc3.d/S76snmpdx \
            /etc/rc3.d/S77dmi /etc/rc3.d/S80mipagent \
            /etc/rc3.d/S81volmgt /etc/rc3.d/S84appserv
do
  if [ ! -f "$file" ]; then continue ; fi
  # Prefix the name with "no." so that init no longer runs it
  new=`dirname "$file"`/no.`basename "$file"`
  mv "$file" "$new"
  if [ $? -ne 0 ]; then echo "Failed to rename $file" ; fi
done

Note that this is a fairly strict lockdown - for example volume management is disabled, along with dtlogin. The above works on Solaris 8 and Solaris 9.

--
Simon the stressed
http://www.bpfh.net/ simes@bpfh.net
Chocolate is *not* a substitute for sleep

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 23:34:05 -0400
From: Steve Sandau <ssandau@gwi.net>
Reply-To: ssandau@bath.tmac.com
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

If you never run CDE or any other GUI, you can have like 2 ports open. I do this on an Oracle server on Sol 8.
CDE, Gnome and so on open up (need?) many ports to start with. In addition many other optional services run out of scripts in /etc/rc2.d. I can't give you a list, but I have tracked many down in the past by reading the script and looking at the man page for the particular binary.

I think that KDE, Gnome and others open lots of ports on Linux as well. Really minimal ports open is related to the window manager, not the OS. My opinion anyway... ;)

SteveS

-------- Original Message --------
Subject: RE: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 08:31:30 -0400
From: William Enestvedt <William.Enestvedt@jwu.edu>
To: Chris Hoogendyk <choogend@library.umass.edu>

Well, not everything listening on a port gets started via inetd, if I recall correctly. (See the instructions for installing TCP Wrappers: the explanation of the two methods of installation might shed more light on this than I can.)

Also, you restarted inetd after changing its conf file, right? :7)

SANS publishes a book about securing Solaris that's quite good; if you read through it, it explains why certain services are being disabled -- but I must confess that it wants you to accept their assurances pretty blindly.

I have taken to disabling a lot of the things in /etc/rc2.d and rc3.d, but I try to read the man pages to figure out whether I can get by without them (like picld, which I'd love to shut off but which I *think* is required by Solaris) before I kill them.

Sun's "JASS Toolkit" for securing Jumpstarting Solaris systems contains scripts for securing various services and ports. You could probably glean a lot from reading the supporting paper on the Sun Blueprints site.

I think many Linux distributions use xinetd to start more services/daemons/processes than Solaris does, which is why they can rely on keeping more things disabled by default (feeling safe that the right stuff will get launched when it tickles xinetd). But I could be wrong.
-wde
--
Will Enestvedt
UNIX System Administrator
Johnson & Wales University -- Providence, RI
William.Enestvedt@jwu.edu

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 10:58:57 -0400
From: Andrew J Caines <A.J.Caines@halplant.com>
Reply-To: Andrew J Caines <A.J.Caines@halplant.com>
Organization: H.A.L. Plant
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Chris,

You should have exactly as many ports open as are used by the network services you want offered by the system, no more.

inetd is just one handler of network services. Solaris comes with a bucketload of other servers which start by default on install, or after patching which puts the start scripts back. You are expected to manually turn them off, or better not install the software in the first place.

See the setup_rc script[1], which makes the process of removing all unwanted startup scripts. Run it after install and patching. Consider removing the packages containing the software you don't use.

Since you didn't mention any details, you need to find out what's listening on those ports. I suggest using "lsof -i" and looking for processes in a LISTEN state on each port. You can look for the process listening on a particular port by specifying it, eg.

# lsof -i :22
COMMAND PID USER   FD   TYPE        DEVICE SIZE/OFF NODE NAME
sshd    257 root    3u  IPv6 0x30001e54638      0t0  TCP *:ssh (LISTEN)
sshd    257 root    4u  IPv4 0x30001e547b8      0t0  TCP *:ssh (LISTEN)

A good reference is Alex Noordergraaf's Sun Blueprints, "Minimizing the Solaris Operating Environment for Security"[2] and "Solaris Operating Environment Minimization for Security: A Simple, Reproducible and Secure Application Installation Methodology"[3]. Other Blueprints will probably be of interest to you, too.
[1] http://halplant.com:88/software/Solaris/scripts/setup_rc
[2] http://www.sun.com/blueprints/1102/816-5241.pdf
[3] http://www.sun.com/blueprints/1100/minimize-updt1.pdf

-Andrew-
_______________________________________________________________________
| -Andrew J. Caines- Unix Systems Engineer A.J.Caines@halplant.com

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 10:34:05 +0200
From: Gandalf el gris <gandalf@tierramedia.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Hi Chris

By default Sun Solaris come with a lot of open services. If you want to close these services you can use a Security tool like JASS or Titan, or make it by yourself with a guide, a very good book about that is Syngress Hack Proofing Sun Solaris.

With JASS you can harden your system closing almost all open ports, or securing them. JASS is a Sun developed software and is the tool that SUN use to harden their systems.

I hope this can help you.

Cheers

Marcos

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 10:25:14 -0400 (EDT)
From: Mark Montague <markmont@umich.edu>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

You can install a copy of lsof. It doesn't come standard with Solaris 8, but you can get it from ftp://vic.cc.purdue.edu/pub/tools/unix/lsof

Running "lsof -i" will tell you what processes are using which ports. This will tell you which /etc/init.d scripts to disable.

If you are not actually using a port, you should not have it open, in my opinion. A common mistake is to leave a port open because you might need it. Turn off the service, and if you ever wind up needing it, turn it on (permanently) then.
Mark Montague
LS&A Information Technology
The University of Michigan
markmont@umich.edu

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 13:19:04 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

On Tue, Apr 27, 2004 at 09:45:03PM -0400, Chris Hoogendyk wrote:
> Why does Solaris (e.g. 8) have so many ports open even when I've gone
> through inetd.conf and commented out virtually everything?

The glib answer: Because Sun ships systems that way in order to minimize support costs to them: otherwise they'd be fielding an endless stream of "Why doesn't FOO work?" calls. Compare/contrast with OpenBSD, which ships with darn near everything turned off by default.

The more useful answer: Because while inetd "listens on behalf of other daemons" and thus opens those ports that those daemons provide services on, some daemons and other processes do their own listening: thus any ports that they choose to open are, uh, open.

> Does anyone know where there is a guide or discussion of the absolute
> minimum necessary and what you lose or don't lose by shutting down
> everything else? I don't want to use a port blocking mechanism. I use
> tcpwrappers to regulate access to ports that I do want open. It seems I
> should find the source of excess ports and actually shut down the
> processes that are opening them. I presume a lot of them come from rc2.d
> or rc3.d.

The best answer to this is "it depends", because which ones you can turn off without disabling a vital service depends on which services are vital to you. I can offer three bits of guidance:

1. Get lsof, as mentioned in the Sun-Manager's FAQ, because running lsof will enable you to figure who has which port(s) open.

2. Resist the temptation to disable everything at once.
Again, this depends on what you're doing with your system, but even when I *know* that eventually I will probably end up turning off lots of things, I've found it better to take things one step at a time, and make sure -- after each change -- that everything I think should still be working IS still working.

3. Things that I find that I can often disable without screwing things up (and these are from Solaris 9, so salt to taste):

	nfs.client
	nfs.server
	lp
	keymap
	sendmail
	volmgt
	autofs
	init.snmpdx
	init.dmi
	picld
	skipkey

---Rsk

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 23:34:48 -0600
From: Colin Bigam <colin@west.gecems.com>
Reply-To: colin@west.gecems.com
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Hi Chris;

First of all, if services are shut down in inetd, then you'll probably find about five remaining ports open. Sendmail (port 25) is one you can shut down in Solaris 8, and still mail out stuff from that machine. nfs.client can safely be shut down if the machine won't be NFS mounting anything. The remaining few are probably RPC-related ports. It's close to impossible to shut down RPC entirely, so you'll have to look at deregistering them. Getting this far will eliminate nearly all of the open ports.

As for a guide, Sun has a whitepaper on hardening Solaris/Sparc. Look that up, and you'll get quite a few interesting bits of info.

Colin

--
Colin Bigam
Senior Unix Analyst, GEITS
colin@west.gecems.com
(403) 699-4584

-------- Original Message --------
Subject: RE: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 23:25:40 -0400
From: Roetman, Paul <PRoetman@csxwt.com>
To: Chris Hoogendyk <choogend@library.umass.edu>

Sun put out this doc:

Minimizing the Solaris Operating Environment for Security
816-5241.pdf

Which has some quite good reading!
Cheers
Paul

-------- Original Message --------
Subject: RE:why so many ports open on Solaris
Date: Wed, 28 Apr 2004 14:39:42 +0200
From: Pavic, Aleksander <Aleksander.Pavic@telekom.de>
To: choogend@library.umass.edu

Hi,

rpc Services are not handled with /etc/inetd.conf. If you really want to disable everything and open just the things you need, you have to disable the S71rpc script in /etc/rc2.d. But think about your needs, some services need rpc (like nis, nfs).

There are probably some other services that are not controlled by rpc or inetd.conf. Then you have to disable the startscript for this service. To find out the startscript for a service that's called "lala" you can mostly find all scripts with 'find /etc/rc?.d | xargs grep -i lala'.

HTH
Aleks

-------- Original Message --------
Subject: RE: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 08:40:15 -0400
From: Brent Mcdaniel <Brent.McDaniel@TheICE.com>
To: Chris Hoogendyk <choogend@library.umass.edu>

Chris,

We tie our boxes down to only ssh and whatever app is running on it, i.e. Weblogics, database, etc.... So if you have commented out almost everything in /etc/inetd.conf and HUP'd it, then the only other place would be in /etc/rc2.d and /etc/rc3.d

If you want to give me a list from a "netstat -an | grep LISTEN" and "netstat -an | grep Idle", I'd be happy to tell you what ports those are and how to stop that process.
Brent

I n t e r c o n t i n e n t a l E x c h a n g e
_____________________________________________
Brent McDaniel | http://www.intcx.com |
Senior Systems Administrator
cell

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 09:31:56 -0400
From: Matt Clausen <mclausen@csit.fsu.edu>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

A lot of the inetd processes will hang around even after you restart the inetd server (either by a kill -HUP to force it to reread its configuration file or killing it all together and restarting it). If you reset the box you may find that a lot of the open ports will disappear. You can also use tools like nmap to scan these ports and it will often give you some clues as to what the ports that are open are.

-------- Original Message --------
Subject: Solaris network ports open
Date: Wed, 28 Apr 2004 08:31:54 -0400
From: Schernau, Ed <Edward.Schernau@citizensbank.com>
To: 'choogend@library.umass.edu' <choogend@library.umass.edu>

Just install ipfilter, then they won't see any ports open. I routinely do it here, to mask my machines from prying eyes. Set up a policy to drop all but the stuff you know about.

Ed Schernau
Systems Management Specialist, ECC
Citizens Bank, East Providence Operations Center
401.282.1262
ed.schernau@citizensbank.com

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 00:47:36 -0500
From: Kelly Setzer <Kelly.Setzer@LiquidChicken.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

<snip>

In my crankier moods, I dream about just typing 'killall' and pronouncing the system "secure".

Kelly < ;-) >

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 00:58:37 -0500 (EST)
From: J. Oquendo <sil@politrix.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

You more than likely have some of the RPC services open. Grab yourself a copy of lsof from Sunfreeware.com if you don't have it and lsof | grep -i listen to see what exactly is accessing what port using what.

Another thing you may want to do to really restrict the machine itself is looking into using ACL's if you have users, and running Titan on the machine. Titan is available for free via www.fish.com and is a pretty nifty tool.

TCP Wrappers if you ask me are rather obsolete; I haven't used them since about 1998 or so. Currently on my personal machine I have it modified by Titan which resolves almost 95% of the problems, I've got most known patches I need, and I have a modified version of Pitbull running on this machine. (www.argus-systems.com) Although Pitbull is not free, it is worth picking up if you have a budget.

Other tools I used are for deception. Modified DTK (Deception Tool Kit), Port Sentry. I used to run Snort to maintain awareness of who was doing what but too many false positives, and a high load on the system made me chuck it.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 19:03:06 -0700
From: Roy S. Rapoport <rsr@inorganic.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

*TWO* ports? These sort of naive fools are what makes security so hard! An open port is an invitation to hacking, which is why I prefer to keep my systems with all network ports closed, superglue gumming up the serial and network interfaces, power disconnected, and the machine itself embedded in half a ton of concrete.

That's the only way to be sure!

Sorry :)

You likely need exactly as many ports open as services you're offering, no more and no less.
This likely means 1 (remote access) + whatever public services you're offering. For servers, this is quite easy -- if you've got a web server, you really should only have, say, 22 (for ssh) and 80 open. For desktops it gets a bit ugly because every full-featured desktop system out there seems to rely on network ports for some of its communication.

Regardless, there are two sources for open ports on Solaris (well, and other systems): inetd will spawn ports if it's configured to do so; and server processes will always be listening on a given port.

You *can* -- and *should* -- run through every process running on the machine, familiarize yourself with it, and know what it does.

You *can* -- and *should* -- then go and check out JASS, the Jumpstart Architecture and Security Scripts, AKA the Solaris Security Toolkit. JASS, when integrated with Jumpstart, will result in systems that come out of the jumpstart process nicely tight. JASS is also a really nice architecture to manage Jumpstart, by the way.

Hope this helps,

-roy

-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 20:57:19 -0500 (CDT)
From: Mike's List <mikelist@sky.net>
To: Chris Hoogendyk <choogend@library.umass.edu>

So list the ports so others can see what it is and tell you where it's coming from.

Yes, some ports are open when some services are enabled, in /etc/rc2.d and /etc/rc3.d. ie. if you don't need /etc/rc3.d/S16boot.server, stop the process and rename the file so it won't start.

www.sun.com/bigadmin --start here and search.
http://www.spitzner.net/
http://www.fish.com/titan/
http://www.yassp.org/

- Mike

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Wed Apr 28 14:11:17 2004
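
The audit the replies above describe (list the listeners with lsof, trace each one to its startup script, and check again after patching), as an added example that is not part of the original thread or any poster's script. The lsof lines and the rc tree are constructed sample data, the function names are hypothetical, and the four script names are taken from the list in Simon Burr's reply.

```shell
#!/bin/sh
# Added example; every sample value below is constructed, not captured.

# Constructed output in the format of `lsof -i -P -n` (numeric ports, no DNS).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE        SIZE/OFF NODE NAME
sshd    257 root 3u IPv6 0x30001e54638 0t0 TCP *:22 (LISTEN)
sshd    257 root 4u IPv4 0x30001e547b8 0t0 TCP *:22 (LISTEN)
rpcbind 141 root 3u IPv4 0x30001e54938 0t0 UDP *:111
rpcbind 141 root 4u IPv4 0x30001e54ab8 0t0 TCP *:111 (LISTEN)
snmpdx  330 root 5u IPv4 0x30001e54c38 0t0 UDP *:161
sshd    902 root 7u IPv4 0x30001e54db8 0t0 TCP 10.0.0.5:22->10.0.0.9:51322 (ESTABLISHED)'

# Startup scripts this host is meant to keep disabled (names from the thread).
DISABLED_SCRIPTS="rc2.d/S71rpc rc2.d/S99dtlogin rc3.d/S15nfs.server rc3.d/S76snmpdx"

# stdin: lsof -i -P -n output. stdout: "port/proto command pid", one per socket.
# TCP sockets count when in LISTEN state, UDP sockets when unconnected.
listeners() {
    awk 'NF < 3 { next }
         { name = "" }
         $NF == "(LISTEN)"               { name = $(NF-1); proto = "tcp" }
         $(NF-1) == "UDP" && $NF !~ /->/ { name = $NF;     proto = "udp" }
         name != "" { n = split(name, a, ":"); print a[n] "/" proto, $1, $2 }' |
    sort -u | sort -n
}

# $1: space-separated allowlist such as "22/tcp 80/tcp". Prints the rest.
unexpected_listeners() {
    allowed=" $1 "
    listeners | while read -r port cmd pid; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$port $cmd $pid" ;;
        esac
    done
}

# $1: filesystem root, $2: daemon name. Prints enabled rc scripts that mention
# it (same idea as the find | xargs grep in Aleksander Pavic's reply).
scripts_for() {
    grep -l -- "$2" "$1"/etc/rc?.d/S* 2>/dev/null | sed "s|^$1||"
}

# $1: filesystem root. Prints scripts from DISABLED_SCRIPTS that exist under
# their original S* name again, for example after a patch cluster.
reenabled_scripts() {
    for s in $DISABLED_SCRIPTS; do
        if [ -f "$1/etc/$s" ]; then echo "/etc/$s"; fi
    done
}

# Constructed rc tree: two scripts still renamed "no.*", two put back.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/rc2.d" "$t/etc/rc3.d"
    echo '/usr/sbin/rpcbind'           > "$t/etc/rc2.d/S71rpc"
    echo '/usr/dt/bin/dtlogin -daemon' > "$t/etc/rc2.d/no.S99dtlogin"
    echo '/usr/lib/nfs/nfsd -a 16'     > "$t/etc/rc3.d/no.S15nfs.server"
    echo '/usr/lib/snmp/snmpdx'        > "$t/etc/rc3.d/S76snmpdx"
    echo "$t"
}

demo() {
    root=$(make_demo_tree)
    echo "Unexpected listeners (allowed: 22/tcp):"
    printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners "22/tcp" |
    while read -r port cmd pid; do
        echo "  $port $cmd (pid $pid) <- $(scripts_for "$root" "$cmd" | tr '\n' ' ')"
    done
    echo "Startup scripts enabled again:"
    reenabled_scripts "$root" | sed 's/^/  /'
    rm -rf "$root"
}
demo
```

On a live host the input would come from `lsof -i -P -n` and the root argument would be the empty string; run it after each patch cluster as well as after the initial lockdown.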
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:31 EST