I summarize what we basically plan to do.

Thanks to:
Henrik Huhtinen
Brent Killion
Jay Lessert
Sergio Gelato
Mike Peppard
Bill Mooney
Andrew Stueve
Adrian Blount
Vincent Power
Alex Slade
Randy Romero

1) Start with a minimal install

2) We compiled BIND 9.1.3 from the source and then distributed (Jumpstart) it to the DNS servers.
   Several recommended alternatives to BIND - djbdns (http://www.djbdns.com), tinydns.
   It was also recommended to run DNS in a chrooted jail.

3) Harden the system, you only want to run DNS and possibly ssh
   There are several tools and documents available to assist you in hardening a Solaris system:
   Titan http://www.fish.com/titan
   JASS http://www.sun.com/security
   YASSP http://www.yassp.org
   Solaris ASET
   <http://www.securityfocus.com/focus/sun/articles/harden1.html>
   <http://www.securityfocus.com/focus/sun/articles/harden2.html>
   <http://www.enteract.com/~lspitz/armoring.html>

4) If going to use ssh also implement TCPWrappers

5) Tripwire

6) Have the external DNS servers be cache servers from an Internal DNS server which is authoritative.

7) Remove any unneeded accounts from passwd.

8) Put the machine(s) on a switch vs hub.

Blaine Owens
Eastman Chemical Company
Phone - (423)-229-3579
Cell Phone - (423)-817-0704
Fax - (423)-229-1188
bowens@eastman.com

Received on Mon Oct 1 19:39:00 2001
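
An added example, not part of the original post: a small shell audit for steps 3 and 7 that lists accounts outside a keep-list, non-root UID 0 accounts, and services still enabled in an inetd.conf file. The keep-list, the `named` account name and the script name are assumptions to adjust per site.

```shell
#!/bin/sh
# Audit helpers for steps 3 and 7 of the checklist (added example).
# On Solaris the old /usr/bin/awk does not support -v; set AWK=nawk there.
AWK=${AWK:-awk}

# Assumed keep-list for a DNS-only host; "named" is a hypothetical BIND user.
KEEP_ACCOUNTS="root daemon bin sys adm nobody named"

# Step 7: list accounts in a passwd-format file that are not on the keep-list.
extra_accounts() {
    "$AWK" -F: -v keep="$KEEP_ACCOUNTS" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^#/ || NF < 7 { next }
        !($1 in ok) { print $1 }
    ' "$1"
}

# Step 7: list accounts other than root that carry UID 0.
uid0_accounts() {
    "$AWK" -F: 'NF >= 7 && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 3: list services still enabled (not commented out) in an inetd.conf file.
enabled_inetd_services() {
    "$AWK" '/^[ \t]*#/ || NF == 0 { next } { print $1 }' "$1"
}

# Usage (hypothetical script name): audit.sh /etc/passwd /etc/inet/inetd.conf
if [ "$#" -eq 2 ]; then
    echo "Accounts not on keep-list:"; extra_accounts "$1"
    echo "Non-root UID 0 accounts:";   uid0_accounts "$1"
    echo "Enabled inetd services:";    enabled_inetd_services "$2"
fi
```

On a host hardened as described, the inetd list should be empty and the account list should contain only names you can justify.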