Thanks to the following for their input:

Thomas Cannon
Tim Chipman
Brian Dunbar
John Elser
Paul Foti
Rick Francis
Tom Heinrichs
Brent Killion
Rich Kulawiec
Steve Mickeler
Jedrzej Nasiadek
Hamid Ouyachi
John Riddoch
Craig Scott
Justin Stringfellow
John Tan
Hendrik Visage
Don Werve
Anonymous from <sysadmin@astro.su.se>

Several people were curious what our product is. It's a content-optimizing web proxy server designed to be used in "slow" end-user connection type networks such as portable cell phones. The current generation of cell phone operates at 9600-14400 baud, which makes web surfing very unpleasant. We sell our servers to the large telecom industry players, but we have just started offering a service ourselves to end users. For more information check out: bluekite.com

---

Here are the suggestions received, in order of receipt:

---

Use OpenBSD instead of Solaris 8.

---

Run the Solaris install and specify "no" to almost everything.

---

Look at JASS (Solaris Security Toolkit).

---

Lay down the install using the minimum configuration option (as opposed to the full OEM version). Test app.
Remove your /etc/inetd.conf file. Test app.
Set up secure routes (this may cost you dollars). Test app.
Remove startup scripts you don't want from /etc/rc2.d and rc3.d. Test app.

---

See the SANS guide: Solaris Security: Step-by-Step
http://www.sansstore.org/Merchant/solaris.htm

---

Lance Spitzner's 'Armoring' series.
---

http://www.sans.org
http://www.linuxsecurity.com
http://www.packetst0rm.net/armor_solaris.txt
http://www.usenix.org/sage/sysadmins/solaris/index.html
http://fixsolaris.sunhelp.org/fixsolaris.txt
http://www.sun.com/blueprints/1100/minimize-updt1.pdf
http://www.sun.com/blueprints/1200/network-updt1.pdf

See "Securing Public Web Servers" at http://www.cert.org/security-improvement/

Try the hardening tools at
http://www.sans.org/
http://www.cert.org/
http://www.cisecurity.org/

Specific to Solaris: http://www.yassp.org/

---

Do an End User installation (the one just below a Developer installation), choosing some extra stuff like the GNU utilities etc. as per your liking. Then, once installed and connected, start culling the /etc/rc?.d/S* files and the packages that are not needed.

---

Your best bet is probably to install the core OS, which will include the base networking you require. Next, add the stuff you need (if you're unsure which package a file is in, do a full install elsewhere and grep /var/sadm/install/contents for the file). Finally, do a check on pkginfo and pkgrm anything you don't think you need. Test, and add anything which is missing.

---

There was a Sun paper about that (probably available from sun.com). I can send it to you if you want (and if I find it among my files :-) Besides, I strongly recommend you install IPFilter, block everything, and just select which communication you want to pass and which to block.

---

www.sun.com/blueprints/browsesubject.html

---

Well, you might want to take a look at Sun's Blueprint docs: www.sun.com/blueprints. They have a document for a secure install of an application (in this case iPlanet). The doc title is: Solaris Operating Environment Minimization for Security: A Simple, Reproducible and Secure Application Installation Methodology, by Alex Noordergraaf.
---

- Try to do a minimal package install
- Hope I haven't broken a bit of functionality I'll actually need
- Boot the system
- Use "ps" to see what's running; adjust /etc/rc* and /etc/inetd.conf to turn off as much as possible
- Use "lsof" and "nmap" (both open-source tools) to figure out what ports are open and what's listening on them. (lsof lists which processes have which files open; that includes sockets. nmap is a pretty good port scanner.) Back to /etc/rc* and /etc/inetd.conf to turn things off.
- Remove the daemons and clients for all the things I've turned off in previous steps. Also remove working/spool directories such as found in /var. Also remove any sockets or device entries associated with the service. (This is the step where I tend to start making mistakes, because much of the documentation is wrong or incomplete.)
- Remove as much static data as possible. That means /usr/man/*, /usr/include/*, and so on. This doesn't directly do a lot for security, but it does reduce the size of the installed base, so that when I put an integrity checker (e.g. tripwire) on the system, it will have less to keep track of.
- Clean out /usr/bin, /usr/sbin, etc. as much as possible. This is another error-prone step, so I tend to move things to temporary locations rather than actually delete them. (That comes after I've made sure I still have a working system.)
- Test requisite functionality to make sure nothing I've done has broken the box for the purpose it's going to serve.
- Repeat as much as necessary.
- When I'm satisfied, record the system config.

In your case, you might want to even consider burning a CD with the very tiniest config you can come up with so that your customers can install that, then your product, and move on. (I'm not sure what the licensing ramifications of that wrt Sun would be, though.)

---

I *think* that someone did some work on that sort of thing here [at Sun] - it's not an uncommon query, but I don't know who.
You may get some mileage from speaking to a salesman in case they know some more about it.

---

http://www.cert.org/security-improvement/implementations/i027.02.html

To "really" be paranoid, also install host-based firewall software on the server as well, so that **ALL** access is 100% controlled. Makes TCP Wrappers look like a plaything. :-) (SunScreen Lite is free from Sun and should do the trick. Be warned that IPF (freeware host-based firewall) has given us a tiny bit of grief here in the past while -- mystery system hangs were finally diagnosed to IPF after a month of hell - so alas I am not sure I can recommend IPF for Solaris at this time.) If it is to be a public web server, you could then set up a port mapping to grant fully public access against HTTP port 80, and have *everything* else locked down (i.e., other than HTTP, have only SSH into the box open from a certain privileged client box, for instance).

---

I believe there's a Sun Blueprint (http://www.sun.com/blueprints/) on that topic. As a first cut, you could install only the SUNWCreq cluster, then add packages only as needed. Sun's approach seems to be to install SUNWCuser, then run JASS and remove any unneeded stuff. (I'm talking about the security-conscious side of Sun; the rest will install SUNWCXall as a matter of policy.)

---

Do the normal disabling of services that you won't run (like portmap), and go the extra mile by chmodding the binaries (of things like portmap) to '000'.

---

Solaris Security by Peter Gregory, and Hack Proofing Sun Solaris 8 by Wyman Miles, Ed Mitchell, William Lynch and Randy Cook.

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Tue Jan 8 12:32:12 2002
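The "see what's listening, then turn it off" loop that several of the replies above describe (netstat/lsof to find listeners, comment out /etc/inetd.conf, disable /etc/rc?.d/S* scripts, re-check), as an added example that is not part of the thread or of any Sun tool. It is POSIX sh and runs on constructed input so it can be tried anywhere: the inetd.conf lines, the rc3.d file names and the `netstat -an` excerpt are all made up, and the rename-to-`_S...` convention is an assumption chosen because /sbin/rcN only executes names beginning with S or K, so a renamed script is skipped but can be put back. On a real Solaris 8 box you would point it at /etc/inetd.conf, /etc/rc2.d and /etc/rc3.d and feed it live `netstat -an` output.

```shell
#!/bin/sh
# Added example, not from the thread. Finds listeners, allowlists inetd
# services and rc start scripts, and re-counts what is left.

# Print the ports in LISTEN state from Solaris-style `netstat -an` text
# on stdin. Local addresses look like "*.22" or "10.0.0.5.22"; the port
# is whatever follows the last dot. One port per line, sorted, unique.
listening_ports() {
    awk '$NF == "LISTEN" { sub(/.*\./, "", $1); print $1 }' | sort -n | uniq
}

# Comment out every active entry in an inetd.conf-style file except the
# services named (space separated) in $2. Output goes to stdout so the
# caller can diff it before replacing the real file.
harden_inetd() {
    _file=$1; _keep=$2
    while IFS= read -r _line; do
        case $_line in
            ''|\#*) printf '%s\n' "$_line"; continue ;;
        esac
        set -f; set -- $_line; set +f   # field 1 = service name, no globbing
        _ok=0
        for _k in $_keep; do
            if [ "$1" = "$_k" ]; then _ok=1; fi
        done
        if [ "$_ok" -eq 1 ]; then printf '%s\n' "$_line"
        else printf '#%s\n' "$_line"; fi
    done < "$_file"
}

# Count the entries still active (neither blank nor commented) in a file.
active_entries() {
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# Disable every S* start script in an rc directory except those named in
# $2. Renaming (S76snmpdx -> _S76snmpdx) is an assumed convention: the rc
# runner ignores the renamed file, and it can be restored with one mv.
disable_rc_scripts() {
    _dir=$1; _keep=$2
    for _f in "$_dir"/S*; do
        [ -f "$_f" ] || continue
        _name=${_f##*/}
        _ok=0
        for _k in $_keep; do
            if [ "$_name" = "$_k" ]; then _ok=1; fi
        done
        if [ "$_ok" -eq 0 ]; then mv "$_f" "$_dir/_$_name"; fi
    done
}

# Build a constructed sample tree (not a real host) and run the loop.
# Prints one summary line so the result can be checked mechanically.
demo() {
    _t=$(mktemp -d) || return 1
    mkdir "$_t/rc3.d"
    for _s in S15nfs.server S50apache S76snmpdx S99dtlogin; do
        : > "$_t/rc3.d/$_s"
    done
    cat > "$_t/inetd.conf" <<'EOF'
# constructed inetd.conf sample in Solaris 8 layout
ftp       stream tcp     nowait root   /usr/sbin/in.ftpd    in.ftpd
telnet    stream tcp     nowait root   /usr/sbin/in.telnetd in.telnetd
finger    stream tcp     nowait nobody /usr/sbin/in.fingerd in.fingerd
100232/10 tli    rpc/udp wait   root   /usr/sbin/sadmind    sadmind
EOF
    # constructed `netstat -an` excerpt from the same imaginary host
    _ports=$(printf '%s\n' \
        '      *.22                 *.*                0      0 24576      0 LISTEN' \
        '      *.80                 *.*                0      0 24576      0 LISTEN' \
        '      *.111                *.*                0      0 24576      0 LISTEN' \
        '      *.23                 *.*                0      0 24576      0 LISTEN' \
        '10.0.0.5.22          10.0.0.9.4132     8760      0 24820      0 ESTABLISHED' \
        | listening_ports | tr '\n' ',' | sed 's/,$//')
    harden_inetd "$_t/inetd.conf" "" > "$_t/inetd.conf.new"   # keep nothing
    disable_rc_scripts "$_t/rc3.d" "S50apache"                # keep the web server
    _left=$(ls "$_t/rc3.d" | grep -c '^S')
    printf 'listening=%s active_inetd=%s rc_enabled=%s\n' \
        "$_ports" "$(active_entries "$_t/inetd.conf.new")" "$_left"
    rm -rf "$_t"
}

demo
```

The summary line reports the listeners found before hardening (22, 23, 80 and 111 here), how many inetd entries survived the allowlist (none, since the proxy needs no inetd service) and how many rc3.d start scripts are still enabled (one, the web server). After the real edits, run `netstat -an` through `listening_ports` again; anything other than the ports you meant to keep is a daemon you have not yet tracked back to its rc script or inetd entry.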
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:31 EST