SUMMARY: why so many ports open on Solaris

From: Chris Hoogendyk <choogend_at_library.umass.edu>
Date: Wed Apr 28 2004 - 14:11:37 EDT
boatload of replies. thanks to everyone. it looks like I have some 
serious work to do. I'll do a very brief summary, but the only way to do 
justice to the richness of the replies is to include a number of them at 
the end of this, after my original message.

key item that one person gave me was that the install option you choose 
is important. I had installed the entire distribution, figuring that the 
programming tools would be there. I should have installed the minimal 
system for servers.

next is to clean out rc2.d and rc3.d in addition to inetd.conf. lots of 
things started from there. of course, I had done a 'kill -HUP' of the 
inetd process, but it is also necessary to restart the system or kill 
processes that have already been started. in this case, I had actually 
restarted the system.

tools:

   -- lsof widely recommended. get it from sunfreeware or from purdue. 
'lsof -i' gives ports and processes. can pipe to grep. 
http://www.sunfreeware.com

   -- jass, Sun's security tightening tool. get it from Sun. it's a 
script. can read it. can modify it. can just run it. 
http://www.sun.com/security

   -- someone pointed to a setup_rc script that removes all the stuff 
you don't want. run it again after doing patches, because patches can 
put startup scripts back in. I had already encountered this with 
sendmail. I get rid of it, do recommended patches, then have to get rid 
of it again. best to completely uninstall stuff you don't want so a 
startup script won't find it anyway.

lots more detail in the replies, and a chuckle or two.


Thanks again to everyone.




---------------

Chris Hoogendyk

-
    O__  ---- Network Specialist & Unix Systems Administrator
   c/ /'_ --- Library Information Systems & Technology Services
  (*) \(*) -- W.E.B. Du Bois Library
~~~~~~~~~~ - University of Massachusetts, Amherst

<choogend@library.umass.edu>

---------------





-------- My Original Question --------
Subject: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 21:45:03 -0400
From: Chris Hoogendyk <choogend@library.umass.edu>
To: Sun Managers <sunmanagers@sunmanagers.org>

Why does Solaris (e.g. 8) have so many ports open even when I've gone
through inetd.conf and commented out virtually everything?

I've got several web guides to securing Solaris. I've seen the SysAdmin
Magazine articles on locking down Solaris. I've done all that stuff. But
I still have ports open whose purposes and sources I don't understand.

Does anyone know where there is a guide or discussion of the absolute
minimum necessary and what you lose or don't lose by shutting down
everything else? I don't want to use a port blocking mechanism. I use
tcpwrappers to regulate access to ports that I do want open. It seems I
should find the source of excess ports and actually shut down the
processes that are opening them. I presume a lot of them come from rc2.d
or rc3.d.

I'm getting hammered by some folks who think I should only have about 2 
ports open.

TIA





-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 21:55:15 -0400
From: Chris <kingsqueak@kingsqueak.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Couple tips for you.  It takes forever to manually go figure out all
the processes that are running with listening ports.  To save a TON of
time, check www.sun.com/security and get the "JASS" script they have
there for free.  Take a moment to read through it and then run it.  It
will lock the box down but good.  Actually just a heads up, it will
leave NO means to connect to the box over the network and lock out
root login from anything but the console.  That is the default.  You
can customize your own 'profile' to choose what it leaves running or
not once you get used to how the script works.

Another tip, www.sunfreeware.com , get 'lsof' it's there as a sun
package.  lsof 'lists open files' including network connections.  You
can find out what user/process owns any open files or network sockets
on a running system.  It's handy for what you're doing, it's also
handy to figure out what process is hanging on to a mounted filesystem
when you try to unmount it (CD or floppy in particular).

For general box security, there's a mildly useful utility called ASET,
check into that as well, it handles locking down the ridiculously wide
open file permissions on a system.  It is a script as is JASS.







-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 10:02:21 +0100
From: Simon Crowther <SCrowthe@msxi-euro.com>
To: choogend@library.umass.edu

Chris,

You have to consider that the Solaris target audience is very broad,
from workstation users through developers to large server environments.
Some of these users will not have a great Sys Admin background or
knowledge, and these users especially will want a more no hassle
approach to installations where products and services are installed and
running that might be integral to a 3rd party application.
With so many 3rd party apps out there having differing dependencies,
it's no wonder there is an "all lights on" approach...

Solaris does address this to a degree, by having different install
options, packages are clustered in the following fashion:

Core install
End User System Support
Developer System Support
Entire Distribution
Entire Distribution + OEM

The core install is considered a minimum package set required which is 
supported by SUN (this may have changed now, since the popularity of the 
Sun Blueprints Minimisation Document which describes hardening 
techniques and further package removal)

The Entire Distribution + OEM installs a great deal of product and
services.

The considerations for what should be running and what should not are 
dependent on the intended end use of the machine. For instance, a 
back-end server that runs a database which serves a web site may only 
have SSH and Oracle related daemons listening.

The folk you speak of are right in principle, as you should attempt to 
configure your servers to serve only the services that make up its 
intended use. some people achieve this by placing a host based firewall 
on the server or by setting TCP Wrappers and editing inetd.conf (which 
is similar to installing a host based firewall) and others will go for a 
"Defense in depth" approach...

So the big question is: HOW?

This has been covered by many Docs and articles out on the web, but 
limiting factors are so often time and/or experience.

A good starting point is Sun's Blueprints which can be found here:

http://www.sun.com/solutions/blueprints/browsesubject.html

In particular (this one is Solaris 9):

http://www.sun.com/blueprints/1102/816-5241.pdf

Other examples of minimisation work can be found here:

http://www.spitzner.net/

also there are many varied documents here:

http://www.securityfocus.com/infocus/unix

Good resources to be found here:

http://www.stokely.com/unix.sysadm.resources/faqs3.sun.html#perf.tun

and a good step by step document here:

http://www.filibeto.org/sun/lib/security/hardening_solaris_v0.86.pdf

It will take time for you to develop safe and solid techniques, but the 
more you put in, the more you will get out ;-)

Hope this helps,

Simon Crowther.







-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 21:27:38 -0700
From: Ric Anderson <ric@Opus1.COM>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Depends on the use of the machine.  rpcbind services (like
ttdbserver) run on workstations, but are not needed on servers.

Make darn sure you have * Security fix - prevent execution on stack...

   set noexec_user_stack=1
   set noexec_user_stack_log=1

in /etc/system, and you rebooted since you put those lines there; that
will stop most of the crap (if you are running on Sparc hardware).  The
Intel lovers have no hardware equivalent protection, as the pentium and
lower chips don't differentiate between stack read and stack execute on
a per-page basis.  Itaniums might have fixed that, but I don't know for
sure.

Sort of normal open ports are 22(ssh), 25 (smtp), 111 (RPC), 4045 
(lockd), and 3277x (rpc services, like statd and dtlogin).  If a 
windowing server is running, port 6000 (X11) will show up also.

This is about as far as I trim my machines.  I could, with more work, 
turn off sendmail, and run it from cron to make sure no outbound 
messages get queued up for any length of time, and kill off dtlogin. 
However, since all my boxes are either NFS clients (to mount home dirs) 
or NFS servers (or both), I can't get rid of rpcbind, statd, and lockd.

In a non-NFS, non-console windowing world you could hack the startup 
scripts to eliminate those boxes, but you'll then have to deal with 
patch installs undoing your work, or failing because you touched those 
scripts in some cases, so approach with caution.

Cheers,
Ric Anderson (ric@opus1.com)







-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 09:56:33 +0100
From: Simon Burr <simes@bpfh.net>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

I tend to just comment out all of inetd before sending it the HUP.

You have two options; one is to install IP-Filter which provides 
router-like ACLs on a per-network-interface basis. That will guarantee that 
even if a port is open, no one can reach it; this assumes that IP-Filter 
is configured correctly tho; you can get IP-Filter from 
http://coombs.anu.edu.au/~avalon/

I've got a couple of scripts which I run on servers which lock them down 
quite nicely. The first job I do is remove a gaggle of packages which I 
don't need or replace with others - a good example of this is removing 
the sendmail packages (replaced by Postfix) as sendmail has a habit of 
being re-enabled after patch clusters have been applied. The other job 
is to then disable certain startup scripts in /etc/rc2.d and /etc/rc3.d; 
personally I do this by prepending "no." to the start of the file names.

The scripts are:

## Remove certain packages
# Admin file so pkgrm runs non-interactively (no prompts, no dependency checks).
# The here-document terminator must start in column 0, so this block is not indented.
cat > /tmp/pkgrm-admin <<EOF
mail=
instance=unique
partial=quit
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=quit
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default
EOF
for rempkg in SUNWpppdt SUNWpppdu SUNWpppdr SUNWbnur SUNWbnuu SUNWsndmr \
              SUNWsndmu SUNWdialh SUNWdialx SUNWdial SUNWkdcu SUNWkdcr \
              SUNWapchd SUNWapchu SUNWapchr SUNWsshu SUNWsshr SUNWsshdu \
              SUNWsshdr SUNWsshcu SUNWsmbau SUNWsmbac SUNWsmbar SUNWntpr \
              SUNWntpu SUNWpsu SUNWpsr SUNWpcu SUNWpcr SUNWppm SUNWscplp \
              SUNWmp SUNWwbcor SUNWwbcou
do
  # Only try to remove packages that are actually installed
  pkginfo -q ${rempkg}
  if [ $? -eq 0 ]; then
    echo "Removing ${rempkg}"
    pkgrm -n -a /tmp/pkgrm-admin ${rempkg}
  fi
done
rm /tmp/pkgrm-admin

## Disable certain startup scripts
for file in /etc/rc2.d/S71ldap.client /etc/rc2.d/S71rpc \
            /etc/rc2.d/S73nfs.client /etc/rc2.d/S74autofs \
            /etc/rc2.d/S76nscd /etc/rc2.d/S80spc \
            /etc/rc2.d/S80lp /etc/rc2.d/S90wbem \
            /etc/rc2.d/S99dtlogin /etc/rc3.d/S15nfs.server \
            /etc/rc3.d/S16boot.server /etc/rc3.d/S34dhcp \
            /etc/rc3.d/S52imq /etc/rc3.d/S76snmpdx \
            /etc/rc3.d/S77dmi /etc/rc3.d/S80mipagent \
            /etc/rc3.d/S81volmgt /etc/rc3.d/S84appserv
do
  # Skip scripts that are not present (not installed, or already renamed)
  if [ ! -f $file ]; then continue ; fi
  # Prefix with "no." so /sbin/rcN no longer matches it as S*, but the
  # original name stays visible for later review
  new=`dirname $file`/no.`basename $file`
  mv $file $new
  if [ $? -ne 0 ]; then echo "Failed to rename $file" ; fi
done

Note that this is a fairly strict lockdown - for example volume 
management is disabled, along with dtlogin. The above works on Solaris 8 
and Solaris 9.

-- 
     Simon the stressed
     http://www.bpfh.net/
     simes@bpfh.net

     Chocolate is *not* a substitute for sleep








-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 23:34:05 -0400
From: Steve Sandau <ssandau@gwi.net>
Reply-To: ssandau@bath.tmac.com
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

If you never run CDE or any other GUI, you can have like 2 ports open. I
do this on an Oracle server on Sol 8. CDE, Gnome and so on open up
(need?) many ports to start with. In addition many other optional
services run out of scripts in /etc/rc2.d. I can't give you a list, but
I have tracked many down in the past by reading the script and looking
at the man page for the particular binary.

I think that KDE, Gnome and others open lots of ports on Linux as well.
Really minimal ports open is related to the window manager, not the OS.

My opinion anyway... ;)

SteveS







-------- Original Message --------
Subject: RE: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 08:31:30 -0400
From: William Enestvedt <William.Enestvedt@jwu.edu>
To: Chris Hoogendyk <choogend@library.umass.edu>

    Well, not everything listening on a port gets started via inetd, if 
I recall correctly. (See the instructions for installing TCP Wrappers: 
the explanation of the two methods of installation might shed more light 
on this than I can.)

    Also, you restarted inetd after changing its conf file, right? :7)

    SANS publishes a book about securing Solaris that's quite good; if 
you read through it, it explains why certain services are being disabled 
-- but I must confess that it wants you to accept their assurances pretty 
blindly.

    I have taken to disabling a lot of the things in /etc/rc2.d and 
rc3.d, but I try to read the man pages to figure out whether I can get 
by without them (like picld, which I'd love to shut off but which I 
*think* is required by Solaris) before I kill them.

    Sun's "JASS Toolkit" for securing Jumpstarting Solaris systems 
contains scripts for securing various services and ports. You could 
probably glean a lot from reading the supporting paper on the Sun 
Blueprints site.

    I think many Linux distributions use xinetd to start more 
services/daemons/processes than Solaris does, which is why they can rely 
on keeping more things disabled by default (feeling safe that the right 
stuff will get launched when it tickles xinetd). But I could be wrong.

-wde

--
Will Enestvedt
UNIX System Administrator
Johnson & Wales University -- Providence, RI
William.Enestvedt@jwu.edu







-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 10:58:57 -0400
From: Andrew J Caines <A.J.Caines@halplant.com>
Reply-To: Andrew J Caines <A.J.Caines@halplant.com>
Organization: H.A.L. Plant
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Chris,

You should have exactly as many ports open as are used by the network 
services you want offered by the system, no more.

inetd is just one handler of network services. Solaris comes with a 
bucketload of other servers which start by default on install, or after 
patching which puts the start scripts back. You are expected to manually 
turn them off, or better not install the software in the first place.

See the setup_rc script[1], which makes the process of removing all 
unwanted startup scripts. Run it after install and patching.

Consider removing the packages containing the software you don't use.

Since you didn't mention any details, you need to find out what's 
listening on those ports. I suggest using "lsof -i" and looking for 
processes in a LISTEN state on each port. You can look for the process 
listening on a particular port by specifying it, e.g.

# lsof -i :22
COMMAND PID USER   FD   TYPE        DEVICE SIZE/OFF NODE NAME
sshd    257 root    3u  IPv6 0x30001e54638      0t0  TCP *:ssh (LISTEN)
sshd    257 root    4u  IPv4 0x30001e547b8      0t0  TCP *:ssh (LISTEN)

A good reference is Alex Noordergraaf's Sun Blueprints, "Minimizing the 
Solaris Operating Environment for Security"[2] and "Solaris Operating 
Environment Minimization for Security: A Simple, Reproducible and Secure 
Application Installation Methodology"[3]. Other Blueprints will probably 
be of interest to you, too.


[1] http://halplant.com:88/software/Solaris/scripts/setup_rc
[2] http://www.sun.com/blueprints/1102/816-5241.pdf
[3] http://www.sun.com/blueprints/1100/minimize-updt1.pdf


-Andrew-

  _______________________________________________________________________
| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines@halplant.com
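Added example, not part of Andrew's reply or of any tool the thread names: a small POSIX sh script that turns the output of "lsof -i" into a list of bound ports with their owning process, and reports anything outside an allowlist of the services the box is meant to offer (the "exactly as many ports as services, no more" rule). The sample lsof output is constructed to match the column layout shown above; the PIDs and device addresses are made up. Ports appear as service names because lsof resolves them by default; run it as "lsof -i -P -n" for numeric ports and addresses and put the numbers in the allowlist instead.

```sh
#!/bin/sh
# Added example, not from the thread. Parses "lsof -i" output and flags bound
# ports outside an allowlist. SAMPLE_LSOF is constructed: the layout follows
# lsof on Solaris, but PIDs and device addresses are made up.

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE        DEVICE SIZE/OFF NODE NAME
sshd      257 root    3u  IPv6 0x30001e54638      0t0  TCP *:ssh (LISTEN)
sshd      257 root    4u  IPv4 0x30001e547b8      0t0  TCP *:ssh (LISTEN)
sshd      257 root    6u  IPv4 0x30001e54e50      0t0  TCP host:ssh->client:1034 (ESTABLISHED)
sendmail  312 root    5u  IPv4 0x30001e54a10      0t0  TCP *:smtp (LISTEN)
rpcbind   118 root    4u  IPv4 0x30001e54b20      0t0  TCP *:sunrpc (LISTEN)
rpcbind   118 root    5u  IPv4 0x30001e54c30      0t0  UDP *:sunrpc
dtlogin   401 root    3u  IPv4 0x30001e54d40      0t0  TCP *:32771 (LISTEN)'

# Read lsof output on stdin; print "proto port command pid" for every TCP
# socket in LISTEN state and every UDP socket that is bound but not connected
# (no "->" in the NAME column). Duplicate IPv4/IPv6 listeners collapse to one.
listeners() {
    awk '$1 != "COMMAND" && (($8 == "TCP" && $10 == "(LISTEN)") ||
                             ($8 == "UDP" && $9 !~ /->/)) {
            port = $9; sub(/.*:/, "", port)
            printf "%s %s %s %s\n", tolower($8), port, $1, $2
         }' | LC_ALL=C sort -u
}

# $1: space-separated allowlist of proto/port entries, e.g. "tcp/ssh tcp/smtp".
# Reads lsof output on stdin; prints "proto/port command[pid]" for each
# listener that is not on the allowlist.
unexpected_listeners() {
    allowed=" $1 "
    listeners | while read -r proto port cmd pid; do
        case "$allowed" in
            *" $proto/$port "*) ;;
            *) printf '%s/%s %s[%s]\n' "$proto" "$port" "$cmd" "$pid" ;;
        esac
    done
}

# Demo on the constructed sample: only ssh and smtp are wanted on this box.
printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners "tcp/ssh tcp/smtp"
```

Feeding a live system through it is "lsof -i | unexpected_listeners 'tcp/ssh tcp/smtp'"; every line it prints is a process to track back to its rc script or inetd.conf entry.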






-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 10:34:05 +0200
From: Gandalf el gris <gandalf@tierramedia.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Hi Chris

By default Sun Solaris comes with a lot of open services. If you want to 
close these services you can use a security tool like JASS or Titan, or 
do it yourself with a guide; a very good book about that is 
Syngress's Hack Proofing Sun Solaris.

With JASS you can harden your system, closing almost all open ports or 
securing them. JASS is Sun-developed software and is the tool that 
Sun uses to harden their systems.

I hope this can help you.

Cheers
     Marcos






-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 10:25:14 -0400 (EDT)
From: Mark Montague <markmont@umich.edu>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

You can install a copy of lsof.  It doesn't come standard with Solaris 
8, but you can get it from ftp://vic.cc.purdue.edu/pub/tools/unix/lsof

Running "lsof -i" will tell you what processes are using which ports. 
This will tell you which /etc/init.d scripts to disable.

If you are not actually using a port, you should not have it open, in my 
opinion.  A common mistake is to leave a port open because you might 
need it.  Turn off the service, and if you ever wind up needing it, turn 
it on (permanently) then.

                 Mark Montague
                 LS&A Information Technology
                 The University of Michigan
                 markmont@umich.edu







-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 13:19:04 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

On Tue, Apr 27, 2004 at 09:45:03PM -0400, Chris Hoogendyk wrote:
 > Why does Solaris (e.g. 8) have so many ports open even when I've gone
 > through inetd.conf and commented out virtually everything?

The glib answer:

Because Sun ships systems that way in order to minimize support costs to 
them: otherwise they'd be fielding an endless stream of "Why doesn't FOO 
work?" calls.  Compare/contrast with OpenBSD, which ships with darn near 
everything turned off by default.

The more useful answer:

Because while inetd "listens on behalf of other daemons" and thus opens 
those ports that those daemons provide services on, some daemons and 
other processes do their own listening: thus any ports that they choose 
to open are, uh, open.

 > Does anyone know where there is a guide or discussion of the absolute
 > minimum necessary and what you lose or don't lose by shutting down
 > everything else? I don't want to use a port blocking mechanism. I use
 > tcpwrappers to regulate access to ports that I do want open. It seems I
 > should find the source of excess ports and actually shut down the
 > processes that are opening them. I presume a lot of them come from rc2.d
 > or rc3.d.

The best answer to this is "it depends", because which ones you can turn 
off without disabling a vital service depends on which services are 
vital to you.

I can offer three bits of guidance:

	1. Get lsof, as mentioned in the Sun-Manager's FAQ, because
	running lsof will enable you to figure out who has which port(s)
	open.

	2. Resist the temptation to disable everything at once.  Again,
	this depends on what you're doing with your system, but even
	when I *know* that eventually I will probably end up turning
	off lots of things, I've found it better to take things one step
	at a time, and make sure -- after each change -- that everything
	I think should still be working IS still working.

	3. Things that I find that I can often disable without screwing
	things up (and these are from Solaris 9, so salt to taste):

		nfs.client
		nfs.server
		lp
		keymap
		sendmail
		volmgt
		autofs
		init.snmpdx
		init.dmi
		picld
		skipkey


---Rsk
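Added example, not from Rich's reply: the "one step at a time, and check that everything still works" discipline written down as a POSIX sh script. It parses Solaris-style "netstat -an" output (TCP sockets in LISTEN state, UDP sockets in Idle state), diffs a snapshot taken before disabling a start script against one taken after, and checks that a list of required ports is still bound. Both snapshots are constructed: the "after" one pretends lp and sendmail were disabled and an X server came up meanwhile; the column layout follows Solaris 8/9 netstat but the addresses and window sizes are made up.

```sh
#!/bin/sh
# Added example, not from the thread. Diffs two Solaris-style "netstat -an"
# snapshots (before and after disabling a start script) and verifies that the
# ports you still need are bound. Both snapshots are constructed.

BEFORE='UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.111                                Idle
      *.32771                              Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 24576      0 LISTEN
      *.25                 *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN
      *.515                *.*                0      0 24576      0 LISTEN
      *.4045               *.*                0      0 24576      0 LISTEN
      *.32771              *.*                0      0 24576      0 LISTEN
      10.0.0.5.22          10.0.0.9.1034  49640      0 24820      0 ESTABLISHED'

# Same box after S80lp and S88sendmail were disabled; X11 (6000) appeared
# because someone logged in on the console in between. Constructed.
AFTER='UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.111                                Idle
      *.32771                              Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN
      *.4045               *.*                0      0 24576      0 LISTEN
      *.6000               *.*                0      0 24576      0 LISTEN
      *.32771              *.*                0      0 24576      0 LISTEN
      10.0.0.5.22          10.0.0.9.1034  49640      0 24820      0 ESTABLISHED'

# Read netstat -an on stdin; print "proto/port" for every bound socket:
# TCP in LISTEN state, UDP in Idle state (bound, waiting for datagrams).
bound_ports() {
    awk '$NF == "LISTEN" { p = $1; sub(/.*\./, "", p); print "tcp/" p }
         $NF == "Idle"   { p = $1; sub(/.*\./, "", p); print "udp/" p }' | LC_ALL=C sort -u
}

# $1 = before snapshot, $2 = after snapshot. Prints "closed proto/port" for
# ports that went away and "opened proto/port" for ones that appeared.
port_changes() {
    b=$(printf '%s\n' "$1" | bound_ports | tr '\n' ' ')
    a=$(printf '%s\n' "$2" | bound_ports | tr '\n' ' ')
    for p in $b; do case " $a " in *" $p "*) ;; *) echo "closed $p" ;; esac; done
    for p in $a; do case " $b " in *" $p "*) ;; *) echo "opened $p" ;; esac; done
}

# $1 = snapshot, $2 = space-separated proto/port list that must still be bound.
# Prints each missing entry; returns 1 if anything is missing, else 0.
check_required() {
    bound=" $(printf '%s\n' "$1" | bound_ports | tr '\n' ' ') "
    rc=0
    for p in $2; do
        case "$bound" in *" $p "*) ;; *) echo "missing $p"; rc=1 ;; esac
    done
    return $rc
}

# Demo: report what the change closed and opened, then confirm that ssh,
# rpcbind and lockd (normal for an NFS box) are still bound.
port_changes "$BEFORE" "$AFTER"
if check_required "$AFTER" "tcp/22 tcp/111 udp/111 tcp/4045"; then
    echo "required services still bound"
fi
```

In practice the snapshots are "netstat -an > before.txt", one rc-script change plus a restart of the affected daemon, then "netstat -an > after.txt"; an unexpected "opened" line is as much a finding as a missing required port.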








-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 23:34:48 -0600
From: Colin Bigam <colin@west.gecems.com>
Reply-To: colin@west.gecems.com
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

Hi Chris;

First of all, if services are shut down in inetd, then you'll probably 
find about five remaining ports open. Sendmail (port 25) is one you can 
shut down in Solaris 8, and still mail out stuff from that machine. 
nfs.client can safely be shut down if the machine won't be NFS mounting 
anything.

The remaining few are probably RPC-related ports. It's close to 
impossible to shut down RPC entirely, so you'll have to look at 
deregistering them. Getting this far will eliminate nearly all of the 
open ports.

As for a guide, Sun has a whitepaper on hardening Solaris/Sparc. Look 
that up, and you'll get quite a few interesting bits of info.

Colin

--
Colin Bigam
Senior Unix Analyst, GEITS
colin@west.gecems.com
(403) 699-4584








-------- Original Message --------
Subject: RE: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 23:25:40 -0400
From: Roetman, Paul <PRoetman@csxwt.com>
To: Chris Hoogendyk <choogend@library.umass.edu>

Sun put out this doc:

   Minimizing the Solaris Operating Environment for Security

   816-5241.pdf

Which has some quite good reading!

Cheers

Paul







-------- Original Message --------
Subject: RE: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 14:39:42 +0200
From: Pavic, Aleksander <Aleksander.Pavic@telekom.de>
To: choogend@library.umass.edu



Hi,
RPC services are not handled via /etc/inetd.conf. If you really want to 
disable everything and open just the things you need, you have to 
disable the S71rpc script in /etc/rc2.d.

But think about your needs; some services need RPC (like NIS, NFS).

There are probably some other services that are not controlled by RPC or 
inetd.conf. Then you have to disable the start script for this service.

To find out the start script for a service that's called "lala" you can 
mostly find all scripts with 'find /etc/rc?.d | xargs grep -i lala'.


HTH
Aleks
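Added example, not from Aleks's reply or anyone else in the thread: a POSIX sh script that packages the three rc-script chores the replies describe as functions (Aleks's find/grep to locate the start script for a daemon, Simon Burr's rename-to-"no." disabling, and the summary's warning that patches put start scripts back) and exercises them against a throwaway directory tree built under mktemp, so it runs on any Unix without touching a real /etc. The script names are ones mentioned in the thread; their contents are stand-ins. On a Solaris box you would call the same functions with "/" as the root argument instead of the demo tree.

```sh
#!/bin/sh
# Added example, not from the thread. Locate, disable and re-check rc start
# scripts against a constructed tree under $root/etc/rc2.d and rc3.d.

# Build a constructed rc2.d/rc3.d tree under $1. Names are from the thread;
# the one-line bodies are stand-ins for the real Solaris scripts.
make_sample_rc_tree() {
    mkdir -p "$1/etc/rc2.d" "$1/etc/rc3.d"
    printf '#!/sbin/sh\n/usr/sbin/rpcbind\n'          > "$1/etc/rc2.d/S71rpc"
    printf '#!/sbin/sh\n/usr/lib/sendmail -bd -q1h\n' > "$1/etc/rc2.d/S88sendmail"
    printf '#!/sbin/sh\n/usr/lib/nfs/nfsd -a 16\n'    > "$1/etc/rc3.d/S15nfs.server"
    printf '#!/sbin/sh\n/usr/lib/snmp/snmpdx -y\n'    > "$1/etc/rc3.d/S76snmpdx"
}

# Which start script(s) mention a daemon or keyword? ($1 = root, $2 = pattern)
# Same idea as 'find /etc/rc?.d | xargs grep -i NAME'; already-disabled "no."
# copies are skipped so the answer reflects what still runs at boot.
find_start_scripts() {
    find "$1"/etc/rc?.d -type f ! -name 'no.*' -exec grep -il "$2" {} + | LC_ALL=C sort
}

# Disable one start script by prefixing "no.": /sbin/rcN only runs S* names,
# and the original name stays visible for review. No-op if the file is gone,
# so running the same list again after a patch cluster is harmless.
disable_script() {
    [ -f "$1" ] || return 0
    mv "$1" "$(dirname "$1")/no.$(basename "$1")" || echo "Failed to rename $1" >&2
}

# After patching: list scripts that reappeared next to a "no." copy, i.e. the
# ones that need disabling again. ($1 = root)
restored_scripts() {
    for disabled in "$1"/etc/rc?.d/no.*; do
        [ -f "$disabled" ] || continue
        name=$(basename "$disabled")
        original="$(dirname "$disabled")/${name#no.}"
        if [ -f "$original" ]; then printf '%s\n' "$original"; fi
    done | LC_ALL=C sort
}

# Demo: build the tree, find and disable rpcbind and sendmail, then pretend a
# patch put the sendmail script back and show that the check catches it.
demo() {
    root=$(mktemp -d)
    make_sample_rc_tree "$root"
    echo "rpcbind is started by: $(find_start_scripts "$root" rpcbind)"
    disable_script "$root/etc/rc2.d/S71rpc"
    disable_script "$root/etc/rc2.d/S88sendmail"
    # a "patch" restores the script alongside our no. copy
    printf '#!/sbin/sh\n/usr/lib/sendmail -bd -q1h\n' > "$root/etc/rc2.d/S88sendmail"
    echo "re-enabled by patching: $(restored_scripts "$root")"
    rm -rf "$root"
}
demo
```

Renaming keeps the evidence of what was turned off, which is what makes restored_scripts possible; deleting or uninstalling the package, as the summary suggests, removes the need for the check but also the record.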







-------- Original Message --------
Subject: RE: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 08:40:15 -0400
From: Brent Mcdaniel <Brent.McDaniel@TheICE.com>
To: Chris Hoogendyk <choogend@library.umass.edu>

Chris,

We tie our boxes down to only ssh and whatever app is running on it, 
i.e. Weblogics, database, etc.... So if you have commented out almost 
everything in /etc/inetd.conf and HUP'd it, then the only other place 
would be in /etc/rc2.d and /etc/rc3.d

If you want to give me a list from a "netstat -an | grep LISTEN" and 
"netstat -an | grep Idle", I'd be happy to tell you what ports those are 
and how to stop that process.

Brent

  	I n t e r c o n t i n e n t a l E x c h a n g e	
  _____________________________________________
    Brent McDaniel  |  http://www.intcx.com |
    Senior Systems Administrator          cell








-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 09:31:56 -0400
From: Matt Clausen <mclausen@csit.fsu.edu>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

A lot of the inetd processes will hang around even after you restart the 
inetd server (either by a kill -HUP to force it to reread its 
configuration file or killing it altogether and restarting it). If you 
reset the box you may find that a lot of the open ports will disappear.

You can also use tools like nmap to scan these ports and it will often 
give you some clues as to what the ports that are open are.








-------- Original Message --------
Subject: Solaris network ports open
Date: Wed, 28 Apr 2004 08:31:54 -0400
From: Schernau, Ed <Edward.Schernau@citizensbank.com>
To: 'choogend@library.umass.edu' <choogend@library.umass.edu>

Just install ipfilter, then they won't see any ports open.  I routinely 
do it here, to mask my machines from prying eyes.  Set up a policy to 
drop all but the stuff you know about.

Ed Schernau
Systems Management Specialist, ECC
Citizens Bank, East Providence Operations Center
401.282.1262 ed.schernau@citizensbank.com







-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 00:47:36 -0500
From: Kelly Setzer <Kelly.Setzer@LiquidChicken.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>


  <snip>

In my crankier moods, I dream about just typing 'killall' and
pronouncing the system "secure".

Kelly

  < ;-) >






-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Wed, 28 Apr 2004 00:58:37 -0500 (EST)
From: J. Oquendo <sil@politrix.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>



You more than likely have some of the RPC services open.

Grab yourself a copy of lsof from Sunfreeware.com if you don't have it 
and run 'lsof -i | grep -i listen' to see what exactly is accessing what port 
using what.

Another thing you may want to do to really restrict the machine itself 
is looking into using ACL's if you have users, and running Titan on the 
machine. Titan is available for free via www.fish.com and is a pretty 
nifty tool.

TCP Wrappers, if you ask me, are rather obsolete; I haven't used them since 
about 1998 or so. Currently on my personal machine I have it modified by 
Titan which resolves almost 95% of the problems, I've got most known 
patches I need, and I have a modified version of Pitbull running on this 
machine (www.argus-systems.com). Although Pitbull is not free, it is 
worth picking up if you have a budget.

Other tools I used are for deception. Modified DTK (Deception Tool Kit), 
Port Sentry. I used to run Snort to maintain awareness of who was doing 
what but too many false positives, and a high load on the system made me 
chuck it.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo








-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 19:03:06 -0700
From: Roy S. Rapoport <rsr@inorganic.org>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <408F0C9F.4030603@library.umass.edu>

*TWO* ports? This sort of naive fool is what makes security so hard! 
An open port is an invitation to hacking, which is why I prefer to keep 
my systems with all network ports closed, superglue gumming up the 
serial and network interfaces, power disconnected, and the machine 
itself embedded in half a ton of concrete.  That's the only way to be sure!

Sorry :)

You likely need exactly as many ports open as services you're offering, 
no more and no less.  This likely means 1 (remote access) + whatever 
public services you're offering.

For servers, this is quite easy -- if you've got a web server, you 
really should only have, say, 22 (for ssh) and 80 open.

For desktops it gets a bit ugly because every full-featured desktop 
system out there seems to rely on network ports for some of its 
communication.

Regardless, there are two sources for open ports on Solaris (well, and 
other systems):

inetd will spawn ports if it's configured to do so; and server processes 
will always be listening on a given port.

You *can* -- and *should* -- run through every process running on the 
machine, familiarize yourself with it, and know what it does.

You *can* -- and *should* -- then go and check out JASS, the Jumpstart 
Architecture and Security Scripts, AKA the Solaris Security Toolkit. 
JASS, when integrated with Jumpstart, will result in systems that come 
out of the jumpstart process nicely tight.  JASS is also a really nice 
architecture to manage Jumpstart, by the way.

Hope this helps,
-roy







-------- Original Message --------
Subject: Re: why so many ports open on Solaris
Date: Tue, 27 Apr 2004 20:57:19 -0500 (CDT)
From: Mike's List <mikelist@sky.net>
To: Chris Hoogendyk <choogend@library.umass.edu>


So list the ports so others can see what they are and tell you where they're
coming from.

Yes, some ports are open when some services are enabled in /etc/rc2.d
and /etc/rc3.d, i.e. if you don't need /etc/rc3.d/S16boot.server, stop
the process and rename the file so it won't start.

www.sun.com/bigadmin --start here and search.
http://www.spitzner.net/
http://www.fish.com/titan/
http://www.yassp.org/


- Mike
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Wed Apr 28 14:11:17 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:31 EST