===== How to secure a Solaris 10 server =====
Context: I received my AMD server a few days ago, but since I don't have a PXE-aware jumpstart, I decided to do a full install
(it's my first Solaris full install, I must confess I'm feeling a bit ashamed, I hope God will forgive me), which comes
with a lot of useless packages, services, etc. That's why I decided to take notes about my consolidation process.
==== Security ====
To avoid Unix crypt password hashes and use MD5 instead, edit the file **///etc/security/policy.conf//**:
  # uncomment the following line :
  CRYPT_ALGORITHMS_DEPRECATE=__unix__
  # edit this one :
  CRYPT_DEFAULT=1
Then update your users' passwords and take a look in ///etc/shadow//; you'll see something like:
  asyd:$1$vY6aWgP1$QbLM9FKPRrJPEXyoDYEK70:13193::::::
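The new default only applies to passwords set after the change, so it is worth checking which accounts still carry an old Unix crypt hash. The script below is an added example, not part of the original notes: the function names are made up for illustration, and every sample line except the ''asyd'' entry above is constructed.

```shell
#!/bin/sh
# Classify the password field of shadow-format lines read on stdin.
# Output: one "user scheme" pair per line.
classify_shadow() {
    awk -F: '
        NF < 2                    { next }                      # skip blank/garbage lines
        $2 == ""                  { print $1, "empty";      next }
        $2 == "NP" || $2 ~ /^[*!]/ { print $1, "nologin";   next }  # NP, *LK*, ...
        $2 ~ /^\$1\$/             { print $1, "md5";        next }  # CRYPT_DEFAULT=1
        $2 ~ /^\$/                { print $1, "other";      next }  # other $id$ schemes
        length($2) == 13          { print $1, "unix-crypt"; next }  # legacy __unix__
                                  { print $1, "unknown" }
    '
}

# Names of accounts whose hash is still legacy Unix crypt,
# i.e. whose password has not been changed since the policy edit.
legacy_users() {
    classify_shadow | awk '$2 == "unix-crypt" { print $1 }'
}

# Constructed sample input (only the asyd line comes from the page).
sample_shadow() {
    cat <<'EOF'
root:aB3dE5gH7jK9m:13100::::::
asyd:$1$vY6aWgP1$QbLM9FKPRrJPEXyoDYEK70:13193::::::
daemon:NP:6445::::::
nobody:*LK*:6445::::::
olduser:Xy12abcdefghi:12000::::::
EOF
}

# Demo on the sample; on a real host, as root: legacy_users < /etc/shadow
sample_shadow | classify_shadow
```
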
==== Network ====
=== Enforce TCP sequence number randomization ===
  # ndd -set /dev/tcp tcp_strong_iss 2
==== Legacy services ====
Legacy services are not managed by SMF, which is why we need to remove some files from the init directories:
  # cd /etc/rc3.d
  # rm -f S*
  # cd /etc/rc2.d
  # rm -f S90wbem S90webconsole
==== SMF Profile ====
Warning:
  * **my SMF profile disables things such as autofs**, rpcbind, and the NFS client/server
So if you used to have autofs enabled, remember to move /export/home to /home.
This profile is a hacked version of ///var/svc/profile/generic_limited_net.xml//.
[[http://asyd.net/projects/solaris/restricted.xml|Download]] or copy/paste the following SMF profile, then run:
  # svccfg apply restricted.xml
==== Result ====
  Starting Nmap 3.95 ( http://www.insecure.org/nmap/ ) at 2006-02-14 11:23 CET
  Interesting ports on 192.168.3.202:
  (The 1668 ports scanned but not shown below are in state: closed)
  PORT   STATE SERVICE
  22/tcp open  ssh
  Nmap finished: 1 IP address (1 host up) scanned in 44.786 seconds