One simple way to make Solaris a little more secure is to create a /root directory with permissions 700, as Red Hat does. Anything you put into that directory is then visible only to root, so even a file with overly loose permissions is not exposed to other users.
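The following POSIX shell script is an added example, not part of the original tip: it creates a private home directory for root in the way the tip describes and then checks it. The setup function is the privileged part and is meant for a Solaris host (it assumes usermod -d is available, as on Solaris 10); the check functions are portable and run on any Unix. The scratch directory and its two files are constructed for the demonstration, so no root privilege is needed to run it.

```shell
#!/bin/sh
# Added example, not from the original page. setup_root_home must be run as root
# on the Solaris host; everything below it runs unprivileged on a scratch directory.

# setup_root_home DIR: create DIR (default /root) owned by root with mode 700 and
# make it root's home directory. Assumes Solaris usermod with -d (Solaris 10).
setup_root_home() {
    dir=${1:-/root}
    mkdir -p "$dir" || return 1
    chown root "$dir" || return 1
    chmod 700 "$dir" || return 1
    usermod -d "$dir" root
}

# dir_mode DIR: print the symbolic mode string, e.g. drwx------ (ls -ld is
# portable where stat(1) is not; cut drops any trailing ACL/+ marker).
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# private_dir_ok DIR: succeed only when DIR is a directory closed to group and other.
private_dir_ok() {
    [ "$(dir_mode "$1")" = "drwx------" ]
}

# loose_entries DIR: list regular files under DIR that group or other could read.
# Behind a 700 parent they are hidden from non-root users, which is the point of
# the tip; listing them shows what would leak if the parent's mode were relaxed.
loose_entries() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print | sort
}

# Demonstration on a constructed scratch directory (no root privilege needed).
demo=${TMPDIR:-/tmp}/root-home.demo.$$
mkdir -p "$demo" && chmod 700 "$demo"
printf 'secret\n' > "$demo/.ssh_key_note"; chmod 600 "$demo/.ssh_key_note"
printf 'notes\n'  > "$demo/todo.txt";      chmod 644 "$demo/todo.txt"

if private_dir_ok "$demo"; then
    echo "$demo is private (mode $(dir_mode "$demo"))"
fi
echo "files readable by group/other inside $demo:"
loose_entries "$demo"
```

On a real host, run setup_root_home as root once, then point private_dir_ok and loose_entries at /root from a periodic check to confirm the directory has not been opened up by a later package or script.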
Information
Environment:
- Solaris 10
Description:
How to let root log in directly to the system via ssh?

    uname -a
    SunOS castor1 5.10 Generic_147440-01 sun4u sparc SUNW,Sun-Fire-V240
    cat /etc/release
    Oracle Solaris 10 8/11 s10s_u10wos_17b SPARC
    Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
    Assembled 23 August 2011

Host castor1 is a SPARC Sun Fire V240 with Solaris 10 update 10 installed. Trying to log in as root via ssh results in "Access denied":

    login as: root
    Using keyboard-interactive authentication.
    Password:
    Access denied

On the console of the host the following message is logged:

    Dec 5 23:48:13 castor1 sshd[2302]: Failed keyboard-interactive for root from 16.56.232.242 port 49887 ssh2
Details
- Check the PermitRootLogin value in /etc/ssh/sshd_config:

    cat /etc/ssh/sshd_config
    # Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
    #
    # ident "@(#)sshd_config 1.10 10/10/19 SMI"
    #
    # Configuration file for sshd(1m)

    # Protocol versions supported
    #
    # The sshd shipped in this release of Solaris has support for major versions
    # 1 and 2. It is recommended due to security weaknesses in the v1 protocol
    # that sites run only v2 if possible. Support for v1 is provided to help sites
    # with existing ssh v1 clients/servers to transition.
    # Support for v1 may not be available in a future release of Solaris.
    #
    # To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
    # RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
    # do not already exist, RSA1 keys for protocol v1 are not automatically created.

    # Uncomment ONLY ONE of the following Protocol statements.

    # Only v2 (recommended)
    Protocol 2

    # Both v1 and v2 (not recommended)
    #Protocol 2,1

    # Only v1 (not recommended)
    #Protocol 1

    # Listen port (the IANA registered port number for ssh is 22)
    Port 22

    # The default listen address is all interfaces, this may need to be changed
    # if user wishes to restrict the interfaces sshd listens on for a multi homed host.
    # Multiple ListenAddress entries are allowed.

    # IPv4 only
    #ListenAddress 0.0.0.0
    # IPv4 & IPv6
    ListenAddress ::

    # Port forwarding
    AllowTcpForwarding no

    # If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
    # This allows the local port forwarding to work when connections are received
    # from any remote host.
    GatewayPorts no

    # X11 tunneling options
    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost yes

    # The maximum number of concurrent unauthenticated connections to sshd.
    # start:rate:full see sshd(1) for more information.
    # The default is 10 unauthenticated clients.
    MaxStartups 10:30:60

    # Banner to be printed before authentication starts.
    Banner /etc/issue

    # Should sshd print the /etc/motd file and check for mail.
    # On Solaris it is assumed that the login shell will do these (eg /etc/profile).
    PrintMotd no

    # KeepAlive specifies whether keep alive messages are sent to the client.
    # See sshd(1) for detailed description of what this means.
    # Note that the client may also be sending keep alive messages to the server.
    KeepAlive yes

    # Syslog facility and level
    SyslogFacility auth
    LogLevel info

    #
    # Authentication configuration
    #

    # Host private key files
    # Must be on a local disk and readable only by the root user (root:sys 600).
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key

    # Length of the server key
    # Default 768, Minimum 512
    ServerKeyBits 768

    # sshd regenerates the key every KeyRegenerationInterval seconds.
    # The key is never stored anywhere except the memory of sshd.
    # The default is 1 hour (3600 seconds).
    KeyRegenerationInterval 3600

    # Ensure secure permissions on users .ssh directory.
    StrictModes yes

    # Length of time in seconds before a client that hasn't completed
    # authentication is disconnected.
    # Default is 600 seconds. 0 means no time limit.
    LoginGraceTime 600

    # Maximum number of retries for authentication
    # Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
    MaxAuthTries 6
    MaxAuthTriesLog 3

    # Are logins to accounts with empty passwords allowed.
    # If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK to
    # pam_authenticate(3PAM).
    PermitEmptyPasswords no

    # To disable tunneled clear text passwords, change PasswordAuthentication to no.
    PasswordAuthentication yes

    # Use PAM via keyboard interactive method for authentication.
    # Depending on the setup of pam.conf(4) this may allow tunneled clear text
    # passwords even when PasswordAuthentication is set to no. This is dependent on
    # what the individual modules request and is out of the control of sshd or the
    # protocol.
    PAMAuthenticationViaKBDInt yes

    # Are root logins permitted using sshd.
    # Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
    # may be denied access by a PAM module regardless of this setting.
    # Valid options are yes, without-password, no.
    PermitRootLogin no

    # sftp subsystem
    Subsystem sftp internal-sftp

    # SSH protocol v1 specific options
    #
    # The following options only apply to the v1 protocol and provide some form of
    # backwards compatibility with the very weak security of /usr/bin/rsh.
    # Their use is not recommended and the functionality will be removed when
    # support for v1 protocol is removed.

    # Should sshd use .rhosts and .shosts for password less authentication.
    IgnoreRhosts yes
    RhostsAuthentication no

    # Rhosts RSA Authentication
    # For this to work user will also need host keys in /etc/ssh/ssh_known_hosts.
    # If the user on the client side is not root then this won't work on Solaris
    # since /usr/bin/ssh is not installed setuid.
    RhostsRSAAuthentication no

    # Uncomment if user does not trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
    #IgnoreUserKnownHosts yes

    # Is pure RSA authentication allowed.
    # Default is yes
    RSAAuthentication yes

The PermitRootLogin variable is at its default value of no.
- Change PermitRootLogin to yes to allow remote root logins via ssh:

    vi /etc/ssh/sshd_config

  change

    PermitRootLogin no

  to

    PermitRootLogin yes

- After the change:

    cat /etc/ssh/sshd_config | grep PermitRootLogin
    PermitRootLogin yes

The PermitRootLogin value has indeed been changed to yes.

- Restart the sshd daemon and check that the ssh service is in the online state after the restart:

    svcadm restart svc:/network/ssh:default
    svcs | grep ssh
    online         23:47:45 svc:/network/ssh:default

- Try to log in as root remotely via ssh:

    login as: root
    Using keyboard-interactive authentication.
    Password:
    Last login: Wed Dec 5 23:49:30 2012 from vm44.xp.emea.hp
    Oracle Corporation      SunOS 5.10      Generic Patch   January 2005

root can now log in remotely via ssh.
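As an added example (not part of the KB article above), the following POSIX shell script reads sshd_config keywords the way sshd does, where the first uncommented occurrence of a keyword wins, and rates the remote root exposure that results from PermitRootLogin combined with the two password paths visible in the file above, PasswordAuthentication and PAMAuthenticationViaKBDInt. The sample configuration is constructed and deliberately contains a second PermitRootLogin line to show that appending a line at the end of the file does not override an earlier one. The fallback values passed to sshd_opt mirror the shipped Solaris 10 file shown above. On Solaris 10 run it with AWK=/usr/bin/nawk (or /usr/xpg4/bin/awk), because the legacy /usr/bin/awk has no tolower().

```shell
#!/bin/sh
# Added example, not from the KB article above. Point CONF at /etc/ssh/sshd_config
# on a real host; the file written here is a constructed sample.
AWK=${AWK:-awk}
CONF=${TMPDIR:-/tmp}/sshd_config.demo.$$

cat > "$CONF" <<'EOF'
# constructed sample: Solaris 10 defaults after the edit described above,
# plus a stray second PermitRootLogin line that sshd will ignore
Protocol 2
Port 22
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
AllowTcpForwarding no
EOF

# sshd_opt KEYWORD FILE [DEFAULT]: value of the first uncommented KEYWORD line
# (keywords are matched case-insensitively), or DEFAULT when the file omits it.
sshd_opt() {
    val=$("$AWK" -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2")
    printf '%s\n' "${val:-$3}"
}

# root_login_risk FILE: print one word describing remote root exposure:
#   none      PermitRootLogin no (the Solaris 10 default)
#   key-only  PermitRootLogin without-password: root may log in, but only with a key
#   key       PermitRootLogin yes, but both password paths are switched off
#   password  PermitRootLogin yes and a password path is open, so the root
#             password can be guessed over the network
root_login_risk() {
    prl=$(sshd_opt PermitRootLogin "$1" no)
    pwa=$(sshd_opt PasswordAuthentication "$1" yes)
    kbd=$(sshd_opt PAMAuthenticationViaKBDInt "$1" yes)
    case "$prl" in
        no)               echo none ;;
        without-password) echo key-only ;;
        yes) if [ "$pwa" = yes ] || [ "$kbd" = yes ]; then
                 echo password
             else
                 echo key
             fi ;;
        *)                echo "unknown($prl)" ;;
    esac
}

echo "effective PermitRootLogin: $(sshd_opt PermitRootLogin "$CONF" no)"
echo "remote root exposure:      $(root_login_risk "$CONF")"
```

Of the valid options listed in the file's own comment, without-password keeps the remote root login the article enables while removing the guessable-password path; the script rates that case key-only.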
Some scripts I have written for Solaris that you may find interesting:
- netlink, a script to set duplex/media option settings.
- fix.sh, a script to strip down services in Solaris systems + do network tuning & hardening. Currently for Solaris 8 and 9. Using nddconfig and fixmodes from www.sun.com/security/ somewhere and nettune from http://www.sean.de/Solaris/, the rest of the stuff by me. Run like this: ./fix.sh auto. Run it again if you patch your system, in case the patches re-enable scripts previously set up to not run. Fix-modes and friends are left in /opt/fixit for your convenience, should you need to reverse its actions. I recommend copying fix.sh there as well. Adjust what services you want turned on by editing /etc/startup.conf. Also walk through /etc/inetd.conf to see if there is anything you want on (requires INETD=YES in startup.conf). The script is intended to be run once to do "all" basic security tweaking in one shot. Script requires Perl with MIME::Base64 in your PATH, trying /usr/local/bin first. Your comments, ideas etc. are very welcome!
Glenn Brunette's Security Weblog Tip of the Month: Enabling TCP Wrappers in Solaris 10
Before answering this question, let's first provide a little background. TCP Wrappers has been around for many, many years. It is used to restrict access to TCP services based on host name, IP address, network address, etc. For more detail on what TCP Wrappers is and how you can use it, see tcpd(1M). TCP Wrappers was integrated into Solaris starting in Solaris 9, where both Solaris Secure Shell and inetd-based (streams, nowait) services were wrapped. Bonus points are awarded to anyone who knows why UDP services are not wrapped by default.
TCP Wrappers support in Secure Shell was always enabled since Secure Shell always called the TCP Wrapper function host_access(3) to determine if a connection attempt should proceed. If TCP Wrappers was not configured on that system, access, by default, would be granted. Otherwise, the rules as defined in the hosts.allow and hosts.deny files would apply. For more information on these files, see hosts_access(4). Note that this and all of the TCP Wrappers manual pages are stored under /usr/sfw/man in Solaris 10. To view this manual page, you can use the following command:

    $ man -M /usr/sfw/man -s 4 hosts_access

inetd-based services use TCP Wrappers in a different way. In Solaris 9, to enable TCP Wrappers for inetd-based services, you must edit the /etc/default/inetd file and set the ENABLE_TCPWRAPPERS parameter to YES. By default, TCP Wrappers was not enabled for inetd.
In Solaris 10, two new services were wrapped: sendmail and rpcbind. sendmail works in a way similar to Secure Shell. It always calls the host_access function and therefore TCP Wrappers support is always enabled. Nothing else needs to be done to enable TCP Wrappers support for that service. On the other hand, TCP Wrappers support for rpcbind must be enabled manually using the new Service Management Framework ("SMF"). Similarly, inetd was modified to use an SMF property to control whether TCP Wrappers is enabled for inetd-based services.
Let's look at how to enable TCP Wrappers for inetd and rpcbind...
To enable TCP Wrappers support for inetd-based services, you can simply use the following commands:
    # inetadm -M tcp_wrappers=true
    # svcadm refresh inetd

This will enable TCP Wrappers for inetd-based (streams, nowait) services like telnet, rlogin, and ftp (for example):

    # inetadm -l telnet | grep tcp_wrappers
    default  tcp_wrappers=TRUE

You can see that this setting has taken effect for inetd by running the following command:

    # svcprop -p defaults inetd
    defaults/tcp_wrappers boolean true

Note that you can also use the svccfg(1M) command to enable TCP Wrappers for inetd-based services.

    # svccfg -s inetd setprop defaults/tcp_wrappers=true
    # svcadm refresh inetd

Whether you use inetadm(1M) or svccfg is really a matter of preference. Note that you can also use inetadm or svccfg to enable TCP Wrappers on a per-service basis. For example, let's say that we wanted to enable TCP Wrappers for telnet but not for ftp. By default, both the global and per-service settings for TCP Wrappers are disabled:

    # inetadm -p | grep tcp_wrappers
    tcp_wrappers=FALSE
    # inetadm -l telnet | grep tcp_wrappers
    default  tcp_wrappers=FALSE
    # inetadm -l ftp | grep tcp_wrappers
    default  tcp_wrappers=FALSE

To enable TCP Wrappers for telnet, use the following command:

    # inetadm -m telnet tcp_wrappers=TRUE

Let's check our settings again:

    # inetadm -p | grep tcp_wrappers
    tcp_wrappers=FALSE
    # inetadm -l telnet | grep tcp_wrappers
             tcp_wrappers=TRUE
    # inetadm -l ftp | grep tcp_wrappers
    default  tcp_wrappers=FALSE

As you can see, TCP Wrappers has been enabled for telnet but for none of the other inetd-based services. Pretty cool, eh?
You can enable TCP Wrappers support for rpcbind by running the following command:

    # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
    # svcadm refresh rpc/bind

This change can be verified by running:

    # svcprop -p config/enable_tcpwrappers rpc/bind
    true

That is all that there is to it! Quick, easy and painless! As always, let me know what you think!
Take care!
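Turning tcp_wrappers on only helps if hosts.allow and hosts.deny say what you think they say, so here is an added example (not from Glenn Brunette's post) of a small offline evaluator for those two files. It follows the decision order documented in hosts_access(4): hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed. Only the common pattern forms are handled (ALL, an exact IPv4 address, and a trailing-dot network prefix such as 192.168.10.); the real library also understands netmasks, host names, EXCEPT lists and more. The rule files are constructed for the demonstration, and the daemon names used in them (sshd, in.telnetd, rpcbind) are assumed to be the process names the wrapped services present. On Solaris 10 run it with AWK=/usr/bin/nawk, since the legacy /usr/bin/awk lacks user-defined functions.

```shell
#!/bin/sh
# Added example, not part of the original post: evaluate hosts.allow/hosts.deny
# rules offline for a given daemon and client address (IPv4 only).
AWK=${AWK:-awk}
ALLOW=${TMPDIR:-/tmp}/hosts.allow.demo.$$
DENY=${TMPDIR:-/tmp}/hosts.deny.demo.$$

cat > "$ALLOW" <<'EOF'
# constructed sample: ssh and telnet from the admin LAN, rpcbind from one host
sshd, in.telnetd : 192.168.10.
rpcbind : 192.168.10.5
EOF
cat > "$DENY" <<'EOF'
# constructed sample: default-deny everything else
ALL : ALL
EOF

# rule_file_matches FILE DAEMON CLIENT: succeed if any "daemons : clients" line
# in FILE matches both DAEMON and CLIENT. Comment and blank lines are skipped;
# a third field (shell command), if present, is ignored.
rule_file_matches() {
    "$AWK" -v dname="$2" -v client="$3" '
        # one pattern against one name: ALL, exact match, or trailing-dot prefix
        function match_one(pat, name) {
            gsub(/^[ \t]+|[ \t]+$/, "", pat)
            if (pat == "ALL") return 1
            if (pat == name) return 1
            if (pat ~ /\.$/ && index(name, pat) == 1) return 1
            return 0
        }
        # a comma-separated pattern list against one name
        function match_list(list, name,   n, i, parts) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++)
                if (match_one(parts[i], name)) return 1
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            nf = split($0, f, ":")
            if (nf < 2) next
            if (match_list(f[1], dname) && match_list(f[2], client)) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# hosts_access DAEMON CLIENT: print "allow" or "deny" in tcpd order:
# hosts.allow first, then hosts.deny, otherwise allow.
hosts_access() {
    if rule_file_matches "$ALLOW" "$1" "$2"; then
        echo allow
    elif rule_file_matches "$DENY" "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# Probe a few daemon/client pairs against the constructed rule set.
for probe in "sshd 192.168.10.7" "sshd 10.0.0.7" "rpcbind 192.168.10.5" \
             "rpcbind 192.168.10.6" "in.ftpd 192.168.10.7"; do
    set -- $probe
    printf '%-10s %-15s -> %s\n' "$1" "$2" "$(hosts_access "$1" "$2")"
done
```

The third probe and the fourth differ only in the last octet, which is the kind of detail that is easy to get wrong when an exact address rather than a prefix is intended; running the rule set through an evaluator like this before enabling tcp_wrappers on rpcbind avoids locking out NFS clients by accident.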
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019