I. Closing System Service Ports

1. Overview
   a) System environment: Sun Fire 280 server. Main uses: web application server and database server.
   b) The Solaris system has many services of its own that are enabled automatically. Vulnerabilities that may exist in them can allow an attacker to control your machine without an account. Close these unwanted services to protect the system.

2. Implementation steps
   a) Install the NMAP scanning software.
   b) Scan the entire system.
   c) Determine the ports to be turned off (only the Telnet, FTP and XWindows ports are kept).

3. Implementation process
   a) In /etc/inetd.conf, turn off all ports except Telnet and FTP.
   b) In /etc/services, close all ports except Telnet and FTP (if that is too much trouble, make a backup, delete everything else and leave only these two rows):
         ftp     21/tcp
         telnet  23/tcp
   c) In /etc/rc3.d, disable the following services by renaming them so that the name begins with x:
         xS34dhcp
         xS76snmpdx
         xS80mipagent
         xS15nfs.server
         xS50apache
         xS77dmi
   d) In /etc/rc2.d, disable the following services:
         # mv S70uucp xS70uucp
         # mv S71ldap.client xS71ldap.client
         # mv S72autoinstall xS72autoinstall
         # mv S73cachefs.daemon xS73cachefs.daemon
         # mv S73nfs.client xS73nfs.client
         # mv S74autofs xS74autofs
         # mv S74xntpd xS74xntpd
         # mv S80lp xS80lp
         # mv S94Wnn6 xS94Wnn6
   e) Closing XWindows requires stopping the following service (for ease of debugging, the XWindows port was not closed):
         # mv S99dtlogin xS99dtlogin

II. Software Firewall Installation

1. Software firewall overview
   a) Firewall version: tcp_wrappers-7.6
   b) Installation directory: /usr/local/bin/tcpd
   c) Software description: by default, Solaris allows all service requests. tcp_wrappers is used to protect the server from external attacks.

2. Installation procedure
   a) Download the software: tcp_wrappers-7.6-sol8-sparc-local
   b) Installation command, run with root privileges:
         # pkgadd -d tcp_wrappers-7.6-sol8-sparc-local

3. Policy development
   a) Policy description: the policy has two parts. Reject all Telnet and FTP connections, then open the services for specific IP addresses and network segments.
   b) Policy details:
         Deny:  all connections
         Allow: IP address ×××.×××.×××.120 (the company's outbound public IP address)
                network segment 192.0.0. (company IP range)

4. Security policy implementation
   a) As the root user:
         vi hosts.deny
            in.telnetd: ALL: DENY
            in.ftpd: ALL: DENY
         vi hosts.allow
            in.telnetd: ×××.×××.×××.120 192.0.0.
            in.ftpd: ×××.×××.×××.120 192.0.0.

5. Security test
   a) From the intranet 192.0.0. and from ×××.×××.×××.120, Telnet and FTP to the system work.
   b) From any other IP address on the external network, Telnet and FTP to the system are not possible.
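
The test results in step 5 follow from the order in which tcp_wrappers reads the two files. The Python sketch below is an added example, not part of the original write-up or of tcp_wrappers itself; it models only that decision order, and 203.0.113.120 is a constructed stand-in for the masked public address.

```python
# Simplified model of the tcp_wrappers decision order (not tcpd's own code):
# hosts.allow first, then hosts.deny, and no match at all means "granted".
# Supports daemon names, ALL, exact IPv4 addresses and "192.0.0."-style prefixes.
# 203.0.113.120 is a constructed stand-in for the page's masked public address.
HOSTS_ALLOW = """\
in.telnetd: 203.0.113.120 192.0.0.
in.ftpd: 203.0.113.120 192.0.0.
"""
HOSTS_DENY = """\
in.telnetd: ALL: DENY
in.ftpd: ALL: DENY
"""

def parse(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if ":" not in line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules

def client_matches(pattern, ip):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):          # "192.0.0." matches on leading fields
        return ip.startswith(pattern)
    return ip == pattern               # otherwise an exact address

def first_match(rules, daemon, ip):
    for daemons, clients, option in rules:
        daemon_ok = any(d.upper() == "ALL" or d == daemon for d in daemons)
        if daemon_ok and any(client_matches(c, ip) for c in clients):
            return option or "default"
    return None

def decide(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if the connection would be granted under this model."""
    hit = first_match(parse(allow_text), daemon, ip)
    if hit is not None:
        return hit != "deny"           # an allow-file rule grants unless it says DENY
    hit = first_match(parse(deny_text), daemon, ip)
    if hit is not None:
        return hit == "allow"          # a deny-file rule denies unless it says ALLOW
    return True                        # unlisted daemon or client: granted
```

In this model a daemon that appears in neither file is granted, so the rules above restrict only Telnet and FTP; the other services stay closed because of the changes in section I.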