Solaris Security Manual


Release Date: 1999-12-8

Contents:

1. Preparation
2. Initial OS installation
3. Stripping / configuring OS: 1st pass
4. Connect to test network
5. Installing tools and sysadmin software
6. Stripping / configuring OS: 2nd pass
7. Create Tripwire image, backup, test
8. Install, test, harden applications
9. Install on live network, test

1. Preparation

The minimal way to keep a host secure is to run only one or two services on it. It is better to have several single-purpose machines than one machine that does everything with full privileges, because problems are then isolated and easier to find. In short: run only the services you really need on each machine. Consider removing the keyboard and screen so that you can do without X11, and do your command-line testing on an isolated, trusted network segment. Understand what your system and hardware configuration require; for example, if you install Sun DiskSuite, consider whether you need the RPC service, because DiskSuite requires RPC. Be clear about how each application is used: which ports and which files it needs.

2. Initial OS installation

Connect a serial console, boot, and when the OK prompt appears send STOP-A (~#, ~%B or F5, depending on whether you use tip, cu or a VT100 terminal). Then start the installation: "boot cdrom - install". Use the minimal End User bundle (unless you need the extra Server/Developer tools). Set the host name, terminal, IP parameters, time zone and so on; do not activate NIS or NFS and do not activate power management. Choose manual partitioning: keep /usr and /opt separate from root so that those partitions can be mounted read-only. Consider putting a large /var and high-volume data (web, ftp) on their own partitions.

If the hard disk is 2GB, recommended: 200MB for / (with /var), 200MB swap, 600MB /usr, 1GB /opt.

If the hard disk is 2GB, alternatively: 300MB for / (with /var and /opt), 200MB swap, 500MB /usr.

Set a root password of 7 to 8 characters in mixed case, then reboot.

Then apply Sun's security patches. These are generally included in the CD package. After the reboot, log in as root and use showrev -p to view the list of installed patches.

3. Configuring the operating system

Mounting: to reduce Trojans and unauthorized modifications, in /etc/vfstab use the "remount,nosuid" option for /, add the "nosuid" option for /var, and add the "size=100m,nosuid" option for /tmp (this limits /tmp to 100MB and does not allow SUID programs to be executed from it).

If a floppy disk is not required, remove the "/dev/fd" entry.
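A small audit for the mount options above, added here as an example and not part of the original guide: it reads a vfstab in the Solaris seven-field format and reports every mount point that lacks the option the guide calls for (nosuid on /var, nosuid plus size=100m on /tmp, and ro on /usr and /opt, which section 2 says should be mountable read-only). The vfstab it reads is constructed and written to a temp file; the option table in required_opts is this example's own encoding of the guide's advice.

```shell
#!/bin/sh
# Audit a Solaris-style vfstab for the mount options the guide recommends:
# nosuid on /var, nosuid plus size=100m on /tmp, ro on /usr and /opt.
# Example code added for illustration, not from the original guide; the
# vfstab below is constructed and written to a temp file, not read from /etc.

SAMPLE_VFSTAB=${TMPDIR:-/tmp}/vfstab.sample.$$

# write_sample_vfstab: constructed vfstab with /opt and /tmp left unhardened
write_sample_vfstab() {
    cat > "$SAMPLE_VFSTAB" <<'EOF'
#device             device              mount   FS    fsck mount   mount
#to mount           to fsck             point   type  pass at boot options
fd                  -                   /dev/fd fd    -    no      -
/proc               -                   /proc   proc  -    no      -
/dev/dsk/c0t0d0s1   -                   -       swap  -    no      -
/dev/dsk/c0t0d0s0   /dev/rdsk/c0t0d0s0  /       ufs   1    no      -
/dev/dsk/c0t0d0s6   /dev/rdsk/c0t0d0s6  /usr    ufs   1    no      ro
/dev/dsk/c0t0d0s5   /dev/rdsk/c0t0d0s5  /opt    ufs   2    yes     -
/dev/dsk/c0t0d0s4   /dev/rdsk/c0t0d0s4  /var    ufs   1    no      nosuid
swap                -                   /tmp    tmpfs -    yes     -
EOF
}

# required_opts MOUNTPOINT -> the option tokens that mount point must carry
required_opts() {
    case "$1" in
        /var)      echo "nosuid" ;;
        /tmp)      echo "nosuid size=100m" ;;
        /usr|/opt) echo "ro" ;;
        *)         echo "" ;;
    esac
}

# has_opt OPTIONS TOKEN -> true if TOKEN is one of the comma-separated options
has_opt() {
    echo ",$1," | grep -q ",$2,"
}

# audit_vfstab FILE -> prints one line per missing option; returns the count
audit_vfstab() {
    missing=0
    while read -r dev rdev mnt fstype pass atboot opts; do
        case "$dev" in \#*|"") continue ;; esac   # skip comments and blanks
        for want in $(required_opts "$mnt"); do
            if ! has_opt "$opts" "$want"; then
                echo "$mnt: missing option '$want' (has '$opts')"
                missing=$((missing + 1))
            fi
        done
    done < "$1"
    return $missing
}
```

Run write_sample_vfstab and then audit_vfstab "$SAMPLE_VFSTAB": on the constructed file it reports /opt without ro and /tmp without nosuid and size=100m, and returns 3. Note that a read-only /usr has to be remounted read-write before patches are applied.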

(The following commands assume you are using the C shell.)

Disable NFS:

rm /etc/rc2.d/{S73nfs.client,K28nfs.server} /etc/rc3.d/S15nfs.server /etc/dfs/dfstab

Disable the sendmail daemon. Although sendmail then no longer runs as a daemon, the binary still exists and email can still be sent with it (outgoing mail is not affected). If a host must accept email, you must put smap or a similar program in front of sendmail to reduce sendmail's exposure to a minimum.

rm /etc/rc2.d/S88sendmail

In addition, add a crontab entry that processes the mail queue:

0 * * * * /usr/lib/sendmail -q

Disable some other services:

rm /etc/rc2.d/{S74autofs,S30sysid.net,S71sysid.sys,S72autoinstall}

rm /etc/rc2.d/{S93cacheos.finish,S73cachefs.daemon,S80PRESERVE}

rm /etc/rc2.d/{S85power,K07dmi}

rm /etc/rc3.d/S77dmi

If you have the Server/Developer packages:

rm /etc/rc2.d/{S47asppp,S89bdconfig,S70uucp}

Disable RPC: it is generally recommended to turn RPC off, but some programs such as DiskSuite turn the RPC service on, so it is generally recommended not to use DiskSuite. If you cannot disable RPC, you must use a packet filter.

rm /etc/rc2.d/S71rpc

Disable the print service (unless a local printer exists):

rm /etc/rc2.d/S80lp   (S80lp is the lp start script on Solaris 2.x)

Disable the Name Service Caching Daemon (nscd):

mv /etc/rc2.d/S76nscd /etc/rc2.d/.S76nscd

Disable CDE (unless you insist on using a graphical console):

rm /etc/rc2.d/S99dtlogin

Disable NTP (Network Time Protocol; NTP costs bandwidth and adds a security exposure, so it is recommended to use rdate against a machine that runs NTP to get the exact time):

rm /etc/rc2.d/S74xntpd

Disable SNMP:

rm /etc/rc2.d/K07snmpdx /etc/rc3.d/S76snmpdx
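The guide deletes most rc scripts with rm but renames nscd's with a leading dot; the dot form is reversible, since init only runs names beginning with S or K. The following is an added example, not the guide's own commands, that applies the whole list above in that reversible way and counts what is left active. It works on a constructed rc2.d/rc3.d tree in a temp directory (the script names are the ones the guide lists, plus S69inet and S72inetsvc, which start networking and inetd and are kept).

```shell
#!/bin/sh
# Reversible form of the guide's rm/mv steps: rename an rc script to .NAME
# so init ignores it (init only runs S*/K* names) but it can be restored.
# Example code added for illustration, not from the guide; the rc tree
# below is constructed in a temp directory, not a real /etc.

RC_ROOT=${TMPDIR:-/tmp}/rc.sample.$$

# make_sample_rc: fake rc2.d/rc3.d holding the scripts the guide names
make_sample_rc() {
    mkdir -p "$RC_ROOT/rc2.d" "$RC_ROOT/rc3.d"
    for s in S69inet S72inetsvc S73nfs.client K28nfs.server S88sendmail \
             S74autofs S71rpc S76nscd S99dtlogin S74xntpd K07snmpdx S80lp; do
        : > "$RC_ROOT/rc2.d/$s"
    done
    for s in S15nfs.server S76snmpdx S77dmi; do
        : > "$RC_ROOT/rc3.d/$s"
    done
}

# disable_rc_script RCDIR NAME -> rename NAME to .NAME; 1 if it is not there
disable_rc_script() {
    if [ -f "$1/$2" ]; then
        mv "$1/$2" "$1/.$2"
    else
        echo "no such script: $1/$2" >&2
        return 1
    fi
}

# enable_rc_script RCDIR NAME -> undo disable_rc_script
enable_rc_script() {
    mv "$1/.$2" "$1/$2"
}

# count_active RCDIR -> number of S*/K* scripts init would still run
count_active() {
    n=0
    for f in "$1"/S* "$1"/K*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# harden_sample: apply the guide's list, leaving inet and inetsvc in place
harden_sample() {
    for s in S73nfs.client K28nfs.server S88sendmail S74autofs S71rpc \
             S76nscd S99dtlogin S74xntpd K07snmpdx S80lp; do
        disable_rc_script "$RC_ROOT/rc2.d" "$s"
    done
    for s in S15nfs.server S76snmpdx S77dmi; do
        disable_rc_script "$RC_ROOT/rc3.d" "$s"
    done
}
```

After make_sample_rc and harden_sample, count_active "$RC_ROOT/rc2.d" reports 2 (S69inet and S72inetsvc) and rc3.d reports 0. The dot-prefixed copies are still there for Tripwire to record and for enable_rc_script to restore if a service turns out to be needed.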

In inetinit, disable IP forwarding and source routing (if there is more than one network interface). Add the following settings to /etc/init.d/inetinit:

ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_forwarding 0

Following RFC 1948, it is recommended to add the following setting to /etc/default/inetinit so that initial sequence numbers are generated in a way that prevents TCP sequence number prediction attacks (IP spoofing):

TCP_STRONG_ISS=2

Add the following settings to /etc/system to prevent certain buffer overflow attacks. They protect against attacks that need to execute code on the stack, but they need hardware support (only effective on sun4u/sun4d/sun4m systems):

set noexec_user_stack=1
set noexec_user_stack_log=1

Use a default route: put the router's IP address in /etc/defaultrouter, or use "route" in a startup file /etc/rc2.d/S99static_routes. To disable dynamic routing:

touch /etc/notrouter

To disable multicast, comment out the few lines around "route add 224.0.0.0" in /etc/init.d/inetsvc.
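The ndd, /etc/default/inetinit, /etc/system and /etc/notrouter settings above are easy to lose across reinstalls, so the following added example (not from the guide) checks a tree of config files for each of them and reports what is missing. ETC points at constructed copies in a temp directory; on a real host it would be /etc, and the check only inspects files, it does not run ndd.

```shell
#!/bin/sh
# Check whether the kernel and network settings the guide adds are present:
# noexec_user_stack in /etc/system, TCP_STRONG_ISS in /etc/default/inetinit,
# the ndd lines in /etc/init.d/inetinit, and /etc/notrouter.
# Example code added for illustration, not from the guide; ETC points at
# constructed copies in a temp directory, not at a real /etc.

ETC=${TMPDIR:-/tmp}/etc.sample.$$

# make_sample_etc: constructed files with three of the settings missing
make_sample_etc() {
    mkdir -p "$ETC/default" "$ETC/init.d"
    printf 'set noexec_user_stack_log=1\n' > "$ETC/system"
    printf 'TCP_STRONG_ISS=2\n' > "$ETC/default/inetinit"
    printf '#!/sbin/sh\nndd -set /dev/ip ip_forwarding 0\n' > "$ETC/init.d/inetinit"
    printf 'ndd -set /dev/ip ip_forward_directed_broadcasts 0\n' >> "$ETC/init.d/inetinit"
}

# has_line FILE REGEX -> true if an uncommented line of FILE matches REGEX
has_line() {
    [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -q -- "$2"
}

# check DESCRIPTION FILE REGEX -> report and count a missing setting
check() {
    if ! has_line "$2" "$3"; then
        echo "FAIL: $1"
        fails=$((fails + 1))
    fi
}

# audit_netsec -> prints each failed check; returns the number of failures
audit_netsec() {
    fails=0
    check "set noexec_user_stack=1 in /etc/system" \
        "$ETC/system" '^set[[:space:]]*noexec_user_stack[[:space:]]*=[[:space:]]*1'
    check "set noexec_user_stack_log=1 in /etc/system" \
        "$ETC/system" '^set[[:space:]]*noexec_user_stack_log[[:space:]]*=[[:space:]]*1'
    check "TCP_STRONG_ISS=2 in /etc/default/inetinit" \
        "$ETC/default/inetinit" '^TCP_STRONG_ISS=2'
    for p in ip_forwarding ip_forward_src_routed ip_forward_directed_broadcasts; do
        check "ndd $p 0 in /etc/init.d/inetinit" \
            "$ETC/init.d/inetinit" "ndd -set /dev/ip $p 0"
    done
    if [ ! -f "$ETC/notrouter" ]; then
        echo "FAIL: /etc/notrouter missing (dynamic routing still enabled)"
        fails=$((fails + 1))
    fi
    return $fails
}

# apply_fixes: add the missing settings the way the guide describes
apply_fixes() {
    printf 'set noexec_user_stack=1\n' >> "$ETC/system"
    printf 'ndd -set /dev/ip ip_forward_src_routed 0\n' >> "$ETC/init.d/inetinit"
    : > "$ETC/notrouter"
}
```

On the constructed tree audit_netsec reports the missing noexec_user_stack line, the missing ip_forward_src_routed line and the absent /etc/notrouter, returning 3; after apply_fixes it returns 0. The /etc/system check only shows that the line is present, not that the hardware honours it, so confirm the platform is sun4u/sun4d/sun4m as the guide notes.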

To log all connections handled by inetd, add the "-t" flag to the line that starts inetd, i.e.:

/usr/sbin/inetd -s -t

Configure the hosts you trust in /etc/hosts (those you do not want resolved through DNS).

/etc/inetd.conf:

First disable all services; then enable only those you truly need, and for those use fwtk netacl or TCP Wrappers to restrict access to the minimum set of IP addresses and to log every connection.
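The inetd.conf policy just described, as an added example (not the guide's own code): comment out every service, re-enable only a keep list, and route each kept service through TCP Wrappers' tcpd so that /etc/hosts.allow and /etc/hosts.deny decide which addresses may connect and every connection is logged via syslog. The inetd.conf it rewrites is constructed, and TCPD is an assumed install path for tcpd; adjust it to wherever tcpd was built on your machine.

```shell
#!/bin/sh
# Apply the guide's inetd.conf policy: comment out every service, then
# re-enable only a keep list, each wrapped with tcpd (TCP Wrappers).
# Example code added for illustration, not from the guide; the inetd.conf
# below is constructed, and TCPD is an assumed install path.

TCPD=${TCPD:-/usr/local/sbin/tcpd}
SAMPLE_INETD=${TMPDIR:-/tmp}/inetd.conf.sample.$$
LOCKED_INETD=${TMPDIR:-/tmp}/inetd.conf.locked.$$

# write_sample_inetd: constructed inetd.conf in the Solaris 7-field format
write_sample_inetd() {
    cat > "$SAMPLE_INETD" <<'EOF'
# constructed sample, not a real inetd.conf
ftp       stream  tcp      nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
telnet    stream  tcp      nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell     stream  tcp      nowait  root    /usr/sbin/in.rshd     in.rshd
login     stream  tcp      nowait  root    /usr/sbin/in.rlogind  in.rlogind
finger    stream  tcp      nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo      stream  tcp      nowait  root    internal
chargen   dgram   udp      wait    root    internal
100232/10 tli     rpc/udp  wait    root    /usr/sbin/sadmind     sadmind
EOF
}

# lockdown_inetd SRC DST "svc1 svc2 ..." -> write DST with only the listed
# services active; their server path becomes tcpd and the original absolute
# path is passed as argv[0], which tcpd execs directly because it starts
# with a slash.
lockdown_inetd() {
    awk -v keep="$3" -v tcpd="$TCPD" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/        { print; next }        # comments unchanged
        !($1 in keepset)                { print "#" $0; next } # disable
        $6 != "internal" && $6 != tcpd  { $7 = $6; $6 = tcpd } # wrap with tcpd
        { print }
    ' "$1" > "$2"
}

# count_active FILE -> number of uncommented service lines
count_active() {
    grep -v '^[[:space:]]*#' "$1" | grep -c .
}

# wrapped_services FILE -> names of active services that go through tcpd
wrapped_services() {
    awk -v tcpd="$TCPD" '/^[ \t]*#/ { next } $6 == tcpd { print $1 }' "$1"
}
```

lockdown_inetd "$SAMPLE_INETD" "$LOCKED_INETD" "ftp" leaves one active line, ftp, rewritten to exec tcpd with /usr/sbin/in.ftpd as its argument; the rest, including the rpc and "internal" services, are commented out. Services that are kept and marked internal stay as they are, since there is no program for tcpd to wrap. The address restrictions themselves live in hosts.allow and hosts.deny, which this script does not write.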

4. Connect to the test network

After the stripping and configuration above, the system must work properly. Connect it to a secure, isolated network. Reboot and log in as root on the console; check the error messages the console shows at boot and adjust as needed.

5. Installing tools and sysadmin software

This part installs the standard tools and utilities. The most important is SSH. These tools must be compiled and carefully tested on another machine.

Environment:

DNS client: add the domain name and the DNS servers to /etc/resolv.conf, and add dns to the hosts entry in /etc/nsswitch.conf.

Email: if the host does not need to send email outside the subnet, you do not need a mailhost alias. Otherwise, edit /etc/mail/aliases, set mailhost in /etc/hosts, uncomment the DJ line in /etc/mail/sendmail.cf and set it to DJ$w.yourdomain.com. If DNS is not configured, also add an alias hostname.yourdomain.com for this machine in /etc/hosts.

Now send a test email: mailx -v -s test_email root
