Solaris Network Hardening: First Steps
Reg Quinton
There is a security principle that says you should "configure computers to provide only selected network services" (CERT Coordination Centre: http://www.cert.org/security-improvement/practices/p038.html). The idea is that every network service you offer is an opportunity for hackers and a risk to your system. That's not to say that you shouldn't offer any services -- a mail server that doesn't offer mail services isn't very useful. Instead, you should have a good understanding of network services and you should not offer any unnecessary service. This paper is a discussion of tools you'll need to determine services offered by a Solaris server. As such it's a first step in hardening a Solaris server.
Baseline -- What's There?
Before hardening a system you need to know what's on the system and, better yet, how to find that out. There are three valuable tools:
netstat and rpcinfo, as provided by the vendor
lsof, a public domain add-on
All can be used to identify network services that your system offers to clients on the network -- services that might be exploited.
You can find lsof at several sites. The home location is:
ftp://vic.cc.purdue.edu/pub/unix/lsof
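One way to turn the netstat part of this baseline into a repeatable check, as an added example that is not part of the original paper: the script parses `netstat -a` output and prints every service waiting for clients that is not on an approved list. It goes beyond the UDP listing this paper shows by also reading a TCP section; the TCP layout, the `LISTEN` state, the sample output and the approved list are assumptions constructed for illustration, and the function names are hypothetical.

```shell
# Added example (not from the original paper): check `netstat -a` services
# against an approved list.

# Print proto/port for each endpoint waiting for clients (stdin: netstat -a).
offered_services() {
    awk '
        $1 ~ /^(UDP|TCP):?$/ { proto = tolower(substr($1, 1, 3)); next }
        $1 == "Active"       { proto = ""; next }   # assumed: UNIX-domain section
        NF == 0 || proto == "" || $1 == "Local" || $1 ~ /^-+$/ { next }
        (proto == "udp" && $NF == "Idle") || (proto == "tcp" && $NF == "LISTEN") {
            n = split($1, part, ".")    # local address is host.port
            if (part[n] != "*") print proto "/" part[n]
        }
    ' | LC_ALL=C sort -u
}

# Print offered services that are not among the approved arguments.
unexpected_services() {
    approved=" $* "
    offered_services | while read -r svc; do
        case "$approved" in
            *" $svc "*) ;;              # approved, stay quiet
            *) echo "$svc" ;;           # not on the list: review it
        esac
    done
}

# Constructed sample: UDP lines as in this paper, TCP lines assumed.
sample_netstat() {
    cat <<'EOF'
UDP
   Local Address         Remote Address     State
-------------------- -------------------- -------
      *.sunrpc                              Idle
      *.*                                   Unbound
      *.32771                               Idle

TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0     0      0 IDLE
      *.sunrpc             *.*                0      0     0      0 LISTEN
      *.telnet             *.*                0      0     0      0 LISTEN
      *.smtp               *.*                0      0     0      0 LISTEN
EOF
}

# On a live host: netstat -a | unexpected_services udp/sunrpc tcp/sunrpc tcp/smtp
sample_netstat | unexpected_services udp/sunrpc tcp/sunrpc tcp/smtp
```

Run against the sample, the script reports `tcp/telnet` and `udp/32771`, the two services the approved list does not cover.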
The netstat Command
To determine the services that your system offers, try this command:
[2:20pm wally] netstat -a
UDP
   Local Address         Remote Address     State
-------------------- -------------------- -------
      *.sunrpc                              Idle
      *.*                                   Unbound
      *.32771                               Idle
*.n