BANNER=""
set noexec_user_stack=1
set noexec_user_stack_log=1
set nfssrv:nfs_portmon=1
set priority_paging=1
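# Kernel IP/TCP/UDP tunables for the NMR host.  ndd(1M) settings are not
# persistent: run these from a boot script (e.g. under /etc/init.d) after
# the interfaces are plumbed, or they are lost at the next reboot.
# NOTE(review): the ipf.rules later in this guide assume hme0 is the
# external interface and hme1 the console network; ip_forwarding 0 is what
# keeps the host from routing between them, so never re-enable it.
/usr/sbin/ndd -set /dev/ip ip_forwarding 0                   # do not route between hme0 and hme1
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0  # no directed-broadcast (smurf) amplification
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0           # drop source-routed packets instead of forwarding
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1       # accept a packet only on the interface that owns its dst address
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0    # ignore broadcast ping
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1              # ICMP redirects cannot rewrite our routes
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0               # a host, not a router: never emit redirects
/usr/sbin/ndd -set /dev/ip ip_ire_pathmtu_interval 300000    # re-probe path MTU every 5 min (value in ms)
/usr/sbin/ndd -set /dev/tcp tcp_mss_def 546                  # default MSS for non-local peers
/usr/sbin/ndd -set /dev/tcp tcp_smallest_nonpriv_port 2050   # ports below 2050 need root, so 2049 (nfs) cannot be bound by a user process
/usr/sbin/ndd -set /dev/udp udp_smallest_anon_port 8192      # UDP ephemeral port range 8192-32767
/usr/sbin/ndd -set /dev/udp udp_largest_anon_port 32767
# Start inetd standalone (-s: not under the SAF sac, whose inittab entry
# this guide removes) with connection tracing (-t: the peer of every TCP
# connection is logged through syslog).
/usr/sbin/inetd -s -t &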
In /etc/init.d:
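# Park the boot scripts of services the NMR host does not need in
# /etc/init.d/NO (renamed with a NO prefix) instead of deleting them, so
# they can be restored later.  The subshell keeps the cd local.
# mkdir -p: the guide says this has to be repeated after Solaris patches
# re-install the scripts, so the parking directory may already exist.
(
  cd /etc/init.d || exit 1
  mkdir -p NO
  for script in audit autoinstall cachefs.daemon cachefs.root cacheos \
      cacheos.finish init.dmi init.snmpdx initpcmcia pcmcia sendmail \
      sysid.net tsquantum xntpd; do
    mv -- "$script" "NO/NO$script"
  done
)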
In /etc/rc0.d and /etc/rc1.d:
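# Park the kill links of the disabled services in both /etc/rc0.d and
# /etc/rc1.d.  The rc scripts only act on S*/K* names directly in the
# rcN.d directory, so anything under no/ is never run (the guide wrote
# the dmi entry as no/noK07.dmi; the name inside no/ does not matter).
# mkdir -p: safe to repeat after patches re-create the links.
for rcdir in /etc/rc0.d /etc/rc1.d; do
  (
    cd "$rcdir" || exit 1
    mkdir -p no
    for link in K07dmi K07snmpdx K33audit K36sendmail K40xntpd; do
      mv -- "$link" "no/no$link"
    done
  )
done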
In /etc/rc2.d:
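# Park the rc2.d start/kill links of the disabled services.  /sbin/rc2
# only runs S*/K* names directly in the directory, so entries under no/
# are ignored (the guide wrote the dmi entry as no/noK07.dmi; the name
# inside no/ does not matter).  mkdir -p: safe to repeat after patches.
(
  cd /etc/rc2.d || exit 1
  mkdir -p no
  for link in K07dmi K07snmpdx S30sysid.net S72autoinstall \
      S73cachefs.daemon S74xntpd S88sendmail S93cacheos.finish \
      S99audit S99tsquantum; do
    mv -- "$link" "no/no$link"
  done
)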
In /etc/rc3.d:
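# Park the rc3.d start links for snmpdx and dmi (the SNMP agents).  Only
# S*/K* names directly in the directory are run, so no/ is ignored (the
# guide wrote the dmi entry as no/noS77.dmi; the name inside no/ does not
# matter).  mkdir -p: safe to repeat after patches.
(
  cd /etc/rc3.d || exit 1
  mkdir -p no
  for link in S76snmpdx S77dmi; do
    mv -- "$link" "no/no$link"
  done
)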
In /etc/rcS.d:
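# Park the rcS.d (single-user) links of the disabled services.  Only
# S*/K* names directly in the directory are run, so no/ is ignored (the
# guide wrote the dmi entry as no/noK07.dmi; the name inside no/ does not
# matter).  mkdir -p: safe to repeat after patches.
(
  cd /etc/rcS.d || exit 1
  mkdir -p no
  for link in K07dmi K07snmpdx K33audit K36sendmail K40xntpd \
      S10initpcmcia S35cacheos.sh S41cachefs.root; do
    mv -- "$link" "no/no$link"
  done
)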
The resulting directories should now read:
/etc/init.d:
ANNOUNCE
coreadm
keymap
power
syslog
MOUNTFSYS
cron
lp
rc.vnmr
ufs_quota
NO
devfsadm
mcd
rootusr
utmpd
PRESERVE
devlinks
mkdtab
rpc
volmgt
README
drvconfig nfs.client savecore
RMTMPFILES
dtlogin nfs.server
standardmounts
autofs
inetinit
nscd sysetup
buildmnttab inetsvc
spc
sysid.sys
/etc/rc0.d:
K00ANNOUNCE
K35volmgt K39spc
K41autofs K43inet
K10dtlogin
K36utmpd K40cron
K41nfs.client K83devfsadm
K19rc.vnmr
K37power K40nscd
K41rpc
no
K28nfs.server
K39lp
K40syslog K42inetsvc
/etc/rc1.d:
K00ANNOUNCE
K36utmpd K40cron
K41rpc no
K10dtlogin
K37power K40nscd
K42inetsvc
K28nfs.server
K39lp K40syslog
K43inet
K35volmgt
K39spc K41autofs
S01MOUNTFSYS
/etc/rc2.d:
K28nfs.server
S71rpc
S75cron S85power
README
S71sysid.sys S75savecore
S88utmpd
S01MOUNTFSYS
S72inetsvc
S76nscd S92volmgt
S05RMTMPFILES S73nfs.client
S80PRESERVE S99dtlogin
S20sysetup
S74autofs S80lp no
S69inet
S74syslog
S80spc
/etc/rc3.d:
README S15nfs.server
S19rc.vnmr no
/etc/rcS.d:
K10dtlogin
K39spc
K42inetsvc
S42coreadm
K28nfs.server K40cron
K43inet
S50devfsadm
K35volmgt
K40nscd
README
S70buildmnttab.sh
K36utmpd
K40syslog
S30rootusr.sh
no
K37power
K41autofs S33keymap.sh
K39lp
K41rpc
S40standardmounts.sh
Note that all of this will have to be checked whenever Solaris patches are
installed, because some of these patches add new versions of the scripts
that were removed above.
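# Disable keyserv (the Secure RPC key server) by renaming the binary out of
# the way rather than deleting it.  && keeps the mv from running in the
# wrong directory if the cd fails.  The guide notes that patches may put a
# fresh copy of keyserv back, so re-check after patching.
cd /usr/sbin && mv -- keyserv NOkeyserv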
This is another thing that has to
be checked when Solaris patches are applied because some patches add
new versions of this file.
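# Drop the Service Access Controller (sac) entry from /etc/inittab so init
# no longer starts sac and its port monitors (inetd is started standalone
# with -s instead).  A truncated or empty inittab leaves the system
# unbootable, so the new file is only moved into place when grep succeeded
# and produced output; otherwise the original is left untouched.
# init re-reads inittab on "init q".
if grep -v /usr/lib/saf/sac /etc/inittab > /etc/inittab.new &&
   [ -s /etc/inittab.new ]; then
  mv -- /etc/inittab.new /etc/inittab
  chown root:sys /etc/inittab
  chmod 644 /etc/inittab
else
  printf 'inittab edit failed; /etc/inittab left unchanged\n' >&2
  rm -f -- /etc/inittab.new
fi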
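#
#ident "@(#)inetd.conf 1.33 98/06/02 SMI" /* SVr4.0 1.5 */
#
#
# Configuration file for inetd(1M). See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# NOTE(review): with this file only ftp, telnet, tftp, rstatd and printer
# remain active.  ftp and telnet carry credentials in cleartext; the
# ipf.rules in this guide block all inbound traffic on hme0, so these
# services are reachable only from the console network (hme1) and
# localhost -- keep it that way.  tftp runs as root, but -s /tftpboot
# makes in.tftpd chroot there, so only that tree is exposed.
# Every entry must be on one line; wrapped continuation fragments are
# parsed as bogus services.
#
# Syntax for socket-based Internet services:
# <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
#
# Syntax for TLI-based Internet services:
#
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# Ftp and telnet are standard Internet services.
# in.ftpd -l logs each FTP session through syslog.
#
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -l
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
#name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
#login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
#exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
#comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
#talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
#uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
# Kept here for the NMR console; the ipf.rules block port 69 from hme0.
#
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
#systat stream tcp nowait root /usr/bin/ps ps -ef
#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
#time stream tcp nowait root internal
#time dgram udp wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
#
#
# RPC services syntax:
# <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> \
# <pathname> <args>
#
# <endpoint-type> can be either "tli" or "stream" or "dgram".
# For "stream" and "dgram" assume that the endpoint is a socket descriptor.
# <proto> can be either a nettype or a netid or a "*". The value is
# first treated as a nettype. If it is not a valid nettype then it is
# treated as a netid. The "*" is a short-hand way of saying all the
# transports supported by this system, ie. it equates to the "visible"
# nettype. The syntax for <proto> is:
#
# *|<nettype|netid>|<nettype|netid>{[,<nettype|netid>]}
# For example:
# dummy/1 tli rpc/circuit_v,udp wait root /tmp/test_svc test_svc
#
# Solstice system and network administration class agent server
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#
# Rquotad supports UFS disk quotas for NFS clients
#
#rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
#
# The rusers service gives out user information. Sites concerned
# with security may choose to disable it.
#
#rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
#
# The spray server is used primarily for testing.
#
#sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
#
# The rwall server allows others to post messages to users on this machine.
#
#walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
#
# Rstatd is used by programs such as perfmeter.
# Needed only while CDE is in use (its perfmeter depends on rpc.rstatd);
# comment it out otherwise, as the guide advises.
#
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
#
# The rexd server provides only minimal authentication and is often not run
#
#rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
#
# rpc.cmsd is a data base daemon which manages calendar data backed
# by files in /var/spool/calendar
#
#
# Sun ToolTalk Database Server
#
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
#
# UFS-aware service daemon
#
#ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd -p
#
# Sun KCMS Profile Server
#
#100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
#
# Sun Font Server
#
#fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
#
# CacheFS Daemon
#
#100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
#
# Kerbd Daemon
#
#kerbd/4 tli rpc/ticlts wait root /usr/sbin/kerbd kerbd
#
# Print Protocol Adaptor - BSD listener
# Comment this out unless a printer or plotter is attached directly to
# the NMR host, as the guide advises.
#
printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd
#
# GSS Daemon
#
#100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
#dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
#100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
#536870916/1 dgram rpc/udp wait root /opt/SUNWvts/bin/sunvts /opt/SUNWvts/bin/sunvts -g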
If you do not have a printer or
plotter connected directly to the NMR host computer, you should also
comment out the line that reads:
printer stream tcp
nowait root /usr/lib/print/in.lpd in.lpd
If you are not running CDE, you
should also comment out the line that reads:
rstatd/2-4 tli
rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd
rpc.rstatd
Regrettably, the CDE services bar starts stdperfmeter, which depends on
rpc.rstatd. I have not yet found a way around that problem.
# /etc/ipf.rules
# IPFilter rule set for Inova host computer with two ethernet interfaces
# and unprotected by a firewall, a really bad idea, but this can help.
# Assumes hme0 is the external interface and hme1 is the ethernet to
# the Inova console.
# Definitions:
# $MYIP$ the exact internet ip address of the host computer
# $MYNET$ the first three of the four sets of numbers in the
# exact internet ip address of the host computer.
#
# NOTE(review): $MYIP$ and $MYNET$ are textual placeholders; substitute
# them before loading this file.  ipf consults its state table before the
# rule list, and among rules the first matching "quick" rule wins.  The
# lo0 and hme1 pass rules therefore shadow everything below them, so the
# interface-less "block ... port = N" rules only ever affect hme0, and
# hme1 (the console network) is trusted completely -- it must stay a
# dedicated, unrouted segment (the ndd settings in this guide set
# ip_forwarding 0 for that reason).
#
# default policy
#
block in all
block out all
#
# allow loopback to work
#
pass in quick on lo0 all
pass out quick on lo0 all
#
# Allow Inova console to have full access on hme1
#
pass in quick on hme1 all
pass out quick on hme1 all
#
# Now, block all sorts of problems from here on out.
#
# Block problem packet types
#
block in quick all with opt lsrr
block in quick all with opt ssrr
block in quick proto tcp all with short
block in log quick proto tcp from any to any flags FUP # Block & log this OS fingerprinting
#
# Block usages that support the NMR console. These should never be
# taken from the internet.
#
block in quick proto tcp/udp from any to any port = 67 #bootps
block in quick proto tcp/udp from any to any port = 68 #bootpc
block in quick proto tcp/udp from any to any port = 69 #tftp
#
# Block problematic services.
# (Defence in depth only: the final "block in quick on hme0 all" below
# already drops all of these; these rules just keep them blocked if a
# pass rule is later added above that line.)
#
block in quick proto tcp/udp from any to any port = sunrpc #portmap
block in quick proto tcp/udp from any to any port = msp #msp?
block in quick proto tcp/udp from any to any port = 1109 #kpop
block in quick proto tcp/udp from any to any port = 1127 #SUP debug
block in quick proto tcp/udp from any to any port = 1495 #cvc
block in quick proto tcp/udp from any to any port = 1524 #ingres lock
block in quick proto tcp/udp from any to any port = 1525 #prospero
block in quick proto tcp/udp from any to any port = 1645 #radius
block in quick proto tcp/udp from any to any port = 1646 #radius acct.
block in quick proto tcp/udp from any to any port = 1760 #www-ldap-gw
block in quick proto tcp/udp from any to any port = 2049 #nfs
block in quick proto tcp/udp from any to any port = 2105 #kerberos rlogin
block in quick proto tcp/udp from any to any port = 2108 #k-init
block in quick proto tcp/udp from any to any port = 2111 #k X
block in quick proto tcp/udp from any to any port = 2112 #k ip
block in quick proto tcp/udp from any to any port = 2120 #K auth
block in quick proto tcp/udp from any to any port = 2627 #webster dict.
block in quick proto tcp/udp from any to any port = 4045 #lockd
block in quick proto tcp/udp from any to any port = 5002 #radio free ethernet
block in quick proto tcp/udp from any to any port = 5680 #Kana-Kanji server
block in quick proto tcp from any to any port 5999 >< 6010 # No X (>< is exclusive: ports 6000-6009)
block in quick proto tcp/udp from any to any port = 6112 #dtspc
block in quick proto tcp/udp from any to any port = 7100 #font server
block in quick proto tcp/udp from any to any port = 7326 #internet CB
block in quick proto tcp/udp from any to any port = 26740 #hunt (6)
#
# Rules for incoming traffic on hme0
#
# Antispoofing incoming rules
#
# NOTE(review): this bogon list reflects IANA allocations of around 2000.
# Many of the per-block entries (e.g. 2/8, 5/8, 23/8, 27/8, 31/8, 67/8,
# 68/6, 72/5, 80/4, 96/3, 197/8, 201/8) have since been assigned and will
# silently drop legitimate peers; the outbound list below mirrors it, so
# both directions are affected.  Re-derive the list from a current bogon
# source before use.  The 0/8, RFC 1918 (10/8, 172.16/12, 192.168/16),
# loopback, 169.254/16 and 224/3 entries remain valid spoof checks.
# 20.20.20.0/24 looks like a site-specific choice rather than a reserved
# range -- confirm before keeping it.
#
block in quick on hme0 from 0.0.0.0/8 to any
block in quick on hme0 from 2.0.0.0/8 to any
block in quick on hme0 from 5.0.0.0/8 to any
block in quick on hme0 from 10.0.0.0/8 to any
block in quick on hme0 from 20.20.20.0/24 to any
block in quick on hme0 from 23.0.0.0/8 to any
block in quick on hme0 from 27.0.0.0/8 to any
block in quick on hme0 from 31.0.0.0/8 to any
block in quick on hme0 from 67.0.0.0/8 to any
block in quick on hme0 from 68.0.0.0/6 to any
block in quick on hme0 from 72.0.0.0/5 to any
block in quick on hme0 from 80.0.0.0/4 to any
block in quick on hme0 from 96.0.0.0/3 to any
block in quick on hme0 from 127.0.0.0/8 to any
block in quick on hme0 from 128.0.0.0/16 to any
block in quick on hme0 from 128.66.0.0/16 to any
block in quick on hme0 from 169.254.0.0/16 to any
block in log quick on hme0 from 172.16.0.0/12 to any
block in quick on hme0 from 191.255.0.0/16 to any
block in quick on hme0 from 192.0.0.0/16 to any
block in log quick on hme0 from 192.168.0.0/16 to any
block in quick on hme0 from 197.0.0.0/8 to any
block in quick on hme0 from 201.0.0.0/8 to any
block in quick on hme0 from 204.152.64.0/23 to any
block in quick on hme0 from 224.0.0.0/3 to any
#
# Anti-broadcast incoming rules
#
block in quick on hme0 from 255.255.255.255/32 to any # No broadcast.
block in quick on hme0 from $MYNET$.255/32 to any
block in quick on hme0 from $MYNET$.0/32 to any
#
# Anti-self masquerade rule
#
block in log quick on hme0 from $MYIP$/32 to any # You are not me!
#
# Make this, "Don't call us. We'll call you!"
# Technically, we could have dispensed with the rules above, but you
# may want to add some pass rules below to permit local usages.
# Since you are without a firewall, you probably should only
# allow ssh from outside.
#
# Any local policy rules for incoming traffic should go here.
# NOTE(review): any such pass rule (e.g. for ssh) must sit above the
# "block in quick on hme0 all" line -- quick rules are first-match -- and
# should carry "keep state" so the reply path is handled by the state
# table.  Replies to our own outbound "keep state" connections are also
# admitted by the state table, not by any rule here.
#
block in quick on hme0 all
#
# Rules for outgoing traffic on hme0
#
# Anti-spoofing outgoing rules. These make the system less desirable
# and less useful to system crackers.
# (Same dated bogon list as the inbound rules; see the note there.)
#
block out quick on hme0 from !$MYIP$/32 to any # Must be from my address
block out quick on hme0 from any to 0.0.0.0/8
block out quick on hme0 from any to 2.0.0.0/8
block out quick on hme0 from any to 5.0.0.0/8
block out quick on hme0 from any to 10.0.0.0/8
block out quick on hme0 from any to 20.20.20.0/24
block out quick on hme0 from any to 23.0.0.0/8
block out quick on hme0 from any to 27.0.0.0/8
block out quick on hme0 from any to 31.0.0.0/8
block out quick on hme0 from any to 67.0.0.0/8
block out quick on hme0 from any to 68.0.0.0/6
block out quick on hme0 from any to 72.0.0.0/5
block out quick on hme0 from any to 80.0.0.0/4
block out quick on hme0 from any to 96.0.0.0/3
block out quick on hme0 from any to 127.0.0.0/8
block out quick on hme0 from any to 128.0.0.0/16
block out quick on hme0 from any to 128.66.0.0/16
block out quick on hme0 from any to 169.254.0.0/16
block out quick on hme0 from any to 172.16.0.0/12
block out quick on hme0 from any to 191.255.0.0/16
block out quick on hme0 from any to 192.0.0.0/16
block out quick on hme0 from any to 192.168.0.0/16
block out quick on hme0 from any to 197.0.0.0/8
block out quick on hme0 from any to 201.0.0.0/8
block out quick on hme0 from any to 204.152.64.0/23
block out quick on hme0 from any to 224.0.0.0/3
#
# Anti-broadcast LAN rules
# Must allow broadcast on $MYNET$.255/32 and on 255.255.255.255/32 for ARP.
#
block out quick on hme0 from any to $MYNET$.0/32
#
# Anti-self masquerade LAN rules
#
block out quick on hme0 from any to $MYIP$/32 # Don't send to self.
#
# LAN out going rules which you may want to change to reflect your policy:
#
# 1. Allow tcp out to accepted address ranges as telnet, ftp, ssh, and http
#
# 2. Allow printing to approved printers ONLY.
#
# 3. Allow udp out to domain
#
# 4. Allow ping out.
#
# Note: Since our exact IP address was already required above, do not need
# specify it here.
#
# lpd (515) only to our own /24; anything else to 515 is blocked and logged.
pass out quick on hme0 proto tcp from any to $MYNET$.0/24 port = 515 keep state
block out log quick on hme0 proto tcp/udp from any to any port = 515 #lp only to ours
pass out quick on hme0 proto tcp/udp from any to any port = 53 keep state
pass out log first quick on hme0 proto tcp from any to any port = 80 keep state
# Destination ports 20-21 only (>< is exclusive): ftp-data and ftp.  This
# rule does NOT cover outbound ssh (22) or telnet (23) by destination port;
# see the note on the 32800 >< 36000 rule below.
pass out log first quick on hme0 proto tcp from any to any port 19 >< 22 keep state
#
# This next allows active ftp out, along with telnet and ssh.
# NOTE(review): "from any port 19 >< 24" matches the SOURCE port, i.e.
# packets sent by local ftp-data/ftp/ssh/telnet servers to remote high
# ports.  Since "block in quick on hme0 all" drops every inbound
# connection, such servers are unreachable from hme0 and this rule is
# effectively inert; it does not enable active-mode FTP as a client,
# which needs the remote server's inbound connection from port 20 and is
# therefore blocked -- use passive mode from this host.
#
pass out log first quick on hme0 proto tcp from any port 19 >< 24 to any port > 1024 keep state
#
# This next allows passive ftp such as is done with web servers.
# X already blocked and not a threat.
# NOTE(review): this matches SOURCE ports 32801-35999 to ANY destination
# port.  Solaris hands out TCP ephemeral ports from 32768 upward by
# default, so this is in practice a general "allow outbound TCP" rule for
# most locally originated connections (it is also what lets outbound ssh
# and telnet through).  Narrow it (e.g. to specific destination ports or
# address ranges) if the intent is really only passive FTP.
#
pass out log first quick on hme0 proto tcp from any port 32800 >< 36000 to any keep state
#
# ping is last
# (echo request out; the echo reply comes back via the state entry)
#
pass out quick on hme0 proto icmp from any to any icmp-type 8 keep state
block out log quick on hme0 all # block everything else forever and log it!