Network Routing
The network router (in.routed) and router discovery (in.rdisc) daemons are used by a Solaris OE system to dynamically determine network routing requirements. The functionality of both in.routed and in.rdisc is discussed in Chapter 2.
Multicast Routing
Multicast is a method to send network data to many systems at the same time with only a single address. Unless the system must participate in a multicast application, it is recommended to disable the code that enables the multicast route assignment. For Solaris 7 OE and earlier, the following lines in /etc/init.d/inetsvc should be commented out:
mcastif=`/sbin/dhcpinfo Yiaddr`
if [ $? -ne 0 ]; then
        mcastif=`uname -n`
fi
echo "Setting default interface for multicast: \c"
/usr/sbin/route add -interface -netmask "240.0.0.0" \
        "224.0.0.0" "$mcastif"
For Solaris 8 OE, comment out the following lines in /etc/init.d/inetsvc:
(
        if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
                mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
        else
                mcastif=$_INIT_UTS_NODENAME
        fi
        echo "Setting default IPv4 interface for multicast:" \
                "add net 224.0/4: gateway $mcastif"
        /usr/sbin/route -n add -interface "224.0/4" "$mcastif" \
                >/dev/null
) &
After the appropriate lines are commented out, the system should be restarted.
Reducing inetsvc
Based on the recommendations made in this chapter, it is possible to construct a minimized /etc/init.d/inetsvc file that contains only the essential components. Quite a few sections of this file can be commented out including:
DHCP support
named startup support
Multicast support
By commenting out all of these entries, the number of active lines in the inetsvc file decreases from 152 to 3 lines. The following is what the resulting script looks like:
#!/bin/sh
/usr/sbin/ifconfig -au netmask + broadcast +
/usr/sbin/inetd -s -t
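The following script is an added example and is not part of the Sun BluePrint or of the Solaris OE itself. It audits a copy of /etc/init.d/inetsvc for multicast route assignment lines that are still active, counts the active lines the way the text does (152 before, 3 after), and comments the Solaris 8 multicast subshell out with sed. The inetsvc content it writes is a constructed, cut-down stand-in for the real script, and the sed range assumes the subshell opens on a line holding only "(" and closes on a line holding only ") &", as in the Solaris 8 fragment shown above.

```shell
#!/bin/sh
# Added example, not from the Sun BluePrint: audit a copy of
# /etc/init.d/inetsvc for active multicast route lines, count active lines
# (152 -> 3 in the text), and comment the multicast subshell out.
# The sample inetsvc written below is constructed, not the real Solaris file.

# Count lines that are neither blank nor comments. The #!/bin/sh line is
# kept in the count so the minimized script comes out as 3 lines, matching
# the document's figure.
count_active_lines() {
    awk 'NR == 1 && /^#!/ { n++; next }
         /^[[:space:]]*#/   { next }
         /^[[:space:]]*$/   { next }
         { n++ }
         END { print n + 0 }' "$1"
}

# Print the still-active lines that touch multicast routing (the mcastif
# variable or the 224.0/4 and 224.0.0.0 routes), prefixed with line numbers.
list_active_multicast_lines() {
    awk '/^[[:space:]]*#/ { next }
         /mcastif|224\.0/  { print NR ": " $0 }' "$1"
}

count_active_multicast_lines() {
    list_active_multicast_lines "$1" | awk 'END { print NR }'
}

# Comment out the Solaris 8 multicast subshell, assumed to run from a line
# holding only "(" to a line holding only ") &". Rewrites the file in place
# through a temporary copy.
comment_out_multicast_block() {
    sed '/^($/,/^) &$/ s/^/#/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample: a cut-down stand-in for the Solaris 8 inetsvc script.
write_sample_inetsvc() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed stand-in for /etc/init.d/inetsvc
/usr/sbin/ifconfig -au netmask + broadcast +

(
        if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
                mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
        else
                mcastif=$_INIT_UTS_NODENAME
        fi
        echo "Setting default IPv4 interface for multicast:" \
                "add net 224.0/4: gateway $mcastif"
        /usr/sbin/route -n add -interface "224.0/4" "$mcastif" \
                >/dev/null
) &

/usr/sbin/inetd -s -t
EOF
}

# Demonstration on a temporary copy.
demo_dir=$(mktemp -d)
write_sample_inetsvc "$demo_dir/inetsvc"
echo "Active lines before: $(count_active_lines "$demo_dir/inetsvc")"
echo "Active multicast lines:"
list_active_multicast_lines "$demo_dir/inetsvc"
comment_out_multicast_block "$demo_dir/inetsvc"
echo "Active lines after commenting out multicast: $(count_active_lines "$demo_dir/inetsvc")"
echo "Active multicast lines after: $(count_active_multicast_lines "$demo_dir/inetsvc")"
rm -rf "$demo_dir"
```

Run it against a copy of the real inetsvc by calling the functions on that path instead of the constructed sample; the multicast check is a quick way to confirm, after the edit and before the restart, that no route line was missed.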
Network Service Banners
Some Solaris OE network services provide information on the operating system version when connections are made. This information usually includes a text string indicating the name of the OS and its version. This information may be useful to attackers with exploit programs for specific OS releases. The Solaris OE provides a method to change these messages in an attempt to hide OS information.
To change banner messages for incoming Telnet and FTP connections, create the /etc/default/telnetd and /etc/default/ftpd files.
Add a line similar to the following:
BANNER="Generic OS"
Insert the appropriate message for your environment.
It is possible to change the banner message that the sendmail process presents for incoming mail delivery connections. Search the /etc/mail/sendmail.cf file for the following line:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
Change it to:
O SmtpGreetingMessage=Mail Server Ready
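The script below is an added example, not part of the Sun BluePrint or of any Solaris OE tool. It sets and audits the banner settings described above: the BANNER= line in /etc/default/telnetd and /etc/default/ftpd, and the O SmtpGreetingMessage= option in /etc/mail/sendmail.cf. It works on copies in a temporary directory built from constructed sample content; the sendmail.cf fragment it writes is constructed, and the replacement text is assumed to contain no '|', '"' or '&' characters, which the sed expressions do not escape.

```shell
#!/bin/sh
# Added example, not from the Sun BluePrint: set and audit the Telnet/FTP
# BANNER and the sendmail SMTP greeting on copies of the configuration files.
# Sample content below is constructed; the functions take file paths, so they
# can be pointed at the real files on a Solaris host after review.

# Return 0 when the file has an uncommented BANNER= line; without one the
# default banner, which names the OS release, is shown.
banner_is_set() {
    [ -f "$1" ] && grep -q '^BANNER=' "$1"
}

# Print the BANNER value with surrounding quotes stripped (empty if unset).
get_banner() {
    [ -f "$1" ] || return 0
    sed -n 's/^BANNER=//p' "$1" | sed 's/^"//; s/"$//'
}

# Create the file if needed and set BANNER to the given text. The text is
# assumed to contain no '|', '"' or '&' characters.
set_banner() {
    if banner_is_set "$1"; then
        sed "s|^BANNER=.*|BANNER=\"$2\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'BANNER="%s"\n' "$2" >> "$1"
    fi
}

# Print the SMTP greeting option value from a sendmail.cf.
get_smtp_greeting() {
    sed -n 's/^O SmtpGreetingMessage=//p' "$1"
}

# Return 0 when the greeting still expands the version macros $v or $Z,
# i.e. the default "$j Sendmail $v/$Z; $b" form is still in place.
smtp_greeting_shows_version() {
    grep -q '^O SmtpGreetingMessage=.*\$[vZ]' "$1"
}

# Replace the greeting line with a fixed string (assumed free of '|' and '&').
set_smtp_greeting() {
    sed "s|^O SmtpGreetingMessage=.*|O SmtpGreetingMessage=$2|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Constructed sendmail.cf fragment carrying the default greeting line.
write_sample_sendmail_cf() {
    cat > "$1" <<'EOF'
# constructed sendmail.cf fragment
O LogLevel=9
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
EOF
}

# Demonstration on temporary copies.
demo=$(mktemp -d)
write_sample_sendmail_cf "$demo/sendmail.cf"
for svc in telnetd ftpd; do
    banner_is_set "$demo/$svc" || echo "$svc: no BANNER set, default OS banner in use"
    set_banner "$demo/$svc" "Generic OS"
    echo "$svc: BANNER now '$(get_banner "$demo/$svc")'"
done
smtp_greeting_shows_version "$demo/sendmail.cf" && echo "sendmail: greeting exposes version macros"
set_smtp_greeting "$demo/sendmail.cf" "Mail Server Ready"
echo "sendmail: greeting now '$(get_smtp_greeting "$demo/sendmail.cf")'"
rm -rf "$demo"
```

The audit functions (banner_is_set, smtp_greeting_shows_version) are the useful part for periodic checks: a missing BANNER line or a greeting that still references $v or $Z means the release string is back in the service banner, for example after a patch rewrote the file.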
These techniques provide only minor additional security. There are other methods to determine a system's operating system type and version over the network: several network auditing tools use a technique called TCP/IP stack fingerprinting to identify the operating system and version regardless of what the service banners say.