Solaris Security


Patching Solaris
Any machine connected to the Internet should have security-related patches applied on a frequent basis. Patches for Solaris are available from sunsolve.sun.com: follow the link to PatchPortal. The simplest policy is to install the Recommended Patch Clusters (found under Recommended and Security Patches). To do this, download the cluster zip file, unzip it in a directory which user nobody has access to, and run the install script.


Turning Off Services
A service cannot be hacked if it is not running! So don't start services you do not require: by default, Solaris starts some you probably won't need. To stop this behaviour, remove the startup script from /etc/init.d/, or from /etc/rc?.d (where ? is usually 2). A better policy might be to rename the file like this:
    cd /etc/rc2.d
    mv S88sendmail hiddenS88sendmail
  
so that it is ignored.
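
The rename approach above, as an added example that is not part of the original page: a small sh helper that disables a start script, refuses anything that is not an S<nn> script inside the rc directory, never overwrites an existing file, and can undo the change. The function names and the RC_DIR variable are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original page): disable rc start scripts by
# renaming them, and undo it later. RC_DIR is an assumption of this sketch;
# point it at a scratch copy of the directory to rehearse first.
RC_DIR=${RC_DIR:-/etc/rc2.d}

# Print the start scripts still active (names beginning with S).
list_active() {
    for f in "$RC_DIR"/S*; do
        [ -f "$f" ] && basename "$f"
    done
    return 0
}

# Rename S<nn><name> to hiddenS<nn><name>. Returns 0 if the script is
# disabled afterwards (including "already disabled"), 1 otherwise.
disable_script() {
    name=$1
    case $name in
        */*) echo "refusing: $name contains a path" >&2; return 1 ;;
        S[0-9][0-9]*) ;;
        *) echo "refusing: $name is not a start script" >&2; return 1 ;;
    esac
    src=$RC_DIR/$name
    dst=$RC_DIR/hidden$name
    if [ -f "$dst" ] && [ ! -f "$src" ]; then
        echo "$name already disabled"
        return 0
    fi
    [ -f "$src" ] || { echo "no such script: $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "will not overwrite $dst" >&2; return 1; }
    mv "$src" "$dst" && echo "disabled $name"
}

# Reverse the rename if the service turns out to be required.
enable_script() {
    name=$1
    case $name in */*) echo "refusing: $name contains a path" >&2; return 1 ;; esac
    [ -f "$RC_DIR/hidden$name" ] || { echo "not disabled: $name" >&2; return 1; }
    [ -e "$RC_DIR/$name" ] && { echo "will not overwrite $name" >&2; return 1; }
    mv "$RC_DIR/hidden$name" "$RC_DIR/$name" && echo "enabled $name"
}
```

Source the file as root and call, for example, disable_script S88sendmail, then list_active to review what will still start. The rename only affects the next boot; a daemon that is already running stays up until it is stopped.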


TCP Wrappers
Any services that you require, e.g., Telnet, can be "wrapped" so that access-control lists can be used: one can restrict access to the Telnet (or other) service on a host-by-host basis. If a machine tries to connect and its IP address does not match the configured list of "approved" machines, access is denied (the connection is broken).

TCP Wrappers can be freely downloaded from the Net. More details can be found here.


Packet Filter (Firewall): IP Filter
In addition to wrapping services, machines that are up 24/7 and networked should have a packet-filter (firewall) installed. IP Filter can be freely downloaded from the Net, though configuration is non-trivial.

More details can be found here.





About this document:

Produced from the SGML: /home/isd/public_html/_solaris_doc/_reml_grp/securing.reml
On: 4/2/2003 at 16:53:49
Options: reml2 -i noindex -l long -o html -p single