Solaris 10 - Hardening - Part 1

March 31, 2008 – 3:50 pm

Solaris 10 ships with many network services enabled by default, which is no longer acceptable.
This document describes how to disable these services and how to tune several TCP/IP stack parameters to mitigate DDoS floods and generally improve network security.

1. Disable unneeded network services:

svcadm disable bind \
rpc_ticotsord \
rpc_tcp \
rpc_udp \
autofs \
sendmail \
telnet \
ftp \
finger \
svc:/network/login:rlogin \
svc:/network/shell:default \
xfs \
ktkt_warn \
stfsloader

2. Edit the file /lib/svc/method/net-init and add these lines after the ISS generation:

# Change this to 2, as it's probably set to 1 by default.
/usr/sbin/ndd -set /dev/tcp tcp_strong_iss 2

# Combat ARP DoS attacks by flushing entries faster.
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
/usr/sbin/ndd -set /dev/ip ip_ire_arp_interval 60000

# Combat ICMP DoS attacks by ignoring them.
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip6_respond_to_echo_multicast 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0

# Ignore redirect requests. These change routing tables.
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip6_ignore_redirect 1

# Don't send redirect requests. This is a router function.
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0
/usr/sbin/ndd -set /dev/ip ip6_send_redirects 0

# Don't respond to timestamp requests. This may break rdate on some systems.
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0

# If a packet isn't for the interface it came in on, drop it.
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip6_strict_dst_multihoming 1

# Don't forward broadcasts.
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0

# Don't forward source routed packets.
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip6_forward_src_routed 0

# Combat SYN flood attacks.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192

# Combat connection exhaustion attacks.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024

# Don't forward reverse source routed packets.
/usr/sbin/ndd -set /dev/tcp tcp_rev_src_routes 0

# Combat IP DoS attacks by decreasing the rate at which errors are sent.
/usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 1000
/usr/sbin/ndd -set /dev/ip ip_icmp_err_burst 5

To apply the changes and update the system configuration, restart the initial network service:

svcadm restart initial
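To confirm that the step 2 values are actually in effect after the restart, the following audit helper (an added example, not part of the original post) reads each tunable back with ndd -get and reports any that differ from the values above. NDD_READER is an assumed variable name that lets a stand-in command replace ndd for offline testing.

```shell
# Added audit helper (not from the original post): compares the ndd tunables
# set in step 2 against the running values and reports any that have drifted.
# "driver parameter expected" rows, values exactly as step 2 sets them.
DESIRED='
/dev/tcp tcp_strong_iss 2
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_ire_arp_interval 60000
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip6_respond_to_echo_multicast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip6_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/ip ip6_send_redirects 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip6_strict_dst_multihoming 1
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip6_forward_src_routed 0
/dev/tcp tcp_conn_req_max_q0 8192
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_rev_src_routes 0
/dev/ip ip_icmp_err_interval 1000
/dev/ip ip_icmp_err_burst 5
'
# read_tunable DRIVER PARAM: print the running value via ndd -get.
# NDD_READER (assumed name) may point at a stand-in command for offline tests.
read_tunable() {
    ${NDD_READER:-/usr/sbin/ndd} -get "$1" "$2"
}

# audit_tunables: print one DRIFT line per mismatched parameter and return
# the mismatch count, so 0 means every step 2 value is in effect.
audit_tunables() {
    drift=0
    while read -r drv param want; do
        [ -z "$param" ] && continue
        have=$(read_tunable "$drv" "$param" 2>/dev/null) || have='unreadable'
        if [ "$have" != "$want" ]; then
            echo "DRIFT $drv $param expected=$want actual=$have"
            drift=$((drift + 1))
        fi
    done <<EOF
$DESIRED
EOF
    return $drift
}
```

Source the file on the Solaris host and call audit_tunables; a non-zero return is the number of parameters that still differ from step 2, which also catches a net-init edit that was lost to a later patch.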

3. ONLY on SPARC servers, add these two lines to /etc/system to disallow execution of instructions on the stack. The change takes effect only after a reboot:

set noexec_user_stack=1
set noexec_user_stack_log=1

4. Change the value of TCP_STRONG_ISS to 2 in the /etc/default/inetinit file.
