hack sun book hack proofing sun solaris part 1 docx


From the authors of the bestselling HACK PROOFING™ YOUR NETWORK

1 YEAR UPGRADE BUYER PROTECTION PLAN

Protect Your Solaris Network from Attack

• Complete Coverage of Solaris 8 C2 and Trusted Solaris 8
• Hundreds of Damage & Defense, Tools & Traps, and Notes from the Underground Sidebars, Security Alerts, and FAQs
• Step-by-Step Instructions for Making the Most of Solaris 8 Security Enhancements

Wyman Miles
Ed Mitchell
F. William Lynch
Randy Cook, Technical Editor

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs.
And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author UPDATE™,” “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Sun Solaris 8

Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-44-X

Technical Editor: Randy Cook
Freelance Editorial Manager: Maribeth Corona-Evans
Technical Reviewer: Ryan Ordway
Cover Designer: Michael Kavish
Co-Publisher: Richard Kristof
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Copy Editors: Alexandra Kent and Darlene Bordwell
Developmental Editor: Jonathan Babcock
Indexer: Claire A. Splan

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying, and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise.
Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten and Annabel Dent of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Contributors

Hal Flynn is a Threat Analyst at SecurityFocus, the leading provider of Security Intelligence Services for Business. Hal functions as a Senior Analyst, performing research and analysis of vulnerabilities, malicious code, and network attacks. He provides the SecurityFocus team with UNIX and network expertise. He is also the manager of the UNIX Focus Area and moderator of the Focus-Sun, Focus-Linux, Focus-BSD, and Focus-GeneralUnix mailing lists. Hal has worked the field in jobs as varied as the Senior Systems and Network Administrator of an Internet Service Provider, to contracting the United States Defense Information Systems Agency, to Enterprise-level consulting for Sprint. He is also a proud veteran of the United States Navy Hospital Corps, having served a tour with the 2nd Marine Division at Camp Lejeune, NC as a Fleet Marine Force Corpsman. Hal is mobile, living between sunny Phoenix, AZ and wintry Calgary, Alberta, Canada. Rooted in the South, he currently calls Montgomery, AL home.

Ido Dubrawsky (CCNA, SCSA) is a Network Security Engineer and a member of Cisco’s Secure Consulting Services in Austin, TX. He currently conducts security posture assessments for clients as well as provides technical consulting for security design reviews.
His strengths include Cisco routers and switches, PIX firewall, Solaris systems, and freeware intrusion detection systems. Ido holds a bachelor’s and a master’s degree from the University of Texas at Austin and is a member of USENIX and SAGE. He has written several articles covering Solaris security and network security for Sysadmin magazine as well as SecurityFocus.com. He lives in Austin, TX with his family.

Drew Simonis (CCNA, SCSA, SCNA, CCSA, CCSE, IBM CS) is co-author of Hack Proofing Your Web Applications (ISBN: 1-928994-31-8) and is a Senior Security Engineer with the RL Phillips Group, LLC. He currently provides senior level security consulting to the United States Navy, working on large enterprise networks. He considers himself a security generalist, with a strong background in system administration, Internet application development, intrusion detection and prevention, and penetration testing. Drew’s background includes a consulting position with Fiderus, serving as a Security Architect with AT&T and as a Technical Team Lead with IBM. Drew has a bachelor’s degree from the University of South Florida and is also a member of American MENSA. Drew currently lives in Suffolk, VA with his wife Kym and daughters Cailyn and Delaney.

Mike Lickey is a Senior Engineer for IPC Technologies in Richmond, VA. He has 20 years experience in systems administration working with the real-time production server environment, specializing in critical uptime systems. He has worked for IPC Technologies for almost ten years, providing broad support for all platforms. As a consultant, he has worked almost exclusively with Fortune 100 companies working with multiple systems and networking architectures. He has extensive experience with system security starting in 1985 when he got his first systems administration position. Mike has lived in Richmond with his wife Deborah for almost 25 years.
He received his bachelor’s degree in English from Virginia Commonwealth University.

F. William Lynch (SCSA, CCNA, MCSE, MCP, A+) is an Independent Security and Systems Administration consultant in Denver, CO. His specialties include firewalls, VPNs, security auditing, documentation, systems performance analysis, Solaris and open source operating systems such as OpenBSD, FreeBSD, and Linux. He has served as a consultant to multinational corporations and the Federal government including the Centers for Disease Control and Prevention headquarters in Atlanta, GA as well as various airbases of the United States Air Force. William is also the founder and director of the MRTG-PME project, which uses the MRTG engine to track systems performance of various UNIX operating systems. William holds a bachelor’s degree in Chemical Engineering from the University of Dayton in Dayton, OH and a master’s degree in Business Administration from Regis University in Denver, CO.

Edward Mitchell is the Network Operations Manager for ADC Telecommunication’s Enhanced Services Division in San Jose, CA. He oversees a large multi-platform UNIX environment with a Cisco-based infrastructure and is responsible for all aspects of network and system security. Prior to ADC, Edward spent time with the State of California as an independent consultant for a variety of network security projects. Edward also provides security and disaster recovery consulting services for a variety of clients and actively participates in various incident response teams and events. He currently resides in California’s Central Valley and appreciates the patience and understanding his wife displayed during his contribution to this book.

Wyman Miles is the Senior Systems Administrator and Technical Manager for Educational Technology at Rice University. In this role, Wyman handles Solaris security for a large, distributed network.
He also advises on security matters for other divisions within Information Technology. Some of his developments in security technology, including Kerberos deployment tools, SSL proxies, and wireless network security have been presented at academic conferences around the country. Though the focus of his work has been cryptography, Wyman handles all aspects of network and host-based security for the academic network. Wyman holds a bachelor’s degree in Physics with a minor in English. He resides in Houston, TX with his wife Erica.

[...]

Contents

...
/etc/user_attr
user:qualifier:res1:res2:attr
/etc/security/auth_attr
authname:res1:res2:short_desc:long_desc:attr
/etc/security/prof_attr
profname:res1:res2:desc:attr
/etc/security/exec_attr
name:policy:type:res1:res2:id:attr
Changing Default...

... unauthorized hosts

Chapter 6 Securing Your Network
Introduction
Configuring Solaris as a DHCP Server
Using the dhcpmgr GUI Configuration Tool
Using the dhcpconfig Command-Line Tool
Securing DNS Services on Solaris
Using BIND
Setting Up a chroot Jail for BIND
Securing Zone Transfers in BIND 8
Configuring Solaris to Provide...

... Together
What to Do Once You’ve Detected a Hack
What’s a Honeypot?
How to Build a Honeypot on a Sun System
Commercial Honeypots for Solaris
Monitoring Solaris Log Files
Solaris Log Files to Review
Creating Daily Reports

There are many excellent ways to automate...

... The Sports Page
Local Events
Start the Presses!
Summary
Solutions Fast Track
Frequently Asked Questions
Hack Proofing Sun Solaris 8 Fast Track
Index

Foreword

Many years ago, my father decided to put a birdfeeder in our backyard. It was great. From our breakfast table...

... variants, including Solaris. Figure 1.3 details an Nmap scan of a default Solaris host from a Linux-based host. (Scanning from a Solaris host would yield an identical output.)

Figure 1.3 An Nmap Scan of a Default Solaris Host from a Linux-Based Host

Chapter 1 • Introducing Solaris Security: Evaluating Your Risk

As you can see, Solaris includes a...

... Monitoring Solaris Systems
Using the sdtprocess and sdtperfmeter Applications
Monitoring Solaris Logfiles
Monitoring the Access Logs
Monitoring the sulog
Validating the System Logs
Testing Security
Testing Passwords
Testing File Permissions
Securing against Physical Inspections
Securing OpenBoot
Documenting Security Procedures and Configurations

... Configuring Solaris to Provide Anonymous FTP Services
Using X-Server Services Securely
Using Host-Based Authentication
Using User-Based Authentication
Using X-Windows Securely with SSH
Using Remote Commands
Using Built-In Remote Access Methods
Using SSH for Remote Access
Enabling Password Free Logins with

Answers to Your Frequently...
Chapter 10 Dissecting Hacks
Introduction
Securing against Denial of Service Hacks
Ping of Death
Syn Flood
E-Mail Flood
Securing against Brute Force Hacks

Like other System VR4 UNIX operating systems, Solaris keeps account information...

... Trusted Solaris 8
Solaris 8 Security Enhancements
Using SunScreen Secure Net
Utilizing SunScreen SKIP
Utilizing SKIP’s VPN Capabilities
Using the Solaris Security Toolkit
Working with the Solaris Security Toolkit’s System Files
Using OpenSSH
Summary
Solutions Fast Track
Frequently Asked Questions

... Minimal Users
Minimal Dynamic Information
Minimal Cleartext Communication

Steps to Ensure the System Isn’t Routing Traffic
1. Check for the /etc/notrouter file. If it does not exist, create it.
2. Check the value of ip_forwarding ...

... SSH
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 7 Providing Secure Web and Mail Services
Introduction

Date posted: 14/08/2014, 04:21
