Solaris ipfilter broken by Patch 125503-02

We recently installed a number of patches onto a T1000 server running Solaris 10 U3, only to discover that the ipfilter service was broken thereafter. The service itself appeared to be configured correctly with no visible signs of error but we discovered that many ports that we had configured to be blocked from certain sources were not.

After some careful analysis of the patches applied, we discovered that Patch 125503-02 had replaced a number of the files associated with the SUNWipfilter package, resulting in the main network interface for our system no longer being plumbed for use with the pfil driver.

Here is how we recovered from this situation:

1. Back out the patch and reboot

# smpatch remove -i 125503-02
# reboot

2. Replumb the appropriate network interface

# ifconfig bge0 modinsert pfil@2
# autopush -f /etc/ipf/pfil.ap
# ifconfig bge0 unplumb
# ifconfig bge0 plumb

Note: Replace bge0 with e1000g0 for a T2000 and ensure your pfil.ap has the correct entry in it.
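Because the service looked healthy while pfil was silently missing from the interface stream, the check worth running after any patching is whether pfil is actually in the STREAMS stack. The script below is an added example, not from the original post: it parses the output of "ifconfig <interface> modlist" (one "<position> <name>" line per module, stream head first, driver last) and reports whether pfil sits directly below ip, where "modinsert pfil@2" puts it. The modlist samples in it are constructed; bge0 is the interface name from the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the pfil STREAMS
# module is really pushed onto an interface, the condition the patch broke.
# Input is the output of "ifconfig <interface> modlist", e.g.
#   0 arp
#   1 ip
#   2 pfil
#   3 bge
# pfil_plumbed returns 0 when pfil sits directly below ip and above the
# driver (the layout "ifconfig bge0 modinsert pfil@2" produces), 1 otherwise.

pfil_plumbed() {
    printf '%s\n' "$1" | awk '
        { name[NR] = $2 }
        END {
            ok = 0
            for (i = 2; i <= NR; i++)
                if (name[i] == "pfil" && name[i - 1] == "ip" && i < NR)
                    ok = 1
            exit (ok ? 0 : 1)
        }'
}

# Run against a live interface: check_iface bge0 (e1000g0 on a T2000).
check_iface() {
    if pfil_plumbed "$(ifconfig "$1" modlist 2>/dev/null)"; then
        echo "$1: pfil is plumbed"
    else
        echo "$1: pfil is NOT in the stream; ipfilter rules are not applied" >&2
        return 1
    fi
}

# Constructed sample: healthy stack after the recovery steps above
GOOD_MODLIST='0 arp
1 ip
2 pfil
3 bge'

# Constructed sample: stack as the patch left it, pfil gone
BAD_MODLIST='0 arp
1 ip
2 bge'
```

Running check_iface for every interface after a reboot catches the failure the post describes before a port scan from an untrusted host does.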

Thanks to derkeiler.com for assistance.

Locking down your Solaris system

In preparation for a forthcoming public trial of a new web service powered by Solaris, we recently spent some time investigating different ways to lock the system down. Here is an overview of our findings.

Solaris Installation

If you have the option of (re)installing Solaris, then take it. And in doing so, be sure to choose the Solaris Core installation cluster (SUNWCreq), as this is the most secure (mainly due to the reduced number of packages that it includes). Of course this cluster will almost certainly not provide you with everything that you need (and you will have to manually install several packages thereafter), but it is generally worthwhile as you will know exactly what is and is not installed on your system.

Useful Tools and Utilities

I found the following utilities very useful:

  • netstat
  • nmap
  • lsof

The first is natively available on Solaris and the other two can be downloaded from the sunfreeware.com website. The combination of these utilities makes it very easy to diagnose which ports are open (and by which process) on a system. Refer to some of the articles below to see some good ways in which you can do this.

Solaris Security Toolkit

If you want to, you can manually lock down your system using the netstat, svcs and svcadm commands but you really need to know what you are doing. However, there is a far simpler way to do this and that is to use the Solaris Security Toolkit (SUNWjass). This is a very powerful (and extremely well documented) utility that is pretty easy to use, to very good effect. It is also free.

All you need to do is run one simple command (there are 16 variations to choose from depending on how paranoid you are) and the SST will do the rest – disabling all the appropriate services, setting file permissions, creating hosts.allow and hosts.deny files and even invalidating non-root user passwords in certain cases. So be sure that you have console access to your system before you run it.

You can even run it again in analyse mode to ensure that the system is still locked down to the same degree as it was when you first ran it (although I have not tested this).

Useful Links

Here are some good postings on the Solaris Security Toolkit