Tuesday August 08, 2006
Securing my X2100
I've been getting paranoid. Methinks too paranoid for my own good. I've been spending a bit of time securing my server. This is a good thing to do when there are thousands of bad, bad dudes (and dudettes) trying to hack into systems. What have I done so far?
First off, I unplugged the server from the network. Next, I powered it off. I am just now starting to feel safe. Wait, this is going to make writing network services pretty difficult. Sigh. Power it on. Plug it in to the network. Now what?
First, I didn't plumb any interfaces. Setup begins while logged in to the console.
Step #1 was to disable a good chunk of unnecessary-for-my-needs services in the global zone (svccfg apply /var/svc/profile/generic_limited_net). We're not quite Secure by Default yet, so I had to disable some additional services as well, such as sendmail.
Step #2: Configure IP Filter. Block all incoming traffic ("block in all"). Then enable traffic on an as-needed basis. For the global zone, block all if you can.
Step #3: Create a user for me and assign some roles to myself. On my system, I'm a stud. But not too studly. Can't let it go to my head. Or weaken security.
Step #4: Plumb the interface. Set up the Sun Update Connection to get security patches pushed down. Reboot (kernel patch). Instead of waiting for the polling interval, I opened up a can of /usr/lib/patch/swupas on my system to sync the files I selected in the Sun Update Connection portal. I'll follow up with more on the Sun Update Connection later. Some patches had to be installed manually :( Wish I could use the Sun Update Connection in its acronym form, but I don't think marketing accounted for that ...
Step #5: Create a zone. As I've mentioned before, the default configuration should utilize zones with no services running in the global zone. Just my opinion.
Step #5.1: Apply Step #1 in context of Step #5.
Step #6: Installed a name server in the local zone. named -t [directory] -u [user]. By specifying the "chroot" directory and user, there's a bit more security, not to mention the SMF script limits the privileges available to the service.
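The rule shape from Step #2 (block everything inbound first, then pass only what is needed) is easy to get subtly wrong, because IP Filter applies the last matching rule unless a rule is marked "quick". The following is an added example, not code from this post or from Sun: a small POSIX sh/awk lint that reads an ipf.conf-style file and checks that the first inbound rule is "block in all" (or "block in log all"), that every "pass in" exception carries "quick", and lists the ports the ruleset lets in. The two sample rulesets, the interface name bge0 and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): lint an IP Filter (ipf.conf)
# ruleset for the "block in all, then pass as needed" shape from Step #2.
# Needs only POSIX sh and awk; no ipf binary is required.

# Constructed sample that follows the default-deny pattern.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# block everything inbound on every interface, and log it
block in log all
# hand-picked exceptions; "quick" stops rule evaluation at the first match
pass in quick on bge0 proto tcp from any to any port = 22 flags S keep state
pass in quick on bge0 proto udp from any to any port = 53 keep state
pass in quick on bge0 proto tcp from any to any port = 53 flags S keep state
pass out quick all keep state
EOF

# Constructed sample with two mistakes: no default block, and a pass rule
# without "quick" (without quick, a later matching rule would override it).
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
pass in on bge0 proto tcp from any to any port = 22 keep state
pass out quick all keep state
EOF
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# check_default_deny FILE
# Exit 0 when the first inbound rule is "block in [log] all" and every
# "pass in" rule carries "quick"; exit 1 otherwise, with the reason on stderr.
check_default_deny() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $2 == "in" {
            if (!seen_in) {
                seen_in = 1
                # accept "block in all" or "block in log all"
                if (!($1 == "block" && ($3 == "all" || ($3 == "log" && $4 == "all")))) {
                    print "first inbound rule is not \"block in all\": " $0 > "/dev/stderr"
                    bad = 1
                }
            }
            if ($1 == "pass" && $3 != "quick") {
                print "pass in rule without quick: " $0 > "/dev/stderr"
                bad = 1
            }
        }
        END {
            if (!seen_in) { print "no inbound rules at all" > "/dev/stderr"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# list_open_ports FILE
# Print each inbound proto/port the ruleset passes, one per line, sorted.
list_open_ports() {
    awk '
        $1 == "pass" && $2 == "in" {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "proto") proto = $(i + 1)
                if ($i == "port" && $(i + 1) == "=") port = $(i + 2)
            }
            if (port != "") print proto "/" port
        }
    ' "$1" | sort -u
}

# Usage: lint the two samples; point it at /etc/ipf/ipf.conf for a real check.
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_default_deny "$f"; then
        echo "$f: default-deny OK, opens: $(list_open_ports "$f" | tr '\n' ' ')"
    else
        echo "$f: FAILED"
    fi
done
```

The lint only reads the file, so it is safe to run against a live configuration before `ipf -Fa -f /etc/ipf/ipf.conf` reloads it.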
Step #7: TBD. I am not done with security and I am open to suggestions to take it a step further. Security is not my forte. Some thoughts are additional minimization and potentially BART.
Not sure what I want to install first.
Web Server ?
Portal Server?
Java CAPS?
N1 SPS? Sigh, too many choices. I'm a kid in a bit-candy store. I'm leaning Portal. That will front-end everything else.
(2006-08-08 21:40:09.0)