Closing Potential Security Holes (Solaris for ISPs Administration Guide)

Solaris for ISPs Administration Guide

Closing Potential Security Holes

We recommend disabling of the following services to ensure protection for passwords and to restrict access to hosts for unauthorized individuals.

Note -

If you accept the default setting, you will no longer be able to access the host with these disabled "r" commands.

rexecd: Disable this service to discontinue support for remote command execution via the rexec(3N) function, which passes passwords in the clear.
rlogind: Disable this service to ensure security for passwords because it relies on .rhosts and hosts.equiv for password-less authentication during remote logging.
rshd: Disable this service to protect password because it relies on .rhosts and hosts.equiv for password-less authentication during remote command execution.

Note -
If you accept the default setting, the following services will be enabled. You must review and may modify the setting.
telnetd: If you accept the default installation setting, note that this service is enabled as this enables remote login mechanisms.
ftpd: If you accept the default installation setting, note that this service is enabled because it provides support for file transfer to and from remote network sites in the least insecure manner. This service will be disabled if you select Sun Internet FTP Server for installation.

Note -
If you require security for telnet and FTP services, set up your network such that file transfer requests are made within the network.

We recommend disabling the following services to protect information from unauthorized users. Disabling these services will enhance system security and will restrict access to system information by preventing host responses to these network requests.

fingerd: Disable this service to safeguard information from a network-based finger request.
netstat: Disable this service to ensure that the contents of the various network-related data structures are not exposed by remote invocation of netstat.
rstatd: Disable this service to prevent access to system statistics.
rusersd: Disable this service to protect information about logged-in users.
systat: Disable this service to discontinue support for remotely running ps on the host.
routing: Disable this service to ensure that the host is not operated as a router. If disabled, the file /etc/notrouter is created.
sendmail: Disable this service to protect against denial of service attacks and to disable support for receiving and sending mail. S88sendmail is modified.
sprayd: Disable this service to discontinue support to test the network and record packages sent by spray.