Setup Guidelines

This chapter discusses the guidelines for configuring your network host for the installation of Solaris ISP Server software. This configuration information is essential for successful installation. Please read carefully.

Install Scenario

You must design your network before installing Solaris ISP Server. This section discusses two examples of a Solaris ISP Server network hosts setup. Use the network hosts setup example that most closely suits your environment.

Sample Network Configurations

This section describes a sample base and expanded network setup, and the requirements and recommendations for the hardware configuration of the setups.

---

Note -

We do not assume the existence of a firewall in our example network configurations. If you are using an Internet firewall product to control network traffic to or from any Solaris ISP Server software host, you should examine the security policy controlling the host to make sure the relevant types of communication are allowed. This document does not offer recommendations related to Internet firewalls.

---

Figure 2-1 Sample Base Setup

Figure 2-2 Sample Expanded Setup

To setup a Solaris ISP Server network, you require high-end workstations and primary and secondary DNS servers. You need not install Solaris ISP Server extensions and services on a host acting as a DNS server. Most extensions and services only require the ability to perform name lookups regularly. The hosts must be on a network connected to the Internet and you can use any server on the network to act as a client host.

While preparing a host for the installation of Solaris ISP Server software, we recommend you reserve:

• 2 MB disk space in /.

• 69 MB disk space in /opt.

• 51 MB disk space in /usr.

• 33 MB disk space in /var.

Changes to Solaris

This section discusses the reconfigurable changes that may be made to Solaris services during host configuration. The installation of Solaris ISP Server platform extensions and services with their default configuration will override the default service behavior on the hosts where they are installed. This procedure creates a more secure server by disabling Solaris network utilities that are not essential to the Solaris ISP Server software installed on the system.

---

Note -

You must review and may modify, if necessary, the default settings during host configuration.

---

If you accept the default installation setup, these Solaris services will be disabled, unless noted otherwise. Disabling of these services is not required, but we recommend disabling these services to avoid potential security holes and to conserve resources. To change the value of these services, inetd.conf will be modified, unless stated otherwise.

Closing Potential Security Holes

We recommend disabling of the following services to ensure protection for passwords and to restrict access to hosts for unauthorized individuals.

---

Note -

If you accept the default setting, you will no longer be able to access the host with these disabled "r" commands.

---

• rexecd: Disable this service to discontinue support for remote command execution via the rexec(3N) function, which passes passwords in the clear.

• rlogind: Disable this service to ensure security for passwords because it relies on .rhosts and hosts.equiv for password-less authentication during remote logging.

• rshd: Disable this service to protect password because it relies on .rhosts and hosts.equiv for password-less authentication during remote command execution.

  ---

  Note -

  If you accept the default setting, the following services will be enabled. You must review and may modify the setting.

  ---

• telnetd: If you accept the default installation setting, this service is enabled to support remote login mechanisms.

• ftpd: If you accept the default installation setting, this service is enabled to provide support for file transfer to and from remote network sites in the least insecure manner. This service will be disabled if you select Sun Internet FTP Server for installation.

  ---

  Note -

  If you require security for telnet and FTP services, set up your network such that file transfer requests are made within the network.

  ---

We recommend disabling the following services to protect information from unauthorized users. Disabling these services will enhance system security and will restrict access to system information by preventing host responses to these network requests.

• fingerd: Disable this service to safeguard information from a network-based finger request.

• netstat: Disable this service to ensure that the contents of the various network-related data structures are not exposed by remote invocation of netstat.

• rstatd: Disable this service to prevent access to system statistics.

• rusersd: Disable this service to protect information about logged-in users.

• systat: Disable this service to discontinue support for remotely running ps on the host.

• routing: Disable this service to ensure that the host is not operated as a router. If disabled, the file /etc/notrouter is created.

• sendmail: Disable this service to protect against denial of service attacks and to disable support for receiving mail. However, the system checks for queues and pushes outgoing mails. S88sendmail will be modified.

• sprayd: Disable this service to discontinue support to test the network and record packages sent by spray.

Conserving Resources

We recommend disabling of the following CDE and OpenWindows services unless they are required in your environment. Disabling these services will enhance system performance.

• cmsd: Disable this service as it is required only if CDE calendars are located on the host.

• dtspcd: Disable this service to discontinue support for CDE sessions.

• kcms_server: Disable this service to discontinue support for remote access to OpenWindows KCMS profiles.

• ttdbserverd: Disable this service to discontinue support for Tooltalk database server required for proper CDE operation.

We recommend disabling the following network (inetd) services unless required in your environment. Disabling these services will free resources and enhance system performance. Modify the default configuration if you require any network utilities listed below.

• chargen: Disable this service to discontinue support to test inetd and generate characters.

• discard: Disable this service to discontinue discarding all input from testing inetd.

• echo: Disable this service to discontinue support to echo back all input from testing inetd.

• fs.auto: Disable this service to disable the font server.

  ---

  Note -

  If you accept the default setting, the following services are enabled. You must review and may modify the setting.

  ---

• time: If you accept the default installation setting, this service is enabled. It returns machine-readable time.

• cachefsd: If you accept the default installation setting, this service is enabled. This is the cacheFS daemon.

We recommend disabling of the following services unless they are essential for your environment. Disabling these services will enhance system performance. Please modify the default configuration if you require any services listed below.

• automountd: Disable this service as this supports automounting only and not normal NFS mounts. S74autofs will be modified.

• comsat: Disable this service to discontinue biff(1) notification of new mail on the host.

• daytime: Disable this service to discontinue support to return the time of day remotely over the network.

• rquotad: Disable this service to discontinue support for quotas on export NFS file systems.

• sadmind: Disable this service to discontinue support for performing distributed system administration operations using Solstice AdminSuite.

• talkd: Disable this service to discontinue support for running the interactive talk program.

• tnamed: Disable this service to discontinue support for DARPA name server protocol.

• lpd: Disable this service to ensure that the host is not operated as a BSD print server. This does not disable the system V print server.

• uucpd: Disable this service to discontinue support for remote file transfer and remote command execution using the UUCP protocol.

• walld: Disable this service to discontinue support for sending messages by wall over the network.

• Xaserver: Disable this service to discontinue support for X-based audio over the network.

---

Note -

You can also refer to the on line help during host configuration for help in enabling or disabling the Solaris services.

---

Solaris ISP Server admin File

Solaris ISP Server uses an administration file that overrides your system default parameters. You must accept this administration file to install Solaris ISP Server software. If you are installing Solaris ISP Server 2.0 software:

• Using the host configuration software, you have the option of specifying whether or not you wish to accept Solaris ISP Server admin file before proceeding with the installation.

• From the command line, this admin file will override your system default admin file.

Please review the parameters discussed in this section before installing Solaris ISP Server software. See admin(4) man page in man Pages(4): File Formats for more information.

Table 2-1 Solaris ISP Server admin File

Parameters	Default	Will use
conflict	ask	nocheck
instance	unique	overwrite
setuid	ask	nocheck
mail	(none)	(your current setting)
space	ask	quit
runlevel	ask	nocheck
idepend	ask	quit
basedir	default	default
action	ask	nocheck
rdepend	ask	quit
partial	ask	quit

Creating User-defined Scripts

This section discusses certain installation and configuration updates you may provide for executing after installing Solaris ISP Server software. These parameters can be written as a shell script. For example, you can write a command similar to: echo "foo" >> /etc/ftpusers

The path to your script can be registered while configuring the host (Post-Configuration Command screen) for installation of Solaris ISP Server. Or, you may specify a sequence of commands separated by a semicolon. Your postconfiguration command will be executed during a batch install.

---

Note -

Creating this script is optional.

---

Some postinstallation system setup examples that you may address in your script to be executed after installation are illustrated in the following. For example:

• Write a program to verify and confirm changes to system setup.

• Write a program to notify or print disk space availability after installation.

• Write a program to reconfigure notification messages from syslog for failed authorization entries. See "Introducing Solaris ISP Server" in Solaris ISP Server 2.0 Administration Guide.

• Write a program to set interval values for the host configuration log file management daemon (hclfmd). See hclfmd(4m) man page for more information.

• Write a program to configure other independent software.