
Oracle® SuperCluster M8 and SuperCluster M7 Security Guide

Updated: June 2020

Disable Unnecessary Services (Compute Servers)

  1. Log in to one of the compute servers and access the host console as superuser.

    See Log into a Compute Server.

  2. Disable the NFS server service on a system that is not an NFS file server.

    Caution - Do NOT disable the NFS server service on the master control domain (the primary domain of the first PDomain), because this service is required for I/O domain creation.

    The NFS server service handles client file system requests over NFS versions 2, 3, and 4. If this system is not an NFS server, disable the service.

    # svcadm disable svc:/network/nfs/server
    
  3. If you are not using FedFS for either DNS SRV records or LDAP-based referrals, disable the service.

    The Federated file system (FedFS) client service manages defaults and connection information for LDAP servers that store FedFS information.

    # svcadm disable svc:/network/nfs/fedfs-client
    
  4. Disable the rquota service.

    The remote quota server returns quotas for a user of a local file system that is mounted over NFS. The results are used by the quota command to display user quotas for remote file systems. The rquotad daemon is normally invoked by the inetd command. The daemon provides information about the network to potentially malicious users. For more information, refer to the Oracle Solaris quota(1M) man page, the rquotad(1M) man page, or the inetd(1M) man page.

    # svcadm disable svc:/network/nfs/rquota
    
  5. Disable the cbd service.

    The cbd service manages communication endpoints for the NFS Version 4 protocol. The nfs4cbd daemon runs on the NFS Version 4 client and creates a listener port for callbacks. For more information, refer to the Oracle Solaris nfs4cbd(1M) man page.

    # svcadm disable svc:/network/nfs/cbd
    
  6. Disable the mapid service if you are not using NFSv4.

    The NFS user and group ID mapping daemon service maps to and from NFS version 4 owner and owner_group identification attributes and local UID and GID numbers used by both the NFS version 4 client and server.

    # svcadm disable svc:/network/nfs/mapid
    
  7. Disable the ftp service.

    The FTP service provides unencrypted file transfer and uses plain-text authentication. Use the secure copy program, scp, instead of ftp, because it encrypts both authentication and the file transfer. For more information, refer to the Oracle Solaris scp(1) man page.

    # svcadm disable svc:/network/ftp:default
    
  8. Disable the removable volume manager service.

    The removable volume manager is a HAL-aware volume manager that can automatically mount and unmount removable media and hot-pluggable storage. Through such media, users might import malicious programs or transfer sensitive data off the system. For more information, refer to the Oracle Solaris rmvolmgr(1M) man page.

    This service only runs in the Oracle Solaris global zone.

    # svcadm disable svc:/system/filesystem/rmvolmgr
    
  9. Disable the smserver service.

    The smserver service is used to access removable media devices.

    # svcadm disable rpc/smserver:default
    
  10. Specify pam_deny.so.1 as the module for the authentication stack for the r-protocol services in the /etc/pam.d directory.

    By default, legacy services such as the r-protocols (rlogin and rsh) are not installed. These services, however, are defined in the /etc/pam.d directory. If you remove the service definitions from the /etc/pam.d directory, the services use the other services (SSH, for example) in the event that the legacy services are enabled. For more information, refer to the Oracle Solaris rlogin(1) man page or the rsh(1) man page.

    # cd /etc/pam.d
    # cp rlogin rlogin.orig
    # pfedit rlogin
    auth definitive pam_deny.so.1
    auth sufficient pam_deny.so.1
    auth required pam_deny.so.1
    # cp rsh rsh.orig
    # pfedit rsh
    auth definitive pam_deny.so.1
    auth sufficient pam_deny.so.1
    auth required pam_deny.so.1
    
  11. Edit the /etc/default/keyserv file to change the value of ENABLE_NOBODY_KEYS to NO.

    With this value set to NO, the keyserv service cannot use the nobody user's key. The default value of ENABLE_NOBODY_KEYS is YES.

    # pfedit /etc/default/keyserv
    . . .
    ENABLE_NOBODY_KEYS=NO
    
  12. Add users to the ftpusers file to restrict ftp access.

    FTP file transfers must not be available to all users, and must require qualified users to supply their user name and password. In general, system accounts should not be allowed to use FTP. This step ensures that system accounts are listed in the /etc/ftpd/ftpusers file, so that they cannot use FTP.

    The /etc/ftpd/ftpusers file lists the users who are denied access to the FTP service. At a minimum, include all system accounts, such as root, bin, and adm.

    # pfedit /etc/ftpd/ftpusers
    ...
    root
    daemon
    bin
    ...
    
  13. Set a strong default file creation mask for files created by the FTP server.

    The FTP server does not necessarily apply the user's system file creation mask. Setting the FTP server's umask ensures that files transferred over FTP are created with a strong file creation mask.

    # pfedit /etc/proftpd.conf
    Umask 027

  14. Disable responses to network topology queries.

    Disable responses to broadcast and multicast ICMP echo requests. These ICMP settings are managed with the ipadm command.

    These settings prevent the dissemination of information about the network topology.

    # ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
    # ipadm set-prop -p _respond_to_echo_broadcast=0 ip

  15. Disable redirect ICMP messages.

    Routers use ICMP redirect messages to inform hosts of more direct routes to a destination. An illicit ICMP redirect message can result in a man-in-the-middle attack.

    # ipadm set-prop -p _ignore_redirect=1 ipv4

  16. Disable messaging to prevent access to remote terminals.

    # mesg -n

    For more information, refer to the Oracle Solaris mesg(1) man page, the talk(1) man page, and the write(1) man page.

  17. (Optional) Review and disable unnecessary services listening on the network.

    By default, ssh is the only network service that can send and receive network packets. For more information, refer to the Oracle Solaris ssh(1) man page.

    # svcadm disable FMRI_of_unneeded_service
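The following is an added audit helper, not code from the Oracle guide: it compares the SMF service states reported by svcs -a -H -o state,fmri against the services disabled in steps 2 through 9, and prints an svcadm disable command for each listed service that is not yet disabled. The svcs output embedded here is constructed; on a live compute server, pipe the real svcs output into the functions instead.

```shell
#!/bin/sh
# Added audit helper, not part of the Oracle guide. FMRIs below are the
# services disabled in steps 2 through 9 of the procedure; instance names
# (such as :default) are stripped from svcs output before comparison.
UNNEEDED_FMRIS="svc:/network/nfs/server
svc:/network/nfs/fedfs-client
svc:/network/nfs/rquota
svc:/network/nfs/cbd
svc:/network/nfs/mapid
svc:/network/ftp
svc:/system/filesystem/rmvolmgr
svc:/network/rpc/smserver"
# still_enabled: reads "state fmri" lines (svcs -a -H -o state,fmri) on stdin
# and prints the listed services whose state is anything but disabled.
still_enabled() {
    while read -r state fmri; do
        [ -n "$fmri" ] || continue
        case $fmri in
            svc:/*:*) base=${fmri%:*} ;;   # svc:/a/b:default -> svc:/a/b
            *)        base=$fmri ;;
        esac
        for want in $UNNEEDED_FMRIS; do
            if [ "$base" = "$want" ] && [ "$state" != "disabled" ]; then
                printf '%s %s\n' "$state" "$fmri"
            fi
        done
    done
}
# svcadm_commands: turns the report into the disable commands to review and
# run as superuser (mind the step 2 caution on the master control domain).
svcadm_commands() {
    still_enabled | while read -r state fmri; do
        printf 'svcadm disable %s\n' "$fmri"
    done
}
# Constructed sample of svcs -a -H -o state,fmri from a partially hardened host.
SAMPLE_SVCS='online svc:/network/nfs/server:default
disabled svc:/network/nfs/fedfs-client:default
online svc:/network/nfs/rquota:default
online svc:/network/nfs/mapid:default
maintenance svc:/network/ftp:default
disabled svc:/network/rpc/smserver:default
online svc:/network/ssh:default'
# On a live system replace the printf with: svcs -a -H -o state,fmri
printf '%s\n' "$SAMPLE_SVCS" | svcadm_commands
```

A service in the maintenance state is reported as well, since it is still configured to run and will return on a repair or reboot unless explicitly disabled.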