Archive for 'Solaris Security'

Using TCP Wrappers to protect Linux and Solaris services

I have been using tcp wrappers for years, and it’s a very simple way to allow and deny network access to applications. TCP wrapper functionality is built into the system libwrap.so module, which various applications are linked against. To see if a given application supports tcp wrappers, you can use the ldd utility: $ ldd […]

The case of the missing SSH keys

I built a couple of new Solaris 10 hosts today using a stripped down image, and was greeted with the following error when I tried to log in:

$ ssh 192.168.1.20
Unable to negotiate a key exchange method

The server was spitting out “no kex alg” errors, which appear to be due to key exchange […]

Logging su attempts and failed logins

As a conscientious Solaris administrator, I make every attempt possible to protect my servers from malicious users. This includes disabling all unneeded services, enabling strong password policies, configuring system auditing, enabling strong network defaults, applying system patches and configuring system logging. When I configure system logging, I like to configure the syslogd daemon to log […]

LDAP client deficiencies

I have been spending a bit of time lately configuring Solaris and Linux hosts to authenticate against LDAP. Authentication works well on the surface, but the actual client implementations are somewhat lacking. Let’s take the Linux pam_ldap module for instance. To authenticate a single session, the pam_ldap module performs thirty-three operations, which include 7 TCP […]

Checking the integrity of Solaris binaries

One new feature in Solaris 10 that doesn’t get much press is the basic auditing and reporting tool (bart). Bart allows you to generate integrity checks for one or more files on a server. This allows you to compare two groups of file integrity checks (groups of file integrity checks are referred to as manifests […]

Solaris secure by default initiative!

While perusing the latest Nevada build notes, I came across the following PSARC case:

PSARC case 2004/368 : Secure By Default
BUG/RFE:4875624 *syslogd* turn off UDP listener by default
BUG/RFE:5004374 Ship with remote services disabled by default
BUG/RFE:5016956 By default rpcbind should not listen for remote requests
BUG/RFE:5016975 By default snmpd/dx should not be enabled. […]
