Roy Nielsen wrote:

In my group we've tried to tighten up security on our Solaris systems... I was wondering if anyone had any trouble commenting everything (almost) out of /etc/inetd.conf... Could this cause instability in the system? The only things uncommented on our systems are:

# smserverd to support removable media devices
100155/1 tli rpc/ticotsord wait root /usr/lib/smedia/rpc.smserverd

# printer daemon...
printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd

# RWALLD - rwall daemon (allows others to post messages to users)
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld

Thanks,
-Roy
Roy Nielsen wrote:
> In my group we've tried to tighten up security on our Solaris systems...
>
> I was wondering if anyone had any trouble commenting everything (almost)
> out of /etc/inetd.conf...
>
> Could this cause instability in the system?
>
> the only things uncommented on our systems are:
>
> # smserverd to support removable media devices
> 100155/1 tli rpc/ticotsord wait root /usr/lib/smedia/rpc.smserverd
>
> # printer daemon...
> printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd
>
> # RWALLD - rwall daemon (allows others to post messages to users)
> walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
>
> Thanks,
> -Roy

Which version of Solaris? You should consider using tcpwrappers (unless your version already includes this by default).

-fjb
--
Colorless Green Ideas Sleep Furiously, and so do I....
Roy Nielsen <rsn@lanl.gov> writes:
>
> Could this cause instability in the system?
>
> # printer daemon...
> printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd
>

Is the machine in question a print server? (I.e. does it receive print jobs from other machines on the network to give to the printer?)

If the answer is yes, then you should not comment out the in.lpd line. Instead, consider using TCP wrappers to control access to in.lpd.

If the answer is no, then you can comment out the in.lpd line with little or no trouble.

-Greg
--
Do NOT reply via e-mail. Reply in the newsgroup.
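One way to apply the TCP wrappers suggestion above, as an added example that is not from any of the posters: it assumes a Solaris 9 inetd, which reads ENABLE_TCPWRAPPERS from /etc/default/inetd (older releases need the tcpd wrapper program in the inetd.conf line instead), and the 192.0.2.0 print-client subnet is a placeholder.

```conf
# /etc/default/inetd -- make inetd consult hosts.allow/hosts.deny
ENABLE_TCPWRAPPERS=YES

# /etc/hosts.allow -- the daemon name is the basename of the server program,
# so the "printer" entry is matched as in.lpd; only the print-client subnet
# (placeholder 192.0.2.0/24) may submit jobs
in.lpd: 192.0.2.0/255.255.255.0

# /etc/hosts.deny -- every other wrapped service refuses everyone else
ALL: ALL
```

Refused connections are logged through syslog, which gives the print server a record of who tried to reach in.lpd from outside the allowed subnet.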
Greg Andrews wrote:
> Roy Nielsen <rsn@lanl.gov> writes:
>
>> Could this cause instability in the system?
>>
>> # printer daemon...
>> printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd
>>
>
> Is the machine in question a print server? (I.e. does it receive
> print jobs from other machines on the network to give to the printer?)
>
> If the answer is yes, then you should not comment out the in.lpd line.
> Instead, consider using TCP wrappers to control access to in.lpd.
>
> If the answer is no, then you can comment out the in.lpd line with
> little or no trouble.
>
> -Greg

Same comment applies to the RPC services - do you really need walld? I don't remember rpc.smserverd (is that the Sun admin tool?) but I always disable it on my sparcs.

-fjb
--
Colorless Green Ideas Sleep Furiously, and so do I....
"Fred J. Bourgeois, III" <fjb3@sbcglobal.net> wrote in news:415DE050.2040706@sbcglobal.net:
> I don't remember rpc.smserverd (is that the Sun admin tool?) but I
> always disable it on my sparcs.

With Solaris >=9, it's used to recognise mounted media, i.e. floppy, CD or DVD. Life sucks without it and it's not exposed to the network.
Fred J. Bourgeois, III wrote:
> Greg Andrews wrote:
>
>> Roy Nielsen <rsn@lanl.gov> writes:
>>
>>> Could this cause instability in the system?
>>>
>>> # printer daemon...
>>> printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd
>>>
>>
>> Is the machine in question a print server? (I.e. does it receive
>> print jobs from other machines on the network to give to the printer?)
>>
>> If the answer is yes, then you should not comment out the in.lpd line.
>> Instead, consider using TCP wrappers to control access to in.lpd.
>>
>> If the answer is no, then you can comment out the in.lpd line with
>> little or no trouble.
>>
>> -Greg
>
> Same comment applies to the RPC services - do you really need walld?
> I don't remember rpc.smserverd (is that the Sun admin tool?) but I
> always disable it on my sparcs.
> -fjb
> --
> Colorless Green Ideas Sleep Furiously, and so do I....

Never mind. smserverd is the media management server. I disable that from way back because it was buggy (in SunOS 5.6). Maybe it is fixed now? Anyway, if you don't need to manage removable media via RPC then disable it.

-fjb
--
Fred J. Bourgeois, III
FREDNET Corporation
Colorless Green Ideas Sleep Furiously, and so do I....
FREDNET is a registered service mark of FREDNET Corporation, Scotts Valley, CA.
[E-mail address in header intentionally mangled ... remove "bonzo" part]
Rusty Wright wrote:

Roy, the following lines are left uncommented in my inetd.conf file; all the rest have been commented out.

#
# Time service is used for clock synchronization.
#
time    stream  tcp6    nowait  root    internal
time    dgram   udp6    wait    root    internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo    stream  tcp6    nowait  root    internal
echo    dgram   udp6    wait    root    internal
discard stream  tcp6    nowait  root    internal
discard dgram   udp6    wait    root    internal
daytime stream  tcp6    nowait  root    internal
daytime dgram   udp6    wait    root    internal
chargen stream  tcp6    nowait  root    internal
chargen dgram   udp6    wait    root    internal

You may also want to turn off the starting of various services by the scripts in the /etc/rc*.d directories. I rename the scripts by appending zz_ to them to disable them. Here's my list of zz'd files:

# ls rc*.d/zz_*
rc2.d/zz_S71rpc*         rc2.d/zz_S90wbem*        rc3.d/zz_S81volmgt*
rc2.d/zz_S72slpd*        rc2.d/zz_S99dtlogin*     rc3.d/zz_S84appserv*
rc2.d/zz_S73nfs.client*  rc3.d/zz_S15nfs.server*  rc3.d/zz_S90samba*
rc2.d/zz_S74autofs*      rc3.d/zz_S34dhcp*        rcS.d/zz_S50devfsadm*
rc2.d/zz_S74xntpd*       rc3.d/zz_S50apache*      rcS.d/zz_S95picld*
rc2.d/zz_S76nscd*        rc3.d/zz_S76snmpdx*
rc2.d/zz_S85power*       rc3.d/zz_S77dmi*
Rusty Wright wrote:
> Roy, the following lines are left uncommented in my inetd.conf file;
> all the rest have been commented out.
>
> #
> # Time service is used for clock synchronization.
> #
> time    stream  tcp6    nowait  root    internal
> time    dgram   udp6    wait    root    internal
> #
> # Echo, discard, daytime, and chargen are used primarily for testing.
> #
> echo    stream  tcp6    nowait  root    internal
> echo    dgram   udp6    wait    root    internal
> discard stream  tcp6    nowait  root    internal
> discard dgram   udp6    wait    root    internal
> daytime stream  tcp6    nowait  root    internal
> daytime dgram   udp6    wait    root    internal
> chargen stream  tcp6    nowait  root    internal
> chargen dgram   udp6    wait    root    internal
>
> You may also want to turn off the starting of various services by the
> scripts in the /etc/rc*.d directories. I rename the scripts by
> appending zz_ to them to disable them. Here's my list of zz'd files:
>
> # ls rc*.d/zz_*
> rc2.d/zz_S71rpc*         rc2.d/zz_S90wbem*        rc3.d/zz_S81volmgt*
> rc2.d/zz_S72slpd*        rc2.d/zz_S99dtlogin*     rc3.d/zz_S84appserv*
> rc2.d/zz_S73nfs.client*  rc3.d/zz_S15nfs.server*  rc3.d/zz_S90samba*
> rc2.d/zz_S74autofs*      rc3.d/zz_S34dhcp*        rcS.d/zz_S50devfsadm*
> rc2.d/zz_S74xntpd*       rc3.d/zz_S50apache*      rcS.d/zz_S95picld*
> rc2.d/zz_S76nscd*        rc3.d/zz_S76snmpdx*
> rc2.d/zz_S85power*       rc3.d/zz_S77dmi*

I wrote a little C utility to disable lots of stuff on Solaris boxes, but I haven't touched it in years - I only ported it to Solaris 7 and 8 (and maybe 6 also). If anyone is interested in a copy, let me know. It isn't very "smart" and I only used it a few times to set up freshly installed machines with most of the big security holes plugged.

-fjb
--
Fred J. Bourgeois, III
FREDNET Corporation
Colorless Green Ideas Sleep Furiously, and so do I....
FREDNET is a registered service mark of FREDNET Corporation, Scotts Valley, CA.
[E-mail address in header intentionally mangled ... remove "bonzo" part]
"Fred J. Bourgeois, III" <fjb3@sbcglobal.net> writes:
> Same comment applies to the RPC services - do you really need walld?
> I don't remember rpc.smserverd (is that the Sun admin tool?) but I
> always disable it on my sparcs.

rpc.smserverd is required for vold to work; the service is defined as follows:

100155/1 tli rpc/ticotsord wait root /usr/lib/smedia/rpc.smserverd rpc.smserverd

Pay special attention to the 3rd field: "rpc/ticotsord" means that all it supports are connections over the TLI loopback device "ticotsord". It cannot be called remotely so it does not pose any kind of remote security risk.

But you are indeed better off not running sadmind or admind.

Casper
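The third-field reading Casper describes above is easy to apply to a whole inetd.conf rather than one line at a time. The following is an added example, not code from any of the posters: it parses Roy's remaining entries (embedded as a constructed sample, with one built-in and one commented entry added) and reports only the entries that listen on a network transport, run as root, and start an external program, which are the ones worth justifying, wrapping, or commenting out.

```python
"""Triage Solaris inetd.conf entries by whether they are reachable from the network."""

# Constructed sample in inetd.conf format; the first three entries are the ones
# left enabled in the thread, the last two are added for contrast.
SAMPLE_INETD_CONF = """\
# smserverd to support removable media devices
100155/1 tli rpc/ticotsord wait root /usr/lib/smedia/rpc.smserverd rpc.smserverd
# printer daemon...
printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd
# RWALLD - rwall daemon (allows others to post messages to users)
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
time stream tcp6 nowait root internal
#telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
"""

# Third-field values naming only the TLI loopback transports: reachable from
# local processes, never from another host.
LOOPBACK_PROTOS = {"rpc/ticotsord", "rpc/ticots", "rpc/ticlts"}


def parse_entry(line):
    """Return a dict for one active entry, or None for blank and commented lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:
        raise ValueError("malformed inetd.conf entry: %r" % line)
    service, _sock_type, proto, _wait, user, server = fields[:6]
    if proto in LOOPBACK_PROTOS:
        exposure = "loopback"
    elif proto.startswith("rpc/") or proto.rstrip("6") in ("tcp", "udp"):
        exposure = "network"          # rpc/udp, rpc/datagram_v, tcp6, ... all bind a network transport
    else:
        exposure = "unknown"
    return {
        "service": service.split("/")[0],   # RPC entries are written name/version
        "rpc": "/" in service,
        "proto": proto,
        "user": user,
        "server": server,
        "exposure": exposure,
        "builtin": server == "internal",    # handled inside inetd, no program is exec'd
    }


def review(conf_text):
    """Entries that are network-reachable, run as root and exec an external program."""
    entries = [e for e in map(parse_entry, conf_text.splitlines()) if e]
    return [e for e in entries
            if e["exposure"] == "network" and e["user"] == "root" and not e["builtin"]]


if __name__ == "__main__":
    for e in review(SAMPLE_INETD_CONF):
        print("%-10s %-15s %s" % (e["service"], e["proto"], e["server"]))
```

On the sample this lists printer (in.lpd) and walld, while smserverd is classified as loopback-only, matching Casper's reading of "rpc/ticotsord".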
"Fred J. Bourgeois, III" <fjb3@bonzo.sbcglobal.net> writes:
> Never mind. smserverd is the media management server. I disable that
> from way back because it was buggy (in SunOS 5.6). Maybe it is fixed
> now? Anyway, if you don't need to manage removable media via RPC then
> disable it.

The service did not exist in Solaris 2.6; it was introduced in Solaris 9.

You don't "manage removable media via RPC"; rpc.smserverd is an internal service used by vold. You can only disable it if you also disable vold as the latter does not work without it.

Casper
--
Expressed in this posting are my opinions. They are in no way related to opinions held by my employer, Sun Microsystems. Statements on Sun products included here are not gospel and may be fiction rather than truth.