Java Solaris Communities About Sun How to Buy My Sun Connection Cart United States Worldwide

BigAdmin System Administration Portal
Community Submitted Article
Print-friendly VersionPrint-friendly Version
This content is submitted by a BigAdmin user. It has not been reviewed for technical accuracy by Sun Microsystems, though it may have been lightly edited to improve readability. If you find an error or would like to comment on the article, please contact the submitter or use the comment field at the bottom of the article. Community submissions may not follow Sun trademark guidelines. For information on Sun trademarks, please see http://www.sun.com/suntrademarks/.
 
 

Hardening the Solaris 9 OS and NcFTP for an FTP Bastion Host

David Double, December 2004

Contents:


Introduction

This document provides details of the build, configuration, and subsequent hardening of the UNIX servers that constitute a secured FTP solution. The article describes the steps for building each server component, as well as the process of ensuring that the systems remain as secure as possible during each phase of configuration, including promotion to production.

The hardware used is a Sun Fire V120 server running the Solaris 9 OS and using NcFTP as the FTP application. NcFTP is available from NcFTP Software. You may download the Solaris Security Toolkit software from Sun Microsystems.


Building FTP Bastion Host

The server should be built on a completely separate test network and should not be promoted to the live network or placed within the DMZ until build and configuration have been completed.

  1. The FTP Bastion server is jumpstarted using the end user package cluster (SUNWCuser) for the Solaris OS 9.
  2. Remove packages that are not required for configuration of system (see Appendix A).
  3. Boot disk is mirrored using Sun Solstice DiskSuite (SDS)/Logical Volume Manager (LVM).
  4. Install FTP server (ncftpd-2.7.3).
  5. Install FTP client (ncftp-3.1.6).
  6. Install Security Tool Kit (4.0.0).
  7. Remove packages that are not required for operation of system.


Hardening NcFTPd Server

The two main configuration files for NcFTPd are General.cf and Domain.cf. While most of the default values are sufficient, I'm including several changes I made and some additional options, with the aim of providing a more secure environment.

Edit the /usr/local/etc/ncftpd/general.cf file and add the license key to the head of the file, for example:

Serial-number=xxxxxxxxxx

Change the following entries from default:

u-restricted-groups=all except sysadmin

log-sessions=yes

max-users-per-ip=1

u-ls-names=no

Add the following entries that by default are not present.

banner=Microsoft FTP Service (Version 5.0)

This option makes it look like the FTP server is a Microsoft one, whereas it is in fact still the NcFTP. This is a form of security through obscurity. Although generally accepted to not be particularly effective, it may help to prevent "fingerprint" attacks. I like to use this option -- I believe it's a nice touch! Note: You need the infinite license to use this according to NcFTP documentation; however, it seemed to work with my 50-user license.

max-login-failures=1

print-user-number=no

Edit the /usr/local/etc/ncftpd/domain.cf file and add the following values.

Set-name=GUESS_ME

Server-address=(ip address of server)

Server-name=@SETNAME@

u-vchroot-restricted-users=yes

Server-type=non-anonymous-only

passwd=/usr/local/etc/ncftpd/pwd/virt.db

Running Solaris Security Toolkit Software

Ensure that you are logged in via the console as root. All network connections will be dropped during the hardening phase.

Run the toolkit using the hardening driver.

#jass-execute -d ../Drivers/hardening.driver

Remove all backed up files modified by the toolkit (see Appendix B).


Appendix A

Packages to be removed prior to build and configuration of the bastion host:

 NSCPcom   
 SUNW1251f      
 SUNW5xmft      
 SUNWGtkr       
 SUNWGtku       
 SUNWTcl        
 SUNWTiff       
 SUNWTk         
 SUNWadmap      
 SUNWarrf       
 SUNWauda      
 SUNWaudd       
 SUNWauddx      
 SUNWaudf       
 SUNWbzip       
 SUNWciu8       
 SUNWciu8x      
 SUNWciu8       
 SUNWctlu       
 SUNWctpls      
 SUNWctplx      
 SUNWcxmft      
 SUNWdoc        
 SUNWcxmft      
 SUNWdtbas      
 SUNWdtbax      
 SUNWdtcor      
 SUNWdtct       
 SUNWdtdmn      
 SUNWdtdst      
 SUNWdtdte      
 SUNWdtezt      
 SUNWdthe       
 SUNWdthev      
 SUNWdthez      
 SUNWdticn   
 SUNWdtim       
 SUNWdtjxt      
 SUNWdtlog      
 SUNWdtnsc      
 SUNWdtscm      
 SUNWdtwm       
 SUNWeuxwe      
 SUNWfdl        
 SUNWfns        
 SUNWfnsx       
 SUNWfwdcu      
 SUNWfwdcx      
 SUNWgsdhx      
 SUNWgss        
 SUNWgssc
 SUNWgssdh      
 SUNWgssk       
 SUNWgsskx      
 SUNWgssx       
 SUNWhiu8       
 SUNWhiu8x      
 SUNWi13rf      
 SUNWi15cs      
 SUNWi15rf      
 SUNWi1cs       
 SUNWi1of       
 SUNWi2rf       
 SUNWi4rf       
 SUNWi5rf       
 SUNWi7rf       
 SUNWi8rf       
 SUNWi9rf       
 SUNWiniu8      
 SUNWiniu8x     
 SUNWislcc      
 SUNWislcx    
 SUNWj2pi       
 SUNWj3irt      
 SUNWj3rt      
 SUNWjcom       
 SUNWjcomx      
 SUNWjib        
 SUNWjiu8       
 SUNWjiu8x      
 SUNWjmfp
 
 SUNWjpg        
 SUNWjsnmp
 SUNWjxmft      
 SUNWkey        
 SUNWkiu8       
 SUNWkiu8x      
 SUNWkoi8f      
 SUNWkxmft      
 SUNWlpmsg      
 SUNWm64        
 SUNWm64cf      
 SUNWm64w       
 SUNWm64x       
 SUNWmfrun      
 SUNWmgapp      
 SUNWmp         
 SUNWpamsc      
 SUNWpamsx      
 SUNWpdas       
 SUNWplow       
 SUNWplow1
 SUNWpng        
 SUNWppm        
 SUNWrmodu      
 SUNWrmwbr      
 SUNWrmwbu      
 SUNWrmwbx      
 SUNWrsg        
 SUNWrsgk       
 SUNWrsgx       
 SUNWscgui      
 SUNWsmbac      
 SUNWsmbar      
 SUNWspl        
 SUNWsregu      
 SUNWssad       
 SUNWssadx      
 SUNWtiu8       
 SUNWtiu8x      
 SUNWtltk       
 SUNWtltkx      
 SUNWtxfnt      
 SUNWuxlcf      
 SUNWuxlcx      
 SUNWvid        
 SUNWwbapi      
 SUNWwbcor      
 SUNWwbcou      
 SUNWwbpro      
 SUNWxcu4       
 SUNWxi18n      
 SUNWxi18x      
 SUNWxildh      
 SUNWxilow      
 SUNWxilrl      
 SUNWxilvl      
 SUNWxim        
 SUNWximx       
 SUNWxwacx      
 SUNWxwcft      
 SUNWxwcsl      
 SUNWxwdem      
 SUNWxwdim      
 SUNWxwdv       
 SUNWxwdvx      
 SUNWxwdxm      
 SUNWxwfa       
 SUNWxwfnt      
 SUNWxwfs       
 SUNWxwhl       
 SUNWxwice      
 SUNWxwicx      
 SUNWxwmod      
 SUNWxwmox      
 SUNWxwoft      
 SUNWxwopt      
 SUNWxwpft      
 SUNWxwplt      
 SUNWxwplx      
 SUNWxwpsr      
 SUNWxwrtl      
 SUNWxwrtx      
 SUNWxwsrv

Appendix B

Files to be removed following hardening of the bastion host with the Solaris Security Toolkit:

/var/adm/loginlog.JASS.20031118170728
/var/spool/cron/crontabs.JASS
/var/spool/cron/crontabs.JASS/lp.JASS.20031118170713
/etc/cron.d/cron.deny.JASS.20031118170713
/etc/cron.d/at.allow.JASS.20031118170728
/etc/cron.d/at.deny.JASS.20031118170741
/etc/cron.d/cron.allow.JASS.20031118170742
/etc/cron.d/cron.allow.JASS.20031118170743
/etc/cron.d/cron.deny.JASS.20031118170744
/etc/default/keyserv.JASS.20031118170712
/etc/default/syslogd.JASS.20031118170718
/etc/default/inetd.JASS.20031118170726
/etc/default/inetinit.JASS.20031118170727
/etc/default/telnetd.JASS.20031118170734
/etc/default/login.JASS.20031118170735
/etc/default/power.JASS.20031118170735
/etc/default/sys-suspend.JASS.20031118170738
/etc/default/passwd.JASS.20031118170739
/etc/default/login.JASS.20031118170740
/etc/inet/inetd.conf.JASS.20031118170726
/etc/inet/inetd.conf.JASS.20031118170729
/etc/inet/inetd.conf.JASS.20031118170745
/etc/init.d/inetsvc.JASS.20031118170707
/etc/init.d/nddconfig.JASS.20031118170707
/etc/init.d/set-tmp-permissions.JASS.20031118170707
/etc/mail/sendmail.cf.JASS.20031118170717
/etc/mail/sendmail.cf.JASS.20031118170734
/etc/rc0.d/_K41autofs.JASS.20031118170711
/etc/rc0.d/_K39lp.JASS.20031118170713
/etc/rc0.d/_K41nfs.client.JASS.20031118170714
/etc/rc0.d/_K28nfs.server.JASS.20031118170714
/etc/rc0.d/_K41rpc.JASS.20031118170716
/etc/rc0.d/_K39spc.JASS.20031118170718
/etc/rc1.d/_K41autofs.JASS.20031118170711
/etc/rc1.d/_K39lp.JASS.20031118170713
/etc/rc1.d/_K28nfs.server.JASS.20031118170714
/etc/rc1.d/_K41rpc.JASS.20031118170716
/etc/rc1.d/_K39spc.JASS.20031118170718
/etc/rc2.d/_S71sysid.sys.JASS.20031118170710
/etc/rc2.d/_S72autoinstall.JASS.20031118170710
/etc/rc2.d/_S30sysid.net.JASS.20031118170710
/etc/rc2.d/_S74autofs.JASS.20031118170711
/etc/rc2.d/_S80lp.JASS.20031118170713
/etc/rc2.d/_S73nfs.client.JASS.20031118170714
/etc/rc2.d/_K28nfs.server.JASS.20031118170714
/etc/rc2.d/_S89PRESERVE.JASS.20031118170715
/etc/rc2.d/_S71rpc.JASS.20031118170716
/etc/rc2.d/_S80spc.JASS.20031118170718
/etc/rc3.d/_S15nfs.server.JASS.20031118170714
/etc/rcS.d/_K41autofs.JASS.20031118170711
/etc/rcS.d/_K39lp.JASS.20031118170712
/etc/rcS.d/_K28nfs.server.JASS.20031118170714
/etc/rcS.d/_K41rpc.JASS.20031118170716
/etc/rcS.d/_K39spc.JASS.20031118170718
/etc/skel/local.login.JASS.20031118170740
/etc/skel/local.profile.JASS.20031118170740
/etc/snmp/conf/_snmpdx.rsrc.JASS.20031118170718
/etc/dt/config/Xaccess.JASS.20031118170707
/etc/dmi/ciagent/_ciinvoke.JASS.20031118170711
/etc/dmi/conf/_dmispd.conf.JASS.20031118170711
/etc/dmi/conf/_snmpXdmid.conf.JASS.20031118170711
/etc/ssh/sshd_config.JASS.20031118170734
/etc/ftpd/ftpusers.JASS.20031118170728
/etc/ftpd/ftpaccess.JASS.20031118170733
/etc/ftpd/ftpaccess.JASS.20031118170735
/etc/motd.JASS.20031118170708
/etc/notrouter.JASS.20031118170708
/etc/syslog.conf.JASS.20031118170709
/etc/nscd.conf.JASS.20031118170715
/etc/_power.conf.JASS.20031118170715
/etc/pam.conf.JASS.20031118170716
/etc/passwd.JASS.20031118170719
/etc/passwd.JASS.20031118170723
/etc/shadow.JASS.20031118170723
/etc/_vold.conf.JASS.20031118170725
/etc/coreadm.conf.JASS.20031118170725
/etc/system.JASS.20031118170726
/etc/system.JASS.20031118170727
/etc/shells.JASS.20031118170729
/etc/passwd.JASS.20031118170730
/etc/shadow.JASS.20031118170730
/etc/passwd.JASS.20031118170736
/etc/vfstab.JASS.20031118170739
/etc/logadm.conf.JASS.20031118170744
/sbin/noshell.JASS.20031118170719
/noautoshutdown.JASS.20031118170715

About the Author

David J. Double, SCSA, SCNA, SCDME, has eight years of experience working with the Solaris Operating System. He is employed as a UNIX system and storage administrator for a bank in London.

 

The information and links on this page have been provided by a BigAdmin user. The submitter is solely responsible for such information and links. Sun is not responsible for the availability of external sites or resources, and does not endorse and is not responsible or liable for any content, advertising, products, or other materials on or available from such sites or resources. Sun will not be responsible or liable, directly or indirectly, for any actual or alleged damage or loss caused by or in connection with use of or reliance on the information posted here, or goods or services available on or through any external site or resource.


 BigAdmin
  
»  Search the HCL
 
BigAdmin Subscriptions
»   BigAdmin Newsletter
»   BigAdmin Blog
»   BigAdmin Wiki
»   RSS Feeds
BigAdmin Areas
»   All Topics/Sections
»   Articles and FAQs
»   Blogs and Wikis
»   Discussions
»   Documentation
»   Features
»   HCL
»   Multilingual
»   Patches
»   Products and Tech
»   Resources
»   Scripts
»   Solaris 10 Apps
»   ShellCmds
»   Submit Content
»   Suggestions
»   SysAdmin Topics
»   Tech Tips
BigAdmin Sun Center
»   Register Your System
»   Sun Support
»  Sun Doc Highlights
»  Sun Tech Days
»   Sun Advisory Panel for System Admins
»   Training and Certification
BigAdmin Topics
»   DST
»   DTrace
»   Interoperability
»   Networking
»   Predictive Self-Healing
»   ZFS
»  Zones
 
 
Would you recommend this Sun site to a friend or colleague?
Contact About Sun News & Events Employment Site Map Privacy Terms of Use Trademarks Copyright Sun Microsystems, Inc.