The network router (in.routed) and router discovery (in.rdisc) daemons are used by a Solaris OE system to dynamically determine network routing requirements. Both in.routed and in.rdisc functionality are discussed in Chapter 2.
Multicast is a method to send network data to many systems at the same time with only a single address. Unless the system must participate in a multicast application, it is recommended to disable the code that enables the multicast route assignment. For Solaris 7 OE and earlier, the following lines in /etc/init.d/inetsvc should be commented out:
mcastif=´/sbin/dhcpinfo Yiaddr´ if [ $? -ne 0 ]; then mcastif=´uname -n´ fi echo "Setting default interface for multicast: \c" /usr/sbin/route add -interface -netmask "240.0.0.0" \ "220.127.116.11" "$mcastif"
For Solaris 8 OE, comment out the following lines in /etc/init.d/inetsvc:
( if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then mcastif='/sbin/dhcpinfo Yiaddr' || mcastif=$_INIT_UTS_NODENAME else mcastif=$_INIT_UTS_NODENAME if echo "Setting default IPv4 interface for multicast:" \ "add net 224.0/4: gateway $mcastif" /usr/sbin/route -n add -interface "224.0/4" "$mcastif" \ >/dev/null) &
After the appropriate lines are commented out, the system should be restarted.
Based on the recommendations made in this chapter, it is possible to construct a minimized /etc/init.d/inetsvc file that contains only the essential components. Quite a few sections of this file can be commented out including:
named startup support
By commenting out all of these entries, the number of active lines in the inetsvc file decreases from 152 to 3 lines. The following is what the resulting script looks like:
#!/bin/sh usr/sbin/ifconfig -au netmask + broadcast + usr/sbin/inetd -s -t
Network Service Banners
Some Solaris OE network services provide information on the operating system version when connections are made. This information usually includes a text string indicating the name of the OS and its version. This information may be useful to attackers with exploit programs for specific OS releases. The Solaris OE provides a method to change these messages in an attempt to hide OS information.
To change banner messages for incoming Telnet and FTP connections, create the /etc/default/telnetd and /etc/default/ftpd files.
Add a line similar to the following:
Insert the appropriate message for your environment.
It is possible to change the banner message that the sendmail process presents for incoming mail delivery connections. Search the /etc/mail/sendmail.cf file for the following line:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
Change it to:
O SmtpGreetingMessage=Mail Server Ready
These techniques provide only minor additional security. There are methods to determine a system's operating system type and version on a network. Several network auditing tools use a technique called TCP/IP stack fingerprinting to determine the operating system and version.