Remote Access Services (rsh, rlogin, and rcp)
Access control and accountability are critical to the security of a system. Access control should involve strong authentication for system access, while accountability information should provide tracking data relative to system changes. The standard r* commands (for example, rsh, rlogin, and rcp) break both of these requirements. This is because most implementations of r* commands involve "zones of trust." Within a zone of trust, all systems are trusted and no additional authentication is required. Hence, an intruder need only gain access to one server in order to gain access to all the servers.
The default authentication mechanism of the r* daemons uses the hostname or IP address of a system in combination with the user ID for authentication. No additional authentication is required. Considering the ease with which an IP address and user ID can be stolen or misused, this is clearly not a secure mechanism. The r* commands should not be used in this manner and no servers should offer the service in this manner.
One way to secure r*daemons is with Kerberos. The Sun Enterprise Authentication Mechanism product provides the appropriate replacement for r*clients and servers.
Remote Execution Service (rexec)
The remote execution server daemon, in.rexecd, is started from
/etc/inetd.conf when a connection request is made. This daemon provides remote execution facilities based on user name and password information. Once authenticated, the daemon executes the command passed with the authentication information. As with the in.telnetddaemon, neither the user name nor password is encrypted while transmitted over the network. This exposes the in.rexecd daemon to the same man-in-the-middle, session hijacking, and network sniffing attacks as the in.telnetd daemon. For this reason, the in.rexecd entries in /etc/inetd.conf should be disabled.
The ftp daemon has many of the same problems as the telnet daemon. All authentication information transmitted over the network is in clear text, in much the same fashion as the telnet protocol. This exposes the ftp protocol to many of the same attack scenarios as telnet, including man-in-the-middle, session hijacking, and network sniffing. For these reasons, alternatives to FTP should be considered when FTP transport functionality is required.
There are several alternatives to FTP that provide strong encryption and authentication. Sun Enterprise Authentication Mechanism provides a secure version of FTP and SSH provides equivalent functionality.
If FTP is required, there are two features implemented by the in.ftpddaemon that can provide additional security. The first is the /etc/ftpusers file, which is used to restrict access to the system through FTP. A default /etc/ftpusers file is included with Solaris 8 OE. All accounts not allowed to use the incoming FTP service should be specified in this file. At a minimum, this should include all system accounts (for example, bin, uucp, smtp, sys, and so forth) in addition to the root account. Only intruders and individuals attempting to gain unauthorized access use FTP with these accounts. Frequently, root access to a server over telnet is disabled; however, root FTP access is not. This provides intruders a backdoor that may be used to modify the system's configuration by uploading modified configuration files.
The second security feature of the in.ftpd daemon is the ability of the daemon to log the IP addresses of all connections and commands issued to the ftp daemon through the syslogservice. Logging of IP addresses is enabled with the -loption. Commands issued to the ftp daemon are logged when the -d option is used. By logging FTP connection requests and commands to a log server for parsing, unauthorized access attempts can be tracked and resolved.
The trivial ftp (TFTP) service (in.tftpd) exists to provide diskless systems with a way to access files on the network. The in.tftpd daemon has no authentication and only allows clients to access publicly readable files in a restricted directory. Diskless workstations, X-terminals, and some printers use this service to load files needed to boot. The in.tftpd is managed by the inetd server process and is configured in /etc/inetd.conf. By default, it is not enabled in the Solaris OE.
If this service is necessary, it should be configured securely. The default entry in the Solaris OE /etc/inetd.conf is configured correctly. When enabled, in.tftpd will run as the user nobody and restrict client access to the /tftpboot directory (the internal default) or a specified directory. The - s option provides additional protection by requiring that the /tftpboot directory exist. If it does, in.tftpd changes the root directory, using chroot(), to /tftpboot. This option should always be used when TFTP functionality is required.
inetd Managed Services
The inetddaemon controls a majority of the minor network services available on a system. Its configuration file, /etc/inetd.conf, defines what services are managed by the inetd daemon. An ideal, secured server should have neither an / etc/inetd.confnor run inetd, as the daemons started in the /etc/inetd.conf are frequently not needed. To disable a service, edit the /etc/inetd.conffile and place a comment character ("#") in front of the line containing the service definition. Once this is completed, send an HUP signal to the inetdprocess. This will cause it to reread its configuration file.
Of the daemons started from the /etc/inetd.conf, the remote access services FTP, TFTP, and Telnet services have already been discussed. The RPC and print services are discussed later in this chapter. The remaining /etc/inetd.conf entries include:
in.tnamed supports the DARPA Name Server Protocol. This daemon should be disabled.
in.uucpd supports UUCP connections over networks. This service should be disabled unless UUCP is used.
in.fingerd provides information on local system accounts. This service should be disabled unless needed.
systat provides anyone connecting to the system with the output of ps -ef. This service should be disabled because it provides too much system information.
netstat provides a list of current network connections via the output of the netstat command. This service should be disabled because it provides system information that can be used to launch attacks against the system.
time prints out the current time and date. Because Solaris 2.6 OE xntp functionality has been included with the Solaris OE distribution for time synchronization, the xntp daemon offers additional security and functionality improvements over rdate and time. Whenever possible, xntp should be used instead of this service.
echo echoes back the incoming data stream. This service should be disabled.
discard discards the incoming data stream. This service should be disabled.
chargen generates a continuous stream of characters. This service should be disabled.
These entries in the /etc/inetd.conf file should be removed on most systems. Once removed, restart the system and test applications to verify that required functionality has not been affected.
For restricted access servers, all connections to services managed by inetd should be logged. This can be done by adding an additional option to the startup of inetd in /etc/rc2.d/S72inetsvc. By adding a -t option, the inetd daemon logs the IP address of all systems requesting inetd based services. The IP addresses are logged through the syslog service.