
Disabling services on Solaris 10

After a default installation of Solaris 10, several services are started at first
login, some of which are unnecessary.
Scan using nmap
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
513/tcp open login
514/tcp open shell
587/tcp open submission
898/tcp open sun-manageconsole
4045/tcp open lockd
6000/tcp open X11
6112/tcp open dtspc
7100/tcp open font-service
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19
MAC Address: 00:03:BA:0F:37:49 (Sun Microsystems)
Device type: general purpose
Running: Sun Solaris 9|10
OS details: Sun Solaris 9 or 10
To close unnecessary ports, we disable the services that we will not normally
use.
First we check which ones are open with
svcs -a | grep -i 'network' | grep -i 'online'
online         Apr_17   svc:/network/login:default
online         Apr_17   svc:/network/finger:default
online         Apr_17   svc:/network/telnet:default
online         Apr_17   svc:/network/pfil:default
online         Apr_17   svc:/network/tnctl:default
online         Apr_17   svc:/network/loopback:default
online         Apr_17   svc:/network/physical:default
online         Apr_17   svc:/network/ipfilter:default
online         Apr_17   svc:/milestone/network:default
online         Apr_17   svc:/network/initial:default
online         Apr_17   svc:/network/service:default
online         Apr_17   svc:/network/inetd:default
online         Apr_17   svc:/network/smtp:sendmail
online         Apr_17   svc:/network/ssh:default
online         Apr_17   svc:/network/routing-setup:default
online         Apr_17   svc:/network/routing/route:default

We disable the services with
svcadm disable svc:/network/telnet:default
svcadm disable svc:/network/shell:default
svcadm disable svc:/network/login:rlogin
svcadm disable svc:/application/management/snmpdx:default
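The listing and disable steps above can be turned into a repeatable check. The following script is an added example, not part of the original page: it reads svcs output and prints a svcadm disable line for every online svc:/network/ service that is not on an allowlist. The allowlist contents and the sample input are assumptions built from the listing above.

```shell
#!/bin/sh
# Added example: flag online network services that are not on an allowlist.
# ALLOW is an assumption for illustration; adjust it to the role of the host.
ALLOW="svc:/network/ssh:default svc:/network/inetd:default \
svc:/network/ipfilter:default svc:/network/pfil:default \
svc:/network/loopback:default svc:/network/physical:default \
svc:/network/initial:default svc:/network/service:default \
svc:/network/routing-setup:default"

# Reads svcs output (STATE STIME FMRI) on stdin and prints one
# "svcadm disable <FMRI>" line per online svc:/network/ service that is
# missing from ALLOW. It only prints candidates; it never runs svcadm.
audit_network_services() {
    awk -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "online" && $3 ~ /^svc:\/network\// && !($3 in ok) {
            print "svcadm disable " $3
        }'
}

# Constructed sample input: a subset of the svcs listing shown above.
sample_svcs() {
    cat <<'EOF'
online         Apr_17   svc:/network/login:default
online         Apr_17   svc:/network/finger:default
online         Apr_17   svc:/network/telnet:default
online         Apr_17   svc:/network/ipfilter:default
online         Apr_17   svc:/milestone/network:default
online         Apr_17   svc:/network/inetd:default
online         Apr_17   svc:/network/smtp:sendmail
online         Apr_17   svc:/network/ssh:default
EOF
}

# On a real host: svcs -a | audit_network_services
sample_svcs | audit_network_services
```

Review the printed lines before running any of them; a service missing from the allowlist may still be one the host needs.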
We comment out the entries in the /etc/services file and leave only the services
we use, in this case only ssh
bash-3.00# more /etc/services
#swat           901/tcp                         # Samba Web Adm.Tool
##
## The following customer-specific entries were found in the services file
## prior to an upgrade. Note that service names and their corresponding
## port numbers must be registered with IANA, http://www.iana.org, and
## entries not registered as such may not be preserved automatically by
## future upgrades.
##
#tcpmux         1/tcp
#echo           7/tcp
#echo           7/udp
#discard        9/tcp           sink null
#discard        9/udp           sink null
#systat         11/tcp          users
#daytime        13/tcp
#daytime        13/udp
#netstat        15/tcp
#chargen        19/tcp          ttytst source
#chargen        19/udp          ttytst source
#ftp-data       20/tcp
#ftp            21/tcp
ssh             22/tcp                          # Secure Shell
#telnet         23/tcp
#smtp           25/tcp          mail
#time           37/tcp          timserver
#time           37/udp          timserver
#name           42/udp          nameserver
#whois          43/tcp          nicname         # usually to sri-nic
#domain         53/udp
#domain         53/tcp
#bootps         67/udp                          # BOOTP/DHCP server
#bootpc         68/udp                          # BOOTP/DHCP client
#kerberos       88/udp          kdc             # Kerberos V5 KDC
#kerberos       88/tcp          kdc             # Kerberos V5 KDC

This closes the ports on Solaris 10, but if some services cannot be disabled or
closed, their ports can be filtered with ipfilter.
The configuration file is /etc/ipf/ipf.conf; there we add the rules so that
ipfilter starts filtering the open ports.
bash-3.00# more /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
pass in quick on dmfe0 proto icmp from 192.168.60.60 to any icmp-type echorep
pass out quick on dmfe0 proto icmp from any to 192.168.60.60 icmp-type echorep
#block in quick on dmfe0 proto icmp from any to any
block out quick on dmfe0 proto icmp from any to any
pass in quick proto tcp from 192.168.60.60 to any port = 22
block in quick proto tcp from any to any port = 22
block in quick proto tcp from any to any port = 161
block in quick proto udp from any to any port = 161
block in quick proto udp from any to any port = 177
block in quick proto udp from any to any port = 520
block in quick proto tcp from any to any port = 6788
block in quick proto tcp from any to any port = 6789
block in quick proto tcp from any to any port = 32770
block in quick proto tcp from any to any port = 32771
block in quick proto tcp from any to any port = 32772
block in quick proto tcp from any to any port = 32775
block in quick proto tcp from any to any port = 32776
block in quick proto tcp from any to any port = 32777
block in quick proto tcp from any to any port = 32778
block in quick proto tcp from any to any port = 32779
To load the rules, use the command /lib/svc/method/ipfilter reload
Verify that they were loaded correctly with this other command
bash-3.00# ipfstat -iol
pass out quick on dmfe0 proto icmp from any to 192.168.60.60/32 icmp-type echorep
block out quick on dmfe0 proto icmp from any to any
pass in quick on dmfe0 proto icmp from 192.168.60.60/32 to any icmp-type echorep
pass in quick proto tcp from 192.168.60.60/32 to any port = ssh
block in quick proto tcp from any to any port = ssh
block in quick proto tcp from any to any port = 161
block in quick proto udp from any to any port = 161
block in quick proto udp from any to any port = 177
block in quick proto udp from any to any port = 520
block in quick proto tcp from any to any port = 6788
block in quick proto tcp from any to any port = 6789
block in quick proto tcp from any to any port = 32770
block in quick proto tcp from any to any port = 32771
block in quick proto tcp from any to any port = 32772
block in quick proto tcp from any to any port = 32775
block in quick proto tcp from any to any port = 32776
block in quick proto tcp from any to any port = 32777
block in quick proto tcp from any to any port = 32778
block in quick proto tcp from any to any port = 32779
If rules like these are not shown, check the logs to find the possible causes.
The first 4 rules mean that only the host with IP 192.168.60.60 can ping the
server.
The next three rules mean that only IP 192.168.60.60 can connect to the server
over ssh.
The remaining rules mean that the port is blocked, or that a port scanner such
as nmap reports those ports as filtered.
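How the quick keyword makes rule order decide the verdict, as an added example that is not part of the original page: a small evaluator for the rule shape used above, which also checks the RPC-range ports from the first scan against the rules. It assumes that packets matching no rule are passed, and 192.168.60.61 is a constructed address standing in for any other host.

```shell
#!/bin/sh
# Added example: first-match evaluation of "quick" rules for inbound traffic.
# Handles only the rule shape used on this page:
#   pass|block in quick proto P from SRC to any port = N
# Assumption: a packet that matches no rule is passed (no default block).

# The ssh, snmp and RPC-range rules from the ipf.conf shown above.
RULES='pass in quick proto tcp from 192.168.60.60 to any port = 22
block in quick proto tcp from any to any port = 22
block in quick proto tcp from any to any port = 161
block in quick proto udp from any to any port = 161
block in quick proto tcp from any to any port = 32770
block in quick proto tcp from any to any port = 32771
block in quick proto tcp from any to any port = 32772
block in quick proto tcp from any to any port = 32775
block in quick proto tcp from any to any port = 32776
block in quick proto tcp from any to any port = 32777
block in quick proto tcp from any to any port = 32778
block in quick proto tcp from any to any port = 32779'

# Usage: ipf_verdict PROTO SRC_IP DST_PORT   -> prints "pass" or "block"
ipf_verdict() {
    printf '%s\n' "$RULES" | awk -v proto="$1" -v src="$2" -v port="$3" '
        $2 == "in" && $3 == "quick" && $5 == proto &&
        ($7 == "any" || $7 == src) && $NF == port {
            print $1; found = 1; exit      # quick: the first match decides
        }
        END { if (!found) print "pass" }'  # nothing matched: default pass
}

# RPC-range ports that the first nmap scan on this page reported open.
SCAN_PORTS='32771 32772 32773 32774 32775 32776 32777 32778'

# Prints the scanned ports that a host other than 192.168.60.60 still reaches.
uncovered_ports() {
    out=''
    for p in $SCAN_PORTS; do
        if [ "$(ipf_verdict tcp 192.168.60.61 "$p")" = pass ]; then
            out="${out:+$out }$p"
        fi
    done
    echo "$out"
}

uncovered_ports
```

For this rule set it reports 32773 and 32774: no rule covers them, so they appear closed in the final scan only because nothing is listening there.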
After doing the above, we check with nmap, Nessus and GFI LANguard Network
Security Scanner 7.0 what flaws we can find on our server.
Nmap
C:\nmap-4.76>nmap -O 192.168.60.31
Starting Nmap 4.76 ( http://nmap.org ) at 2009-04-21 17:40 Hora de verano central
(Mexico)
Interesting ports on 192.168.60.31:
Not shown: 988 closed ports
PORT STATE SERVICE
22/tcp open ssh
161/tcp filtered snmp
6788/tcp filtered unknown
6789/tcp filtered unknown
32770/tcp filtered sometimes-rpc3
32771/tcp filtered sometimes-rpc5
32772/tcp filtered sometimes-rpc7
32775/tcp filtered sometimes-rpc13
32776/tcp filtered sometimes-rpc15
32777/tcp filtered sometimes-rpc17
32778/tcp filtered sometimes-rpc19
32779/tcp filtered sometimes-rpc21
MAC Address: 00:03:BA:0F:37:49 (Sun Microsystems)
Device type: general purpose
Running: Sun Solaris 9|10
OS details: Sun Solaris 9 or 10
OS detection performed. Please report any incorrect results at http://nmap.org/submit/.

Nmap done: 1 IP address (1 host up) scanned in 34.92 seconds


It shows a single open port, ssh. Testing confirms that IP 192.168.60.60 is the
only one that can log in to the server.
Nessus (free software, with paid consulting services and other products)
In its scan, Nessus detects no open ports

GFI LANguard Network Security Scanner 7.0

In its scan it did not detect the host

Finally, a scan run with SolarWinds LANsurveyor did not detect the host.
