
How to turn off RSH at Solaris 10 server


underh20.s...@gmail.com

Dec 27, 2007, 1:29:31 PM
We need to turn off RSH at our Solaris 10 server. Does anyone know
how ? We don't seem to find "rsh" in svcs or in the inetd.conf file.


Thanks,

Humphrey

Nomen Publicus

Dec 27, 2007, 1:52:00 PM
underh20.s...@gmail.com wrote:
> We need to turn off RSH at our Solaris 10 server. Does anyone know
> how ? We don't seem to find "rsh" in svcs or in the inetd.conf file.

# svcadm disable svc:/network/login:rlogin

You may also want to disable eklogin, klogin and telnet :-)

But if you want a secure system, start with just ssh by getting a root
console session that doesn't depend on the services being switched off and
running the command

# /usr/sbin/netservices limited

and then enable only those network services that are needed.

(why the svc system doesn't provide aliases for well known services is a bit
of a mystery. Using "system-log" for syslog is especially annoying.)

Franco

Dec 27, 2007, 2:01:07 PM

svcadm disable inetd

And use ssh

Casper H.S. Dik

Dec 27, 2007, 2:48:05 PM
Nomen Publicus <ne...@buffy.sighup.org.uk> writes:

>underh20.s...@gmail.com wrote:
>> We need to turn off RSH at our Solaris 10 server. Does anyone know
>> how ? We don't seem to find "rsh" in svcs or in the inetd.conf file.

># svcadm disable svc:/network/login:rlogin

While rsh without arguments falls back to the rlogin protocol, it typically
uses "rsh" protocol and for that you need to disable:

svc:/network/shell:default

and possibly the Kerberos one also (not enabled by default)

svc:/network/shell:kshell

Casper

--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
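
An added example, not part of any post in this thread: a small audit that reads `svcs -a` output and reports which of the rsh/rlogin/rexec/telnet instances named in the thread are still enabled. It catches the case described above, where login:rlogin is disabled but shell:default is not. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find r-command services that are still enabled.
# Input is `svcs -a`-style text on stdin: STATE STIME FMRI.

# FMRIs taken from the posts in this thread.
R_SERVICES="svc:/network/login:rlogin svc:/network/login:klogin \
svc:/network/login:eklogin svc:/network/shell:default \
svc:/network/shell:kshell svc:/network/rexec:default \
svc:/network/telnet:default"

# Print "STATE FMRI" for each listed instance that is not disabled.
# online, offline, degraded and maintenance all mean "enabled".
audit_r_services() {
    awk -v list="$R_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 == "STATE" { next }                      # skip the header line
        ($3 in want) && $1 != "disabled" { print $1, $3 }
    '
}

# Turn audit output into svcadm commands to review before running them.
disable_commands() {
    awk '{ print "svcadm disable " $2 }'
}

# Constructed sample in `svcs -a` format (not captured from a real host).
sample_svcs() {
    cat <<'EOF'
STATE          STIME    FMRI
disabled       Dec_27   svc:/network/login:rlogin
online         Dec_27   svc:/network/shell:default
disabled       Dec_27   svc:/network/shell:kshell
online         Dec_27   svc:/network/ssh:default
maintenance    Dec_27   svc:/network/telnet:default
online         Dec_27   svc:/network/rpc/gss:default
EOF
}

# On a Solaris 10 host: svcs -a | audit_r_services
sample_svcs | audit_r_services
sample_svcs | audit_r_services | disable_commands
```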

Casper H.S. Dik

Dec 27, 2007, 2:49:42 PM
Franco <franco_...@yahoo.com> writes:

>svcadm disable inetd

That's a bit of a big hammer.

(First run "inetadm" to see whether any of the services it runs need
to continue to run)

Canuck57

Dec 27, 2007, 3:27:48 PM

"Casper H.S. Dik" <Caspe...@Sun.COM> wrote in message
news:477401d6$0$85789$e4fe...@news.xs4all.nl...

Big hammer, but one of the things I do when building very secure hosts is to
by default disable all unknown services. Gets a lot of unnecessary
services disabled for sure.

If you're building a secure host, what in inetd do you need?


svc:/application/x11/xfs:default
svc:/application/font/stfsloader:default
svc:/application/print/rfc1179:default
svc:/network/rpc/ocfserv:default
svc:/network/rpc/smserver:default
svc:/network/rpc/gss:default
svc:/network/rpc/rex:default
svc:/network/rpc/mdcomm:default
svc:/network/rpc/meta:default
svc:/network/rpc/metamed:default
svc:/network/rpc/metamh:default
svc:/network/rpc/rstat:default
svc:/network/rpc/rusers:default
svc:/network/rpc/spray:default
svc:/network/rpc/wall:default
svc:/network/tname:default
svc:/network/security/ktkt_warn:default
svc:/network/security/krb5_prop:default
svc:/network/telnet:default
svc:/network/nfs/rquota:default
svc:/network/apocd/udp:default
svc:/network/uucp:default
svc:/network/chargen:dgram
svc:/network/chargen:stream
svc:/network/daytime:dgram
svc:/network/daytime:stream
svc:/network/discard:dgram
svc:/network/discard:stream
svc:/network/echo:dgram
svc:/network/echo:stream
svc:/network/time:dgram
svc:/network/time:stream
svc:/network/ftp:default
svc:/network/comsat:default
svc:/network/finger:default
svc:/network/login:eklogin
svc:/network/login:klogin
svc:/network/login:rlogin
svc:/network/rexec:default
svc:/network/shell:default
svc:/network/shell:kshell
svc:/network/talk:default
svc:/network/rpc-100235_1/rpc_ticotsord:default
svc:/network/rpc-100083_1/rpc_tcp:default
svc:/network/rpc-100068_2-5/rpc_udp:default
svc:/network/swat/tcp:default


Gary Mills

Dec 27, 2007, 3:36:54 PM
In <8VTcj.22019$vd4.11842@pd7urf1no> "Canuck57" <dave-n...@unixhome.net> writes:

>"Casper H.S. Dik" <Caspe...@Sun.COM> wrote in message
>news:477401d6$0$85789$e4fe...@news.xs4all.nl...
>> Franco <franco_...@yahoo.com> writes:
>>
>>>On Dec 27, 6:29 pm, underh20.scubadiv...@gmail.com wrote:
>>>> We need to turn off RSH at our Solaris 10 server. Does anyone know
>>>> how ? We don't seem to find "rsh" in svcs or in the inetd.conf file.
>>

>>>svcadm disable inetd
>>
>> That's a bit of a big hammer.
>>
>> (First run "inetadm" to see whether any of the services it runs need
>> to continue to run)

>Big hammer, but one of the things I do when building very secure hosts is to
>by default disable all unknown services. Gets a lot of unnecessary
>services disabled for sure.

>If you're building a secure host, what in inetd do you need?

Many services run from inetd only listen on local transports. There's
no need to disable these when you are attempting to prevent access
from outside.

--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-

ITguy

Dec 27, 2007, 8:29:21 PM
On Dec 27, 2:36 pm, Gary Mills <mi...@cc.umanitoba.ca> wrote:
> In <8VTcj.22019$vd4.11842@pd7urf1no> "Canuck57" <dave-no_s...@unixhome.net> writes:
>
>
>
> >"Casper H.S. Dik" <Casper....@Sun.COM> wrote in message
> >news:477401d6$0$85789$e4fe...@news.xs4all.nl...

> >> Franco <franco_spen...@yahoo.com> writes:
>
> >>>On Dec 27, 6:29 pm, underh20.scubadiv...@gmail.com wrote:
> >>>> We need to turn off RSH at our Solaris 10 server. Does anyone know
> >>>> how ? We don't seem to find "rsh" in svcs or in the inetd.conf file.
>
> >>>svcadm disable inetd
>
> >> That's a bit of a big hammer.
>
> >> (First run "inetadm" to see whether any of the services it runs need
> >> to continue to run)
> >Big hammer, but one of the things I do when building very secure hosts is to
> >by default disable all unknown services. Gets a lot of unnecessary
> >services disabled for sure.
> >If you're building a secure host, what in inetd do you need?
>
> Many services run from inetd only listen on local transports. There's
> no need to disable these when you are attempting to prevent access
> from outside.
>
> --
> -Gary Mills- -Unix Support- -U of M Academic Computing and Networking-

Some other related security steps would be to get rid of the rsh lines
in pam.conf, and enable TCP wrappers on inetd. TCP wrappers are built
in to the SMF properties of inetd. You can use 'svccfg' to enable TCP
wrappers - remember to 'svcadm refresh inetd' after modifying the
service properties.

Casper H.S. Dik

Dec 28, 2007, 8:23:04 AM
"Canuck57" <dave-n...@unixhome.net> writes:

>Big hammer, but one of the things I do when building very secure hosts is to
>by default disable all unknown services. Gets a lot of unnecessary
>services disabled for sure.

>If you're building a secure host, what in inetd do you need?

Depends on what the secure host is supposed to do.

(E.g., you may want to use lvm and you will need to enable its
services; etc)

Casper H.S. Dik

Dec 28, 2007, 8:24:52 AM
ITguy <sout...@gmail.com> writes:

>Some other related security steps would be to get rid of the rsh lines
>in pam.conf, and enable TCP wrappers on inetd. TCP wrappers are built
>in to the SMF properties of inetd. You can use 'svccfg' to enable TCP
>wrappers - remember to 'svcadm refresh inetd' after modifying the
>service properties.

I'm not sure if removing the "rsh" lines in pam.conf improves
security; at best it doesn't influence it when rsh/rlogin aren't
enabled; at worst, I can't really tell because I'm not sure what
"rsh" does when it finds no PAM service.

Doug Freyburger

Dec 28, 2007, 9:35:16 AM
Nomen Publicus <n...@buffy.sighup.org.uk> wrote:

> underh20.scubadiv...@gmail.com wrote:
>
> > We need to turn off RSH at our Solaris 10 server.  Does anyone know
> > how ? We don't seem to find "rsh" in svcs or in the inetd.conf file.
>
> # svcadm disable svc:/network/login:rlogin

A tutorial guide to svcadm and its friends would be very nice. I
searched on Sun's big-admin site and didn't find anything that
fit the bill. As usual man pages teach details of how to use a
command but are light on the principles behind the command.

Richard B. Gilbert

Dec 28, 2007, 10:05:28 AM

docs.sun.com

There is more to it than the man pages. The man pages will tell you
about all 600 switches for the C compiler without telling you how to
compile your program. They are great if you just want to look up what
the "-whiz" switch does. . . .

I think you probably want the "System Administration" manuals.

Doug Freyburger

Dec 28, 2007, 10:28:41 AM
"Richard B. Gilbert" <rgilber...@comcast.net> wrote:

> Doug Freyburger wrote:
>
> > A tutorial guide to svcadm and its friends would be very nice.  I
> > searched on Sun's big-admin site and didn't find anything that
> > fit the bill.  As usual man pages teach details of how to use a
> > command but are light on the principles behind the command.
>
> docs.sun.com

And? Been there, searched that, didn't find anything remotely
like a tutorial that teaches the why of the service commands.

During my search I did find a good tutorial on the new ZFS (I
still can't figure out how to get it to list mirror status like
"metastat" but near as I can tell ZFS doesn't do mirroring) and
two very nice tutorials on Solaris 10 containers. But service
commands? Zot.

> There is more to it than the man pages.  The man pages will tell you
> about all 600 switches for the C compiler without telling you how to
> compile your program.  They are great if you just want to look up what
> the "-whiz" switch does. . . .

Sure. I learned that back in the days of BSD 4.1 on VAXen.
The man pages teach the how; the tutorials teach the why. It's
why a book like "UNIX Power Tools" makes for a poor teaching
tool but it rules as a reference on the desk of someone already
familiar with toolsmithing. To this day I still think "A tutorial
introduction to the vi editor" is the best document on the
SysAdminss-vicegrip.

> I think you probably want the "System Administration" manuals.

Sure. Does anyone have a URL to an actual tutorial on the
topic? I searched to no effect, though I liked the side effects I
mentioned above.

rjoh...@youcantmailme.com

Dec 28, 2007, 12:16:00 PM

there wouldn't be much to a svcadm tutorial. it's basically a wrapper
for turning off and turning on services. one of those things meant to
make life easier, but personally don't use it being old school and
doing stuff manually. if you're familiar with services and know how to
turn them off and on, you don't need a svcadm tutorial, imho...

Ron!

Doug Freyburger

Dec 28, 2007, 2:50:38 PM
rjohn...@youcantmailme.com wrote:

> Doug Freyburger <dfrey...@yahoo.com> said:
> > Nomen Publicus <n...@buffy.sighup.org.uk> wrote:
>
> >> # svcadm disable svc:/network/login:rlogin
>
> > A tutorial guide to svcadm and its friends would be very nice.  I
> > searched on Sun's big-admin site and didn't find anything that
> > fit the bill.  As usual man pages teach details of how to use a
> > command but are light on the principles behind the command.
>
> there wouldn't be much to a svcadm tutorial. it's basically a wrapper
> for turning off and turning on services.

Except it has a hierarchical naming scheme that at this point
is no more obvious to me than the random placement of
functions in AIX's smitty. I do a list, fail to find anything with
grep, scan up and down looking for a synonym, find one that
might be what I want, turn it off. That's far too haphazard for
an important tool.

> one of those things meant to
> make life easier, but personally don't use it being old school and
> doing stuff manually. if you're familiar with services and know how to
> turn them off and on, you don't need a svcadm tutorial, imho...

When I edit /etc/inetd.conf I get entries in /var/adm/messages
telling me that mechanism is now obsolete.

Casper H.S. Dik

Dec 28, 2007, 8:12:14 PM
rjoh...@youcantmailme.com writes:

>there wouldn't be much to a svcadm tutorial. it's basically a wrapper
>for turning off and turning on services. one of those things meant to
>make life easier, but personally don't use it being old school and
>doing stuff manually. if you're familiar with services and know how to
>turn them off and on, you don't need a svcadm tutorial, imho...

You can't turn services on or off without using svcadm in Solaris 10
and later. It's not a wrapper; it's the control mechanism.
