« SCSA10-1 Objective 4.3 - Solaris security switching users, becoming root, monitoring su attempts
SCSA10-1 Objective 4.5 - Solaris restrict access to files, group membership, special file permissions »

SCSA10-1 Objective 4.4 - Solaris security, restricting ftp access, SSH fundamentals

Aleve For Sale Zocor No Prescription Buy Cafergot No Prescription Buy Online Gyne-lotrimin Buy Calan Online Tramadol For Sale Diflucan No Prescription Buy Grifulvin No Prescription Buy Online Toprol Xl Buy Plendil Online Vantin For Sale Brafix No Prescription Buy Atacand No Prescription Buy Online Lasix Buy Medrol Online Zocor For Sale Plendil No Prescription Buy Stretchnil No Prescription Buy Online Noroxin Buy Accutane Online 36 Beauty For Sale Zerit No Prescription Buy Reosto No Prescription Buy Online Inderal Buy Micardis Online

Securing computers that are connected in any way to other computers has become critical, which is to say vaulable. While Solaris is less vulnerable to many common attacks, there are still vulnerabilities that can bring tears to the staunchest sysadmin. This objective covers some basic, common sense approaches including stronger access services and limiting access to legitimate users.

Control system security through restricting ftp access and using /etc/hosts.equiv and $HOME/ .rhosts files, and SSH fundamentals.

FTP access may be a necessary evil in some environments if users need to transfer files from systems that don’t (ahem) come with sftp. In the interests of “least privilege,” only users who need to FTP should have that capability. The system users like uucp, bin, and lp, for example, never need to start an FTP session. To prevent a user from connecting to the system with FTP, add their username to the file /etc/ftpd/ftpusers — This seems counterintuitive, but users listed in the ftpusers file cannot access FTP. By default, all of the system users are included in this file under Solaris 10.

The /etc/hosts.equiv and ~/.rhosts files provide system and user level control over remote systems and users that are considered “trusted” and therefore do not need to provide passwords when using rlogin, rsh, rcp, and rcmd. Misconfigurations in theses files can be disastrous. The Solaris 10 man page combines both files and provides the definitive resource for these files. Important to note that these files do not apply for remote attempts to access the system as root.

SSH (secure shell) is a more secure replacement for telnet and is installed by default on Solaris 10 systems. While telnet is still enabled, many admins prefer to disable telnet which send all traffic in clear text (including passwords) in favor of SSH which encrypts all traffic. SSH has many amazing capabilities beyond being a telnet replacment. It can perform certificate-based authentication, can tunnel TCP ports between the two networks, forward X-windows sessions, and perform secure file transfers using the sftp or scp commands providing a secure replacement for FTP.

In the simplest usage, replacing telnet to connect to a remote host as the current user, SSH is used as

ssh remotehost

To login to a remote host as a different user:

ssh -l otheruser remotehost

While not explicitly described in this objective, the basic use of sftp is simple to remember. To start a remote secure file transfer session with the system remotehost as the user fred, use:

sftp fred@remotehost

A more comprehensive reference for SSH is available from Sun.

This entry was posted on Thursday, January 19th, 2006 at 4:49 pm and is filed under SCSA I Solaris 10. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.