| File: | 124_firewall-install.txt |
|---|---|
| Last Modified: | 2000/08/02 18:55:12 |
| Author: | root |
| Document Title: | Firewall Install Instructions |
Firewall Install Notes
=======================
This document details the instructions required to take a basic core Solaris
operating system install and add the SunScreen firewall software. It does
not cover the SKIP install or the recovery of a crashed firewall; each
of these has its own instruction set.
Do not use these instructions to harden a non-core install! There are many
other operations that need to be done with a standard Solaris install.
This document presupposes that you know how to install the Solaris operating
system. If this is not the case, please look at the document titled
118_hardsun.txt.
----------------------------------------------------------------
This document assumes that you have installed the core version of the operating
system onto a machine with two 9GB drives partitioned in the following
manner:
Part        Tag   Flag     Cylinders        Size            Blocks
  0        root    wm       0 - 3900      6.68GB    (3901/0/0) 14008491
  1        swap    wu    3901 - 4517      1.06GB     (617/0/0)  2215647
  2      backup    wu       0 - 4923      8.43GB    (4924/0/0) 17682084
  3  unassigned    wm    4811 - 4820     17.53MB      (10/0/0)    35910
  4  unassigned    wm    4518 - 4810    513.75MB     (293/0/0)  1052163
  5  unassigned    wm       0                0         (0/0/0)        0
  6  unassigned    wm       0                0         (0/0/0)        0
  7  unassigned    wm       0                0         (0/0/0)        0
In addition to the standard core install, add the following packages:
For the SunScreen software
SUNWscpu - Source Compatibility, (Usr)
SUNWsprot - Solaris Bundled tools
SUNWtoo - Programming Tools
SUNWvolr - Volume Management, (Root)
SUNWvolu - Volume Management, (User)
SUNWxwplt - X Window System platform software
SUNWmfrun - Motif RunTime Kit
SUNWjvrt - JavaVM run time environment
SUNWeuluf - UTF-8 L10N For Language Environment User Files
SUNWjvjit - Java JIT compiler
SUNWxwice - ICE components
SUNWxwrtl - X Window System & Graphics Runtime Library Links in /usr/lib
SUNWast - ASET security checking system
Miscellaneous packages:
SUNWlibC - for DiskSuite
SUNWntpu - for time sync
SUNWjvjit - non-mandatory for SunScreen
SUNWter - terminal emulator package
This install note begins at the point where you have a new OS and all mirrors set
up on the /, /disksuite and /altboot file systems (215.16 in the original
118_hardsun.txt document).
----------------------------------------------------------------
----------------------------------------------------------------
1) Modify the syslogd services
1.1) To increase the granularity of the system logging, add the following lines to
the /etc/syslog.conf file (remember to use tabs and no spaces!):
user.info /var/adm/user
daemon.info /var/adm/daemon
auth.info /var/adm/auth
cron.info /var/adm/cron
local0.info /var/adm/wrapper.log
mail.debug /var/adm/mail
This separates each type of syslog data into its own file. The local0 entry
(/var/adm/wrapper.log) is put to use by the TCP wrappers set up in the next section.
1.2) Touch the files referenced in the /etc/syslog.conf file:
touch /var/adm/user /var/adm/daemon /var/adm/auth /var/adm/cron /var/adm/wrapper.log /var/adm/mail
1.3) Restart syslogd by sending it a HUP signal (look up its PID with
ps -ef | grep syslogd):
kill -HUP <syslogd-pid>
2) Modify inetd services
2.1) Limit inetd functionality.
2.1.1) Comment out ALL functionality of /etc/inetd.conf except for the telnet and ftp
services. We will need these services to continue the install process until a later
step. Restart inetd by sending it a HUP signal (look up its PID with
ps -ef | grep inetd):
kill -HUP <inetd-pid>
2.2) Wrapperize the remaining inetd functionality.
2.2.1) FTP a clean copy of tcpd off of thames and place in the /usr/sbin directory.
Check permissions to make sure they are:
-r-xr-xr-x 1 root sys 30072 Sep 28 16:54 /usr/sbin/tcpd
If they are not, fix it.
2.2.2) Edit the /etc/inetd.conf file to use the tcpd instead of the in.ftpd and
in.telnetd:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
#ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
2.2.3) Create and edit the files /etc/hosts.allow and /etc/hosts.deny. These
limit the hosts that can connect via inetd services. For example, put
ALL: 208.19.64.0/255.255.255.0
in hosts.allow and
ALL: ALL
in hosts.deny to limit traffic to the real subnet 208.19.64.0/24.
2.2.4) Restart inetd for this to take effect (see 2.1).
3) Check /etc/default/login and make sure CONSOLE and UMASK are not commented out.
4) Disable unnecessary services
4.1) In /etc/rc2.d, rename the following services to NO_S##ServiceName
S71rpc
S73nfs.client
S74autofs
S88sendmail
4.2) In /etc/rc3.d, rename the following services to NO_S##ServiceName
S15nfs.server
5) Rename the following files to NO_filename:
/etc/hosts.equiv
/.rhosts
/etc/dfs/dfstab
/etc/auto_*
6) Edit /etc/shadow and set the password field to "NP" (no valid password, so the
account cannot log in) for:
sys
uucp
nuucp
listen
7) Enable logging of failed login attempts
touch /var/adm/loginlog
chown root /var/adm/loginlog
chgrp sys /var/adm/loginlog
(or, chown root:sys /var/adm/loginlog)
chmod 600 /var/adm/loginlog
8) Turn on system auditing. Note, the audit files generated are not human readable.
The praudit(1M) command can be used to convert audit data into several ASCII formats.
8.1) Enable the Basic Security Module by running /etc/security/bsmconv
8.2) Configure the classes of events to log in /etc/security/audit_control:
dir:/var/audit
flags:lo,ad,fc,fd,fm
naflags:lo,ad
#
# lo - login/logout events
# ad - administrative actions: mount, exportfs, etc.
# pc - process operations: fork, exec, exit, etc.
# fc - file creation
# fd - file deletion
# fm - change of object attributes: chown, flock, etc.
#
In this case I did not enable the 'pc' class. If the firewall is in an
extremely sensitive area, logging it would be a good idea.
8.3) Create /etc/security/newauditlog.sh:
#!/sbin/sh
#
# newauditlog.sh - Start a new audit file and expire the old logs
#
AUDIT_EXPIRE=30
AUDIT_DIR="/var/audit"
# Close the current audit file and start a new one
/usr/sbin/audit -n
# Work from inside the directory in case it is a link; stop if it is missing
cd $AUDIT_DIR || exit 1
# Remove audit files older than AUDIT_EXPIRE days
/usr/bin/find . -type f -mtime +$AUDIT_EXPIRE -exec rm {} \; > /dev/null 2>&1
8.4) Run the script nightly from cron:
0 0 * * * /etc/security/newauditlog.sh
8.5) Run the Automated Security Enhancement Tool (ASET) to check and modify the settings
for system files:
/usr/aset/aset -l high
9) Enable hardware protection for buffer overflow exploits in /etc/system:
* Foil certain classes of bug exploits
set noexec_user_stack = 1
* Log attempted exploits
set noexec_user_stack_log = 1
10) Create /etc/init.d/nddconfig and create a link to /etc/rc2.d/S70nddconfig.
touch /etc/init.d/nddconfig
ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
10.1) Add the following lines to the /etc/init.d/nddconfig file:
#!/bin/sh
#
# /etc/init.d/nddconfig
#
# Fix for broadcast ping bug
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
# Block directed broadcast packets
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
# Prevent spoofing
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
# No IP forwarding
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
# Drop source routed packets
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
# Shorten ARP expiration to one minute to minimize ARP
# spoofing/hijacking
# [Source: Titan adjust-arp-timers module]
/usr/sbin/ndd -set /dev/ip ip_ire_flush_interval 60000
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60
11) Deny services started by inetd(1M) the ability to create core files, and
enable logging for all TCP services, by editing /etc/rc2.d/S72inetsvc:
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF. Why did we ever let them change inetd?
ulimit -c 0
/usr/sbin/inetd -s -t&
12) Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit:
TCP_STRONG_ISS=2
13) Require authentication for remote commands by commenting out the following line
in /etc/pam.conf:
#rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
and changing the rsh line to read:
rsh auth required /usr/lib/security/pam_unix.so.1
14) Create an /etc/ftpusers file:
cut -f1 -d: /etc/passwd > /etc/ftpusers
chown root /etc/ftpusers
chmod 600 /etc/ftpusers
Remove any users that require ftp access from the /etc/ftpusers file.
15) Set the default umask so that it does not include world access.
Add "umask 027" to the following files:
/etc/.login
/etc/profile
/etc/skel/local.cshrc
/etc/skel/local.login
/etc/skel/local.profile
16) Create an /etc/cron.d/cron.allow file:
echo "root" > /etc/cron.d/cron.allow
chown root /etc/cron.d/cron.allow
chmod 600 /etc/cron.d/cron.allow
17) Create an /etc/cron.d/at.allow file:
cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
18) Create an /etc/cron.d/cron.deny file:
grep -v '^root:' /etc/passwd | cut -f1 -d: > /etc/cron.d/cron.deny
chown root /etc/cron.d/cron.deny
chmod 600 /etc/cron.d/cron.deny
19) Create an /etc/cron.d/at.deny file:
cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
20) Time Synchronization. Add the following line to the crontab:
12 0,12 * * * /usr/sbin/ntpdate -s ntp.ucsd.edu clock.tricity.wsu.edu
21) Create a user account and directory for yourself (ex: /home/scottc). This will
be separate from the NIS account shared by the development group.
22) Add secure shell
22.1) Create a /usr/sbin/security directory and change the permissions to 700.
22.2) FTP the ssh-2.0.13.compiled.tar file to the box and install in the
/usr/sbin/security directory. Untar the file in the directory.
22.3) Run the 'make install' from the ssh-2.0.13 directory. There will be some
errors, but they typically involve replacing old versions of ssh, and the
installation of the man pages.
22.4) Link the following files to /usr/bin
ln -s /usr/local/bin/ssh2 /usr/bin/ssh
ln -s /usr/local/bin/scp2 /usr/bin/scp
ln -s /usr/local/bin/ssh-keygen2 /usr/bin/ssh-keygen
cp sshd2 /usr/sbin/sshd2
22.5) Take your public certificate from /home/USER_ID/.ssh2 on the NIS cluster
directory on thames, and FTP it to the new host in the user directory created in step
21. Make sure that it has a unique identifying name (such as scottc.thames.pub
instead of id_dsa_1024_a.pub).
22.6) Telnet to the new host as the new account created in step 21. Run ssh-keygen
to establish a new ssh identity on the new firewall.
22.7) Copy the public certificate to the ~/.ssh2 directory.
22.8) Authorize the thames key by creating an authorization file in ~/.ssh2:
echo "Key scottc.thames.pub" > ~/.ssh2/authorization
22.9) Create the rc script to start the sshd on system start. Place the following
script in /etc/rc2.d as "S63SSH-Start":
#!/bin/sh
# start the sshd located in /usr/sbin
# is version 2.0.13
#
/usr/sbin/sshd2
STATUS=$?        # capture the sshd2 exit status before anything else overwrites $?
DATE=`date`
if [ "$STATUS" = "0" ]
then
    logger -p daemon.info "SSH start on $DATE"
    echo "SSH started"
else
    logger -p daemon.info "SSH start ERROR on $DATE"
    echo "SSH error starting"
fi
# end of script
Make sure the permissions on the script are 555.
22.10) Start the sshd with the script above and make sure that it is running.
22.11) Test the login with the account generated in step 21.
23) Comment out the remaining values in /etc/inetd.conf to remove telnet and ftp.
Restart the daemon as in step 2.1.
24) Patch the box with the latest available jumbo patch from Sun.
25) Reboot the box. NOTE: when the box power cycles, use the -a option and boot
with boot -r in case device files were added by the patch.
26) After reboot, a netstat -an should look like this on the console:
UDP
   Local Address         Remote Address     State
-------------------- -------------------- -------
      *.514                                Idle
      *.*                                  Unbound
TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0     0      0 IDLE
      *.22                 *.*                0      0     0      0 LISTEN
      *.*                  *.*                0      0     0      0 IDLE
There may be an additional port open if you are coming in from ssh:
      *.6010               *.*                0      0     0      0 LISTEN
but this is a byproduct of the individual ssh connection and is not a real
service port on the box.
If there are more ports open, then re-check the /etc/inetd.conf and the rc#.d files.
A typical process listing (ps -ef) looks something like:
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Sep 19 ?        0:01 sched
    root     1     0  0   Sep 19 ?        0:01 /etc/init -
    root     2     0  0   Sep 19 ?        0:00 pageout
    root     3     0  0   Sep 19 ?       28:42 fsflush
    root   324     1  0   Sep 19 ?        0:00 /usr/lib/saf/sac -t 300
    root   264     1  0   Sep 19 ?        0:00 /usr/sbin/inetd -s -t
    root   327   324  0   Sep 19 ?        0:00 /usr/lib/saf/ttymon
    root   300     1  0   Sep 19 ?        0:00 /usr/lib/utmpd
    root   271     1  0   Sep 19 ?        0:01 /usr/sbin/syslogd
    root   321     1  0   Sep 19 ?        0:00 /usr/opt/SUNWmd/sbin/mdlogd
    root   272     1  0   Sep 19 ?        0:02 /usr/sbin/cron
    root   297     1  0   Sep 19 ?        0:00 /usr/sbin/vold
    root   299     1  0   Sep 19 ?        0:05 /usr/sbin/nscd
    root 12108     1  0   Sep 29 console  0:00 -sh
    root  5908     1  0   Sep 25 ?        0:00 /usr/sbin/sshd2
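As an added check that is not part of the original notes, the script below automates the comparison in step 26: it reads netstat -an output and flags any bound socket other than the syslogd and sshd listeners the notes expect, while listing the ssh X11-forwarding ports separately. The sample netstat text is constructed from the listing above plus a leftover telnet listener; the expected-port lists and the nawk remark are assumptions for a Solaris box.

```shell
#!/bin/sh
# Post-hardening listener check (added example; not part of the original notes).
# Reads "netstat -an" output and reports every bound local socket that is not
# one of the listeners step 26 expects: syslogd on UDP 514 and sshd on TCP 22.
# TCP 6010-6019 are X11-forwarding ports owned by the ssh session you came in
# on, so they are listed for information but do not count as a failure.
# On Solaris set AWK=nawk; the old /usr/bin/awk does not understand -v.
EXPECTED_UDP="514"   # space-separated port lists; extend if you keep more services
EXPECTED_TCP="22"
AWK=${AWK:-awk}
# unexpected_listeners: netstat -an text on stdin -> "proto port" lines on stdout.
# Exit status is 1 if any unexpected listener was seen, 0 otherwise.
unexpected_listeners() {
    $AWK -v udp="$EXPECTED_UDP" -v tcp="$EXPECTED_TCP" '
    BEGIN {
        n = split(udp, a, " "); for (i = 1; i <= n; i++) okudp[a[i]] = 1
        n = split(tcp, b, " "); for (i = 1; i <= n; i++) oktcp[b[i]] = 1
        proto = ""; bad = 0
    }
    /^UDP/ { proto = "udp"; next }        # section headers switch protocol
    /^TCP/ { proto = "tcp"; next }
    proto == "" || $1 !~ /\./ { next }    # column headers and ---- rules
    {
        port = $1; sub(/.*\./, "", port)  # "*.514" -> "514"
        if (port == "*") next             # "*.*" is the unbound/idle placeholder
        if (proto == "udp" && $NF == "Idle" && !(port in okudp)) {
            print proto, port; bad = 1
        }
        if (proto == "tcp" && $NF == "LISTEN" && !(port in oktcp)) {
            if (port + 0 >= 6010 && port + 0 <= 6019) { print proto, port, "(ssh X11 forwarding)" }
            else { print proto, port; bad = 1 }
        }
    }
    END { exit bad }'
}
# Constructed sample in the layout the notes show, plus one telnet listener
# (TCP 23) left behind by an /etc/inetd.conf line that was not commented out.
SAMPLE_NETSTAT='UDP
   Local Address         Remote Address     State
-------------------- -------------------- -------
      *.514                                Idle
      *.*                                  Unbound
TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0     0      0 IDLE
      *.22                 *.*                0      0     0      0 LISTEN
      *.23                 *.*                0      0     0      0 LISTEN
      *.6010               *.*                0      0     0      0 LISTEN'
# check_sample: run the check over the sample. On the firewall itself use:
#   netstat -an | unexpected_listeners || echo "re-check /etc/inetd.conf and rc#.d"
check_sample() { printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners; }
```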
----------------------------------------------------------------
Firewall Install!
The firewall software consists of two parts - the screen and an administrative
station. It also operates in two modes, stealth and routing. In this case the
install will be a routing firewall with local administration.
It is possible to install the firewall using a GUI or via the command line. In both
cases the questions asked are the same, but the GUI will make the install process
simpler. If you want to perform the install from another unix box using a GUI, do
the following:
1) SSH into the firewall as normal.
2) Export the display to the workstation that you are using:
export DISPLAY=208.19.64.10:0.0
(or whatever shell specific variant that you need).
3) On your client unix box, type xhost + at the console (as root).
Now any X-windows traffic will show up on your client machine.
Install:
1) Configure all network interfaces that you will be using. In this case there are
two cards, a single standard ethernet card (hme0), and a quad ethernet card (qfe0-3).
1.1) Use ifconfig to plumb and configure the following:
hme0: flags=863 mtu 1366
        inet 208.19.64.254 netmask ffffff00 broadcast 208.19.64.255
        ether 8:0:20:a9:88:46
qfe1: flags=863 mtu 1500
        inet 10.10.20.1 netmask ffffff00 broadcast 10.10.20.255
        ether 8:0:20:a9:88:46
qfe0: flags=863 mtu 1500
        inet 10.10.10.1 netmask ffffff00 broadcast 10.10.10.255
        ether 8:0:20:a9:88:46
qfe2: flags=863 mtu 1500
        inet 10.10.30.1 netmask ffffff00 broadcast 10.10.30.255
        ether 8:0:20:a9:88:46
qfe3: flags=863 mtu 1500
        inet 10.10.40.1 netmask ffffff00 broadcast 10.10.40.255
        ether 8:0:20:a9:88:46
1.2) Add the following entries to the /etc/hosts file if they are not there already:
208.19.64.254 yangtze.iengineer.com yangtze loghost
10.10.10.1 qfe0
10.10.20.1 qfe1
10.10.30.1 qfe2
10.10.40.1 qfe3
1.3) To make sure that the cards come up with the correct information, make sure that
the following files exist, and are of the form:
hostname.hme0
hostname.qfe0
hostname.qfe1
hostname.qfe2
hostname.qfe3
cat hostname.qfe0
qfe0
1.4) In the case of the 10.0.0.0 class A addresses, we need to modify the natural
subnet mask to enable the routing to behave in a manner that we would expect. This
is done with the /etc/netmasks file:
#
# The netmasks file associates Internet Protocol (IP) address
# masks with IP network numbers.
#
# network-number netmask
#
# The term network-number refers to a number obtained from the Internet
# Network
# Information Center. Currently this number is restricted to being a class
# A, B, or C network number. In the future we should be able to support
# arbitrary network numbers per the Classless Internet Domain Routing
# guidelines.
#
# Both the network-number and the netmasks are specified in
# "decimal dot" notation, e.g:
#
# 128.32.0.0 255.255.255.0
#
208.19.64.0 255.255.255.0
10.10.10.0 255.255.255.0
10.10.20.0 255.255.255.0
10.10.30.0 255.255.255.0
10.10.40.0 255.255.255.0
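As an added example that is not part of the original notes, the script below reproduces the mask lookup step 1.4 depends on: for an interface address it takes the mask from the /etc/netmasks text when an entry covers the address and the natural class mask otherwise, then derives network and broadcast, so running it with and without the 10.10.x.0 entries shows exactly what those entries change. The netmasks text is a constructed copy of the listing above; the lookup rule (first entry whose network contains the address) and contiguous masks are assumptions.

```shell
#!/bin/sh
# Interface addressing check (added example; not part of the original notes).
# Derives the network and broadcast address for an interface IP the way step 1.4
# intends: with the mask from /etc/netmasks when an entry covers the address,
# otherwise with the natural class mask. Run with and without the 10.10.x.0
# entries it shows why the class A 10.x interfaces need them. Masks are assumed
# to be contiguous (255.255.255.0 style), as in the notes.

# natural_mask A.B.C.D -> the classful mask for that address
natural_mask() {
    first=${1%%.*}
    if [ "$first" -lt 128 ]; then echo 255.0.0.0
    elif [ "$first" -lt 192 ]; then echo 255.255.0.0
    else echo 255.255.255.0; fi
}

# mask_for IP NETMASKS_TEXT -> mask of the first "network mask" line whose
# network contains IP; falls back to natural_mask when nothing matches
mask_for() {
    found=$(printf '%s\n' "$2" | awk -v ip="$1" '
        function network_of(a, m,   i, x, y) {
            split(a, x, "."); split(m, y, ".")
            for (i = 1; i <= 4; i++) x[i] = x[i] - (x[i] % (256 - y[i]))
            return x[1] "." x[2] "." x[3] "." x[4]
        }
        /^[ \t]*#/ || NF < 2 { next }          # comments and blank lines
        network_of(ip, $2) == $1 { print $2; exit }')
    echo "${found:-$(natural_mask "$1")}"
}

# addressing IP NETMASKS_TEXT -> "network broadcast"
addressing() {
    echo "$1" "$(mask_for "$1" "$2")" | awk '{
        split($1, x, "."); split($2, y, ".")
        for (i = 1; i <= 4; i++) {
            n[i] = x[i] - (x[i] % (256 - y[i]))   # clear the host bits
            b[i] = n[i] + (255 - y[i])            # set the host bits
        }
        print n[1] "." n[2] "." n[3] "." n[4], b[1] "." b[2] "." b[3] "." b[4]
    }'
}

# Constructed copy of the /etc/netmasks entries from step 1.4.
NETMASKS='208.19.64.0 255.255.255.0
10.10.10.0 255.255.255.0
10.10.20.0 255.255.255.0
10.10.30.0 255.255.255.0
10.10.40.0 255.255.255.0'

# With the entries qfe1 gets 10.10.20.0 / 10.10.20.255; without them the
# class A fallback gives 10.0.0.0 / 10.255.255.255.
addressing 10.10.20.1 "$NETMASKS"
addressing 10.10.20.1 ""
```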
2) Insert and mount the cdrom. If a 'volcheck' does not mount the drive
successfully, use the following line:
mount -o ro -F hsfs /dev/dsk/c0t6d0s0 /cdrom
3) Install and configure the software, either from the GUI or from the command
prompt.
GUI: run /cdrom/cdrom0/screenInstaller
A series of questions will follow:
HA Designation: no
Screen Type: routing
Admin Type: Local
Install Type: Default
[files will load here ...]
Initial Security Level: Permissive*
Name Service: DNS
[Screen Build]
Reboot the machine.
Log in and set the PATH and the MANPATH variables in the .profile or .login to:
PATH=/opt/SUNWicg/SunScreen/bin:$PATH
MANPATH=/opt/SUNWicg/SunScreen/man:$MANPATH
* If you select any level other than Permissive, you will be locked out when
the screen builds its configuration!
Command prompt: run pkgadd -d /cdrom/cdrom0/sparc
When the list of packages is presented, select 1-5,7-17.
Answer all program prompts with a 'y'.
When the process is complete, the menu will return. Quit with a 'q'.
Eject the cdrom and reboot.
Log back in and set the PATH and the MANPATH variables in the .profile or .login to:
PATH=/opt/SUNWicg/SunScreen/bin:$PATH
MANPATH=/opt/SUNWicg/SunScreen/man:$MANPATH
Run ss_install and answer the questions based on the information in the GUI
section.
Reboot the machine.
4) Load permanent ARP entries into the OS for reverse NAT. For NAT to function
with permanent fixed translation, the OS needs static arp entries. This is best
done with an rc script. Place the following in /etc/rc2.d/S99nat:
#!/bin/sh
#
# arp entries for NAT on the firewall
#
arp -s nile 08:00:20:a9:83:8c
arp -s thames 08:00:20:a9:bb:d4
# end of script
----------------------------------------------------------------
At this point the firewall is ready for configuration. Although it would be
possible to manually reconfigure the entire system, a number of configuration
archives and scripts have been written to enable this to be done in a timely
and efficient manner.
For these instructions, please see document "FirewallRecoveryDoc"
----------------------------------------------------------------
end of instructions