不要なサービスとポートの停止

Dell Optiplex GXa Solaris^TM 9 x86 12/02

不要なサービスとポートの停止

セキュリティ向上のため、不必要なサービスを停止し、不必要なポートを塞ぐ。ルーターや、FireWall等で不要なポートは外界からは閉じてあるので、安全と言えば安全なのだが、 2重のセキュリティを確保するという意味と、不要なサービスを起動させないようにすることで、不要なCPU使用の防止と、メモリの節約も目的の一つである。 調　　査：

Port番号	プロトコル	名前	起動指定場所	判断	コメント
7	TCP/UDP	echo	/etc/inetd.conf	不要
9	TCP/UDP	discard	/etc/inetd.conf	不要
13	TCP/UDP	daytime	/etc/inetd.conf	不要
19	TCP/UDP	chargen	/etc/inetd.conf	不要
21	TCP	ftp	/etc/inetd.conf	要
22	TCP	ssh	/etc/inetd.conf	要
23	TCP	telnet	/etc/inetd.conf	不要	全てsshで行うので、不要。
25	TCP	smtp	/etc/rc2.d/S88sendmail	要
37	TCP	time	/etc/inetd.conf	不要
37	UDP	time	/etc/inetd.conf	不要
42	UDP	nameserver	/etc/rc2.d/S72inetsvc	要
53	TCP/UDP	domain	/etc/rc2.d/S72inetsvc	要
79	TCP	finger	/etc/inetd.conf	不要
80	TCP	http	/etc/rc2.d/S78httpd	要
110	TCP	pop3	/etc/inetd.conf	要
111	TCP/UDP	sunrpc	/etc/rc2.d/S71rpc	不要	NFS等は使わないので不要。
123	UDP	ntp	/etc/rc2.d/S74xntpd	要
137	UDP	netbios-ns	/etc/rc2.d/S99samba.server	要	sambaでLAN内のWindowsからアクセスする。決して外からは入れないようにしている。
138	UDP	netbios-dgm	/etc/rc2.d/S99samba.server	要	同上
139	TCP	netbios-ssn	/etc/rc2.d/S99samba.server	要	同上
161	UDP	snmp	/etc/rc3.d/S76snmpdx	不要
443	TCP	https	/etc/rc2.d/S78httpd	要
512	TCP	exec	/etc/inetd.conf	不要
512	UDP	biff	/etc/inetd.conf	不要
513	TCP	login	/etc/inetd.conf	不要
514	TCP	shell	/etc/inetd.conf	不要
514	UDP	syslog	/etc/rc2.d/S74syslog	要	ルーターのsyslogを受信しているので、必要。
515	TCP	printer	/etc/inetd.conf	不要
517	UDP	talk	/etc/inetd.conf	不要
540	TCP	talk	/etc/inetd.conf	不要
587	TCP	submission	/etc/rc2.d/S88sendmail	不要	止めるには、後述のようにsendmailのcf を書き換える必要がある。
898	TCP	webm	/etc/rc2.d/S90wbem	不要
901	swat	TCP	/etc/rc2.d/S99samba.server	要	sambaでLAN内のWindowsからアクセスする。決して外からは入れないようにしている。

inetd.confの設定変更：

赤字

# # Syntax for TLI-based Internet services: # # tli # # IPv6 and inetd.conf # By specifying a value of tcp6 or udp6 for a service, inetd will # pass the given daemon an AF_INET6 socket. The following daemons have # been modified to be able to accept AF_INET6 sockets # # ftp telnet shell login exec tftp finger printer # # and service connection requests coming from either IPv4 or IPv6-based # transports. Such modified services do not normally require separate # configuration lines for tcp or udp. For documentation on how to do this # for other services, see the Solaris System Administration Guide. # # You must verify that a service supports IPv6 before specifying as # tcp6 or udp6. Also, all inetd built-in commands (time, echo, discard, # daytime, chargen) require the specification of as tcp6 or udp6 # # The remote shell server (shell) and the remote execution server # (exec) must have an entry for both the "tcp" and "tcp6" values. # # Finger, systat and netstat give out user information which may be # valuable to potential "system crackers." Many sites choose to disable # some or all of these services to improve security. # #systat stream tcp nowait root /usr/bin/ps ps -ef #netstat stream tcp nowait root /usr/bin/netstat netstat -f inet # # Time service is used for clock synchronization. # #time stream tcp6 nowait root internal #time dgram udp6 wait root internal # # Echo, discard, daytime, and chargen are used primarily for testing. # #echo stream tcp6 nowait root internal #echo dgram udp6 wait root internal #discard stream tcp6 nowait root internal #discard dgram udp6 wait root internal #daytime stream tcp6 nowait root internal #daytime dgram udp6 wait root internal #chargen stream tcp6 nowait root internal #chargen dgram udp6 wait root internal # # # RPC services syntax: # /

rpc/ \ # # # can be either "tli" or "stream" or "dgram". # For "stream" and "dgram" assume that the endpoint is a socket descriptor. # can be either a nettype or a netid or a "*". The value is # first treated as a nettype. If it is not a valid nettype then it is # treated as a netid. The "*" is a short-hand way of saying all the # transports supported by this system, ie. it equates to the "visible" # nettype. The syntax for is: # *||{[,]} # For example: # dummy/1 tli rpc/circuit_v,udp wait root /tmp/test_svc test_svc # # Solstice system and network administration class agent server #100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind # # rpc.cmsd is a data base daemon which manages calendar data backed # by files in /var/spool/calendar # # # Sun ToolTalk Database Server # #100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd # # Sun KCMS Profile Server # #100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server # # Sun Font Server # #fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs # # CacheFS Daemon # #100235/1 tli rpc/ticotsord wait root /usr/lib/fs/cachefs/cachefsd cachefsd #dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd #100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd # METAD - SLVM metadb Daemon #100229/1 tli rpc/tcp wait root /usr/sbin/rpc.metad rpc.metad # METAMHD - SLVM HA Daemon #100230/1 tli rpc/tcp wait root /usr/sbin/rpc.metamhd rpc.metamhd # METAMEDD - SLVM Mediator Daemon #100242/1 tli rpc/tcp wait root /usr/sbin/rpc.metamedd rpc.metamedd # LPD - Print Protocol Adaptor (BSD listener) #printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd # RSHD - rsh daemon (BSD protocols) #shell stream tcp nowait root /usr/sbin/in.rshd in.rshd #shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd # RLOGIND - rlogin daemon (BSD protocols) #login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind # REXECD - rexec daemon (BSD protocols) #exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd #exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd # COMSATD - comsat daemon (BSD protocols) #comsat dgram udp wait root /usr/sbin/in.comsat in.comsat # TALKD - talk daemon (BSD protocols) #talk dgram udp wait root /usr/sbin/in.talkd in.talkd # FINGERD - finger daemon #finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd # RSTATD - rstat daemon #rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd # RUSERSD - rusers daemon (gives out user information) #rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd # RWALLD - rwall daemon (allows others to post messages to users) #walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld # SPRAYD - spray daemon (used for testing) #sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd # GSSD - GSS Daemon #100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd # TFTPD - tftp server (primarily used for booting) #tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot # TNAMED - tname server (it is an obsolete IEN-116 name server protocol) #name dgram udp wait root /usr/sbin/in.tnamed in.tnamed # TELNETD - telnet server daemon #telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd #telnet stream tcp6 nowait root /usr/local/sbin/tcpd in.telnetd # smserverd to support removable media devices #100155/1 tli rpc/ticotsord wait root /usr/lib/smedia/rpc.smserverd rpc.smserverd # FTPD - FTP server daemon #ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd -a ftp stream tcp nowait root /usr/local/sbin/tcpd /usr/local/sbin/proftpd # REXD - rexd server provides only minimal authentication #rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd # KTKT_WARND - Kerberos V5 Warning Messages Daemon #100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd # RQUOTAD - rquotad server supports UFS disk quotas for NFS clients #rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad # OCFSERV - OCF (Smart card) Daemon #100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv # UUCPD - uucp daemon (must run as root to read /etc/shadow) #uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd # Kerberos V5 DB Propagation Daemon #krb5_prop stream tcp nowait root /usr/lib/krb5/kpropd kpropd # #POP3D pop3 stream tcp nowait root /usr/sbin/in.pop3d in.pop3d -s # # SSH ssh stream tcp nowait root /usr/local/sbin/tcpd /usr/local/sbin/sshd -i # # samba SWAT swat stream tcp nowait.400 root /usr/local/sbin/tcpd /usr/local/samba/bin/swat

# pkill -HUP inetd

不要なデーモンの停止と起動禁止処置：

# cd /etc/rc2.d/

# ./S47pppd stop # ./S71ldap.client stop # ./S71rpc stop # ./S72slpd stop # ./S73nfs.client stop # ./S74autofs stop # ./S76nscd stop # ./S80lp stop # ./S80spc stop # ./S85power stop # ./S90wbem stop # ./S94Wnn6 stop # ./S95IIim stop # ./S99atsv stop # ./S99audit stop

# mv ./S47pppd ./_S47pppd # mv ./S71ldap.client ./_S71ldap.client # mv ./S71rpc ./_S71rpc # mv ./S72slpd ./_S72slpd # mv ./S73nfs.client ./_S73nfs.client # mv ./S74autofs ./_S74autofs # mv ./S76nscd ./_S76nscd # mv ./S80kdmconfig ./_S80kdmconfig # mv ./S80lp ./_S80lp # mv ./S80spc ./_S80spc # mv ./S85power ./_S85power # mv ./S90wbem ./_S90wbem # mv ./S94Wnn6 ./_S94Wnn6 # mv ./S95IIim ./_S95IIim # mv ./S99atsv ./_S99atsv # mv ./S99audit ./_S99audit

sendmail.cfの書き換え:

# cd /opt/src/sendmail-1.12.11/sendmail-8.12.11/cf/cf

# vi sendmail.mc

FEATURE(`no_default_msa')dnl

# ./Build sendmail.cf

# cp ./sendmail.cf /etc/mail/sendmail.cf

# /etc/rc2.d/S88sendmail restart

確　　認:

Port番号	プロトコル	名前	起動指定場所	判断
21	TCP	ftp	/etc/inetd.conf	要
22	TCP	ssh	/etc/inetd.conf	要
25	TCP	sendmail	/etc/rc2.d/S88sendmail	要
53	TCP/UDP	domain	/etc/rc2.d/S72inetsvc	要
80	TCP	http	/etc/rc2.d/S78httpd	要
110	TCP	pop3	/etc/inetd.conf	要
123	UDP	ntp	/etc/rc2.d/S74xntpd	要
137	UDP	netbios-ns	/etc/rc2.d/S99samba.server	要
138	UDP	netbios-dgm	/etc/rc2.d/S99samba.server	要
139	TCP	netbios-ssn	/etc/rc2.d/S99samba.server	要
443	TCP	https	/etc/rc2.d/S78httpd	要
514	UDP	syslog	/etc/rc2.d/S74syslog	要
901	TCP	swat	/etc/rc2.d/S99samba.server	要