The PCP script works on Solaris 10/9/8 and can be downloaded from here. Simply save the pcp.txt file to your Solaris Server as a Shell scripts (say pcp.sh) and change permissions to execute.

# chmod 755 pcp.sh

PIDs for TCP Port

Run PCP with “-p” option to show the PIDs of processes having a TCP port (say Port 22)

For instance, to find PIDs opening TCP port 22.

TCP Ports open by PIDs

Run PCP with “-P” option to show the TCP ports open by specific PID

For instance, here I try to find the TCP ports open by PID 18805

All PIDs for all open TCP Ports

Use the “-a” option to list all TCP ports open with all the PIDs

The default time that ARP entries are cached in a Sun Solaris system is 5 mins.

However, this can be reduced to lower level (say 3mins). This means that the number of ARP requests and ARP replies to and from the server will increase as a result. So, before modifying the caching time, check if this can cause andy congestion on your network.

To set the ARP cache time period

solaris# ndd -set /dev/arp arp_cleanup_interval 180000

The above command sets the interval to 3 minutes (1min is equal to 60000ms). Now, all the ARP entries are flushed at a faster rate (every 3mins)

For this change to persist across reboots, add this command onto the init scripts in /etc/rc2.d directory for your network interface (where all the required ndd commands are run).

Solaris Operating Environment by default is configured to both accept and send  the ICMP Redirect messages. According to RFCs, only a router or a gateway device should send an ICMP Redirect message and any other hosts should only be able to receive the ICMP Redirects. If the Solaris server is not acting as a Router or a Gateway then sending ICMP Redirect message should be disabled. The same applies to accepting ICMP Redirect messages if the solaris server is not required to receive ICMP Redirect messages (say a single Router/Gateway network/subnets scenario) as a malicous hacker could send fake ICMP redirect messages to modify the routing table on the host and potentialy cause a Denial of Service attack.

Show and Disable ICMP Redirect message accept option

To see if accepting ICMP Redirects are enabled in Solaris,

In IPv4

root@solaris# ndd -get /dev/ip ip_ignore_redirect
0

In IPv6 then

root@solaris# ndd -get /dev/ip ip6_ignore_redirect
0

The “0″ indicates that the host is configured to accept ICMP Redirect messages and “1″ indicates it is being disabled

To disable the ICMP Redirect accept option,

In IPv4

root@solaris# ndd -set /dev/ip ip_ignore_redirect 1

In IPv6

root@solaris# ndd -set /dev/ip ip6_ignore_redirect 1

Show and Disable ICMP Redirect message send option

To see if sending ICMP Redirects are enabled in Solaris,

If you are using IPv4

root@solaris# ndd -get /dev/ip ip_send_redirects
1

If you are using IPv6 then

root@solaris# ndd -get /dev/ip ip6_send_redirects
1

The “1″ indicates that the host is configured to send ICMP Redirect messages and “0″ indicates it is being disabled

To disable the option,

In IPv4

root@solaris# ndd -set /dev/ip ip_send_redirects 0

In IPv6

root@solaris# ndd -set /dev/ip ip6_send_redirects 0

The above ndd -set commands dynamically update the ICMP Redirect send/receive options on the host. However, to ensure that the settings are applied at the boot time (say the next time when the server reboots) then edit the startup script /etc/rc2.d/S69inet and modify values accordingly.

Alternatively, you can download the nddconfig script and install on your server. This script can be used to adjust most of the ndd parameters for security purpose.

The script can be downloaded here (need an Sunsolve account)

http://www.sun.com/blueprints/tools/

To install the nddconfig script

Untar the downloaded nddconfig.tar file

root@solaris# tar -xvf nddconfig.tar

Copy the nddconfig file to /etc/init.d/ directory

root@solaris# cp nddconfig /etc/init.d/nddconfig

Change the file permissions to 744

root@solaris# chmod 744 /etc/init.d/nddconfig

Change the file ownership to root(user) and sys (grooup)

root@solaris# chown root:sys /etc/init.d/nddconfig

Create a hard link as follows:

root@solaris# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

This should help.

IP packet forwarding is the process of routing packets between network interfaces on one system. A packet arriving on one network interface and addressed to a host on a different network is forwarded to the appropriate interface. While this is a job for the network router, Servers with multiple interfaces connected to different network can perform this action as well. This behaviour as a router is a default in Sun Solaris Operating Systems.

If your Sun Solaris server has multiple interfaces and is not intended to route packets between the networks it is connected to, then it is advisable to disable this option. This can be a potential target for a malicious hacker as this can potentially allow the hacker access to the network at the other side.

To disable this packet forwarding in Solaris, simply create the file

/etc/notrouter

and reboot the server. However, if reboot is not an option at this time, then usee the NDD command to disble the option:

To display the current status

# ndd /dev/ip ip_forwarding
1

0 is Disabled
1 is Enabled

To disable,

# ndd -set /dev/ip ip_forwarding 0

For IPv6

# ndd -set /dev/ip6 ip6_forwarding 0

This should disable. To confirm change,

# ndd /dev/ip ip_forwarding
0

# ndd /dev/ip6 ip6_forwarding
0

In Solaris 8 and later, IP forwarding can be enabled or disabled on a per interface basis. For example, if there are 3 hme NIC cards namely hme0,hme1,hme2 then assume, we allow IP Forwarding only from hme0 and disable on hme1 and hme2 then the following will help:

# ndd -set /dev/ip hme0:ip_forwarding 1
# ndd -set /dev/ip hme1:ip_forwarding 0
# ndd -set /dev/ip hme2:ip_forwarding 0

This should help

Network File System (NFS) security in Sun Solaris can be enhanced by restricting the source ports for the client connections for NFS to be only privileged ports. The privileged port range is from 512 to 1023. Enabling this security feature for NFS in solaris, checks if the source ports from the clients from privilege ports. This prevents malicious users from gaining access to files exported/shared by the NFS server by preventing custom RPC based scripts or applications being used on unprivileged ports.

In Sun Solaris 10 this is enabled by default. In Solaris 9 and earlier, this can be enabled by simply editing the /etc/system file and adding an entry for nfs_portmon.

Edit the /etc/system file

sunsolaris# vi /etc/system

Add the following line

set nfssrv:nfs_portmon = 1

If you by any chance run Solaris 2.5 or earlier then

set nfs:nfs_portmon = 1

This change requires a reboot of the server for it to take effect.

Reboot the server

sunsolaris# init 6

When the server reboots, the changes take effect.

In Solaris 8 and later, run the following to confirm the change:

sunsolaris# adb -k

nfs_portmon /D

If this returns “1″ indicates nfs_portmon is enabled else if it returns “0″ indicates nfs_portmon is not enabled.