To add a Static Route in Sun Solaris operating system, you can use the route command. This will dynamically update the Kernel IP Routing table. However, when a server is restarted, these routes will be lost. To prevent this from happening, add a startup script S76static-routes with all the route commands for the static route that needs to persist. This will ensure that the route gets added at boot time.

To use the route command,

Syntax:

# route add [net|host] <Addr> netmask <Mask> [GatewayAddr|-interface ] <metric>

Example:

Add a network

# route add net 10.10.10.0 netmask 255.255.255.0 192.168.1.1 1

same as

# route add 10.10.10.0/24 192.168.1.1 1

Add a host

# route add host 1.1.1.1 netmask 255.255.255.0 192.168.1.1 1

same as

# route add 1.1.1.1/24 192.168.1.1 1

To route the traffic through an interface instead of an IP Gateway

# route add 1.1.1.1/24 -interface hme0

To check that the roots are added to Kernel IP Routing table,

# netstat -rn

Routing Table: IPv4
Destination           Gateway           Flags  Ref   Use   Interface
——————– ——————– —– —– —— ———
192.168.1.0          192.168.1.1        U         1    273  hme0
224.0.0.0            192.168.1.1         U         1      0   hme0
default              192.168.1.1          UG        1    196

Static Routes at boot time

To make the routes available at boot time so the next time when the server reboots, the routes are still available. Add a startup script named as

/etc/rc2.d/S76static-routes

and add the required route commands as above.

Change the permissions for the file so that the file is executable by root.

# chmod 744 /etc/rc2.d/S76static-routes

This should help.

IP packet forwarding is the process of routing packets between network interfaces on one system. A packet arriving on one network interface and addressed to a host on a different network is forwarded to the appropriate interface. While this is a job for the network router, Servers with multiple interfaces connected to different network can perform this action as well. This behaviour as a router is a default in Sun Solaris Operating Systems.

If your Sun Solaris server has multiple interfaces and is not intended to route packets between the networks it is connected to, then it is advisable to disable this option. This can be a potential target for a malicious hacker as this can potentially allow the hacker access to the network at the other side.

To disable this packet forwarding in Solaris, simply create the file

/etc/notrouter

and reboot the server. However, if reboot is not an option at this time, then usee the NDD command to disble the option:

To display the current status

# ndd /dev/ip ip_forwarding
1

0 is Disabled
1 is Enabled

To disable,

# ndd -set /dev/ip ip_forwarding 0

For IPv6

# ndd -set /dev/ip6 ip6_forwarding 0

This should disable. To confirm change,

# ndd /dev/ip ip_forwarding
0

# ndd /dev/ip6 ip6_forwarding
0

In Solaris 8 and later, IP forwarding can be enabled or disabled on a per interface basis. For example, if there are 3 hme NIC cards namely hme0,hme1,hme2 then assume, we allow IP Forwarding only from hme0 and disable on hme1 and hme2 then the following will help:

# ndd -set /dev/ip hme0:ip_forwarding 1
# ndd -set /dev/ip hme1:ip_forwarding 0
# ndd -set /dev/ip hme2:ip_forwarding 0

This should help

There is every little chance that one loses or rather forgets the root password of his Sun Solaris servers. In the event, this happens, there is a way out of it. Well the way and infact the only way is to reset the password as there is no way to recover it. Recovering/restting the password involves booting the server in Single User mode and mounting the root file system.

Ofcourse, it is recommeded that the security for the physical access to the server is restricted so as to ensure that there is no unauthorized access and anyone who follows this routine is an authorized personnel.

Boot the server with a Sun Solaris Operating System CD (I’m using a Solaris 10 CD but doesn’t matter really) or a network boot with a JumpStart server from the OBP OK prompt.

OK boot cdrom -s

or

OK boot net -s

This will boot the server from the CD or Jumpstart server and launch a single user mode (No Password).

Mount the root file system (assume /dev/dsk/c0t0d0s0 here) onto /a

solaris# mount /dev/dsk/c0t0d0s0 /a

NOTE: /a is a temporary mount point that is available when you boot from CD or a JumpStart server

Now, with the root file system mounted on /a. All you need to do is to edit the shadow file and remove the encrypted password for root.

solaris# vi /a/etc/shadow

Now, exit the mounted filesystem, unmount the root filesystem and reboot the system to single-user mode booting of the disk.

solaris# cd /

solaris# umount /a

solaris# init s

This should boot of the disk and take you to the single-user mode. Press enter at the prompt to enter a password for root.

This should allow you to login to the system. Once in, set the password and change to multi-user mode.

NOTE: Single-User mode is only to ensure that the root user without password is not exposed to others if started in multi-user mode before being set with a new password.

solaris# passwd root

solaris# reboot

This should do. You should now be able to logon with the new password set for root

Most part of this article is common for most if not all of the UNIX/LINUX flavors except the following which steps to uncomment a few lines from the ssh_config file in Solaris:

 Uncomment the following lines from the /usr/local/etc/ssh_config file:

 RSAAuthentication yes

IdentityFile ~/.ssh/id_rsa

Now, let’s assume ServerA and ServerB both run the ssh daemons.

To allow ServerA to SSH to ServerB without password, please try the following:

# ssh-keygen -t rsa

Note: User here is root

This generates two files id_rsa.pub and id_rsa

Now, this needs to be copied to the authorized_keys file on ServerB

# scp id_rsa.pub ServerB:~/.ssh/authorized_keys

Enter password when prompted.

BEWARE: If the ServerB is already having a trust relationship with more that one hosts already then the above will wipe the contents and write this key alone. In which case, copy the file to the remote server as something like ServerA_rsa.pub and then append the contents to authorized_keys as follows. This will allow the existing authroized_keys from being wiped off.

# scp id_rsa.pub ServerB:~/.ssh/ServerA_rsa.pub
# cat ServerA_rsa.pub >> authorized_keys

Thats it. Test if you are able to do a ssh from ServerA without a password:

# ssh serverB uname -a

This will run the command “uname -a” on ServerB and returns the result on ServerA.

The same procedure has to be followed in the reverse to allow ServerB to talk back to ServerA without any password.

And, if there is anyone other server to be added to the existing list follow the same procedure ensuring the key is appended to the remote servers authorized_keys file and not by overwriting it.

To check if your syslog service is listening for remote logs,

# netstat -aP udp | grep syslog

*.syslog                            Idle

This will show an output for syslog with status “idle”.

Unless a Server is as a Remote Central Logging server, it is recommended to disable Remote logging in Solaris.

Solaris 8 & Solaris 7

In Solaris 8 and Solaris 7 edit the startup scripts to start the syslogd daemon in non-remote logging mode.

This can be done as follows:

Edit the /etc/init.d/syslog file using a editor like vi:

# vi /etc/init.d/syslog

Replace the line,

/usr/sbin/syslogd >/dev/msglog 2>&1 &

with

/usr/sbin/syslogd -t >/dev/msglog 2>&1 &

NOTE: -t disables the Remote logging in syslogd

Save the file and restart the Sylogd daemon.

# /etc/init.d/syslog stop

# /etc/init.d/syslog start

To confirm, remote logging is disabled, try

# netstat -aP udp | grep syslog

This should not show a line for syslog with status as “idle”.
Solaris 9
On Solaris 9, although the above procedure can work, this can be achieved by simply editing the /etc/default/syslogd using an editor like vi

# vi /etc/default/syslogd

Change the line from

#LOG_FROM_REMOTE=YES

to

LOG_FROM_REMOTE=NO

Save the file and restart the Syslogd daemon

# /etc/init.d/syslog stop

# /etc/init.d/syslog start

Now,

#netstat -aP|grep syslog

should not show an entry for syslog with status “idle”
Solaris 10

In Solaris 10,

Repeat the above procedure to edit the /etc/default/syslogd and restart syslogd as follows:

# svcadm -v restart svc:/system/system-log

Action restart set for svc:/system/system-log:default

This should help.