The PCP script works on Solaris 10/9/8 and can be downloaded from here. Simply save the pcp.txt file to your Solaris Server as a Shell scripts (say pcp.sh) and change permissions to execute.

# chmod 755 pcp.sh

PIDs for TCP Port

Run PCP with “-p” option to show the PIDs of processes having a TCP port (say Port 22)

For instance, to find PIDs opening TCP port 22.

TCP Ports open by PIDs

Run PCP with “-P” option to show the TCP ports open by specific PID

For instance, here I try to find the TCP ports open by PID 18805

All PIDs for all open TCP Ports

Use the “-a” option to list all TCP ports open with all the PIDs

The DHCP Agent by default requests for the

Subnet Mask

Default Router

Hostname

DNS Domain

Broadcast Address

Encapsulated Vendor Option (vendor specific information as described in RFC 2132)

The DHCP Agent config file is

/etc/default/dhcpagent

In the file look for the line

PARAM_REQUEST_LIST=1,3,6,12,15,28,43

This is the line that defines what is being requested for from the DHCP Server. Here, each number stands for one of the above mentioned parameters where

1 = subnet mask

3 = Default Router

6 = DNS Server

12 = hostname

15 = DNS Domain Name

28 = broadcast address

43 = Encapsulated Vendor options

If you decide to not request for any of the above parameters then all you need to do is to remove the corresponding number from the PARAM_REQUEST_LIST. Let’s say you do not want to request for the hostname then simply remove the number “3″ and the “,” that follows so it looks as follows

PARAM_REQUEST_LIST=1,6,12,15,28,43

Once done,save the file. The next time the system restarts the hostname is not requested for from the DHCP Server.

# hostname
unknown

or the /etc/hosts file has an entry as follows:

# cat /etc/hosts
#
# Internet host table
#
127.0.0.1 localhost
192.168.0.3 unknown # Added by DHCP

This happens when the DHCP server doesn’t provide a hostname for your server. Most of the DHCP Servers or routers acting as a DHCP Server doesn’t provide a hostname and Solaris DHCP agent relies on the DHCP server for its hostname.

To fix this problem, edit the dhcpagent config and set it not to request a Hostname from the DHCP server and then add a hostname to the /etc/hosts & /etc/nodename file.

Edit DHCPAGENT config

[For Solaris 10, this is not required as setting the hostname in /etc/nodename overrides the hostname provided by the DHCP Server. Move onto the next step]

Edit the dhcpagent config file /etc/default/dhcpagent with your favorite editor

# vi /etc/default/dhcpagent

and look for

PARAM_REQUEST_LIST=1,3,6,12,15,28,43

and remove the Parameter “12″ from the above to look as follows:

PARAM_REQUEST_LIST=1,3,6,15,28,43

and save the file.

Now, add the hostname to the /etc/nodename & /etc/hosts as follows

# vi /etc/nodename

and add the hostname you want it to have (solarisserver for me)

# cat /etc/nodename
solarisserver

and edit the /etc/hosts file

# vi /etc/hosts

and add the line similar to the following

192.168.0.3 solarisserver loghost

Now,reboot the server and you should be all fine with hostname set for the system.

# init 6

To add a Static Route in Sun Solaris operating system, you can use the route command. This will dynamically update the Kernel IP Routing table. However, when a server is restarted, these routes will be lost. To prevent this from happening, add a startup script S76static-routes with all the route commands for the static route that needs to persist. This will ensure that the route gets added at boot time.

To use the route command,

Syntax:

# route add [net|host] <Addr> netmask <Mask> [GatewayAddr|-interface ] <metric>

Example:

Add a network

# route add net 10.10.10.0 netmask 255.255.255.0 192.168.1.1 1

same as

# route add 10.10.10.0/24 192.168.1.1 1

Add a host

# route add host 1.1.1.1 netmask 255.255.255.0 192.168.1.1 1

same as

# route add 1.1.1.1/24 192.168.1.1 1

To route the traffic through an interface instead of an IP Gateway

# route add 1.1.1.1/24 -interface hme0

To check that the roots are added to Kernel IP Routing table,

# netstat -rn

Routing Table: IPv4
Destination           Gateway           Flags  Ref   Use   Interface
——————– ——————– —– —– —— ———
192.168.1.0          192.168.1.1        U         1    273  hme0
224.0.0.0            192.168.1.1         U         1      0   hme0
default              192.168.1.1          UG        1    196

Static Routes at boot time

To make the routes available at boot time so the next time when the server reboots, the routes are still available. Add a startup script named as

/etc/rc2.d/S76static-routes

and add the required route commands as above.

Change the permissions for the file so that the file is executable by root.

# chmod 744 /etc/rc2.d/S76static-routes

This should help.

IP packet forwarding is the process of routing packets between network interfaces on one system. A packet arriving on one network interface and addressed to a host on a different network is forwarded to the appropriate interface. While this is a job for the network router, Servers with multiple interfaces connected to different network can perform this action as well. This behaviour as a router is a default in Sun Solaris Operating Systems.

If your Sun Solaris server has multiple interfaces and is not intended to route packets between the networks it is connected to, then it is advisable to disable this option. This can be a potential target for a malicious hacker as this can potentially allow the hacker access to the network at the other side.

To disable this packet forwarding in Solaris, simply create the file

/etc/notrouter

and reboot the server. However, if reboot is not an option at this time, then usee the NDD command to disble the option:

To display the current status

# ndd /dev/ip ip_forwarding
1

0 is Disabled
1 is Enabled

To disable,

# ndd -set /dev/ip ip_forwarding 0

For IPv6

# ndd -set /dev/ip6 ip6_forwarding 0

This should disable. To confirm change,

# ndd /dev/ip ip_forwarding
0

# ndd /dev/ip6 ip6_forwarding
0

In Solaris 8 and later, IP forwarding can be enabled or disabled on a per interface basis. For example, if there are 3 hme NIC cards namely hme0,hme1,hme2 then assume, we allow IP Forwarding only from hme0 and disable on hme1 and hme2 then the following will help:

# ndd -set /dev/ip hme0:ip_forwarding 1
# ndd -set /dev/ip hme1:ip_forwarding 0
# ndd -set /dev/ip hme2:ip_forwarding 0

This should help

There is every little chance that one loses or rather forgets the root password of his Sun Solaris servers. In the event, this happens, there is a way out of it. Well the way and infact the only way is to reset the password as there is no way to recover it. Recovering/restting the password involves booting the server in Single User mode and mounting the root file system.

Ofcourse, it is recommeded that the security for the physical access to the server is restricted so as to ensure that there is no unauthorized access and anyone who follows this routine is an authorized personnel.

Boot the server with a Sun Solaris Operating System CD (I’m using a Solaris 10 CD but doesn’t matter really) or a network boot with a JumpStart server from the OBP OK prompt.

OK boot cdrom -s

or

OK boot net -s

This will boot the server from the CD or Jumpstart server and launch a single user mode (No Password).

Mount the root file system (assume /dev/dsk/c0t0d0s0 here) onto /a

solaris# mount /dev/dsk/c0t0d0s0 /a

NOTE: /a is a temporary mount point that is available when you boot from CD or a JumpStart server

Now, with the root file system mounted on /a. All you need to do is to edit the shadow file and remove the encrypted password for root.

solaris# vi /a/etc/shadow

Now, exit the mounted filesystem, unmount the root filesystem and reboot the system to single-user mode booting of the disk.

solaris# cd /

solaris# umount /a

solaris# init s

This should boot of the disk and take you to the single-user mode. Press enter at the prompt to enter a password for root.

This should allow you to login to the system. Once in, set the password and change to multi-user mode.

NOTE: Single-User mode is only to ensure that the root user without password is not exposed to others if started in multi-user mode before being set with a new password.

solaris# passwd root

solaris# reboot

This should do. You should now be able to logon with the new password set for root

OpenSSH is a free opensource version of the SSH connectivity tools. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks unlike Telnet,rlogin or ftp where the data is not encrypted and transmitted in plain text. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

The easiest way to install OpenSSH in Sun Solaris is to use the pre-compiled packages from sunfreeware.

The following are the packages that are required to be installed for OpenSSH to work properly in Solaris 9:

OpenSSL (Latest stable: openssl-0.9.8f)

ZLib (Latest stable: zlib-1.2.3)

GNU Compiler Collection (gcc Latest stable: libgcc-3.4.6)

TCPWrapper (Optional tcp_wrappers-7.6)

and OpenSSH itself (Latest Stable: openssh-4.7p1)

To start of, download the packages from the following sunfreeware.com links Solaris 9 x86:

gcc

ftp://ftp.sunfreeware.com/pub/freeware/intel/9/libgcc-3.4.6-sol9-x86-local.gz

Zlib

ftp://ftp.sunfreeware.com/pub/freeware/intel/9/zlib-1.2.3-sol9-x86-local.gz

OpenSSL

ftp://ftp.sunfreeware.com/pub/freeware/intel/9/openssl-0.9.8f-sol9-x86-local.gz

OpenSSH

ftp://ftp.sunfreeware.com/pub/freeware/intel/9/openssh-4.7p1-sol9-x86-local.gz

Once done, upload the files onto the server so we can start to unzip the files and install.

Unzip and install gcc

solaris9# gunzip libgcc-3.4.6-sol9-x86-local.gz

solaris9# pkgadd -d libgcc-3.4.6-sol9-x86-local

…
…
Installation of <SMCgcc> was successful.

Unzip and install zlib

solaris9# gunzip  zlib-1.2.3-sol9-x86-local.gz

solaris9# pkgadd -d zlib-1.2.3-sol9-x86-local

…
…
Installation of <SMCzlib> was successful.

Unzip and install OpenSSL

solaris9# gunzip openssl-0.9.8f-sol9-x86-local.gz

solaris9# pkgadd -d openssl-0.9.8f-sol9-x86-local
…
…
Installation of <SMCossl> was successful.

Unzip and install OpenSSH

solaris9# gunzip openssh-4.7p1-sol9-x86-local.gz

solaris9# pkgadd -d openssh-4.7p1-sol9-x86-local
…
…
Installation of <SMCossl> was successful.

The packages are now installed.

Create /var/empty directory

solaris9# mkdir /var/empty

Change directory ownership to Root user and sys group

solaris9# chown root:sys /var/empty

Change permissions

solaris9# chmod 755 /var/empty

Add sshd user & group

solaris9# groupadd ssh

solaris9# # useradd -g sshd -c ‘sshd privsep’ -d /var/empty -s /bin/false sshd

Edit the default /usr/local/sshd_config file and make the following changes:

Replace the line

Subsystem sftp /usr/libexec/sftp-server

with

Subsystem sftp /usr/local/libexec/sftp-server

Generate Keys for the server

solaris9# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N “”
solaris9# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N “”
solaris9# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N “”

sshd at Solaris startup

Add a startup script /etc/init.d/sshd as follows to enable the OpenSSH server daemon “sshd” at the startup

case “$1″ in
‘start’)
        if [ -x /usr/local/sbin/sshd ]; then
                echo “Starting the secure shell daemon”
                /usr/local/sbin/sshd &
        fi
        ;;

‘stop’)
        echo “Stopping the secure shell daemon ”
        pkill -TERM sshd
        ;;
*)
        echo “Usage: /etc/init.d/sshd { start | stop }”
        ;;
esac
exit 0

Change the ownership & permissions on the startup script

solaris9# chown root:sys /etc/init.d/sshd
solaris9# chmod 555 /etc/init.d/sshd

Create a Symlink to the startup script at /etc/rc2/d/S98sshd

# ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd

That is it. All done and ready to go. Try connecting to the server using a ssh client like PUTTY.

Most part of this article is common for most if not all of the UNIX/LINUX flavors except the following which steps to uncomment a few lines from the ssh_config file in Solaris:

 Uncomment the following lines from the /usr/local/etc/ssh_config file:

 RSAAuthentication yes

IdentityFile ~/.ssh/id_rsa

Now, let’s assume ServerA and ServerB both run the ssh daemons.

To allow ServerA to SSH to ServerB without password, please try the following:

# ssh-keygen -t rsa

Note: User here is root

This generates two files id_rsa.pub and id_rsa

Now, this needs to be copied to the authorized_keys file on ServerB

# scp id_rsa.pub ServerB:~/.ssh/authorized_keys

Enter password when prompted.

BEWARE: If the ServerB is already having a trust relationship with more that one hosts already then the above will wipe the contents and write this key alone. In which case, copy the file to the remote server as something like ServerA_rsa.pub and then append the contents to authorized_keys as follows. This will allow the existing authroized_keys from being wiped off.

# scp id_rsa.pub ServerB:~/.ssh/ServerA_rsa.pub
# cat ServerA_rsa.pub >> authorized_keys

Thats it. Test if you are able to do a ssh from ServerA without a password:

# ssh serverB uname -a

This will run the command “uname -a” on ServerB and returns the result on ServerA.

The same procedure has to be followed in the reverse to allow ServerB to talk back to ServerA without any password.

And, if there is anyone other server to be added to the existing list follow the same procedure ensuring the key is appended to the remote servers authorized_keys file and not by overwriting it.

To check if your syslog service is listening for remote logs,

# netstat -aP udp | grep syslog

*.syslog                            Idle

This will show an output for syslog with status “idle”.

Unless a Server is as a Remote Central Logging server, it is recommended to disable Remote logging in Solaris.

Solaris 8 & Solaris 7

In Solaris 8 and Solaris 7 edit the startup scripts to start the syslogd daemon in non-remote logging mode.

This can be done as follows:

Edit the /etc/init.d/syslog file using a editor like vi:

# vi /etc/init.d/syslog

Replace the line,

/usr/sbin/syslogd >/dev/msglog 2>&1 &

with

/usr/sbin/syslogd -t >/dev/msglog 2>&1 &

NOTE: -t disables the Remote logging in syslogd

Save the file and restart the Sylogd daemon.

# /etc/init.d/syslog stop

# /etc/init.d/syslog start

To confirm, remote logging is disabled, try

# netstat -aP udp | grep syslog

This should not show a line for syslog with status as “idle”.
Solaris 9
On Solaris 9, although the above procedure can work, this can be achieved by simply editing the /etc/default/syslogd using an editor like vi

# vi /etc/default/syslogd

Change the line from

#LOG_FROM_REMOTE=YES

to

LOG_FROM_REMOTE=NO

Save the file and restart the Syslogd daemon

# /etc/init.d/syslog stop

# /etc/init.d/syslog start

Now,

#netstat -aP|grep syslog

should not show an entry for syslog with status “idle”
Solaris 10

In Solaris 10,

Repeat the above procedure to edit the /etc/default/syslogd and restart syslogd as follows:

# svcadm -v restart svc:/system/system-log

Action restart set for svc:/system/system-log:default

This should help.