The default time that ARP entries are cached in a Sun Solaris system is 5 mins.

However, this can be reduced to lower level (say 3mins). This means that the number of ARP requests and ARP replies to and from the server will increase as a result. So, before modifying the caching time, check if this can cause andy congestion on your network.

To set the ARP cache time period

solaris# ndd -set /dev/arp arp_cleanup_interval 180000

The above command sets the interval to 3 minutes (1min is equal to 60000ms). Now, all the ARP entries are flushed at a faster rate (every 3mins)

For this change to persist across reboots, add this command onto the init scripts in /etc/rc2.d directory for your network interface (where all the required ndd commands are run).

Solaris Operating Environment by default is configured to both accept and send  the ICMP Redirect messages. According to RFCs, only a router or a gateway device should send an ICMP Redirect message and any other hosts should only be able to receive the ICMP Redirects. If the Solaris server is not acting as a Router or a Gateway then sending ICMP Redirect message should be disabled. The same applies to accepting ICMP Redirect messages if the solaris server is not required to receive ICMP Redirect messages (say a single Router/Gateway network/subnets scenario) as a malicous hacker could send fake ICMP redirect messages to modify the routing table on the host and potentialy cause a Denial of Service attack.

Show and Disable ICMP Redirect message accept option

To see if accepting ICMP Redirects are enabled in Solaris,

In IPv4

root@solaris# ndd -get /dev/ip ip_ignore_redirect
0

In IPv6 then

root@solaris# ndd -get /dev/ip ip6_ignore_redirect
0

The “0″ indicates that the host is configured to accept ICMP Redirect messages and “1″ indicates it is being disabled

To disable the ICMP Redirect accept option,

In IPv4

root@solaris# ndd -set /dev/ip ip_ignore_redirect 1

In IPv6

root@solaris# ndd -set /dev/ip ip6_ignore_redirect 1

Show and Disable ICMP Redirect message send option

To see if sending ICMP Redirects are enabled in Solaris,

If you are using IPv4

root@solaris# ndd -get /dev/ip ip_send_redirects
1

If you are using IPv6 then

root@solaris# ndd -get /dev/ip ip6_send_redirects
1

The “1″ indicates that the host is configured to send ICMP Redirect messages and “0″ indicates it is being disabled

To disable the option,

In IPv4

root@solaris# ndd -set /dev/ip ip_send_redirects 0

In IPv6

root@solaris# ndd -set /dev/ip ip6_send_redirects 0

The above ndd -set commands dynamically update the ICMP Redirect send/receive options on the host. However, to ensure that the settings are applied at the boot time (say the next time when the server reboots) then edit the startup script /etc/rc2.d/S69inet and modify values accordingly.

Alternatively, you can download the nddconfig script and install on your server. This script can be used to adjust most of the ndd parameters for security purpose.

The script can be downloaded here (need an Sunsolve account)

http://www.sun.com/blueprints/tools/

To install the nddconfig script

Untar the downloaded nddconfig.tar file

root@solaris# tar -xvf nddconfig.tar

Copy the nddconfig file to /etc/init.d/ directory

root@solaris# cp nddconfig /etc/init.d/nddconfig

Change the file permissions to 744

root@solaris# chmod 744 /etc/init.d/nddconfig

Change the file ownership to root(user) and sys (grooup)

root@solaris# chown root:sys /etc/init.d/nddconfig

Create a hard link as follows:

root@solaris# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

This should help.

IP packet forwarding is the process of routing packets between network interfaces on one system. A packet arriving on one network interface and addressed to a host on a different network is forwarded to the appropriate interface. While this is a job for the network router, Servers with multiple interfaces connected to different network can perform this action as well. This behaviour as a router is a default in Sun Solaris Operating Systems.

If your Sun Solaris server has multiple interfaces and is not intended to route packets between the networks it is connected to, then it is advisable to disable this option. This can be a potential target for a malicious hacker as this can potentially allow the hacker access to the network at the other side.

To disable this packet forwarding in Solaris, simply create the file

/etc/notrouter

and reboot the server. However, if reboot is not an option at this time, then usee the NDD command to disble the option:

To display the current status

# ndd /dev/ip ip_forwarding
1

0 is Disabled
1 is Enabled

To disable,

# ndd -set /dev/ip ip_forwarding 0

For IPv6

# ndd -set /dev/ip6 ip6_forwarding 0

This should disable. To confirm change,

# ndd /dev/ip ip_forwarding
0

# ndd /dev/ip6 ip6_forwarding
0

In Solaris 8 and later, IP forwarding can be enabled or disabled on a per interface basis. For example, if there are 3 hme NIC cards namely hme0,hme1,hme2 then assume, we allow IP Forwarding only from hme0 and disable on hme1 and hme2 then the following will help:

# ndd -set /dev/ip hme0:ip_forwarding 1
# ndd -set /dev/ip hme1:ip_forwarding 0
# ndd -set /dev/ip hme2:ip_forwarding 0

This should help

Network File System (NFS) security in Sun Solaris can be enhanced by restricting the source ports for the client connections for NFS to be only privileged ports. The privileged port range is from 512 to 1023. Enabling this security feature for NFS in solaris, checks if the source ports from the clients from privilege ports. This prevents malicious users from gaining access to files exported/shared by the NFS server by preventing custom RPC based scripts or applications being used on unprivileged ports.

In Sun Solaris 10 this is enabled by default. In Solaris 9 and earlier, this can be enabled by simply editing the /etc/system file and adding an entry for nfs_portmon.

Edit the /etc/system file

sunsolaris# vi /etc/system

Add the following line

set nfssrv:nfs_portmon = 1

If you by any chance run Solaris 2.5 or earlier then

set nfs:nfs_portmon = 1

This change requires a reboot of the server for it to take effect.

Reboot the server

sunsolaris# init 6

When the server reboots, the changes take effect.

In Solaris 8 and later, run the following to confirm the change:

sunsolaris# adb -k

nfs_portmon /D

If this returns “1″ indicates nfs_portmon is enabled else if it returns “0″ indicates nfs_portmon is not enabled.

To check if your syslog service is listening for remote logs,

# netstat -aP udp | grep syslog

*.syslog                            Idle

This will show an output for syslog with status “idle”.

Unless a Server is as a Remote Central Logging server, it is recommended to disable Remote logging in Solaris.

Solaris 8 & Solaris 7

In Solaris 8 and Solaris 7 edit the startup scripts to start the syslogd daemon in non-remote logging mode.

This can be done as follows:

Edit the /etc/init.d/syslog file using a editor like vi:

# vi /etc/init.d/syslog

Replace the line,

/usr/sbin/syslogd >/dev/msglog 2>&1 &

with

/usr/sbin/syslogd -t >/dev/msglog 2>&1 &

NOTE: -t disables the Remote logging in syslogd

Save the file and restart the Sylogd daemon.

# /etc/init.d/syslog stop

# /etc/init.d/syslog start

To confirm, remote logging is disabled, try

# netstat -aP udp | grep syslog

This should not show a line for syslog with status as “idle”.
Solaris 9
On Solaris 9, although the above procedure can work, this can be achieved by simply editing the /etc/default/syslogd using an editor like vi

# vi /etc/default/syslogd

Change the line from

#LOG_FROM_REMOTE=YES

to

LOG_FROM_REMOTE=NO

Save the file and restart the Syslogd daemon

# /etc/init.d/syslog stop

# /etc/init.d/syslog start

Now,

#netstat -aP|grep syslog

should not show an entry for syslog with status “idle”
Solaris 10

In Solaris 10,

Repeat the above procedure to edit the /etc/default/syslogd and restart syslogd as follows:

# svcadm -v restart svc:/system/system-log

Action restart set for svc:/system/system-log:default

This should help.