Disabling Services on Solaris 10
On a default Solaris 10 installation, logging in for the first time starts a number of
network services, several of which are unnecessary on most systems.
Scan using nmap
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
513/tcp open login
514/tcp open shell
587/tcp open submission
898/tcp open sun-manageconsole
4045/tcp open lockd
6000/tcp open X11
6112/tcp open dtspc
7100/tcp open font-service
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19
MAC Address: 00:03:BA:0F:37:49 (Sun Microsystems)
Device type: general purpose
Running: Sun Solaris 9|10
OS details: Sun Solaris 9 or 10
To close the unneeded ports, we disable the services we will not normally use.
First we check which network services are online with
svcs -a | grep -i 'network' | grep -i 'online'
Note that this only lists FMRIs under svc:/network/; some listeners live elsewhere in the
SMF tree (the X font server on 7100, for example, is under svc:/application/), so compare
the list against what is actually listening with netstat -an -P tcp | grep LISTEN as well.
online         Apr_17   svc:/network/login:default
online         Apr_17   svc:/network/finger:default
online         Apr_17   svc:/network/telnet:default
online         Apr_17   svc:/network/pfil:default
online         Apr_17   svc:/network/tnctl:default
online         Apr_17   svc:/network/loopback:default
online         Apr_17   svc:/network/physical:default
online         Apr_17   svc:/network/ipfilter:default
online         Apr_17   svc:/milestone/network:default
online         Apr_17   svc:/network/initial:default
online         Apr_17   svc:/network/service:default
online         Apr_17   svc:/network/inetd:default
online         Apr_17   svc:/network/smtp:sendmail
online         Apr_17   svc:/network/ssh:default
online         Apr_17   svc:/network/routing-setup:default
online         Apr_17   svc:/network/routing/route:default
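The commands that actually take the services offline are not shown above, so here is an added example (my own script, not code from the original article) that does the disabling the way an administrator would on Solaris 10: build the list of svcadm disable commands from svcs -a output, review it, and only then run it. The FMRIs that also appear in the listing above come from the page; the others (ftp, shell, nfs/nlockmgr, x11/xfs, management/wbem) are the usual Solaris 10 SMF names for the remaining scanned ports and are assumptions to confirm with svcs -a on the target first. The inetd-managed services (telnet, finger, login, shell, ftp) are children of svc:/network/inetd, but each one is disabled individually with svcadm all the same. The sample svcs output embedded in the script is constructed from the listing above.

```shell
#!/bin/sh
# Added example, not code from the original article: turn the unwanted
# listeners from the nmap scan into "svcadm disable" commands, review them,
# and apply them only on request. FMRIs that also appear in the svcs listing
# above are taken from the page; the rest are the usual Solaris 10 names for
# the other scanned ports and are assumptions (confirm with "svcs -a").

# Services that must stay up: remote admin over ssh and the network plumbing.
KEEP='svc:/network/ssh:default
svc:/network/loopback:default
svc:/network/physical:default
svc:/network/initial:default
svc:/network/ipfilter:default'

# Services the scan exposed that a hardened box does not need.
DISABLE='svc:/network/login:default
svc:/network/finger:default
svc:/network/telnet:default
svc:/network/shell:default
svc:/network/ftp:default
svc:/network/smtp:sendmail
svc:/network/nfs/nlockmgr:default
svc:/application/x11/xfs:default
svc:/application/management/wbem:default'

# plan_disables: read "svcs -a" output (STATE STIME FMRI) on stdin and print
# one "svcadm disable FMRI" line for every DISABLE entry that is currently
# online and not protected by KEEP. Pure text processing, so the plan can be
# reviewed (and tested) without touching the system.
plan_disables() {
  awk -v disable="$DISABLE" -v keep="$KEEP" '
    BEGIN {
      n = split(disable, d); for (i = 1; i <= n; i++) want[d[i]] = 1
      n = split(keep, k);    for (i = 1; i <= n; i++) hold[k[i]] = 1
    }
    $1 == "online" && ($3 in want) && !($3 in hold) { print "svcadm disable " $3 }
  '
}

# Constructed sample in the shape of "svcs -a", mirroring the listing above
# plus one already-disabled service that must not produce a command.
SAMPLE_SVCS='STATE          STIME    FMRI
online         Apr_17   svc:/network/login:default
online         Apr_17   svc:/network/finger:default
online         Apr_17   svc:/network/telnet:default
online         Apr_17   svc:/network/loopback:default
online         Apr_17   svc:/network/ssh:default
online         Apr_17   svc:/network/smtp:sendmail
disabled       Apr_17   svc:/network/ftp:default'

# harden: on a Solaris box, print the plan; with APPLY=1 execute it, report
# anything left in maintenance, and show what is still listening so the
# result can be compared with a fresh nmap scan. "svcadm disable" without -t
# persists across reboots.
harden() {
  plan=$(svcs -a | plan_disables)
  printf '%s\n' "$plan"
  if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$plan" | sh -x
    svcs -xv
    netstat -an -P tcp | grep LISTEN
  fi
}

# Only touch the live system when svcadm exists; elsewhere (for example when
# this file is sourced for testing) just show the plan for the sample data.
if command -v svcadm >/dev/null 2>&1; then
  harden
else
  printf '%s\n' "$SAMPLE_SVCS" | plan_disables
fi
```

Run it without arguments to see the plan; APPLY=1 sh harden.sh applies it and lists what is still listening. On Solaris 10 11/06 and later, /usr/sbin/netservices limited does the bulk of this in one step (it leaves ssh as the only service accepting remote connections), after which you re-enable only what you actually need.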
#kerberos 88/tcp kdc # Kerberos V5 KDC
With the services disabled, the ports are closed on Solaris 10. If some services cannot
be disabled or closed, their ports can be filtered with ipfilter instead.
The configuration file is /etc/ipf/ipf.conf; there we add the rules so that ipfilter
starts filtering the open ports.
bash-3.00# more /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
pass in quick on dmfe0 proto icmp from 192.168.60.60 to any icmp-type echorep
pass out quick on dmfe0 proto icmp from any to 192.168.60.60 icmp-type echorep
#block in quick on dmfe0 proto icmp from any to any
block out quick on dmfe0 proto icmp from any to any
pass in quick proto tcp from 192.168.60.60 to any port = 22
block in quick proto tcp from any to any port = 22
block in quick proto tcp from any to any port = 161
block in quick proto udp from any to any port = 161
block in quick proto udp from any to any port = 177
block in quick proto udp from any to any port = 520
block in quick proto tcp from any to any port = 6788
block in quick proto tcp from any to any port = 6789
block in quick proto tcp from any to any port = 32770
block in quick proto tcp from any to any port = 32771
block in quick proto tcp from any to any port = 32772
block in quick proto tcp from any to any port = 32775
block in quick proto tcp from any to any port = 32776
block in quick proto tcp from any to any port = 32777
block in quick proto tcp from any to any port = 32778
block in quick proto tcp from any to any port = 32779
To load the rules, run the command /lib/svc/method/ipfilter reload
Check that they were loaded correctly with this other command
bash-3.00# ipfstat -iol
pass out quick on dmfe0 proto icmp from any to 192.168.60.60/32 icmp-type echorep
block out quick on dmfe0 proto icmp from any to any
pass in quick on dmfe0 proto icmp from 192.168.60.60/32 to any icmp-type echorep
pass in quick proto tcp from 192.168.60.60/32 to any port = ssh
block in quick proto tcp from any to any port = ssh
block in quick proto tcp from any to any port = 161
block in quick proto udp from any to any port = 161
block in quick proto udp from any to any port = 177
block in quick proto udp from any to any port = 520
block in quick proto tcp from any to any port = 6788
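The ipf.conf above blocks a list of known ports and lets everything else through, so a service that comes back online later (or one the scan did not catch) is reachable again. The following added example (mine, not the article's configuration) generates the default-deny equivalent for the same admin host 192.168.60.60 and interface dmfe0 shown on the page, counts and syntax-checks the rules with ipf -n before anything is loaded, and then installs them with the same reload method used above. The function names, the APPLY, ADMIN_IP and IFACE variables and the temporary file path are my own choices, not part of the original.

```shell
#!/bin/sh
# Added example, not from the original article: a default-deny ipf.conf for
# the setup above (admin host 192.168.60.60, interface dmfe0, both from the
# page), produced by a function so the ruleset can be reviewed, checked and
# loaded in one place. ADMIN_IP/IFACE/APPLY and the temp path are assumptions.

# gen_ipf_conf ADMIN_IP IFACE: print an IP Filter ruleset that drops every
# inbound packet except ssh and ping from the admin host. Because the last
# inbound rule is "block ... all", a service that is later enabled by mistake
# stays unreachable, which the port-by-port block list above cannot guarantee.
gen_ipf_conf() {
  admin=$1
  nic=$2
  cat <<EOF
# generated default-deny ruleset for $nic, admin host $admin
# loopback traffic is never filtered
pass in quick on lo0 all
pass out quick on lo0 all
# drop and log packets carrying IP options
block in log quick on $nic all with ipopts
# let the host itself talk out; keep state so the replies are let back in
pass out quick on $nic proto tcp from any to any flags S keep state
pass out quick on $nic proto udp from any to any keep state
pass out quick on $nic proto icmp from any to any keep state
# only the admin host may reach sshd or ping the box
pass in quick on $nic proto tcp from $admin to any port = 22 flags S keep state
pass in quick on $nic proto icmp from $admin to any icmp-type echo keep state
# everything else inbound is dropped and logged
block in log quick on $nic all
EOF
}

# check_ipf_conf FILE: print the number of pass/block rules in FILE and, when
# ipf(1M) is present, parse the file in no-change mode (-n) so a syntax error
# is caught before a half-loaded ruleset locks anyone out.
check_ipf_conf() {
  file=$1
  rules=$(grep -c -E '^(pass|block) ' "$file")
  if command -v ipf >/dev/null 2>&1; then
    ipf -n -f "$file" >/dev/null || return 1
  fi
  echo "$rules"
}

# install_ipf_conf ADMIN_IP IFACE: write the ruleset, check it, keep a copy of
# the previous ipf.conf, reload the way the page does and list active rules.
install_ipf_conf() {
  tmp=$(mktemp /tmp/ipf.conf.XXXXXX) || return 1
  gen_ipf_conf "$1" "$2" >"$tmp"
  check_ipf_conf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
  cp /etc/ipf/ipf.conf /etc/ipf/ipf.conf.orig 2>/dev/null
  cp "$tmp" /etc/ipf/ipf.conf && rm -f "$tmp"
  /lib/svc/method/ipfilter reload
  ipfstat -io
}

# Default run only prints the ruleset for review; APPLY=1 installs it.
if [ "${APPLY:-0}" = 1 ]; then
  install_ipf_conf "${ADMIN_IP:-192.168.60.60}" "${IFACE:-dmfe0}"
else
  gen_ipf_conf "${ADMIN_IP:-192.168.60.60}" "${IFACE:-dmfe0}"
fi
```

Run it from the admin host or the console: once loaded, ssh from anywhere else is dropped, so a mistake in ADMIN_IP locks you out until you fix the file locally. On releases where svc:/network/pfil is online (as in the svcs listing above) IP Filter only sees the interfaces listed in /etc/ipf/pfil.ap, so make sure dmfe is entered there as well before expecting the rules to take effect; ipfstat -io, as used above, confirms what the kernel actually holds.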