22 Appendix D: Sample scripts/utilities 

NT Scripts

I apologise, but none of these scripts are ready for release yet.

Script to clean up NT
Script to send SMTP email from NT (not yet tested)
Script to monitor an NT server for changes

UNIX Scripts

Here are a few scripts that I found useful in UNIX admin:

A sample /etc/syslog.conf (tested on SunOS 4.1.3, 5.2-5.7) that is very useful for centralising logs on a loghost and splitting the different log types into separate files.

rotate_log is a perl script from Steven C. Simmons that I modified slightly. It is a great tool for compressing, archiving and trimming the logs generated by syslog (for example). I run it from cron to trim all text-based logs.

A script that checks whether a list of processes is running. If not, it sends a message to syslog (or, if syslog is not running, sends mail). syslogd is monitored even if it is not listed. The list is given on the command line, but there are also defaults. Runs on Solaris 1 & 2.

killproc is a perl script that will kill a process given its name (or a regular expression). Useful for killing from scripts or rdist, and for killing runaway forks (with hundreds of processes). Won't kill textedits or rdist sessions. Runs on IRIX, SunOS, Solaris.

A perl script from Rahul Dhesi that is very useful for trimming wtmp[x] files, keeping a specified number of records. I recommend you run it at the end of December each year. Tested on SunOS/Solaris.

A perl script that can be used to monitor for unexpected Satan or Sybase (or any other) socket connections. It just sits waiting on the socket and emails the contents of attempted connections to the system administrator. A part of any intrusion detection system.

A bourne shell script that uses showmount -a to see who is mounting which NFS exported filesystems, compares the result with the list from the last time the script ran, and notifies root. For use on NFS servers. To initialise, run showmount -a >/var/tmp/.mount_ref, then call the script regularly from cron.

A script that is useful for enforcing which "trusted host" files are allowed. It also requires a configuration file. It will:
1. report & wipe ALL hosts.equiv and .exrc files
2. report & wipe .rhosts files, except those accepted by the wanted() function
3. also move all files whose names start with ".." to STRANGE.$FILENAME
4. check the number of network interfaces (fewer than 2, except for datacenter servers) and check that the interface is not in promiscuous mode.
Tested on: Perl 4 + SunOS 4.1.3, 5.2, 5.3, 5.4, Perl 5 + SunOS 5.4, 5.5
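The file-checking and interface-checking parts of the trusted-host script, written out as an added shell example (this is not the author's script, which is not included on this page). It assumes POSIX sh with find and awk; the variable WANTED_RHOSTS (space-separated paths) stands in for the configuration file and wanted() function, and the interface check reads "ifconfig -a" output on stdin so it can be run against captured output.

```shell
# Added example (not the original script): enforce the trusted-host file
# policy under a directory tree and check ifconfig output for extra or
# promiscuous interfaces. Assumes POSIX sh with find and awk.
# WANTED_RHOSTS (space-separated paths) stands in for the config file.
WANTED_RHOSTS="${WANTED_RHOSTS:-}"
# wanted FILE: true if this .rhosts file is on the allowlist
wanted() {
    for w in $WANTED_RHOSTS; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}
# clean_trust_files ROOT: report and wipe every hosts.equiv and .exrc,
# wipe .rhosts files not accepted by wanted(), and rename files whose
# name starts with ".." to STRANGE.<name>. Output is the report.
clean_trust_files() {
    find "$1" \( -name hosts.equiv -o -name .exrc -o -name .rhosts \) -type f -print |
    while read -r f; do
        case "$f" in
            */.rhosts) if wanted "$f"; then echo "keep   $f"; continue; fi ;;
        esac
        echo "wipe   $f"
        rm -f "$f"
    done
    # -prune stops find descending into a ".." directory we are about to move
    find "$1" -name '..?*' -prune -print |
    while read -r f; do
        dir=`dirname "$f"`; base=`basename "$f"`
        echo "rename $f -> $dir/STRANGE.$base"
        mv "$f" "$dir/STRANGE.$base"
    done
}
# check_interfaces MAX: read "ifconfig -a" output on stdin, count the
# non-loopback interfaces and flag any with PROMISC set. Exits 1 when
# more than MAX interfaces are configured or promiscuous mode is seen.
check_interfaces() {
    awk -v max="${1:-1}" '
        /^[a-z]+[0-9]+:/ && $1 !~ /^lo/ {
            n++
            if ($0 ~ /PROMISC/) { bad++; print "PROMISC: " $1 }
        }
        END {
            print n + 0 " interface(s)"
            if (n > max || bad > 0) exit 1
            exit 0
        }'
}
```

Run clean_trust_files over / (or the home directory tree) from cron and mail its output to root; feed it "ifconfig -a | check_interfaces 1" on single-homed hosts.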

SunOS 4.x: Cleaning up file permissions

Make sure you understand this script before executing it! This script was tested on SunOS 4.1.3.

chmod 644 /etc/utmp /etc/sm /etc/sm.bak /etc/state /etc/mtab /etc/motd /etc/
chmod 644 /etc/aliases
chmod 0755 /usr/kvm/crash
chmod 0700 /bin/chsh /usr/etc/etherfind /usr/etc/devinfo
chmod u-s /usr/etc/restore
chmod 0644 /vmunix
chmod 000 /usr/ucb/rdist
chown root.wheel /vmunix
chmod o-r /var/spool/cron/crontabs/*

(TBD: /dev/kmem) 

Solaris 2.4: cleaning up file permissions

Make sure you understand this script before executing it! This script was tested on Solaris 2.4.

chmod 644 /var/adm/utmp /etc/motd /etc/ /etc/mail/aliases
chmod 0700 /usr/sbin/snoop /usr/sbin/devinfo
chmod 0755 /usr/kvm/crash
chmod o-r /var/spool/cron/crontabs/*
chown root /etc/mail/aliases
chmod 000 /bin/rdist
chmod o-rx /etc/security
chmod o-rx /etc/dt
chmod o-w /usr/adm/spellhist
chmod og-rwx /usr/adm/vold.log /usr/adm/log/asppp.log /.rhosts
chmod 1777 /tmp /var/tmp
touch /var/adm/loginlog; chmod 600 /var/adm/loginlog; chown root.sys /var/adm/loginlog 


Hardening is the process of securely installing/configuring hosts to be resistant to attack. Hardening issues are discussed in the section Firewall Configuration issues.

CERT now also provides several useful firewall/hardening/intrusion detection papers online:

Concrete commands for hardening selected operating systems are listed below.

SunOS 4.x: installing a Firewall host

Well, there's no script here, but this is what needs to be done:

1. In /etc/rc.local, switch off sendmail, rpc, automounter, NFS client & server, YP
2. In /etc/rc, switch off lpd
3. In /etc/inetd.conf, disable: rexd, tftp, exec, uucp, finger, systat, netstat, rusersd, echo, discard, daytime, chargen, telnet, rlogin and rsh.
4. Install ssh for login access. Access is restricted (/etc/sshd_config) to named hosts with known public keys (RSA authentication). Rhosts authentication is disabled. 

Solaris 2.7: installing a Firewall host

This section has been replaced by a newer article on Hardening Solaris for SecurityPortal.

Solaris 2.4/5: installing a Firewall host

The following switches off all unnecessary (& historically holey) services on a Firewall host. Tested on 2.4/2.5. Mostly OK for 2.6 too.

Note that although sendmail is not running as a daemon, the binary is still present and email can be sent from (but not received by) the host. The only host that needs to receive email, the mail gateway, should use smap or an equivalent to minimise sendmail risks.

  1. When installing the OS, install the minimum packages needed (pkginfo will list installed packages). For example, avoid compilers and X11/OpenLook/ToolTalk if no GUIs are needed.
  2. When partitioning the disk, consider a separate, large /var for syslog/news/HTTP proxy servers. Also note that /usr can be mounted read-only (if it is in a separate partition). If possible, all partitions should be mounted either read-only or nosuid (so SUID programs cannot assume other identities).
  3. Install the recommended & security patches from Sun. Get the PatchDiag tool from SunSolve and run it to see what patches are needed, then download & install the missing ones. Check the status of your patches with PatchDiag once per month.
  4. Run the script for cleaning up Solaris 2 in the previous section.
  5. Switch off unnecessary services (sendmail, automounter, NFS client, lp and rpc).
      mv /etc/rc2.d/S88sendmail /etc/rc2.d/.S88sendmail
      mv /etc/rc2.d/S74autofs /etc/rc2.d/.S74autofs
      mv /etc/rc2.d/S73nfs.client /etc/rc2.d/.S73nfs.client
      mv /etc/rc2.d/K60nfs.server /etc/rc2.d/.K60nfs.server
      mv /etc/rc3.d/S15nfs.server /etc/rc3.d/.S15nfs.server
      mv /etc/dfs/dfstab /etc/dfs/.dfstab
      mv /etc/rc2.d/S80lp /etc/rc2.d/.S80lp
      mv /etc/rc2.d/S71rpc /etc/rc2.d/.S71rpc
      mv /etc/rc2.d/ /etc/rc2.d/
      mv /etc/rc2.d/S71sysid.sys /etc/rc2.d/.S71sysid.sys
      mv /etc/rc2.d/S72autoinstall /etc/rc2.d/.S72autoinstall
      mv /etc/rc2.d/S93cacheos.finish /etc/rc2.d/.S93cacheos.finish
      mv /etc/rc2.d/S80PRESERVE /etc/rc2.d/.S80PRESERVE
      mv /etc/rc2.d/S47asppp /etc/rc2.d/.S47asppp
      mv /etc/rc2.d/S92volmgt /etc/rc2.d/.S92volmgt                 [assuming you have no CD]
      mv /etc/rc2.d/S89bdconfig /etc/rc2.d/.S89bdconfig             [assuming you have no serial devices]
                   Even more secure is to delete the above files altogether...
  6. Turn off multicasting in /etc/init.d/inetsvc, by commenting out the line containing:
              route add
     Add "-t" to the inetd startup line to enable connection logging:
              /usr/sbin/inetd -s -t
  7. Consider enabling crash dumps for post mortem analysis (may help debugging after a crash, but will increase reboot time). Uncomment the lines as follows in /etc/init.d/sysetup:
      ## Enable savecore (default is disabled)
      if [ ! -d /var/crash/`uname -n` ]
         then mkdir -p /var/crash/`uname -n`
      fi
      echo 'checking for crash dump...\c '
      savecore /var/crash/`uname -n`
      echo ' '
  8. Configure /etc/hosts with a list of critical machines (which you don't want resolved via DNS).
  9. Use default routes (add the IP address of the router to /etc/defaultrouter, or create a startup file in /etc/rc2.d/S99static_routes using the "route" command).
  10. Install SSH for login access. Configure (/etc/sshd_config - sample here) the ssh daemon so that access is restricted to named hosts with known public keys (/etc/scp /etc/ssh_known_hosts) and rhosts authentication is disabled. Use .shosts rather than .rhosts.
  11. Configure environment files: .cshrc,.login,.profile, Cshrc, Login, /etc/mail/aliases, /etc/syslog.conf, /etc/resolv.conf /etc/default/su etc..
  12. inetd.conf: disable: rexd, tftp, exec, uucp, finger, systat, netstat, rusersd, echo, discard, daytime, chargen, telnet, rlogin and rsh (use SSH for remote login).
     Even better, disable everything and use only SSH for login access. If you really want to use inetd services, then run them through the FWTK netacl or tcp wrappers.
  13. Crons
       1) Remove unnecessary crons:  rm /var/spool/cron/crontabs/{lp,sys,adm}
          Don't delete the adm cron if you want sar performance collection or accounting.
       2) Since sendmail is disabled above, it would be a good idea to set up a root cron
          job to check for undelivered mail, e.g.  0 * * * * /usr/lib/sendmail -q
  14. Reboot. Now ps -ef should show a small process list and netstat -a should show a minimum of network connections.
  15. DNS servers: install the latest public BIND version. Ditto for mail gateways & sendmail, but add SMAP.
  16. Disable ip forwarding and source routing, if there is more than one interface, by adding the following to the end of /etc/init.d/inetinit:
    ndd -set /dev/ip ip_forward_directed_broadcasts 0
    ndd -set /dev/ip ip_forward_src_routed 0
    ndd -set /dev/ip ip_forwarding 0
  17. Filesystems: in /etc/vfstab, mount root with "remount,nosuid", /var with "nosuid" and /usr with "ro" options.
    Optional [but difficult]: Mount all other filesystems either "ro" or "nosuid". This reduces the risk of trojan horses and unauthorised modifications. Test it first though, you may have some problems.
  18. Logging: use the syslog.conf presented already. Designate one machine as the loghost and give it a whopping great disk (4GB) for logs. Use a log rotation script to prune & compress logs.
  19. Log "su" attempts to the console and /var/adm/sulog: edit /etc/default/su.
  20. Set a strong password for root. Remove any user accounts unless absolutely necessary. Ensure all accounts are either blocked, removed or have a strong password.
  21. Document configuration changes in /etc/mods, update after each change.
  22. Test in detail: what works, what can be done, what is forbidden. Is it as expected?

=> At this stage install tripwire, initialise its database and run regular checks to monitor for changes (see sample script). If possible keep the tripwire master database on another machine or write-once media. Even better, copy tripwire & its database and run it automatically at regular intervals using SSH. This makes it difficult for an attacker to know that tripwire is being used to check the system.
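An added audit script (not part of the original page) that checks a Solaris 2.x host against steps 5, 12 and 16 above: it reports risky inetd.conf services still enabled, start scripts not yet renamed with a leading dot, and missing ndd settings. It assumes POSIX sh and awk; the file locations default to the Solaris paths but each function takes an optional path argument so it can be run on copies.

```shell
# Added example (not part of the original page): audit a Solaris 2.x host
# against steps 5, 12 and 16 above. Assumes POSIX sh and awk; file
# locations default to the Solaris paths but can be overridden for testing.

# Services step 12 says to remove from inetd.conf. rlogin and rsh appear
# in inetd.conf under the service names "login" and "shell".
RISKY_INETD="rexd tftp exec uucp finger systat netstat rusersd echo discard daytime chargen telnet login shell"

# audit_inetd FILE: print each risky service still enabled in inetd.conf.
# Lines starting with '#' are disabled; RPC services carry a "/version"
# suffix on the name (e.g. rexd/1), which is stripped before comparing.
audit_inetd() {
    awk -v list="$RISKY_INETD" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { split($1, f, "/"); if (f[1] in risky) print "ENABLED: " f[1] }
    ' "${1:-/etc/inetd.conf}"
}

# Start scripts step 5 disables by renaming them with a leading dot
# (paths relative to /etc).
RC_SCRIPTS="rc2.d/S88sendmail rc2.d/S74autofs rc2.d/S73nfs.client rc2.d/K60nfs.server
rc3.d/S15nfs.server rc2.d/S80lp rc2.d/S71rpc rc2.d/S47asppp rc2.d/S92volmgt"

# audit_rc ETCDIR: print each listed script that is still in place.
audit_rc() {
    etc="${1:-/etc}"
    for s in $RC_SCRIPTS; do
        [ -e "$etc/$s" ] && echo "ACTIVE: $etc/$s"
    done
    return 0
}

# audit_inetinit FILE: report which of the ndd lines from step 16 are
# absent from /etc/init.d/inetinit; prints each missing setting.
audit_inetinit() {
    for key in ip_forward_directed_broadcasts ip_forward_src_routed ip_forwarding; do
        grep -q "ndd -set /dev/ip $key 0" "${1:-/etc/init.d/inetinit}" || echo "MISSING: $key"
    done
    return 0
}
```

Empty output from all three functions means the host matches the checklist; run them from cron and mail anything they print to root.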

SUSE Linux: installing a firewall host (a few quick notes)

SUSE Linux 6 is easily hardened. For instance, to shut down all network services except SSH, change the following defaults in /etc/rc.config and reboot.


Web Server Best Practices

A very useful high-level summary from the CIAC bulletin J-O42 of how to secure an Internet web server, be it UNIX or NT. The bulletin is available from CIAC, or as a locally formatted version.

Setting up anonymous ftp on Solaris 2.x

Here is a short description of setting up anonymous ftp on Sun Solaris 2.x. Note that the instructions in the in.ftpd man pages prior to Solaris 2.5 are incorrect. The following steps are necessary:

# This is a short script to set up anonymous ftp on a Sun Solaris 2.x, run as root.
# ftphome defines the home directory for anonymous ftp (change as needed);
# it must match the home directory of the "ftp" account in /etc/passwd.
ftphome=/home/ftp        # placeholder value: set to your ftp home directory
# prefix is the directory holding the real device nodes copied below
# (assumed to be /dev; ls -lL follows the Solaris /dev symlinks)
prefix=/dev
# Create needed directories
# core directories
mkdir ${ftphome} ${ftphome}/usr ${ftphome}/usr/lib
mkdir ${ftphome}/bin ${ftphome}/etc ${ftphome}/dev
# user directories
mkdir ${ftphome}/pub ${ftphome}/pub/download ${ftphome}/pub/upload
# Setting up the directories
cp /usr/bin/ls ${ftphome}/bin
# usr/lib
cp /usr/lib/* ${ftphome}/usr/lib
cp /usr/lib/ /usr/lib/ ${ftphome}/usr/lib
cp /usr/lib/ /usr/lib/ ${ftphome}/usr/lib
# etc
cp /etc/netconfig ${ftphome}/etc
# copy passwd and group with the password field replaced by "*", so that
# ls can map uids/gids to names without exposing the password hashes
sed -e 's/:[^:]*:/:*:/' /etc/passwd > ${ftphome}/etc/passwd
sed -e 's/:[^:]*:/:*:/' /etc/group > ${ftphome}/etc/group
# The following are needed for 'ls' to resolve NIS names
cp /usr/lib/ ${ftphome}/usr/lib
cp /usr/lib/ ${ftphome}/usr/lib
cp /etc/nsswitch.conf ${ftphome}/etc
# make device nodes. ticotsord and udp are necessary for
# 'ls' to resolve NIS names. ls -l prints "major, minor" in place of
# the size for device nodes; the sed strips the comma so awk can
# pick the two numbers out of fields 5 and 6.
for device in zero tcp udp ticotsord ; do
  line=`ls -lL ${prefix}/${device} | sed -e 's/,//'`
  major=`echo $line | awk '{print $5}'`
  minor=`echo $line | awk '{print $6}'`
  mknod ${ftphome}/dev/${device} c ${major} ${minor}
done
# Set owners and permissions
chown -R root.root ${ftphome}
# should be ??
#chown -R root.ftp ${ftphome}
# bin
chmod 111 ${ftphome}/bin/ls ${ftphome}/bin
chown root ${ftphome}/bin
# usr/lib
chmod 555 ${ftphome}/usr/lib/lib*
# etc
chmod 444 ${ftphome}/etc/*
chmod 111 ${ftphome}/etc
chown root ${ftphome}/etc
# dev
chmod 666 ${ftphome}/dev/*
# pub
chmod 555 ${ftphome}/pub
chmod 755 ${ftphome}/pub/download
chown -R root.ftp ${ftphome}/pub/download
# upload: world-writable with the sticky bit, so users can add files
# but only the owner (or root) can remove or rename them
chmod 1777 ${ftphome}/pub/upload
chown -R ftp.ftp ${ftphome}/pub/upload
echo "done."