--- tags: ccdc, NCCDC2019 --- # Solaris Notes * Before changing passwords edit /etc/security/policy.conf and set CRYPT_DEFAULT=6 (sha512) <br>https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html * Before running scripts be sure you are in bash, run bash to be sure. Change the password algorithm ``` bash # As root vi /etc/security/policy.conf # Change default crypt ``` Locking passwords script ``` bash # As root for u in $(grep '/bin/sh' /etc/passwd | grep -v root | cut -d ':' -f1); do echo $u; passwd -l $u; done; ``` Changing passwords script ``` python import crypt, random, string, os, sys users = open('users.txt').read().split('\n') p = sys.argv[1] for u in users: if u == "": continue s = ''.join([random.choice(string.lowercase + string.digits) for d in range(10)]) print(os.popen("perl -pi -e 's/" + u + ".*/"+ u +":" + crypt.crypt(p, '$6$' + s).replace("/", "\\/").replace("$", "\\$") + ":18335::::::/g' /etc/shadow").read()) ``` Run it with: ``` bash echo -n "Password: "; python script.py $(read -s p; echo -n $p; unset p) ``` MANUALLY CHANGE THE PASSWORDS FOR THE USERS YOU LEFT ``` bash passwd root ``` List IP Addresses ``` bash ifconfig -a ``` Find listening ports ``` bash netstat -an | grep LISTEN # find pid of process listening on a port: PORT=22; for PID in /proc/*; do pfiles ${PID} |grep "port: ${PORT}" && echo ${PID}; ``` * Firewall * config file: /etc/ipf/ipf.conf * flush all rules: ipf -Fa * reload: ipf -f /etc/ipf/ipf.conf Example Firewall Ruleset allow only SSH and PINGS - /etc/ipf/ipf.conf ``` bash # # ipf.conf # # IP Filter rules to be loaded during startup # # See ipf(4) manpage for more information on # IP Filter rules syntax. # block everything not allowed explicitly block in all block out all # Allow Pings pass in quick proto icmp from any to any keep state pass out quick proto icmp from any to any keep state # Allow SSH pass in quick proto tcp from any to any port = 22 keep state pass out quick proto tcp from any to any port = 22 keep state ``` As of Solaris 10, processes are started via service manager. To check if ipf is running, you can: `svcs -a |grep ipf` If it is not running start it: `svcadm enable ipfilter` ## More Password Algorithm Information ### Password Encryption Strong password encryption provides an early barrier against attack. Solaris software provides four password encryption algorithms. The two MD5 algorithms and the Blowfish algorithm provide more robust password encryption than the UNIX algorithm. Password Algorithm Identifiers You specify the algorithms configuration for your site in the /etc/security/policy.conf file. In the policy.conf file, the algorithms are named by their identifier, as shown in the following table. Table 2–1 Password Encryption Algorithms | Identifier | Description | Algorithm Man Page | | --- | --- | --- | | 1 | The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems. | crypt_bsdmd5(5) | | 2a | The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems. | crypt_bsdbf(5) | | md5 | The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5. | crypt_sunmd5(5) | | 5 | The SHA256 algorithm. SHA stands for Secure Hash Algorithm. This algorithm is a member of the SHA-2 family. SHA256 supports 255-character passwords. | crypt_sha256(5) | | 6 | The SHA512 algorithm. | crypt_sha512(5) | | \_\_unix__ | The traditional UNIX encryption algorithm. This algorithm is the default module in the policy.conf file. | crypt_unix(5) | ### Algorithms Configuration in the policy.conf File The following shows the default algorithms configuration in the policy.conf file: ``` conf # # crypt(3c) Algorithms Configuration # # CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to # be used for new passwords. This is enforced only in crypt_gensalt(3c). # CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 # To deprecate use of the traditional unix algorithm, uncomment below # and change CRYPT_DEFAULT= to another algorithm. For example, # CRYPT_DEFAULT=1 for BSD/Linux MD5. # #CRYPT_ALGORITHMS_DEPRECATE=__unix__ # The Solaris default is the traditional UNIX algorithm. This is not # listed in crypt.conf(4) since it is internal to libc. The reserved # name __unix__ is used to refer to it. # CRYPT_DEFAULT=__unix__ ``` When you change the value for CRYPT_DEFAULT, the passwords of new users are encrypted with the algorithm that is associated with the new value. When current users change their passwords, how their old password was encrypted affects which algorithm is used to encrypt the new password. For example, assume that CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 and CRYPT_DEFAULT=1. The following table shows which algorithm would be used to generate the encrypted password. Identifier = Password Algorithm | Explanation | Initial Password | Changed Password | | --- | --- | --- | | 1 = crypt_bsdmd5 | Uses same algorithm | The 1 identifier is also the value of CRYPT_DEFAULT. The user's password continues to be encrypted with the crypt_bsdmd5 algorithm. | | 2a = crypt_bsdbf | Uses same algorithm | The 2a identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_bsbdf algorithm. | | md5 = crypt_md5 | Uses same algorithm | The md5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_md5 algorithm. | | 5 = crypt_sha256 | Uses same algorithm | The 5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_sha256 algorithm. | | 6 = crypt_sha512 | Uses same algorithm | The 6 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_sha512 algorithm. | | __unix__ = crypt_unix | Uses crypt_bsdmd5 algorithm | The __unix__ identifier is not in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the crypt_unix algorithm cannot be used. The new password is encrypted with the CRYPT_DEFAULT algorithm. | ## More firewall Information The native firewall that comes with Solaris is “ipf”. Configuration files are in the directory /etc/ipf and the file is “ipf.conf”, NAT rules in “ipnat.conf”. Unlike iptables, where the configuration file is a series of “iptable” commands, “ipf.conf” is purely a configuration file. Traffiic must be enabled on each interface, so you have “pass in” to allow traffic in on interface A and a “pass out” to allow traffic out on interface B, if it is acting as a firewall, obviously this is not. As of Solaris 10, processes are started via service manager. To check if ipf is running, you can: `svcs -a |grep ipf` If it is not running start it: `svcadm enable ipfilter` online May_05 svc:/network/ipfilter:default “online” status tells you that it is running. Commands to see what is happening. “ipfstat”: show statistics, bytes in, bytes out etc. “ipfstat -i” to display input running rule set “ipfstat -o” to display output running rule set “ipf -f /etc/ipf/ipf.conf” to load rules from config file. “ipmon -s [file]” to have ipf log to “file” To restart using service manager “svcadm restart svc:/network/ipfilter:default” See man page for “ipnat” for options to display NAT options. http://ozlabs.org/~rusty/index.cgi/2006/08/15 Last word: Solaris’s version of tcpdump is “snoop”. So to monitor traffic: “snoop -d e1000g0 not port 22” you can add “-v” etc. http://www.snowfrog.net/2009/05/22/firewalling-on-solaris-10/