originally posted at https://ftp.uga.edu/pub/unix/sun/docs/sunos4.post-install

This document describes what you need to do in order to get a Sun SunOS 4.x system ready for use on the UGA campus network. Some of the steps apply to any SunOS 4 installation, while others are specific to UGA.

The document is available by anonymous ftp at ftp://ftp.uga.edu/pub/unix/sun/docs/sunos4.post-install

If you have any questions about this document, or if you need any help implementing these steps, please contact the Workstation Support Group (542-3106, wsg@uga.cc.uga.edu). Also, please let us know if you have any suggestions regarding the contents of this document.

-- Steps to Take Before You Connect Your SunOS Sun to the Campus Network --

1. Before installing SunOS

To connect to the UGA campus network, your department must have been assigned an address space (a range of IP numbers you may use), and your computer must have been assigned a particular IP address by your department's domain network liaison. If you have a question about this, please send electronic mail to the Network Information Center (nic@uga.cc.uga.edu) or call the UCNS Helpdesk at 542-3106. You need to do this *before* the initial SunOS installation, as the install process asks for a name, IP address and domain.

You will probably want to have the name and IP address of your machine added to the campus nameserver. To do this, your departmental Domain Network Liaison must send the appropriate information via electronic mail to the Network Information Center (nic@uga.cc.uga.edu). If you do not have electronic mail access, you can contact the domain nameserver maintainer by calling the UCNS Helpdesk at 542-3106.

If you haven't registered the new SunOS system with the campus nameserver yet, it will not be able to download the files mentioned later in this document. In that case, use some other system to download the files, and then transfer them from that other system to the new one.
If this isn't an option for you, then be sure to register the new name/address before proceeding with the rest of this document.

2. Telling your system how to use the network

a. Edit /etc/rc.local to check that the following parameters are set for ifconfig (note that you may have to modify existing ifconfig statements, or you may have to add these lines entirely):

    ifconfig xx0 inet 128.192.z.y netmask 0xffff0000
    ifconfig xx0 broadcast 128.192.255.255 -trailers

where "xx" is the name of your Ethernet interface and "z.y" are the last two parts of the system's IP address. To determine the name of your Ethernet interface, type the command "netstat -i".

The first ifconfig command sets the netmask for your machine. The second sets the broadcast address. Be SURE that the netmask is set BEFORE the broadcast address, as shown above. If this is not the case, the broadcast address will be reset by the netmask statement. After these commands are executed, you can check to make sure that the netmask and broadcast address are set correctly by issuing the command "ifconfig xx0" without any other parameters.

Create the file /etc/resolv.conf containing the following lines:

    domain department.uga.edu
    nameserver 128.192.1.9
    nameserver 128.192.1.193

where "department" is the subdomain that your department has been assigned (e.g. "ucns").

b. Create a file /etc/defaultdomain, if it doesn't already exist. It should read "department.uga.edu" where "department" is your department as defined above. For example:

    ucns.uga.edu

c. To configure your host so it knows how to reach off-campus machines, create a file called /etc/defaultrouter and add the following line to it:

    128.192.1.1

This tells your machine to send any addresses it doesn't know about to the campus gateway and let it take care of sending them to the proper places. This entry will take effect the next time you reboot. If you do not want to reboot now, also type the command:

    route add default 128.192.1.1 1

d. So that such programs as telnet, ftp, ping, etc. will use the domain nameserver for resolution of names, you will want to replace the Sun shared library with a version containing the "get_host_by_name" calls which use the DNS system instead of the static host table. Extreme care must be taken, since installing a bad shared library will leave you with a system on which almost all commands are broken. Shared libraries are available on ftp.uga.edu (128.192.252.5) in the /pub/unix/sun/packages/resolv+ directory. Since this fix is necessary before you can ftp by hostname, you will have to use the dotted decimal IP address. Obtain the file resolv+.README.UGA for complete instructions on how to install the new shared libraries.

Also, get the file nslookup.sunos4.tar.gz from /ftp/pub/unix/sun/packages, and install the included binaries on your system. Otherwise, you won't be able to use the UGA nameservers.

4. Install the latest sendmail

Get the latest Eric Allman sendmail from ftp.uga.edu in the /pub/unix/src/sendmail.uga directory. Read the README file in that directory for instructions. You will need to get the appropriate sendmail binary out of the binaries subdirectory as well as the appropriate sendmail.cf out of the config-files subdirectory.

After completion of the configuration, you must restart mail with the following commands:

    ps -ef | grep sendmail | grep -v grep

The process number for sendmail is the first number in the results from the above command.

    kill nnnn

where nnnn is the number obtained above.

    /usr/lib/sendmail -bd -q1h

Now your sendmail is restarted, and should be operational. To check it, send mail to yourself and check the From line. It should read "userid@host.department.uga.edu". If it doesn't, please contact the Workstation Support Group.

5. Install the XNTP client

In order to keep your processor clock synchronized with the standard campus time, you will need to install XNTP (Network Time Protocol).
Not only is this convenient, it is very important for general security and is very necessary if you NFS mount filesystems on more than one computer. Get "xntp.solaris.README" and the latest version of xntp from the /pub/unix/sun/packages directory on ftp.uga.edu. (This directory will be moving to /pub/unix/sun/packages.)

6. Edit the rc.local file and look for the chmod 666 for /etc/motd. Change it to chmod 644 so only the root user can change it.

7. Check /etc/syslog.conf for the following lines:

    #auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)
    mail.debug ifdef(`LOGHOST', /var/log/syslog, @loghost)

Comment out the mail.debug line by placing a # character in the first position so that it looks like the following:

    #mail.debug ifdef(`LOGHOST', /var/log/syslog, @loghost)

8. XNTP, which step 5 asks you to install, can be obtained in two forms. The full source package is available via ftp.uga.edu as /pub/packages/xntp3*.tar.Z. However, the file /pub/unix/sun/xntp3.3zc-sun.tar.gz contains the binaries and instructions for Sun3, Sun4, and Solaris 2 machines, and is all you really need to install xntp on your Sun machines.

12. Security:

a. There are a fairly large number of security patches that need to be installed on Sun systems. In order to connect your machine to the campus network, YOU MUST INSTALL THEM. Look in the directory /pub/unix/sun/patches on ftp.uga.edu for several files called Solaris1.1.*.PatchReport (note that Solaris1.1 is the same as SunOS 4.1.3, Solaris1.1.1 is SunOS 4.1.3_U1, and Solaris1.1.2 is SunOS 4.1.4). Read the PatchReport for your system and INSTALL THE PATCHES THAT ARE INDICATED. These patches are located in the same directory. Contact the Workstation Support Group if you need any assistance installing the patches.

b. Install password shadowing. Password shadowing is a system by which the actual encrypted passwords, normally located in /etc/passwd, are moved to another file that is only readable by root. To install password shadowing, run the program "mkshadow.sunos4" located in /pub/unix/sun on ftp.uga.edu.

c. Remove the + from /etc/passwd and /etc/group. Its existence can permit people to log in to your system without a password if their username matches one on your system. The + will be required in these files if the machines are NIS clients, but remove it unless you know it is necessary.

d. Remove /.rhosts and /etc/hosts.equiv, as these files permit other machines to log in to your machine without requiring a password.

e. Check /etc/passwd for entries with no password; they permit people to log on to your machine with no password.

f. Check the /etc/exports file, as the default is to export almost everything read/write. This permits foreign users to modify your system files without your knowledge. You should export filesystems to specific machines with read-only access unless there has been careful consideration of who can write to your files.

g. Read the security papers available via anonymous ftp from ftp.uga.edu in pub/security. Papers of interest are found in brand-security-primer and sri-security-report*. Also read the article "Unix System Security: How to Help Make it So" in the Fall 1992 "UCNS Computer Review". Hardcopies of all these papers are available from the Workstation Support Group.

h. Use decent passwords and change them regularly for root and other powerful IDs. All users should use GOOD passwords. See the security papers for a description of GOOD passwords.

i. System managers should regularly review /etc/passwd and /etc/group for accounts that should be deleted, people in groups they shouldn't belong in and IDs that are unknown, as well as accounts without passwords.

j. The COPS package provides a means for automating many routine security checking procedures. It is available from ftp.uga.edu in the /pub/security directory.

k. Check /etc/ttytab for the 'secure' attribute on your tty and pseudo ttys. The console should be the only one with the secure attribute. The secure attribute permits root to log in directly from that device. The 'su' command must be used on other devices.

l. Anonymous FTP. If you set up an anonymous FTP server, all directories (with the exception of a single directory for inbound FTP) MUST have access set to Read/Execute to prevent anyone from storing items on your server, or deleting items from your server. This can be done with the following commands:

    cd ~ftp
    find . -type d -exec chmod =rx {} \;

13. Helpful tips and ideas from various sources:

What are the dump parameters for an Exabyte 8200 or 8500?

    8200 -- dump 0budfs 126 54000 /dev/rst0 6000 filesystem
    8500 -- dump 0budfs 126 54000 /dev/rst0 13000 filesystem

Note: Under 4.1.2 and above you should use rst8. Previous versions did not do anything special for the 8500.
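The checks that step 2a (netmask before broadcast) and step 12 (items c, d, e, f and k) ask you to make by hand can be scripted. What follows is an added example written for this edition of the document, not a UGA or Sun tool: a read-only Bourne shell checker that computes the broadcast address a given address and netmask imply, verifies that the netmask line precedes the broadcast line in rc.local, and lists the passwd, exports, ttytab and .rhosts conditions the security items warn about. It runs against a constructed scratch copy of those files (the interface name "le0", the host names, the "guest" account and the placeholder password hash are made up; the addresses are the ones quoted above), so it can be tried on any machine without root; to audit a real system, point the functions at / and /etc instead. The exports test assumes the SunOS 4 option form "/path -ro,access=host1:host2".

```shell
#!/bin/sh
# Added example, not part of the UGA document: a read-only checker for the
# settings that steps 2a and 12 above ask for. It runs on a constructed
# copy of rc.local, passwd, exports, ttytab and .rhosts in a scratch
# directory, so it needs no root and never touches /etc. The addresses are
# the UGA values from the document; "le0", the host names and the guest
# account are made up for the fixture.

# Dotted quad to 32-bit integer, and back.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Step 2a: the broadcast address an address and hex netmask imply, i.e.
# the network part with every host bit set.
broadcast_for() {
    ip=$(ip_to_int "$1")
    mask=$(( $2 ))
    int_to_ip $(( (ip & mask) | (~mask & 0xffffffff) ))
}

# Step 2a: the netmask line must precede the broadcast line for the same
# interface, or the netmask statement resets the broadcast address.
# Prints "ok", "missing" or "netmask after broadcast".
ifconfig_order() {
    nm=$(grep -n "^ifconfig $2 .*netmask" "$1" | head -n 1 | cut -d: -f1)
    bc=$(grep -n "^ifconfig $2 .*broadcast" "$1" | head -n 1 | cut -d: -f1)
    if [ -z "$nm" ] || [ -z "$bc" ]; then
        echo "missing"
    elif [ "$nm" -lt "$bc" ]; then
        echo "ok"
    else
        echo "netmask after broadcast"
    fi
}

# Steps 12c and 12e: accounts with an empty password field, and the
# '+' NIS escape entry.
passwd_problems() {
    awk -F: '$2 == "" || $1 ~ /^\+/ { print $1 }' "$1"
}

# Step 12f: exports that are not both read-only and limited to named hosts
# (SunOS 4 option form assumed: "/path -ro,access=host1:host2").
exports_problems() {
    awk '!/^#/ && NF {
        if ($0 !~ /(-|,)ro(,|$)/ || $0 !~ /access=/) print $1
    }' "$1"
}

# Step 12k: a tty other than the console marked 'secure' lets root log in
# directly from that device.
ttytab_problems() {
    awk '!/^#/ && $1 != "console" && /secure/ { print $1 }' "$1"
}

# Step 12d: trust files that allow password-less logins from other hosts.
trust_files() {
    for f in "$1/.rhosts" "$1/etc/hosts.equiv"; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Constructed fixture with good and bad entries side by side.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf 'ifconfig le0 broadcast 128.192.255.255 -trailers\nifconfig le0 inet 128.192.12.34 netmask 0xffff0000\n' > "$root/etc/rc.local"
    printf 'root:XXpw:0:1:Operator:/:/bin/csh\nguest::100:10:Guest:/home/guest:/bin/sh\n+::0:0:::\n' > "$root/etc/passwd"
    printf '/usr -ro,access=hostA:hostB\n/home -access=hostA\n/export/tmp\n' > "$root/etc/exports"
    printf 'console "/usr/etc/getty std.9600" sun on secure\nttya "/usr/etc/getty std.9600" unknown off secure\nttyp0 none network off\n' > "$root/etc/ttytab"
    : > "$root/.rhosts"
    echo "$root"
}

# Run the checks over the fixture; a real audit points them at / and /etc.
root=$(make_fixture)
echo "broadcast for 128.192.12.34/0xffff0000: $(broadcast_for 128.192.12.34 0xffff0000)"
echo "rc.local order (le0): $(ifconfig_order "$root/etc/rc.local" le0)"
echo "passwd: $(passwd_problems "$root/etc/passwd" | tr '\n' ' ')"
echo "exports: $(exports_problems "$root/etc/exports" | tr '\n' ' ')"
echo "ttytab: $(ttytab_problems "$root/etc/ttytab" | tr '\n' ' ')"
echo "trust files: $(trust_files "$root" | tr '\n' ' ')"
rm -rf "$root"
```

On the fixture the rc.local check reports "netmask after broadcast" because the two lines are deliberately in the wrong order, the passwd check lists "guest" and "+", the exports check lists /home (writable) and /export/tmp (exported to everyone), the ttytab check lists ttya, and the .rhosts file is reported. An empty result from each of the step 12 functions is what a cleanly configured machine should produce.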