Friday, June 9, 2017

Fun with Oracle Solaris 11.3 SunOS 5.11 on 64-bit Intel x86 - SNMP, NTP, FTP, Web, SMB Servers and more with NTFS support

Supratim Sanyal's Blog: Oracle Solaris 11.3 Intel x86 64-bit gnome desktop environment
Oracle Solaris 11.3 gnome desktop

The allure of a hobbyist server running the "official" version of the legendary Solaris operating system has been growing stronger while I have been playing with openindiana open-source community-driven illumos distribution for a couple of years now primarily as a central storage server for devices across our home networks to share files, and secondarily for having fun with a true Solaris derived environment.

Oracle, the current owners of Solaris, seem to be allowing hobbyist installations of authentic Solaris perfectly legally for non-commercial non-production deployment ("evaluation") via free Oracle Technology Network (OTN) memberships. Best of all, Oracle provide downloads of pre-built and configured Oracle Solaris 11.3 VirtualBox VMs based on the Solaris 11.3 live installation media ready to install and configure, including a complete gnome-derived graphical desktop environment.

Supratim Sanyal's Blog: Free Download Oracle Solaris 11.3 Live Media Installation with Desktop EnvironmentVirtualBox VM Virtual Machine (SunOS 5.11)
Download Oracle Solaris 11.3 Live Media Installation with Desktop EnvironmentVirtualBox VM

I finally gave in to temptation and went ahead to download Oracle Solaris 11.3 VM Template for Oracle VM VirtualBox to give  official Solaris 11.3 a spin. The download extracts to a 1.83 GB sol-11_3-vbox.ova file that is readily imported by Oracle VirtualBox and boots neatly to an awesome Solaris 11 desktop.

Supratim Sanyal's Blog: Oracle OTN Solaris 11.3 Certificate and Key for Authenticating Access to Solaris Repositories
Oracle OTN Solaris 11.3 Certificate and Key for Authenticating Access to Solaris Repositories

There is no need to sign up with OTN to download the Solaris 11 VM. However, I did sign up with OTN to access pkg-register.oracle.com to obtain for free a key file "pkg.oracle.com.key.pem"and certificate "pkg.oracle.com.certificate.pem" that enabled access to the repositories "Oracle Developer Studio Tools and Oracle Solaris Studio Release" and "Oracle Solaris Cluster 4".

Supratim Sanyal's Blog: Official Solaris 11.3 OTN Repository Accesses Granted via OTN membership
Official Solaris 11.3 OTN Repository Accesses Granted via OTN membership

Instructions on doing this are clearly documented and accessed by clicking on the "Show Details" button next to repositories that access has been granted to via OTN; basically just save the two .pem files to disk and use these commands as root (or use sudo from a user account) to add the repositories to the Solaris 11 package manager:

# pkg set-publisher -k pkg.oracle.com.key.pem -c pkg.oracle.com.certificate.pem -G "*" -g https://pkg.oracle.com/solarisstudio/release solarisstudio

 # pkg set-publisher -k pkg.oracle.com.key.pem -c pkg.oracle.com.certificate.pem -G "*" -g https://pkg.oracle.com/ha-cluster/release ha-cluster

The package manager will now list additional repositories solarisstudio and ha-cluster. Subequent pkg update commands include these additional repositories.

Supratim Sanyal's Blog: Solaris 11 Additional Package Repositories in Package Manager
Solaris 11 Additional Package Repositories in Package Manager  

However, at the end of the day, I did not install any of the packages made available to me now via the "Oracle Developer Studio Tools and Oracle Solaris Studio Release" and "Oracle Solaris Cluster 4" repositories because a complete suite of GNU C, C++ and FORTRAN development tools is included with the release in the default "solaris" repository and I am far more familiar with gcc than Solaris compilers.

In fact, it appears Oracle has included a great set of "FOSS" (Free and Open Source Software) for evaluation with this Solaris 11.3 release, with a goal of formalizing the FOSS collection into the upcoming release of Solaris 12. Here is more information on selected FOSS evaluation packages for Oracle Solaris.

Basic Solaris 11 Hardening for Increased Security

I always harden my operating systems before deployment, and found some tips on basic hardening of the already-very-secure Solaris 11 operating system at Oracle's Official Guide as well as documented experiences of others. The following are the Solaris hardening steps I performed.

Edit /etc/system and add the following two lines at the bottom of the file:
set noexec_user_stack=1
set noexec_user_stack_log=1

The default installation comes with package signature policy set to "verify", which is good:

root@solaris11-3:~# pkg property signature-policy
PROPERTY         VALUE
signature-policy verify

However, we would like to enforce the stricter signature policy of "require-signatures" for packages from the official repositories, which in our case are:

root@solaris11-3:~# pkg publisher
PUBLISHER                   TYPE     STATUS P LOCATION
solaris                     origin   online F http://pkg.oracle.com/solaris/release/
solarisstudio               origin   online F https://pkg.oracle.com/solarisstudio/release/
ha-cluster                  origin   online F https://pkg.oracle.com/ha-cluster/release/

To set "require-signatures" policy and verify for each of our repositories one by one:

root@solaris11-3:~# pkg set-publisher --set-property signature-policy=require-signatures solaris
root@solaris11-3:~# pkg publisher solaris

            Publisher: solaris
           ...
           Properties:
                       signature-policy = require-signatures
root@solaris11-3:~# pkg set-publisher --set-property signature-policy=require-signatures solarisstudio
root@solaris11-3:~# pkg publisher solarisstudio

            Publisher: solarisstudio
           ...
           Properties:
                       signature-policy = require-signatures
root@solaris11-3:~# pkg set-publisher --set-property signature-policy=require-signatures ha-cluster
root@solaris11-3:~# pkg publisher ha-cluster

            Publisher: ha-cluster
           ...
           Properties:
                       signature-policy = require-signatures

The default Solaris 11.3 installation seems to enable a huge list of network services:

root@solaris11-3:~# svcs | grep network
online         20:27:57 svc:/network/connectx/unified-driver-post-upgrade:default
online         20:27:58 svc:/network/socket-config:default
online         20:28:37 svc:/network/netcfg:default
online         20:28:39 svc:/network/tcp/congestion-control:cubic
online         20:28:45 svc:/network/tcp/congestion-control:highspeed
online         20:28:45 svc:/network/sctp/congestion-control:vegas
online         20:28:46 svc:/network/sctp/congestion-control:newreno
online         20:28:46 svc:/network/sctp/congestion-control:highspeed
online         20:28:46 svc:/network/tcp/congestion-control:newreno
online         20:28:46 svc:/network/sctp/congestion-control:cubic
online         20:28:46 svc:/network/tcp/congestion-control:vegas
online         20:28:49 svc:/network/ib/ib-management:default
online         20:29:02 svc:/network/tcp/tcpkey:default
online         20:29:06 svc:/network/smb:default
online         20:29:11 svc:/network/datalink-management:default
online         20:29:19 svc:/network/ipsec/ipsecalgs:default
online         20:29:24 svc:/network/ip-interface-management:default
online         20:29:34 svc:/network/eoib/eoib-post-upgrade:default
online         20:29:41 svc:/network/loopback:default
online         20:29:46 svc:/network/ipmp:default
online         20:30:44 svc:/network/ilomconfig-interconnect:default
online         20:30:44 svc:/network/uucp-lock-cleanup:default
online         20:30:54 svc:/network/npiv_config:default
online         20:31:08 svc:/network/physical:upgrade
online         20:31:11 svc:/network/install:default
online         20:31:11 svc:/network/location:upgrade
online         20:31:25 svc:/network/physical:default
online         20:31:32 svc:/network/location:default
online         20:31:38 svc:/network/ipsec/policy:default
online         20:31:39 svc:/milestone/network:default
online         20:31:45 svc:/network/initial:default
online         20:31:46 svc:/network/iptun:default
online         20:31:49 svc:/network/netmask:default
online         20:31:49 svc:/network/nfs/fedfs-client:default
online         20:31:50 svc:/network/dns/client:default
online         20:31:53 svc:/network/service:default
online         20:31:59 svc:/network/iscsi/initiator:default
online         20:32:00 svc:/network/ntp:default
online         20:32:40 svc:/network/shares:default
online         20:33:11 svc:/network/routing-setup:default
online         20:33:41 svc:/network/rpc/bind:default
online         20:33:43 svc:/network/inetd:default
online         20:33:51 svc:/network/rpc/gss:default
online         20:33:52 svc:/network/rpc/smserver:default
online         20:33:57 svc:/network/routing/ndp:default
online         20:33:58 svc:/network/ssh:default
online         20:34:08 svc:/network/sendmail-client:default
online         20:34:10 svc:/network/smtp:sendmail

At the least, I disabled the sendmail-related services because I will configure postfix later as my email transport service, and also disabled services related to rpc and nfs; there are surely many other services in the list above that we can disable for a hobbyist installation later.

root@solaris11-3:~# svcadm disable /network/smtp:sendmail
root@solaris11-3:~# svcadm disable /network/sendmail-client
root@solaris11-3:~# svcadm disable /network/nfs/fedfs-client
root@solaris11-3:~# svcadm disable /network/rpc/bind
root@solaris11-3:~# svcadm disable /network/rpc/gss
root@solaris11-3:~# svcadm disable /network/rpc/smserver
root@solaris11-3:~# svcadm disable svc:/network/nis/client

Tighten up the login process by editing /etc/default/login and changing the following parameters as described:

# TIMEOUT sets the number of seconds (between 0 and 900) to wait before
# abandoning a login session.
#
#TIMEOUT=300
# -- Change to abandon idle sessions after 15 minutes - Supratim
TIMEOUT=900
...
...
# SLEEPTIME controls the number of seconds that the command should
# wait before printing the "login incorrect" message when a
# bad password is provided.  The range is limited from
# 0 to 5 seconds.
#
#SLEEPTIME=4
# Max this out to discourage continues dictionary attacks - Supratim
SLEEPTIME=5

# DISABLETIME  If present, and greater than zero, the number of seconds
# login will wait after RETRIES failed attempts or the PAM framework returns
# PAM_ABORT. Default is 20. Minimum is 0. No maximum is imposed.
#
#DISABLETIME=20
# Bump up to ten minutes, i.e. if you got the password wrong three times in a
row, wait ten minutes for login prompt to reappear - Supratim
DISABLETIME=600

# RETRIES determines the number of failed logins that will be
# allowed before login exits. Default is 5 and maximum is 15.
# If account locking is configured (user_attr(4)/policy.conf(4))
# for a local user's account (passwd(4)/shadow(4)), that account
# will be locked if failed logins equals or exceeds RETRIES.
#
#RETRIES=5
# If you know the password, you should not need more than three tries - Supratim
RETRIES=3
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility.  For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
#SYSLOG_FAILED_LOGINS=5
# Yes we want to log ALL failed attempts - Supratim
SYSLOG_FAILED_LOGINS=0

We then harden the ssh daemon that is perhaps the most frequently used service for logging into the Solaris server from other internet or intranet hosts. Here is the /etc/ssh/sshd_config file I use for ssh server configuration. It incorporates many tips about securing ssh, as you can see in the comments. You can probably use this file straightaway as-is.

You should also put some sort of notice in /etc/issue file that is presented as a Banner to ssh login users during the login process. In addition, you should also put something appropriate in the /etc/motd file that is presented to the user by the system scripts that run automatically after login. Oracle provides some nice examples and more details about these files here.

To have the modified ssh server configuration file take effect and make sure it starts up:

root@solaris11-3:/etc/ssh# svcadm refresh ssh
root@solaris11-3:/etc/ssh# svcadm restart ssh
root@solaris11-3:/etc/ssh# svcs -xv ssh
svc:/network/ssh:default (SSH server)
 State: online since May 28, 2017 11:58:55 PM UTC
   See: man -M /usr/share/man -s 1M sshd
   See: /var/svc/log/network-ssh:default.log
Impact: None.

Enable additional audit logging of privileged actions. Replace <admin-user> with the non-root username you created while installing Solaris (as you know, root is a role in Solaris, not a username).

root@solaris11-3:~# usermod -K audit_flags=cusa:no <admin-user>
UX: usermod: <admin-user> is currently logged in, some changes may not take effect until next login.
root@solaris11-3:~# rolemod -K audit_flags=cusa:no root
root@solaris11-3:~# auditconfig -setpolicy +argv
root@solaris11-3:~# auditconfig -setpolicy +arge

Enable TCP Wrappers in general for inetd based network services:

root@solaris11-3:~# inetadm -M tcp_wrappers=TRUE

You should have a reasonably secure Solaris 11.3 server at this point, good enough to handle an internet-facing network.

Relax Default Solaris 11 Password Rules

As a purely personal preference, I do not like operating system enforcement of secure password rules. Problems with weak passwords are always due to human stupidity, and we should not call on machines to compensate. Solaris 11.3 default password rules require at least one numeric digit.

I relaxed this rule by editing the file /etc/default/passwd to explicitly specify MINNONALPHA=0 instead of the commented-out default of #MINNONALPHA=1 and tested this change by using the passwd command to temporarily set both the user and root passwords to not contain any digits before setting them back to strong secure passwords.

Enable Solaris 11 SNMP Agent

I run a Pandora FMS server to monitor the various networks in my home and on the internet. The Pandora FMS server is configured with Recon tasks that auto-discover hosts on the networks, and SNMP is then used extensively to poll the hosts. In general, an SNMP agent running on any host is often useful in quick monitoring or troubleshooting tasks.

Supratim Sanyal's Blog: Solaris 11.3 SNMP daemon agent net-snmp
Solaris 11.3 SNMP agent Net-SNMP

The Solaris 11.3 gnome desktop environment conveniently comes with a shortcut "Add More Software" which launches the Package Manager. Not knowing what, if any, SNMP package was already installed, I launched the Package Manager and typed in "SNMP" in the search box. To my pleasant surprise, Net-SNMP agent files and libraries which I am quite familiar with from the Linux world along with Fault Management SNMP agent plugins and MIB and SNMP Notification daemon for system events were already installed. I just had to configure and start the Net-SNMP service up.

The Net-SNMP configuration files on Solaris 11 reside in the directory /etc/net-snmp/snmp. I backed up and changed the main configuration file /etc/net-snmp/snmp/snmpd.conf to have the following very simple configuration, where mycommunitystring stands for the actual community string needed to access this agent securely.

# snmpd.conf
# - All private IPs allowed with community mycommunitystring
com2sec local   10.0.0.0/8      mycommunitystring
com2sec local   172.16.0.0/12   mycommunitystring
com2sec local   192.168.0.0/16  mycommunitystring
com2sec local   127.0.0.1       mycommunitystring

 group MyROGroup v1         local
group MyROGroup v2c        local
group MyROGroup usm        local
view all    included  .1                               80
access MyROGroup "" any     noauth    exact  all    none   none

 syslocation tatooine
syscontact Admin {supratim at riseup dot net}

 # Send traps to Pandora FMS Server
trapsink 10.100.0.10
trapcommunity mycommunitystring

Configuration being done, it was time to start the SNMP service up. A quick check showed the service was not enabled by the default installation:

root@solaris11-3:~# svcs -xv net-snmp
svc:/application/management/net-snmp:default (net-snmp SNMP daemon)
 State: disabled since May 27, 2017 04:44:29 PM UTC
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: man -M /usr/share/man/ -s 8 snmpd
   See: /var/svc/log/application-management-net-snmp:default.log
Impact: This service is not running.

To enable and start the service up:

root@solaris11-3:~# svcadm refresh net-snmp
root@solaris11-3:~# svcadm enable net-snmp

Check to make sure service is now running:

root@solaris11-3:~# svcs -xv net-snmp
svc:/application/management/net-snmp:default (net-snmp SNMP daemon)
 State: online since May 27, 2017 07:34:31 PM UTC
   See: man -M /usr/share/man/ -s 8 snmpd
   See: /var/svc/log/application-management-net-snmp:default.log
Impact: None.

Walk the MIB from another host querying the Solaris 11 host (10.200.0.50):

$ snmpwalk -c mycommunitystring -v2c 10.200.0.50 ISO | grep -i solaris
SNMPv2-MIB::sysDescr.0 = STRING: SunOS solaris11-3.sanyalnet.lan 5.11 11.3 i86pc
SNMPv2-MIB::sysName.0 = STRING: solaris11-3.sanyalnet.lan
HOST-RESOURCES-MIB::hrSWRunParameters.679 = STRING: "-g -d /dev/console -l console -m ldterm,ttcompat -h -p solaris"
HOST-RESOURCES-MIB::hrSWRunParameters.739 = STRING: "-g -d /dev/vt/6 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.741 = STRING: "-g -d /dev/vt/2 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.751 = STRING: "-g -d /dev/vt/3 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.752 = STRING: "-g -d /dev/vt/5 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.753 = STRING: "-g -d /dev/vt/4 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.1205 = STRING: "-Djava.security.policy=/usr/share/vpanels/java.policy com.oracle.solaris.v"
HOST-RESOURCES-MIB::hrSWInstalledName.169 = STRING: "SUNWopensolaris-backgrounds"
HOST-RESOURCES-MIB::hrSWInstalledName.501 = STRING: "SUNWopensolaris-backgrounds-xtra"


Forward SYSLOG to Remote SYSLOG SERVER over Secure Tunnel


I run a central syslog server on a VPS in the cloud where I send the system logs from all of my servers. I use the stunnel secure-tunnel utility to forward log entries securely over the internet as described in this post.

The configuration file for syslog daemon on Solaris 11.3 is /etc/syslog.conf. I edited the file to enable forwarding of system log entries to the local LAN endpoint server for the stunnel (10.42.2.1) which forwards them in turn securely to the remote VPS central syslog server. I also adjusted entries for the auth facility to log authorization failures suitably for use with the fail2ban tool that I have discussed in detail in this post.

Here is my complete syslog.conf file. Important: The delimiters in the middle of the lines have to be TAB characters, SPACEs do not work!

#
# Copyright (c) 1991, 2014, Oracle and/or its affiliates. All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#

 # -- Supratim's Remote syslog hosts
# - Forward to CentOS which in turn forwards to VPS and Papertrailapp
# - White space delimiter has to be TABs for this to work; SPACEs do not work!
*.debug         @10.42.2.1
# --

 *.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

 *.alert;kern.err;daemon.err                     operator
*.alert                                         root

 *.emerg                                         *

 # if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
# Required for fail2ban
auth.notice                     ifdef(`LOGHOST', /var/log/authlog, @loghost)
auth.info                       /var/adm/auth.log

 mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

 #
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.err                                        /var/adm/messages
user.alert                                      `root, operator'
user.emerg                                      *
)


After editing the syslog.conf configuration file, create an empty /var/adm/auth.log file (it is not created by syslog even if configured in the config file), and refresh and restart the syslog daemon:

root@solaris11-3:/etc# touch /var/adm/auth.log
root@solaris11-3:/etc# svcadm refresh system-log
root@solaris11-3:/etc# svcadm restart system-log
root@solaris11-3:/etc# svcs -xv system-log
svc:/system/system-log:default (system log)
 State: online since May 27, 2017 08:39:29 PM UTC
   See: man -M /usr/share/man -s 1M syslogd
   See: /var/svc/log/system-system-log:default.log
Impact: None.


Enable Solaris 11 NTP Time Synchronization Service

A quick check against the Solaris 11 package manager again reveals good news - a NTP v4 daemon is already installed. I just have to configure it to be able to keep the Solaris clock synchronized.

Supratim Sanyal's Blog: Solaris 11 NTP v4 Network Time Synchronization server and client daemon
Solaris 11 NTP v4 daemon

The Solaris 11 NTP configuration file is /etc/inet/ntp.conf. The initial installation includes two templates in that directory: /etc/inet/ntp.client  and /etc/inet/ntp.server,the intent being one of them can be used as the starting point of the final ntp.conf file. But, I already have a fully functional Solaris 11 NTP configuration file as described in this post, and simply dropped my working ntp.conf into /etc/inet/ directory.

I then checked to make sure the NTP service has not already been started automatically yet:

root@solaris11-3:/etc/inet# svcs -xv ntp
svc:/network/ntp:default (Network Time Protocol (NTP) Version 4)
 State: disabled since Sat May 27 16:44:31 2017
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: man -M /usr/share/man -s 1M ntpd
   See: man -M /usr/share/man -s 4 ntp.conf
   See: man -M /usr/share/man -s 1M ntpq
   See: /var/svc/log/network-ntp:default.log
Impact: This service is not running.

I then refresh and enable the NTP service, and confirm it is now running.

root@solaris11-3:/etc/inet# ls -l /etc/inet/ntp.conf
-rw-r--r--   1 root     root        3267 May 27 23:08 /etc/inet/ntp.conf
root@solaris11-3:/etc/inet# svcadm refresh ntp
root@solaris11-3:/etc/inet# svcadm enable ntp
root@solaris11-3:/etc/inet# svcs -xv ntp 
svc:/network/ntp:default (Network Time Protocol (NTP) Version 4)
 State: online since Sat May 27 23:12:26 2017
   See: man -M /usr/share/man -s 1M ntpd
   See: man -M /usr/share/man -s 4 ntp.conf
   See: man -M /usr/share/man -s 1M ntpq
   See: /var/svc/log/network-ntp:default.log
Impact: None.

ntpd errors "frequency error -512 PPM exceeds tolerance 500 PPM" in system log

I have observed entries like "frequency error -512 PPM exceeds tolerance 500 PPM" in my openindiana system logs at /var/adm/messages regularly, and this was also happening on my new Solaris 11.3 system log. Here are typical examples of this:

May 28 10:37:46 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -511 PPM exceeds tolerance 500 PPM
May 28 10:45:48 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -511 PPM exceeds tolerance 500 PPM
May 28 10:45:52 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:03:31 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:18:18 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:28:19 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:54:23 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 12:04:27 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 12:18:04 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 12:30:23 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM

My guess is the Solaris family of kernels do not like to be stuck inside virtual machines, and NTP's 500 PPM tolerance is regularly exceeded in Solaris virtual machines.

Adding the following tinker panic 0 line at the top of /etc/inet/ntp.conf file may help, according to some online posts that I found. However, it does not solve the issue, and I am still looking for a resolution. I am not overly concerned because the logs seem to indicate these are notices (daemon.notice), not errors.

# -----
# Workaround for unstable clock in virtual machine
# -----
tinker panic 0

Warning: Trying the advice on this Oracle blog post to modify /etc/system to attempt to increase "the system clock tick rate from the default of 100 per second to 1,000 per second, effectively changing the clock resolution from 10ms to 1ms" by adding set hires_tick=1 by itself, as well as followed by set hires_hz=10000 hang the Solaris boot-up process. Do not try these. I had fortunately taken a boot image backup using the beadm create command before trying these and failing, and was able to recover and will not attempt these changes in /etc/system ever again.

Install gnu C, C++, Objective C and FORTRAN Development Environment

Supratim Sanyal's Blog: Free GNU C C++ Compilers and Development Environment Installation on Solaris 11
GNU Development Environment for Solaris 11 Group Package Installation


Launch the Package Manager and select "All Publishers" in the Publisher drop-down list. Then navigate to Meta Packages -> Group Packages on the left pane. Find the group package "developer-gnu" in the list of group packages on the right pane. Check the selection box at the left of that package, and click the Install/Update button at the top. That's it, when installation finishes, the familiar GNU C and C++ compilers and build tools will be available, along with Fortran and Objective C.

I did a quick check of the C++ compiler, and it all looked good with gcc 4.8.2 compiler working:

user@solaris11-3:~$ gcc --version
gcc (GCC) 4.8.2
Copyright (C) 2013 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

 user@solaris11-3:~$ g++ --version
g++ (GCC) 4.8.2
Copyright (C) 2013 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

 user@solaris11-3:~$ gmake --version
GNU Make 3.82
Built for i386-pc-solaris2.11
Copyright (C) 2010  Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

 user@solaris11-3:~$ cat hello.cpp
#include <iostream>
using namespace std;

 int main()
{
        std::cout << "hello world!\n";
        return 0;
}

 user@solaris11-3:~$ g++ -o hello hello.cpp

 user@solaris11-3:~$ ./hello
hello world!

Install and Configure FTP Server on Solaris 11 with Anonymous FTP Access


The default Solaris 11.3 VirtualBox image did not come pre-installed with a FTP server. I found FTP Server and Utilities" in the Package Manager and installed it.

Supratim Sanyal's Blog: Solaris 11 FTP Server Package Installation (ProFTP)
Solaris 11 FTP Server Package Installation

The FTP server installed is proftpd, which uses the main configuration file /etc/proftpd.conf.

My goal was to deploy a simple anonymous FTP server with read-only access to clients. The basic onfiguration file made available here for establishing "a single server and a single anonymous login" fit the bill perfectly, more so as the Solaris package installer for FTP did create the required "ftp" account and the "nobody" account was already present. as seen in /etc/passwd.

I took a backup of the file and dropped in the basic proftpd.conf in, and restarted the service. However, the service did not start up at this first attempt:

root@solaris11-3:/etc# svcadm refresh ftp
root@solaris11-3:/etc# svcadm enable ftp
root@solaris11-3:/etc# svcs -xv ftp
svc:/network/ftp:default (FTP server)
 State: maintenance since May 30, 2017 12:31:02 PM UTC
Reason: Start method failed repeatedly, last exited with status 1.
   See: http://support.oracle.com/msg/SMF-8000-KS
   See: man -M /usr/share/man -s 1M proftpd
   See: file://usr/share/doc/proftpd/
   See: /var/svc/log/network-ftp:default.log
Impact: This service is not running.
root@solaris11-3:/etc# cat /var/svc/log/network-ftp:default.log
[ May 30 04:30:17 Disabled. ]
[ May 30 04:30:37 Rereading configuration. ]
[ May 30 12:30:47 Rereading configuration. ]
[ May 30 12:30:54 Enabled. ]
[ May 30 12:30:55 Executing start method ("/usr/lib/inet/proftpd"). ]
2017-05-30 12:30:55,679 solaris11-3.sanyalnet.lan proftpd[3482]: fatal: unknown configuration directive 'DisplayFirstChdir' on line 58 of '/etc/proftpd.conf'
[ May 30 12:30:59 Method "start" exited with status 1. ]

The problematic "DisplayFirstChdir" directive seems to enable display of a ".message" file in each newly chdired directory. I did not really care about this feature, and commented out the "DisplayFirstChdir" directive in the configuration file, and retried. Note: On Solaris 11, a service in maintenance needs to be taken out of maintenance by disabling and enabling it again after fixing the issues that put it into maintenance.

root@solaris11-3:/etc# svcadm disable ftp
root@solaris11-3:/etc# svcadm refresh ftp
root@solaris11-3:/etc# svcadm enable ftp
root@solaris11-3:/etc# svcs -xv ftp
svc:/network/ftp:default (FTP server)
 State: offline* transitioning to online since May 30, 2017 12:39:31 PM UTC
Reason: Start method is running.
   See: http://support.oracle.com/msg/SMF-8000-C4
   See: man -M /usr/share/man -s 1M proftpd
   See: file://usr/share/doc/proftpd/
   See: /var/svc/log/network-ftp:default.log
Impact: This service is not running.
root@solaris11-3:/etc# svcs -xv ftp
svc:/network/ftp:default (FTP server)
 State: online since May 30, 2017 12:39:46 PM UTC
   See: man -M /usr/share/man -s 1M proftpd
   See: file://usr/share/doc/proftpd/
   See: /var/svc/log/network-ftp:default.log
Impact: None.

The FTP server now came up. However, a quick test to login to the FTP server with anonymous account still failed, showing the following error in /var/adm/authlog:

USER ftp (Login failed): User in /etc/ftpusers

It turns out the error message is perfect; default installation includes the user "ftp" in the list of users to deny FTP service to in the file /etc/ftpusers. The "anonymous" FTP user is an alias of this "ftp" user in /etc/proftpd.conf. So I edited the /etc/ftpusers file and deleted the "ftp" user from it, and retried to log in to the FTP server as anonymous:

 Compaq-Presario-CQ61] ➤ ftp 10.200.0.50
Connected to 10.200.0.50.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [::ffff:10.200.0.50]
Name (10.200.0.50:user): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: @
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
lrwxrwxrwx   1 root     root            9 Oct  7  2015 bin -> ./usr/bin
drwxr-xr-x   5 root     sys             9 Oct  7  2015 boot
drwxr-xr-x   2 root     root            3 Oct  7  2015 cdrom
drwxr-xr-x 200 root     sys           200 May 30 01:33 dev
drwxr-xr-x   4 root     sys            12 May 30 01:33 devices
drwxr-xr-x  97 root     sys           195 May 30 12:56 etc
drwxr-xr-x   3 root     sys             3 May 27 15:18 export
dr-xr-xr-x   2 root     root            2 Oct  6  2015 home
drwxr-xr-x  19 root     sys            19 Oct  7  2015 kernel
drwxr-xr-x  12 root     bin           335 May 27 21:06 lib
drwxr-xr-x   2 root     root            3 May 30 01:42 media
drwxr-xr-x   2 root     sys             2 Oct  7  2015 mnt
dr-xr-xr-x   2 root     root            2 Oct  7  2015 net
dr-xr-xr-x   2 root     root            2 Oct  7  2015 nfs4
drwxr-xr-x   5 root     sys             5 Oct  7  2015 opt
drwxr-xr-x   5 root     sys             5 Oct  6  2015 platform
dr-xr-xr-x 124 root     root       480032 May 30 12:57 proc
drwx------   8 root     root           14 May 29 13:18 root
drwxr-xr-x   3 root     root            3 Oct  7  2015 rpool
lrwxrwxrwx   1 root     root           10 Oct  7  2015 sbin -> ./usr/sbin
drwxr-xr-x   7 root     root            7 Oct  7  2015 system
drwxrwxrwt  16 root     sys          1542 May 30 12:30 tmp
drwxr-xr-x  33 root     sys            45 May 28 05:10 usr
drwxr-xr-x  41 root     sys            48 May 27 21:05 var
-r--r--r--   1 root     root       277648 Oct  6  2015 zvboot
226 Transfer complete
ftp> pwd
257 "/" is the current directory
ftp> bye
221 Goodbye.

Anonymous login to the proftpd FTP server now worked, but exposing all these directories to anonymous users is obviously not a good thing. The /etc/passwd file did specify / as the login directory for the "ftp" user.

ftp:x:21:21:FTPD Reserved UID:/:

I changed the home directory of the "ftp" user to /media for now since I am not at the point of mounting devices at /media yet.

ftp:x:21:21:FTPD Reserved UID:/media:

Finally, I dropped a MP3 file from the internet archive into /media/ and retried anonymous FTP, and verified it works as expected.

$ ftp 10.200.0.50
Connected to 10.200.0.50.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [::ffff:10.200.0.50]
Name (10.200.0.50:rumtuk): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: @
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
Torley_Wong-1981_A.D..mp3
226 Transfer complete
27 bytes received in 0.0026 seconds (10.08 Kbytes/s)
ftp> bin
200 Type set to I
ftp> hash
Hash mark printing on (8192 bytes/hash mark).
ftp> get Torley_Wong-1981_A.D..mp3
200 PORT command successful
150 Opening BINARY mode data connection for Torley_Wong-1981_A.D..mp3 (4487168 bytes)
####################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
226 Transfer complete
local: Torley_Wong-1981_A.D..mp3 remote: Torley_Wong-1981_A.D..mp3
4487168 bytes received in 1.4 seconds (3088.44 Kbytes/s)
ftp> bye
221 Goodbye.

If you wish, you can additionally follow the instructions here to protect the FTP network service using TCP Wrappers module of ProFTPD (Solaris 11 hardening step).

Configure a Public Passwordless Workgroup-Mode Samba SMB CIFS Server for Sharing Files in Private Networks


A primary purpose of my Solaris 11 installation is to be a shared network drive and file server for all the computers and devices in our home. Specifically, an external USB Hard Disk will be made available as a SMB/CIFS share across the network. No credentials will be required to access this share from any computer on the home subnets as long as the SMB client IP address is in the private address space.

I used the network/samba package because it is independent of ZFS-level sharing features of the
The network/samba package is not the same as service/filesystem/smb package. If you have the service/filesystem/smb package installed, you need to at least disable it using the svcadm disable command first before installing network/samba.
root@solaris11-3:~# svcs -xv smb
svc:/network/smb:default (SMB properties)
 State: online since May 31, 2017 02:52:35 AM UTC
   See: man -M /usr/share/man -s 4 smb
   See: /system/volatile/network-smb:default.log
   See: /var/svc/log/network-smb:default.log
Impact: None.
root@solaris11-3:~# svcadm disable smb

Supratim Sanyal's Blog: Solaris 11 Samba SMB/CIFS File Server Package
Solaris 11 Samba SMB/CIFS File Server Package

With these goals, I fired up the package manager and searched for "samba". I then installed the "network/samba" package from the search results. Alternatively the GUI can be avoided and the same can be done from the command line using the pkg install command like so:
root@solaris11-3:~# pkg install network/samba
           Packages to install:  2
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

 DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                2/2     3038/3038  104.6/104.6  433k/s

 PHASE                                          ITEMS
Installing new actions                     2600/3302
Installing new actions                     3302/3302
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           3/3


Please keep in mind the network/samba package ("samba - A Windows SMB/CIFS fileserver for UNIX") is not the same as service/filesystem/smb package ("SMB/CIFS server libraries and commands"). If you have the service/filesystem/smb package installed, you need to at least disable it using the svcadm disable command before installing network/samba:
root@solaris11-3:~# svcs -xv smb
svc:/network/smb:default (SMB properties)
 State: online since May 31, 2017 02:52:35 AM UTC
   See: man -M /usr/share/man -s 4 smb
   See: /system/volatile/network-smb:default.log
   See: /var/svc/log/network-smb:default.log
Impact: None.
root@solaris11-3:~# svcadm disable smb

The Samba server configuration file is /etc/samba/smb.conf. I created a /etc/samba/smb.conf with the following simple contents to enable a public share:

# -----
# /etc/samba/smb.conf
# Simple Samba/CIFS server configuration for unauthenticated shared network drive
# accessible from intranet private IP address space
# For network/samba package on Solaris 11.3 (SunOS 5.11)
# Supratim Sanyal, May 31, 2017
# -----

 [global]
   workgroup = ENTERPRISE
   server string = SANYALnet Solaris 11.3 LAN Samba/CIFS Shared Drive
   hosts allow = 10.0.0.0/255.0.0.0,172.16.0.0/255.240.0.0,192.168.0.0/255.255.0.0
   log file = /var/log/samba/log.%m
   max log size = 50
   map to guest = bad user

    # Disable printer support
   disable spoolss = yes
   load printers = no
   printing = bsd
   printcap name = /dev/null

 [sanyalnet-shared]
   path = /media/USB-Storage/sanyalnet-shared
   public = yes
   only guest = yes
   writable = yes
   printable = no
   guest ok = yes
   read only = no


I then created the log directory and set global read-write permissions on the shared directory:

root@solaris11-3:/etc/samba# mkdir /var/log/samba
root@solaris11-3:/etc/samba# chmod 777 /media

Then I refreshed, started and verified the samba service.

root@solaris11-3:/etc/samba# svcadm refresh samba
root@solaris11-3:/etc/samba# svcadm enable samba
root@solaris11-3:/etc/samba# svcs -xv samba
svc:/network/samba:default (SMB file server)
 State: offline* transitioning to online since May 31, 2017 04:31:55 PM UTC
Reason: Start method is running.
   See: http://support.oracle.com/msg/SMF-8000-C4
   See: man -M /usr/share/man -s 1m smbsmbd
   See: man -M /usr/share/man -s 4 smb.conf
   See: /var/svc/log/network-samba:default.log
Impact: This service is not running.
root@solaris11-3:/etc/samba# svcs -xv samba
svc:/network/samba:default (SMB file server)
 State: online since May 31, 2017 04:32:06 PM UTC
   See: man -M /usr/share/man -s 1m smbsmbd
   See: man -M /usr/share/man -s 4 smb.conf
   See: /var/svc/log/network-samba:default.log
Impact: None.


Finally, I successfully verified the shared drive is visible and I could transfer files from and to the shared drive from a Windows 10 workstation on the same network.

Supratim Sanyal's Blog: Samba SMB CIFS Server Share hosted on Solaris 11 Accessed from Windows 10
Samba Server hosted on Solaris 11 Accessed from Windows 10


Configure Solaris 11.3 as a http web server using Apache httpd daemon


Supratim Sanyal's Blog: Web page served by Apache httpd web-server on Solaris 11
Web page served by Apache httpd web-server on Solaris 11

The Oracle Solaris 11.3 VirtualBox Virtual Machine came with Apache web server installed at the directory /usr/apache2/2.2 with the configuration files in /etc/apache2/2.2 and the DocumentRoot (web-root) directory for the default website configured to be at /var/apache2/2.2/htdocs. The primary configuration file is at /etc/apache2/2.2/httpd.conf. The version of Apache httpd daemon installed is 2.2.31:

root@solaris11-3:~# /usr/apache2/2.2/bin/httpd -v
Server version: Apache/2.2.31 (Unix)
Server built:   Sep 24 2015 08:41:55

I enhanced the Apache configuration file /etc/apache2/2.2/httpd.conf for a bit of added security mostly following this article. Here is my complete /etc/apache2/2.2/httpd.conf:


Then I commented out the following lines from both the 32-bit and 64-bit Apache module configuration files /etc/apache2/2.2/conf.d/modules-32.load and /etc/apache2/2.2/conf.d/modules-64.load to disable the DAV and Info modules:

#LoadModule dav_module libexec/mod_dav.so
#LoadModule info_module libexec/mod_info.so
#LoadModule dav_fs_module libexec/mod_dav_fs.so

For added security, I changed the owner of the Apache installation directory tree from root:sys to the non-privileged Apache daemon user and took out all world permissions from the Apache binary and configuration directories:

root@solaris11-3:~# chown -R webservd:webservd /usr/apache2

root@solaris11-3:~# chmod -R 750 /usr/apache2/2.2/bin /etc/apache2/2.2

I then simply put in my custom index.html and all associated files into /var/apache2/2.2/htdocs. Then I refreshed and enabled the http service and have a functional web server on Solaris 11.

root@solaris11-3:~# svcadm disable http
root@solaris11-3:~# svcadm refresh http
root@solaris11-3:~# svcadm enable http
root@solaris11-3:~# svcs -xv http
svc:/network/http:apache22 (Apache 2.2 HTTP server)
 State: online since May 31, 2017 08:52:28 PM UTC
   See: man -M /usr/apache2/2.2/man -s 8 httpd
   See: http://httpd.apache.org
   See: /var/svc/log/network-http:apache22.log
Impact: None.

The access and error logs are written to /var/apache2/2.2/logs as configured in /etc/apache2/2.2/httpd.conf.

TAKE A BACKUP!

At this point taking a backup is extremely important, since the next steps are dangerous because we will be playing with external USB hard disks. You can take a backup of the entire Virtual Machine as well as use the beadm create and beadm activate commands twice to create a boot environment to fall back to if the 2nd (more recent) environment is hosed, i.e. something like
root@solaris11-3:~# beadm create -d "baseline before USB HDD support" BeforeExtHDD
root@solaris11-3:~# beadm create -d "USB HDD experiment" ExtHDDExperimental
root@solaris11-3:~# beadm activate ExtHDDExperimental
root@solaris11-3:~# reboot

This way, if the External Hard Disk mounting attempts result in a kernel that keeps panicking, you can choose a prior boot environment from the grub menu.


MOUNTING EXTERNAL USB HDD WITH WINDOWS 95 / FAT 32 FILE SYSTEM FOR READING AND WRITING ON SOLARIS 11.3

Install VirtualBox Guest Additions

In a nutshell, for an external USB drive to work seamlessly at USB 2.0 speeds with VirtualBox Solaris 11.3 virtual machine, we need to install the companion version of VirtualBox Guest Additions corresponding to the installed version of Oracle VirtualBox host software itself, on both the VirtualBox host software installation and the Solaris 11.3 virtual machine that runs under the VirtualBox virtualization  environment.

To get USB 2.0 transfer speeds from an external USB hard disk, I needed to upgrade the VirtualBox Guest Additions included in the Oracle Solaris 11.3 Oracle VirtualBox VM to the same version as my installed VirtualBox release on the host computer. I had already installed the extension pack on the VirtualBox host software right after installing VirtualBox itself by downloading and double-clicking "Oracle_VM_VirtualBox_Extension_Pack-5.1.22-115126.vbox-extpack" corresponding to the installed version of VirtualBox.

However, the Solaris 11.3 virtual appliance had an older version of VirtualBox Guest Additions. I first uninstalled the obsolete VirtualBox Guest Additions package from the Solaris 11.3 VM:

 root@solaris11-3:~# pkginfo | grep -i guest
application SUNWvboxguest                    Oracle VM VirtualBox Guest Additions
root@solaris11-3:~# pkgrm SUNWvboxguest

The following package is currently installed:
   SUNWvboxguest  Oracle VM VirtualBox Guest Additions
                  (i386) 5.0.4,REV=r102546.2015.09.08.10.07

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <SUNWvboxguest>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <SUNWvboxguest> dependencies in global zone
## Processing package information.
## Executing preremove script.
Removing VirtualBox service...
Removing VirtualBox kernel modules...
Device busy
Cannot unload module: vboxms
Will be unloaded upon reboot.
VirtualBox pointer integration module unloaded.
Device busy
Cannot unload module: vboxguest
Will be unloaded upon reboot.
VirtualBox guest kernel module unloaded.
Restoring X.Org...
Done.
## Removing pathnames in class <manifest>
## Removing pathnames in class <none>
/var/svc/manifest/application/virtualbox
/usr/share/gnome/autostart/vboxclient.desktop
/usr/sbin/vboxmslnk
/usr/lib/xorg/modules/drivers/vboxvideo_drv.so
/usr/lib/amd64/VBoxOGLpassthroughspu.so
/usr/lib/amd64/VBoxOGLpackspu.so
/usr/lib/amd64/VBoxOGLfeedbackspu.so
/usr/lib/amd64/VBoxOGLerrorspu.so
/usr/lib/amd64/VBoxOGLcrutil.so
/usr/lib/amd64/VBoxOGLarrayspu.so
/usr/lib/amd64/VBoxOGL.so
/usr/lib/VBoxOGLpassthroughspu.so
/usr/lib/VBoxOGLpackspu.so
/usr/lib/VBoxOGLfeedbackspu.so
/usr/lib/VBoxOGLerrorspu.so
/usr/lib/VBoxOGLcrutil.so
/usr/lib/VBoxOGLarrayspu.so
/usr/lib/VBoxOGL.so
/usr/kernel/fs/vboxfs
/usr/kernel/fs/amd64/vboxfs
/usr/kernel/drv/vboxms.conf
/usr/kernel/drv/vboxms
/usr/kernel/drv/vboxguest.conf
/usr/kernel/drv/vboxguest
/usr/kernel/drv/amd64/vboxms
/usr/kernel/drv/amd64/vboxguest
/usr/bin/VBoxService
/usr/bin/VBoxControl
/usr/bin/VBoxClient-all
/usr/bin/VBoxClient
/opt/VirtualBoxAdditions/x11restore.pl
/opt/VirtualBoxAdditions/x11config15sol.pl
/opt/VirtualBoxAdditions/vboxmslnk
/opt/VirtualBoxAdditions/vboxguest.sh
/opt/VirtualBoxAdditions/vboxclient.desktop
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_71.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_70.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_19.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_18.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_17.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_16.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_15.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_14.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_13.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_117.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_114.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_113.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_112.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_111.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_110.so
/opt/VirtualBoxAdditions/i386/vboxmslnk
/opt/VirtualBoxAdditions/i386/vboxfsmount
/opt/VirtualBoxAdditions/i386/pam_vbox.so
/opt/VirtualBoxAdditions/i386/VBoxService
/opt/VirtualBoxAdditions/i386/VBoxControl
/opt/VirtualBoxAdditions/i386/VBoxClient
/opt/VirtualBoxAdditions/i386
/opt/VirtualBoxAdditions/amd64/vboxmslnk
/opt/VirtualBoxAdditions/amd64/vboxfsmount
/opt/VirtualBoxAdditions/amd64/pam_vbox.so
/opt/VirtualBoxAdditions/amd64/VBoxService
/opt/VirtualBoxAdditions/amd64/VBoxControl
/opt/VirtualBoxAdditions/amd64/VBoxClient
/opt/VirtualBoxAdditions/amd64
/opt/VirtualBoxAdditions/VBoxService
/opt/VirtualBoxAdditions/VBoxISAExec
/opt/VirtualBoxAdditions/VBoxControl
/opt/VirtualBoxAdditions/VBoxClient
/opt/VirtualBoxAdditions/VBox.sh
/opt/VirtualBoxAdditions/LICENSE
/opt/VirtualBoxAdditions/1099.vboxclient
/opt/VirtualBoxAdditions
/etc/fs/vboxfs/mount
/etc/fs/vboxfs
/dev/vboxguest
## Updating system information.

Removal of <SUNWvboxguest> was successful.

A couple of kernel modules were busy and could not be unloaded as highlighted above. However, according to the messages, they "will be unloaded upon reboot". I wanted a complete uninstallation of the shipped VirtualBox Guest Additions before installing the new version to avoid conflicts with active kernel modules from the old version while installing the new version, and rebooted:

root@solaris11-3:~# reboot

Once Solaris 11.3 returned after reboot, I used VirtualBox's "Devices" menu to select "Insert Guest Additions CD Image". As soon as I did this, the virtual Guest Additions CD was auto-mounted at /media/VBOXADDITIONS_5.1.22_115126 and new icon was added to the Desktop. I then installed the package VBoxSolarisAdditions.pkg from /media/VBOXADDITIONS_5.1.22_115126.

 root@solaris11-3:/media/VBOXADDITIONS_5.1.22_115126# ls -l
total 102841
dr-xr-xr-x   2 root     root        2048 Apr 28 15:35 32Bit
dr-xr-xr-x   2 root     root        2048 Apr 28 15:35 64Bit
-r-xr-xr-x   1 root     root         647 Aug 16  2016 AUTORUN.INF
-r-xr-xr-x   1 root     root        6381 Apr 28 16:27 autorun.sh
dr-xr-xr-x   2 root     root        2048 Apr 28 15:35 cert
dr-xr-xr-x   2 root     root        4096 Apr 28 15:35 OS2
-r-xr-xr-x   1 root     root        4824 Apr 28 16:27 runasroot.sh
-r-xr-xr-x   1 root     root     8140237 Apr 28 16:27 VBoxLinuxAdditions.run
-r-xr-xr-x   1 root     root     17782784 Apr 28 17:28 VBoxSolarisAdditions.pkg
-r-xr-xr-x   1 root     root     16400296 Apr 28 16:35 VBoxWindowsAdditions-amd64.exe
-r-xr-xr-x   1 root     root     10039072 Apr 28 16:29 VBoxWindowsAdditions-x86.exe
-r-xr-xr-x   1 root     root      268496 Apr 28 16:27 VBoxWindowsAdditions.exe
root@solaris11-3:/media/VBOXADDITIONS_5.1.22_115126# pkgadd -d VBoxSolarisAdditions.pkg

 The following packages are available:
  1  SUNWvboxguest     Oracle VM VirtualBox Guest Additions
                       (i386) 5.1.22,REV=r115126.2017.04.28.18.28

 Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

 Processing package instance <SUNWvboxguest> from </media/VBOXADDITIONS_5.1.22_115126/VBoxSolarisAdditions.pkg>

 Oracle VM VirtualBox Guest Additions(i386) 5.1.22,REV=r115126.2017.04.28.18.28
Oracle Corporation
Using </> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

 This package contains scripts which will be executed with super-user
permission during the process of installing this package.

 Do you want to continue with the installation of <SUNWvboxguest> [y,n,?] y

 Installing Oracle VM VirtualBox Guest Additions as <SUNWvboxguest>

 ## Installing part 1 of 1.
/etc/fs/vboxfs/mount <symbolic link>
/opt/VirtualBoxAdditions/1099.vboxclient
/opt/VirtualBoxAdditions/LICENSE
/opt/VirtualBoxAdditions/VBox.sh
/opt/VirtualBoxAdditions/amd64/VBoxClient.Z
/opt/VirtualBoxAdditions/amd64/VBoxControl.Z
/opt/VirtualBoxAdditions/amd64/VBoxService.Z
/opt/VirtualBoxAdditions/amd64/pam_vbox.so
/opt/VirtualBoxAdditions/amd64/vboxfs
/opt/VirtualBoxAdditions/amd64/vboxfs_s10
/opt/VirtualBoxAdditions/amd64/vboxfsmount
/opt/VirtualBoxAdditions/amd64/vboxmslnk
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_110.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_111.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_112.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_113.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_114.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_117.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_118.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_13.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_14.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_15.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_16.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_17.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_18.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_19.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_70.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_71.so.Z
/opt/VirtualBoxAdditions/i386/VBoxClient.Z
/opt/VirtualBoxAdditions/i386/VBoxControl.Z
/opt/VirtualBoxAdditions/i386/VBoxService.Z
/opt/VirtualBoxAdditions/i386/pam_vbox.so
/opt/VirtualBoxAdditions/i386/vboxfs
/opt/VirtualBoxAdditions/i386/vboxfs_s10
/opt/VirtualBoxAdditions/i386/vboxfsmount
/opt/VirtualBoxAdditions/i386/vboxmslnk
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_110.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_111.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_112.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_113.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_114.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_117.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_118.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_13.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_14.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_15.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_16.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_17.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_18.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_19.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_70.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_71.so.Z
/opt/VirtualBoxAdditions/solaris_xorg.conf
/opt/VirtualBoxAdditions/solaris_xorg_modeless.conf
/opt/VirtualBoxAdditions/vbox_vendor_select
/opt/VirtualBoxAdditions/vboxclient.desktop
/opt/VirtualBoxAdditions/vboxguest.sh
/opt/VirtualBoxAdditions/vboxmslnk
/opt/VirtualBoxAdditions/x11config15sol.pl
/opt/VirtualBoxAdditions/x11restore.pl
/usr/bin/VBoxClient <symbolic link>
/usr/bin/VBoxClient-all <symbolic link>
/usr/bin/VBoxControl <symbolic link>
/usr/bin/VBoxService <symbolic link>
/usr/kernel/drv/amd64/vboxguest
/usr/kernel/drv/amd64/vboxms
/usr/kernel/drv/vboxguest
/usr/kernel/drv/vboxguest.conf
/usr/kernel/drv/vboxms
/usr/kernel/drv/vboxms.conf
/usr/lib/VBoxOGL.so
/usr/lib/VBoxOGLarrayspu.so
/usr/lib/VBoxOGLcrutil.so
/usr/lib/VBoxOGLerrorspu.so
/usr/lib/VBoxOGLfeedbackspu.so
/usr/lib/VBoxOGLpackspu.so
/usr/lib/VBoxOGLpassthroughspu.so
/usr/lib/amd64/VBoxOGL.so
/usr/lib/amd64/VBoxOGLarrayspu.so
/usr/lib/amd64/VBoxOGLcrutil.so
/usr/lib/amd64/VBoxOGLerrorspu.so
/usr/lib/amd64/VBoxOGLfeedbackspu.so
/usr/lib/amd64/VBoxOGLpackspu.so
/usr/lib/amd64/VBoxOGLpassthroughspu.so
/usr/sbin/vboxmslnk <symbolic link>
[ verifying class <none> ]
/opt/VirtualBoxAdditions/VBoxClient <linked pathname>
/opt/VirtualBoxAdditions/VBoxControl <linked pathname>
/opt/VirtualBoxAdditions/VBoxISAExec <linked pathname>
/opt/VirtualBoxAdditions/VBoxService <linked pathname>
[ verifying class <manifest> ]
## Executing postinstall script.
Uncompressing files...
Configuring VirtualBox guest kernel module...
VirtualBox guest kernel module loaded.
VirtualBox pointer integration module loaded.
Creating links...
Installing video driver for X.Org 1.14.5...
Configuring client...
Installing 64-bit shared folders module...
Installing 32-bit shared folders module...
Configuring services (this might take a while)...
Enabling services...
Updating boot archive...
Done.
Please re-login to activate the X11 guest additions.
If you have just un-installed the previous guest additions a REBOOT is required.

 Installation of <SUNWvboxguest> was successful.
root@solaris11-3:/media/VBOXADDITIONS_5.1.22_115126# cd
root@solaris11-3:~#

Connect External Hard Disk with NTFS Formatted Volume to Solaris 11.3 and find device name


I shut Solaris 11.3 down from the desktop GUI and connected an NTFS-formatted Western Digital USB disk drive to a USB port on the VM host, reconfiguring the VM to connect the USB drive to Solaris 11 over USB 2.0.

Supratim Sanyal's Blog: Oracle VirtualBox USB 2.0 EHCI Controller Configuration for Solaris 11.3 Virtual Machine - 1.5TB Western Digital MyBook
Oracle VirtualBox USB 2.0 EHCI Controller Configuration for Solaris 11.3 Virtual Machine
I then launched the Solaris 11.3 virtual machine, logged in and ran the Applications -> System Tools -> GParted Partition Editor tool. GParted took some time to scan the attached drives for partitions, after which I could select the external USB drive from a drop-down list at the top right corner. From the information presented, the device name for the USB drive is /dev/dsk/c3t0d0p1.

Supratim Sanyal's Blog: GParted on Solaris 11.3 Showing NTFS volume on external USB Hard Drive
GParted on Solaris 11.3 Showing NTFS volume on external USB Hard Drive

Install the Tools to Mount NTFS Volume: FUSE and NTFS-3G for Solaris 11

Now that I know the name of the device corresponding to the Windows NTFS volume on the external USB hard disk, I proceeded to install the software tools needed to mount it on Solaris 11.3.

Adding SFE Solaris 11 Repo

The software needed to mount NTFS volumes on Solaris 11 are available for free from SFE - Software Packages for Solaris, OpenIndiana and OmniOS, To get access to the software, I launched the Package Manager from the desktop icon and first added the Solaris 11 IPS Packages Repository as a publisher using File -> Add Publisher... with the URI http://sfe.opencsw.org/localhosts11.

Supratim Sanyal's Blog: Adding Solaris 11 SFE Repository to Package Manager using Publisher URI
Adding Solaris 11 SFE Repository to Package Manager using Publisher URI
On clicking "Add", the Package Manager downloads, refreshes and caches the new catalog, and reports success in a pop-up window when all done.

Install fusefs on Oracle Solaris 11.3 to read/write NTFS volumes

To install FUSE (File System in User Space), I searched for "fuse" in the Package Manager searchbox at the top right, checked the fusefs from publisher localhosts11 and library/libfuse from publisher solaris check-boxes, and clicked on "Install/Update". I then clicked Proceed on the Install Confirmation pop-up.

Supratim Sanyal's Blog: Install FUSE file system and FuseFS libraries on Solaris 11
Install FUSE file system and FuseFS libraries on Solaris 11
After installing fusefs, I rebooted the system just to start clean since fusefs is a kernel module.

Install ntfs-3g on Oracle Solaris 11.3 to read/write NTFS volumes

Installing ntfs-3g turned out to be a bit tricky, and I had to build and install it from the source package. The problem with the ntfs-3g binary package is it includes the tools in the ntfsprogs package which was already installed in the Oracle Solaris 11.3 VirtualBox Virtual Machine distribution. Trying to uninstall ntfsprogs threw up dependencies on GParted and partition manager tools that I did not want to uninstall in turn because they are so useful. Building and installing ntfs-3g from source actually overwrites the ntfsprogs tools without requiring complex resolution of dependencies by uninstalling useful programs.

I installed the ntfs-3g/src source package from the SFE localhosts11 repository using the package manager.

Supratim Sanyal's Blog: NTFS-3G Source Package Installation on Solaris 11.3 for Read-Write NTFS Volume Support
NTFS-3G Source Package Installation on Solaris 11.3

Installing the ntfs-3g source package ntfs-3g/src using the Package Manager basically dropped the compressed source tarball at /usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2.tgz. I uncompressed, built and installed ntfs-3g from this source tarball:

root@solaris11-3:~# cd /usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES# tar xvzf ntfs-3g_ntfsprogs-2016.2.22AR.2.tgz
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES# cd ntfs-3g_ntfsprogs-2016.2.22AR.2
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2# ./configure
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2# make
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2# make install

Here is a log of the complete terminal session of building ntfs-3g on Solaris from source and installing it.


Mounting the NTFS Volume

The device name for the NTFS partition of the external USB drive is /dev/dsk/c3t0d0p1  as I had found by running GParted previously. With fusefs and ntfs-3g now installed, we can now finally mount the NTFS volume from the USB disk on a directory:

root@solaris11-3:~# mkdir /media/USB-Storage
root@solaris11-3:~# lowntfs-3g /dev/dsk/c3t0d0p1 /media/USB-Storage/
The disk contains an unclean file system (0, 0).
The file system wasn't safely closed on Windows. Fixing.

The "The disk contains an unclean file system (0, 0). The file system wasn't safely closed on Windows. Fixing." message typically happens during mounting a NTFS volume on Solaris 11.3 using lowntfs-3g or ntfs-3g if the volume was previously mounted on Windows and Windows was shut down in the "hybrid" fast-startup (fastboot) mode.

A quick test to make sure we can write to and read from the NTFS volume, and we are all set on a read-write NTFS volume mounted on Solaris 11.3 using fuse and ntfs-3g.

root@solaris11-3:~# mount
...
/media/USB-Storage on /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r read/write/nosetuid/nodevices/rstchown/dev=5080000 on Fri Jun  9 03:30:14 2017
root@solaris11-3:~# cp /etc/release /media/USB-Storage/
root@solaris11-3:~# ls -l /media/USB-Storage/
total 305
drwxrwxrwx   1 root     root           0 Jun  2 23:54 $RECYCLE.BIN
-rwxrwxrwx   1 root     root         187 Jun  9 03:37 release
drwxrwxrwx   1 root     root      151552 Jun  7 19:16 sanyalnet-shared
drwxrwxrwx   1 root     root        4096 Jun  2 23:55 System Volume Information

Once the NTFS volume is mounted and available, Solaris 11.3 even places an icon for the new NTFS volume on the desktop automatically. Double-clicking on this new icon opens up File Browser showing the files contained in the NTFS volume:

Desktop Icon for External USB Hard Disk NTFS Volume on Solaris 11.3

Auto-mount NTFS volume on Solaris 11.3 using ntfs-3g and fuse

To mount the USB HDD automatically on reboot of Solaris 11.3, I created a file /etc/rc.local with the following contents

# ---
# /etc/rc.local
#
# Commands to execute at end of boot
# This is a linked from /etc/rc3.d/S99local
# Solaris 11 still supports this
# ---
/usr/bin/lowntfs-3g /dev/dsk/c3t0d0p1 /media/USB-Storage/

and then placed a symbolic link from /etc/rc3.d/S99local to /etc/rc.local 

# chmod +x /etc/rc.local
# ln -s /etc/rc.local /etc/rc3.d/S99local
# ls -l /etc/rc.local /etc/rc3.d/S99local
-rwxr-xr-x   1 root     root         357 Jan 23 19:30 /etc/rc.local
lrwxrwxrwx   1 root     root          13 Jan 20 19:12 /etc/rc3.d/S99local -> /etc/rc.local

Then I rebooted and verified if the auto-mount on boot worked.

root@solaris11-3:~# uptime
  1:48pm  up 13 min(s),  2 users,  load average: 2.64, 1.84, 1.01
root@solaris11-3:~# dmesg | grep lowntfs
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Version 2016.2.22AR.2 integrated FUSE 27
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Requested device /dev/dsk/c3t0d0p1 canonicalized as /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Mounted /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r (Read-Write, label "WD My Book 1110 External HDD USB", NTFS 3.1)
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Cmdline options:
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Mount options: allow_other,nonempty,relatime,fsname=/devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Ownership and permissions disabled, configuration type 6
root@solaris11-3:~# mount | grep -i USB-Storage
/media/USB-Storage on /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r read/write/nosetuid/nodevices/rstchown/dev=5080000 on Fri Jun  9 13:44:18 2017
root@solaris11-3:~# ls -l /media/USB-Storage/
total 305
drwxrwxrwx   1 root     root           0 Jun  2 23:54 $RECYCLE.BIN
-rwxrwxrwx   1 root     root         187 Jun  9 03:37 release
drwxrwxrwx   1 root     root      151552 Jun  7 19:16 sanyalnet-shared
drwxrwxrwx   1 root     root        4096 Jun  2 23:55 System Volume Information

Looks like everything worked and we are all set!


Configure final IP v4 address and Default Routing Gateway

I reconfigured Solaris 11 networking to the final production IP v4 address and gateway, based on excellent online documentation provided by Oracle including Creating Persistent (Static) Routes and Configuring IP Interfaces. I have no use for IPv6 which I did not configure.


Configure Solaris 11.3 IP Address

root@solaris11-3:~# dladm show-phys
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
net0              Ethernet             up         1000   full      e1000g0
root@solaris11-3:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
root@solaris11-3:~# ipadm show-if
IFNAME     CLASS    STATE    ACTIVE OVER
lo0        loopback ok       yes    --
net0       ip       ok       yes    --
root@solaris11-3:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   ok           10.200.0.50/24
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::a00:27ff:fe11:52f/10
root@solaris11-3:~# ipadm delete-ip net0
root@solaris11-3:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
lo0/v6            static   ok           ::1/128
root@solaris11-3:~# ipadm create-ip net0
root@solaris11-3:~# ipadm create-addr -T static -a 10.42.2.3/24 net0/v4
root@solaris11-3:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   ok           10.42.2.3/24
lo0/v6            static   ok           ::1/128



Configure Solaris 11.3 Routing Default Gateway

root@solaris11-3:~# route -p show
persistent: route add default 10.200.0.1
root@solaris11-3:~# route -p flush
delete persistent net default: gateway 10.200.0.1
default              10.200.0.1           done
root@solaris11-3:~# route -p show
No persistent routes are defined
root@solaris11-3:~# route -p add default 10.42.2.1
add net default: gateway 10.42.2.1
add persistent net default: gateway 10.42.2.1
root@solaris11-3:~# route -p show
persistent: route add default 10.42.2.1


The completed reconfigured network configuration looks like this.

root@solaris11-3:~# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
net0: flags=100001000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,PHYSRUNNING> mtu 1500 index 2
        inet 10.42.2.3 netmask ffffff00 broadcast 10.42.2.255
        ether 8:0:27:11:5:2f
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
net0: flags=120002000840<RUNNING,MULTICAST,IPv6,PHYSRUNNING> mtu 1500 index 2
        inet6 ::/0
        ether 8:0:27:11:5:2f

root@solaris11-3:~# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.42.2.1            UG        6       3228
10.42.2.0            10.42.2.3            U         5       1550 net0
127.0.0.1            127.0.0.1            UH        2          4 lo0

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If
--------------------------- --------------------------- ----- --- ------- -----
::1                         ::1                         UH      2      32 lo0


Wrapping Up


Install fail2ban with intrusion reporting to blocklist.de


I installed and configured fail2ban with reporting to my existing server account at blocklist.de by first executing:

root@solaris11-3:~# pkg install network/fail2ban
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

 DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         99/99      0.1/0.1 47.8k/s

 PHASE                                          ITEMS
Installing new actions                       134/134
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           4/4
root@solaris11-3:~# svcs -xv fail2ban
svc:/network/fail2ban:default (?)
 State: disabled since June 10, 2017 06:52:11 PM UTC
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: /var/svc/log/network-fail2ban:default.log
Impact: This service is not running.
root@solaris11-3:~# svcadm refresh fail2ban
root@solaris11-3:~# svcadm enable fail2ban
root@solaris11-3:~# svcs -xv fail2ban
svc:/network/fail2ban:default (?)
 State: online since June 10, 2017 06:53:35 PM UTC
   See: /var/svc/log/network-fail2ban:default.log
Impact: None.

and then grabbed action.d/blocklist_de.local from here. I then took help from my prior post about Fail2Ban on openindiana "Fail2Ban Intrusion Prevention on Solaris 11 OPENINDIANA SunOS 5.11 Illumos with Reporting to Blocklist.de" to configure it with full reporting capability to blocklist.de.


Other final reconfiguration


I then reconfigured the ProFTP FTP server to use a folder on the external USB drive as ftproot. Finally I zeroed out the empty space on the ZFS file system and compacted the virtual machine hard drive, took a backup and put it into production at http://sanyal.duckdns.org:81.







at

No comments:

Post a Comment

"SEO" link builders: move on, your spam link will not get posted.

Note: Only a member of this blog may post a comment.