HP-UX System Administration manual: clog Network Port Usage, Using Bastille to Harden the System

Page 79

In general, using ssh port forwarding requires that the log consolidation server and the log forwarding client perform a key exchange. Specifically, the ssh public key of the remote log forwarding client must be added to the consolidation server's authorized_keys file, and the consolidation server's host key (identified by its fingerprint) is added to the log forwarding client's /.ssh/known_hosts file. After this key exchange the client log forwarder is a trusted system, and the consolidation server does not need to prompt for an ssh password.

Since the consolidation server is a Serviceguard package, it can potentially run on any member of the cluster. The key exchange between the remote log forwarding client and a cluster member must therefore be replicated for each cluster member: every member has to establish the same trust relationship with the log forwarding clients.

A problem can arise with the log forwarding client's known_hosts entries. When the package's relocatable IP address is used for the initial ssh key exchange, the client adds the host key of the node currently running the package, under that address, to its local /.ssh/known_hosts file. When the package fails over and the ssh connection is re-established, the new adoptive node presents a different host key. ssh treats a changed key for a known address as a possible man-in-the-middle attack (the client reports that the remote host identification has changed) and refuses to re-establish the ssh tunnel.

In order to prevent this, each cluster member must look like the same system from the perspective of the log forwarding clients. This can be achieved by having each cluster member use an identical host key. The ssh host keys are located in /opt/ssh/etc and contained in the following files:

ssh_host_key

ssh_host_key.pub

ssh_host_dsa_key

ssh_host_dsa_key.pub

ssh_host_rsa_key

ssh_host_rsa_key.pub

Pick one of the cluster members and copy these files to the same directory on the other cluster members. Using the "cluster copy" or ccp tool is a quick way to do this, using the following commands:

# cd /opt/ssh/etc
# ccp ssh_host_* /opt/ssh/etc

These files include the private host keys, so keep their ownership and mode as they are on the source member (readable only by root), and restart the sshd daemon on each member that received new keys so that it loads them; sshd reads its host keys at startup.

Then, from each log forwarding client, perform a standard ssh key exchange with the relocatable IP address (or DNS name) of the clog package. One way to do this is using the csshsetup tool (see csshsetup(1)), as follows:

# csshsetup <DNS name of the clog package>

csshsetup prompts for the cluster's password in order to perform the initial key exchange.
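The failure mode above, and a check that the host-key copy actually fixed it, as an added example that is not code from the DSAU guide: the script computes the SHA256 fingerprint of each member's ssh_host_rsa_key.pub the way ssh-keygen -l does, finds what the forwarding client has pinned for the package address in its /.ssh/known_hosts (plain and HashKnownHosts-style entries), and reports which members would make ssh refuse the tunnel after a failover. The member names, the package address clog.abc.xyz.com / 10.0.0.100 and all key material are constructed for the example; only the fingerprint and known_hosts formats are OpenSSH's.

```python
"""Check that every cluster member presents the host key a log forwarding
client has pinned for the clog package address.

Added example, not part of the HP-UX DSAU guide.  All key material and the
known_hosts contents are constructed; only the fingerprint format
(ssh-keygen -l -E sha256) and the known_hosts line format are OpenSSH's.
"""
import base64
import hashlib
import hmac


def _fake_pubkey(seed: str, comment: str) -> str:
    """Constructed stand-in for /opt/ssh/etc/ssh_host_rsa_key.pub (not real RSA material)."""
    blob = base64.b64encode(f"constructed host key {seed}".encode()).decode()
    return f"ssh-rsa {blob} {comment}"


def hash_known_host(host: str, salt: bytes) -> str:
    """Name field as HashKnownHosts writes it: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# --- constructed sample data -------------------------------------------------
# ssh_host_rsa_key.pub on each member before the ccp step reached node3 ...
MEMBER_KEYS_BEFORE_COPY = {
    "node1": _fake_pubkey("A", "root@node1"),
    "node2": _fake_pubkey("A", "root@node2"),
    "node3": _fake_pubkey("B", "root@node3"),
}
# ... and after the copy, when every member carries node1's key.
MEMBER_KEYS_AFTER_COPY = {m: _fake_pubkey("A", "root@" + m) for m in MEMBER_KEYS_BEFORE_COPY}

# /.ssh/known_hosts on a log forwarding client after csshsetup against the
# package address, which node1 was hosting at the time.  The last entry is a
# hashed line of the kind HashKnownHosts produces for a member's own name.
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts on a log forwarding client",
    "clog.abc.xyz.com,10.0.0.100 " + MEMBER_KEYS_BEFORE_COPY["node1"],
    hash_known_host("node2.abc.xyz.com", b"0123456789abcdef0123") + " " + MEMBER_KEYS_BEFORE_COPY["node2"],
    "",
])


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -l -E sha256 -f file.pub`."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line: %r" % pubkey_line)
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _names_match(names_field: str, host: str) -> bool:
    """Match a known_hosts name field (comma list or hashed form) against host."""
    if names_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = names_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)
    return host in names_field.split(",")


def pinned_fingerprint(known_hosts: str, host: str):
    """Fingerprint the client has pinned for host, or None if there is no entry."""
    for line in known_hosts.splitlines():
        line = line.strip()
        # skip blanks, comments and @cert-authority/@revoked marker lines,
        # which are not plain pinned keys
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        if _names_match(fields[0], host):
            return fingerprint(fields[1] + " " + fields[2])
    return None


def check_failover_safety(member_keys: dict, known_hosts: str, package_host: str) -> dict:
    """Will the client's tunnel to package_host survive a failover to every member?"""
    fps = {member: fingerprint(key) for member, key in member_keys.items()}
    pinned = pinned_fingerprint(known_hosts, package_host)
    distinct = sorted(set(fps.values()))
    return {
        "pinned": pinned,
        "identical_across_cluster": len(distinct) == 1,
        # a failover to any of these members makes ssh report a changed
        # host key for the package address and refuse the tunnel
        "members_that_break_the_tunnel": sorted(m for m, fp in fps.items() if fp != pinned),
        "failover_safe": pinned is not None and distinct == [pinned],
    }


if __name__ == "__main__":
    for label, keys in (("before ccp", MEMBER_KEYS_BEFORE_COPY), ("after ccp", MEMBER_KEYS_AFTER_COPY)):
        print(label, check_failover_safety(keys, KNOWN_HOSTS, "clog.abc.xyz.com"))
```

On a real cluster the same comparison is `ssh-keygen -l -f /opt/ssh/etc/ssh_host_rsa_key.pub` run on every member against the entry for the package address in the client's known_hosts; any member whose fingerprint differs is one the ccp step missed, and it will break the tunnel the first time the package fails over to it.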

3.5.3 clog Network Port Usage

syslog and syslog-ng require specific network ports to be available for correct operation. These ports are the following:

UDP 514 – used by syslogd clients to forward log messages.

Administrator-selected TCP port – the administrator chooses the TCP port on which a syslog-ng log consolidator receives messages.

TCP port 22 – when ssh port forwarding is used to create encrypted tunnels, the remote clients communicate with the log consolidation server's sshd daemon. In a default configuration, this daemon listens on TCP port 22.

3.5.4 Using Bastille to Harden the System

Bastille is a security-hardening lockdown tool that can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by

Distributed Systems Administration Utilities User's Guide, Copyright 2009 Hewlett-Packard Development Company, L.P.