$&$ | Black Box Secure Device Servers, 1102, 1101

Chapter 15: Advanced Configuration

To set the Username field (SNMP version 3 only):

config --set config.system.snmp.username2=yourusername

.. replacing yourusername with the username config.system.snmp.username2 (3 only)

To set the Engine ID field (SNMP version 3 only)

config --set config.system.snmp.password2=yourpassword

.. replacing yourpassword with the password

Once the fields are set, apply the configuration with the following command:

config --run snmp

You can add a third or more SNMP servers by incrementing the "2" in the above commands, for example, config.system.snmp.protocol3, config.system.snmp.address3, etc.

$&' ! "

This section covers how to generate public and private keys in a Linux and Windows environment and configure SSH for public key authentication. The steps to use in a Clustering environment are:

•Generate a new public and private key pair.

•Upload the keys to the Master and to each Slave console server.

•Fingerprint each connection to validate.

$&'$

Popular TCP/IP applications such as telnet, rlogin, ftp, and others transmit their passwords unencrypted. Doing this across pubic networks like the Internet can have catastrophic consequences. It leaves the door open for eavesdropping, connection hijacking, and other network-level attacks.

Secure Shell (SSH) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.

OpenSSH, the de facto open source SSH application, encrypts all traffic (including passwords) to effectively eliminate these risks. Additionally,

OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods.

OpenSSH is the port of OpenBSD's excellent OpenSSH[0] to Linux and other versions of Unix. OpenSSH is based on the last free sample implementation with all patent-encumbered algorithms removed (to external libraries), all known security bugs fixed, new features reintroduced, and many other clean-ups. The only changes in the Black Box SSH implementation are:

PAM support

EGD[1]/PRNGD[2] support and replacements for OpenBSD library functions that are absent from other versions of UNIX

The config files are now in /etc/config. for example /etc/config/sshd_config instead of /etc/sshd_config /etc/config/ssh_config instead of /etc/ssh_config /etc/config/users/<username>/.ssh/ instead of /home/<username>/.ssh/

$&'% !"

To generate new SSH key pairs use the Linux ssh-keygencommand. This will produce an RSA or DSA public/private key pair and you will be prompted for a path to store the two key files, for example, id_dsa.pub (the public key) and id_dsa (the private key). For example:

$ ssh-keygen -t [rsadsa]

Generating public/private [rsadsa] key pair.

Enter file in which to save the key (/home/user/.ssh/id_[rsadsa]):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/user/.ssh/id_[rsadsa].

Your public key has been saved in /home/user/.ssh/id_[rsadsa].pub.

724-746-5500 blackbox.com

147

Image 147

Black Box Secure Device Servers, 1102, 1101 manual $& ! , $&$

Contents

1102 Secure Device Servers 1102 Secure Device Servers FCC and IC RFI Statements Normas Oficiales Mexicanas NOM Electrical Safety Statement Trademarks Used in this Manual Table of Contents Local Authentication Tacacs Authentication SMS Alerts Snmp AlertsAdd a New Alert 110 106107 108 Fingerprinting Installing the Key and CertificatePowerMan Tool Pmpower Tool Specifications Specifications Overview 2.1 Introduction Manual OrganizationTypes of Users Overview Management ConsoleHardware Description 2.5.1 LES1101A Front Panel RJ-45 Ethernet Activity Number Component Description DB9 connector2 LES1101A Back Panel Ethernet Connectivity LED 3 LES1102A Front Panel Number Component Description Barrel connector PowerLED left side of connector Ethernet Connectivity LED LED right side of connector Ethernet Activity LED What’s Included 1 LES1101A2 LES1102A Network Connection InstallationInstallation Power Connection Non RS-232 Serial Port Pinouts- LES1102A TX + Non RS-232 Serial Port Pinouts- LES1101A+3V RX+ TX+ +VIN System Configuration Connected PC/Workstation SetupManagement Console Connection Browser connection System Configuration Administrator Password Network IP Address IPv6 configuration System Services System Services screen Forwarded to SDT ConnectorSDT connector SSH encrypted Communications Software SSHTerm PuTTY Configure Serial Ports Serial Port, Host, Device, and User Configuration Common Settings Serial Port, Host, Device, and User Configuration Console Server Mode Serial Port, Host, Device, and User Configuration 1102 Secure Device Servers SDT Mode Device RPC, UPS, EMD Mode Terminal Server ModeSerial Bridging Mode Local Ethernet LAN LES1102A COM port Syslog Add/ Edit Users Serial Port, Host, Device, and User Configuration Network Hosts Authentication Serial Port Redirection Trusted Networks LES1102A Retail data systems Managed Devices Serial Port, Host, Device, and User Configuration Secure SSH Tunneling and SDT Connector Secure LocalLES1102A Serial Connected SDT Connector installation Secure SSH Tunneling and SDT ConnectorConfiguring for SSH Tunneling to Hosts SDT Connector Client Configuration 1102 Secure Device Servers Secure SSH Tunneling and SDT Connector Make an SDT Connection through the Gateway to a Host Manually Adding Hosts to the SDT Connector Gateway 10. Clients Manually Adding New Services to the New Hosts 1102 Secure Device Servers Adding a Client Program to be Started for the New Service 16. Telnet client Click OK 17. Edit SDT host screen SDT Connector to Management Console 1102 Secure Device Servers Secure SSH Tunneling and SDT Connector Importing and Exporting Preferences SDT Connector Public Key Authentication Setting up SDT for Remote Desktop Access 23. Remote Desktop Users dialog box Configure the Remote Desktop Connection Client Use -p to receive password prompt Computer, enter the appropriate IP Address and Port NumberGeometry width x height or 70% screen percentage SDT SSH Tunnel for VNC For Linux servers and clients Install, Configure, and Connect the VNC Viewer 30. VNC authentication 1102 Secure Device Servers 33. Incoming TCP/IP properties Set up SDT Serial Ports on Console Server Address of port01. Then select the RDP Service check box SSH Tunneling Using other SSH Clients for example, PuTTY 1102 Secure Device Servers Secure SSH Tunneling and SDT Connector 1102 Secure Device Servers Email Alerts Configure SMTP/SMS/SNMP/Nagios Alert ServiceAlerts and Logging Alerts and Logging SMS Alerts Snmp AlertsSelect Alerts & Logging Snmp Activate Alert Events and Notifications Nagios Alerts Add a New Alert Configuring General Alert Types Serial port signal alert This alert type monitors UPSes, RPCs, and power devices Configuring Power Alert Type Remote Log Storage Serial Port LoggingNetwork TCP or UDP Port Logging 1102 Secure Device Servers RPC Connection Power ManagementPower Management Remote Power Control RPC 1102 Secure Device Servers User Power Management RPC Access Privileges and Alerts Uninterruptible Power Supply Control UPS RPC StatusTurn on Turn OFF Cycle Status Serial, USB, or Network Connections Managed Managed UPS Connections Click Add Managed UPS As Device Type UPS and clicking Apply Power Management Remote UPS Management Controlling UPS Powered Computers UPS AlertsUPS Status 12. Log table Overview of Network UPS Tools NUT Refer to 1102 Secure Device Servers Tacacs Authentication AuthenticationAuthentication Configuration Local Authentication Enter the Server Password Radius Authentication RADIUS/TACACS User Configuration Ldap Authentication Radius Example PAM Pluggable Authentication ModulesPamtacplus Pamldap SSL certificates screen SSL Certificate Organizational Unit Challenge PasswordConfirm Challenge Password Common name Upload button LES1102A Network Managed hosts Services Nagios IntegrationNagios Overview Central Management and Setting Up SDT for Nagios Nagios IntegrationDistributed console servers Black Box console servers Setup Distributed Console Servers Setup Central Nagios Server Description enter Administrator connection Configuring Nagios Distributed Monitoring Enable Nagios on the Console ServerSelect Users & Groups from the Serial & Network menu Tunneled SSH LES1102A Sendncsa Program/script Nagios Enable Nrpe MonitoringEnable Nsca Monitoring LES1102A Serial Check Nagios Configure Selected Serial Ports for Nagios Monitoring Configure Selected Network Hosts for Nagios MonitoringConfigure the Upstream Nagios Monitoring Host Hostname Server Use Generic-service Commandname checknrpedaemon CommandlineCommandname checkserialstatus Commandline Define service Checkportlog Define service Servicedescription port-log-serverServer Use Generic-service Activechecksenabled Passivechecksenabled Number of Supported Devices Basic Nagios Plug-Ins Distributed Monitoring Usage Scenarios Using Nagios in a local office Remote site Remote site with restrictive firewall System Management System Administration and Reset System Management Upgrade Firmware Configuration Backup Configure Date and Time 109 Statistics Port Access and Active UsersSelect the Status Port Access Status Reports Support Reports Status Reports Select Status Syslog Dashboard Configure dashboard screen Configuring the Dashboard Echo table Creating Custom Widgets for the Dashboard Port and Host Logs ManagementManagement Device Management Select Manage Terminal Serial Port Terminal Connection Select Manage Power Accessing config from the Command Line Configuration from the Command Line # config -g config Configuration from the Command LineConfig tool # config -g config.users.user1.description Serial Port Configuration SDT mode Device Mode Adding and Removing Users Terminal server modeSerial bridge mode Syslog settings # config -r users # ./delete-node config.users.user2 # rmuser Group7 # config -g config.groups.total# config -a Adding and Removing User Groups # config -s config.sdt.hosts.total=4 List of remote authentiction and authorization servers# config -r auth # config -g config.sdt.hosts.total # config -g config.portaccess.total Log level for services# config -g config.devices.total # config -hosts UPS Connections # config -s config.cascade.slaves.total=1# config -r cascade Cascaded Ports Remote UPSes # config -s config.ups.monitors.total=1# config -d config.ups.monitors.monitor1 RPC Connections To delete the above managed device # config -d config.devices.device8To configure serial/network port logging Port Log Connection Alert General settings for all alertsSignal Alert Alerts Smtp and SMS UPS Power Status AlertPower Sensor Alert # config -r alerts Administration IP SettingsSnmp Date and Time Settings Services # config -r timeDhcp Server Nagios Enable SDT for Nagios ext Enabled SDT gateway addressPrefer Nrpe over Nsca Disabled defaults to Disabled To configure Nrpe with following settings Nrpe port Advanced Configuration ! Bin/sh /etc/scripts/alert-email $suffix # ./delete-node config.users.user3 Echo Warning $TOTALNODE greater than number of items NEWTOTAL=$ $TOTAL Add the following line to rc.local# loop indefinitely While true do # /etc/scripts/backup-usb check-magic # configEtc/config/scripts/config-post Usage /etc/scripts/backup-usb Command File Etc/config/pmshell-start.sh #!/bin/sh PORT=$1 USER=$2 To set the Community field Snmp version 1 and 2c only Config --set config.system.snmp.address2=w.x.y.zConfig --set config.system.snmp.trapport2=162 To set the Manager Address field $& ! $&$ $&% ! $ mkdir keys $ ssh-keygen -t rsa Chown fred /etc/config/users/fred/.ssh/authorizedkeys#$! #$ Http//openssh.org/portable.html ! Http//www openbsd.org/cgi-bin/man.cgi?query=sshdOpenSSH Windows http//sshwindows.sourceforge.net/download Offending key in /.ssh/knownhosts1 # ssh remhost Ab7e33bd85505a430be0bd433f1ca5f8 Client Keys Uploading Keys Authorized Keys !! +- ! !$ % #% #$! #$ #% Target Specification Powerstrip IdName or ID of the device support/id Powerstrip Username PpasswordPport Targetaddress # #%& GNU Bourne-Again Shell Appendix a Linux Commands and Source CodeAppendix A. Linux Commands and Source Code Add a group or add an user to a group Add an user Iptables-save LoginReboot Ip6tables Smbmount VconfigSleep Smbmnt 164