Manuals / Black Box / Marine Equipment / Marine Safety Devices

Black Box 1101, Secure Device Servers, 1102 manual , Client Keys

Models: 1101 1102 Secure Device Servers

1 164

Download 164 pages 30.63 Kb

Page 152

1101 and 1102 Secure Device Servers

If the host key has been legitimately changed, it can be removed from the ~/.ssh/known_hosts file and the new fingerprint added. If it has not changed, this indicates a serious problem that should be investigated immediately.

You have the option to apply SSH tunneling when two Black Box console servers are configured for serial bridging.

Ethernet LAN

LES1101A		LES1101A

Serially connected device (for

COM port connectedexample, security appliance) control PC

Figure 15-4. SSH tunneling and bridging.

As detailed in Chapter 5, the Server console server is setup in Console server mode with either RAW or RFC2217 enabled and the Client console server is set up in Serial Bridging Mode with the Server Address, and Server TCP Port (4000 + port for RAW or 5000 + port # for RFC2217) specified:

Select SSH Tunnel when configuring the Serial Bridging Setting.

Figure 15-5. Serial bridge settings.

Next, you will need to set up SSH keys for each end of the tunnel and upload these keys to the Server and Client console servers.

Client Keys:

The first step in setting up ssh tunnels is to generate keys. Ideally, you will use a separate, secure machine to generate and store all keys to be used on the console servers. If this is not ideal for your situation, keys may be generated on the console servers themselves.

It is possible to generate only one set of keys, and reuse them for every SSH session. While we do not recommend this, each organization will need to balance the security of separate keys against the additional administration they bring.

Generated keys may be one of two types—RSA or DSA (and it is beyond the scope of this document to recommend one over the other). RSA keys will go into the files id_rsa and id_rsa.pub. DSA keys will be stored in the files id_dsa and id_dsa.pub.

For simplicity going forward, the term private key will be used to refer to either id_rsa or id_dsa and public key to refer to either id_rsa.pub or id_dsa.pub.

152	724-746-5500 blackbox.com

Image 152

Black Box 1101, Secure Device Servers, 1102 manual , Client Keys

Contents

1102 Secure Device Servers 1102 Secure Device Servers Normas Oficiales Mexicanas NOM Electrical Safety Statement FCC and IC RFI StatementsTrademarks Used in this Manual Table of Contents Add a New Alert Local Authentication Tacacs AuthenticationSMS Alerts Snmp Alerts 106 107108 110Installing the Key and Certificate PowerMan ToolPmpower Tool FingerprintingSpecifications SpecificationsTypes of Users Overview 2.1 IntroductionManual Organization Hardware Description 2.5.1 LES1101A Front Panel OverviewManagement Console Number Component Description DB9 connector 2 LES1101A Back PanelEthernet Connectivity LED RJ-45 Ethernet ActivityNumber Component Description Barrel connector Power LED left side of connector Ethernet Connectivity LEDLED right side of connector Ethernet Activity LED 3 LES1102A Front Panel2 LES1102A What’s Included1 LES1101A Installation InstallationPower Connection Network ConnectionNon RS-232 Serial Port Pinouts- LES1102A Non RS-232 Serial Port Pinouts- LES1101A +3VRX+ TX+ +VIN TX +Management Console Connection System ConfigurationConnected PC/Workstation Setup System Configuration Browser connectionAdministrator Password Network IP Address System Services IPv6 configurationSystem Services screen SDT Connector SDT connector SSH encryptedCommunications Software Forwarded toPuTTY SSHTermSerial Port, Host, Device, and User Configuration Configure Serial PortsSerial Port, Host, Device, and User Configuration Common SettingsConsole Server Mode Serial Port, Host, Device, and User Configuration 1102 Secure Device Servers SDT Mode Serial Bridging Mode Device RPC, UPS, EMD ModeTerminal Server Mode Syslog Local Ethernet LAN LES1102A COM portAdd/ Edit Users Serial Port, Host, Device, and User Configuration Authentication Network HostsTrusted Networks Serial Port RedirectionManaged Devices LES1102A Retail data systemsSerial Port, Host, Device, and User Configuration LES1102A Serial Connected Secure SSH Tunneling and SDT ConnectorSecure Local Secure SSH Tunneling and SDT Connector Configuring for SSH Tunneling to HostsSDT Connector Client Configuration SDT Connector installation1102 Secure Device Servers Secure SSH Tunneling and SDT Connector Manually Adding Hosts to the SDT Connector Gateway Make an SDT Connection through the Gateway to a HostManually Adding New Services to the New Hosts 10. Clients1102 Secure Device Servers Adding a Client Program to be Started for the New Service 16. Telnet client Click OK SDT Connector to Management Console 17. Edit SDT host screen1102 Secure Device Servers Secure SSH Tunneling and SDT Connector SDT Connector Public Key Authentication Importing and Exporting PreferencesSetting up SDT for Remote Desktop Access Configure the Remote Desktop Connection Client 23. Remote Desktop Users dialog boxGeometry width x height or 70% screen percentage Use -p to receive password promptComputer, enter the appropriate IP Address and Port Number SDT SSH Tunnel for VNC For Linux servers and clients Install, Configure, and Connect the VNC Viewer 30. VNC authentication 1102 Secure Device Servers 33. Incoming TCP/IP properties Set up SDT Serial Ports on Console Server SSH Tunneling Using other SSH Clients for example, PuTTY Address of port01. Then select the RDP Service check box1102 Secure Device Servers Secure SSH Tunneling and SDT Connector 1102 Secure Device Servers Configure SMTP/SMS/SNMP/Nagios Alert Service Alerts and LoggingAlerts and Logging Email AlertsSelect Alerts & Logging Snmp SMS AlertsSnmp Alerts Nagios Alerts Activate Alert Events and NotificationsConfiguring General Alert Types Add a New AlertSerial port signal alert Configuring Power Alert Type This alert type monitors UPSes, RPCs, and power devicesNetwork TCP or UDP Port Logging Remote Log StorageSerial Port Logging 1102 Secure Device Servers Power Management Power ManagementRemote Power Control RPC RPC Connection1102 Secure Device Servers RPC Access Privileges and Alerts User Power ManagementTurn on Turn OFF Cycle Status Uninterruptible Power Supply Control UPSRPC Status Managed UPS Connections Serial, USB, or Network Connections ManagedAs Device Type UPS and clicking Apply Click Add Managed UPSPower Management Remote UPS Management UPS Status Controlling UPS Powered ComputersUPS Alerts Overview of Network UPS Tools NUT 12. Log tableRefer to 1102 Secure Device Servers Authentication Authentication ConfigurationLocal Authentication Tacacs AuthenticationRadius Authentication Enter the Server PasswordLdap Authentication RADIUS/TACACS User ConfigurationPAM Pluggable Authentication Modules PamtacplusPamldap Radius ExampleSSL Certificate SSL certificates screenChallenge Password Confirm Challenge PasswordCommon name Organizational UnitUpload button Nagios Overview LES1102A Network Managed hosts ServicesNagios Integration Distributed console servers Black Box console servers Central Management and Setting Up SDT for NagiosNagios Integration Setup Central Nagios Server Setup Distributed Console ServersDescription enter Administrator connection Select Users & Groups from the Serial & Network menu Configuring Nagios Distributed MonitoringEnable Nagios on the Console Server Enable Nrpe Monitoring Enable Nsca MonitoringLES1102A Serial Check Nagios Tunneled SSH LES1102A Sendncsa Program/script NagiosConfigure the Upstream Nagios Monitoring Host Configure Selected Serial Ports for Nagios MonitoringConfigure Selected Network Hosts for Nagios Monitoring Commandname checknrpedaemon Commandline Commandname checkserialstatus CommandlineDefine service Hostname Server Use Generic-serviceDefine service Servicedescription port-log-server Server Use Generic-serviceActivechecksenabled Passivechecksenabled CheckportlogBasic Nagios Plug-Ins Number of Supported DevicesUsing Nagios in a local office Remote site Distributed Monitoring Usage ScenariosRemote site with restrictive firewall System Administration and Reset System ManagementUpgrade Firmware System ManagementConfigure Date and Time Configuration Backup109 Port Access and Active Users Select the Status Port AccessStatus Reports StatisticsStatus Reports Support ReportsDashboard Select Status SyslogConfiguring the Dashboard Configure dashboard screenCreating Custom Widgets for the Dashboard Echo tableManagement ManagementDevice Management Port and Host LogsSerial Port Terminal Connection Select Manage TerminalSelect Manage Power Configuration from the Command Line Accessing config from the Command LineConfiguration from the Command Line Config tool# config -g config.users.user1.description # config -g configSerial Port Configuration Device Mode SDT modeTerminal server mode Serial bridge modeSyslog settings Adding and Removing Users# ./delete-node config.users.user2 # config -r users# config -g config.groups.total # config -aAdding and Removing User Groups # rmuser Group7List of remote authentiction and authorization servers # config -r auth# config -g config.sdt.hosts.total # config -s config.sdt.hosts.total=4Log level for services # config -g config.devices.total# config -hosts # config -g config.portaccess.total# config -s config.cascade.slaves.total=1 # config -r cascadeCascaded Ports UPS Connections# config -s config.ups.monitors.total=1 # config -d config.ups.monitors.monitor1RPC Connections Remote UPSes# config -d config.devices.device8 To configure serial/network port loggingPort Log To delete the above managed deviceGeneral settings for all alerts Signal AlertAlerts Connection AlertUPS Power Status Alert Power Sensor Alert# config -r alerts Smtp and SMSSnmp AdministrationIP Settings Date and Time Settings Dhcp Server Services# config -r time Enable SDT for Nagios ext Enabled SDT gateway address Prefer Nrpe over Nsca Disabled defaults to DisabledTo configure Nrpe with following settings Nrpe port Nagios Bin/sh /etc/scripts/alert-email $suffix Advanced Configuration! # ./delete-node config.users.user3 NEWTOTAL=$ $TOTAL Echo Warning $TOTALNODE greater than number of items# loop indefinitely While true do Add the following line to rc.local # config Etc/config/scripts/config-postUsage /etc/scripts/backup-usb Command File # /etc/scripts/backup-usb check-magic Etc/config/pmshell-start.sh #!/bin/sh PORT=$1 USER=$2 Config --set config.system.snmp.address2=w.x.y.z Config --set config.system.snmp.trapport2=162To set the Manager Address field To set the Community field Snmp version 1 and 2c only$&% ! $& ! $&$ Chown fred /etc/config/users/fred/.ssh/authorizedkeys #$! #$ $ mkdir keys $ ssh-keygen -t rsaHttp//openssh.org/portable.html OpenSSH Windows http//sshwindows.sourceforge.net/download ! Http//www openbsd.org/cgi-bin/man.cgi?query=sshd # ssh remhostAb7e33bd85505a430be0bd433f1ca5f8 Offending key in /.ssh/knownhosts1 Client KeysAuthorized Keys Uploading Keys+- ! !$ % !!#$! #$ #% #% Target Specification Powerstrip IdName or ID of the device support/idPowerstrip Ppassword PportTargetaddress Username#%& #Appendix a Linux Commands and Source Code Appendix A. Linux Commands and Source CodeAdd a group or add an user to a group Add an user GNU Bourne-Again ShellLogin RebootIp6tables Iptables-saveVconfig SleepSmbmnt Smbmount164