In general, using ssh port forwarding requires that the log consolidation server and the log forwarding client perform a key exchange. Specifically, the ssh public key of the remote log forwarding client must be added to the consolidation server's authorized_keys file, and the host key (and therefore the fingerprint) of the log consolidation server is added to the log forwarding client's ~/.ssh/known_hosts file. After this key exchange the log forwarding client is a trusted system, and the consolidation server no longer needs to prompt it for an ssh password.
Since the consolidation server is a package, it can potentially run on every member of the cluster. This key exchange between the remote log forwarding client and a cluster member must be replicated for each cluster member. Each cluster member has to establish the same trust relationship to the log forwarding clients.
A problem can arise with the log forwarding client's known_hosts entries. When a package's relocatable IP address is used for the initial ssh key exchange, the client records the host key of the node currently running the package (the adoptive node) in its ~/.ssh/known_hosts file under that address. When the package fails over and the ssh connection is reestablished, the new adoptive node presents a different host key, and ssh will detect this as a
In order to prevent this, each cluster member must look like the same system from the perspective of the log forwarding clients. This can be achieved by having each cluster member use an identical host key. The ssh host keys are located in /opt/ssh/etc and contained in the following files:
•ssh_host_key
•ssh_host_key.pub
•ssh_host_dsa_key
•ssh_host_dsa_key.pub
•ssh_host_rsa_key
•ssh_host_rsa_key.pub
Pick one of the cluster members and copy these files to the same directory on the other cluster members. The "cluster copy" tool, ccp, is a quick way to do this:
# cd /opt/ssh/etc/
# ccp ssh_host_* /opt/ssh/etc/
The private key files (those without the .pub suffix) must remain owned by root and readable only by root on every member. sshd reads its host keys when it starts, so restart sshd on each member that received new keys before the clients perform their key exchange.
Then, from each log forwarding client, perform a standard ssh key exchange with the relocatable IP address of the clog package. One way to do this is the csshsetup tool (see csshsetup(1)):
# csshsetup <DNS name of the clog package>
csshsetup prompts for the cluster's password in order to do the initial key exchange. Because every member now presents the same host key, the known_hosts entry the client records for the package address remains valid after a failover.
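Before pointing log forwarding clients at the package address, it is worth confirming that the host key copy actually took effect on every member. The following script is an added example, not part of the manual or of the clog package: it compares the RSA host key each member presents over the network. It assumes member names node1, node2 and node3 (hypothetical), that ssh-keyscan is on the PATH, and that the members are reachable; check_scan itself works on saved ssh-keyscan output, so it can also be run offline on a captured scan.

```shell
#!/bin/sh
# Added example (not from the manual): verify that every cluster member
# presents the same RSA ssh host key, so the clog relocatable address looks
# like one system to log forwarding clients before and after a failover.
# Assumed (hypothetical) member names: node1 node2 node3.

# Collect "host keytype base64key" lines from the members (needs network).
scan_cluster() {
    ssh-keyscan -t rsa "$@" 2>/dev/null
}

# Read ssh-keyscan output on stdin and check it against the member list.
# Returns 0 when every member answered and all present the same RSA key,
# 1 when the members present different RSA keys (the failover problem),
# 2 when at least one member returned no RSA key (unreachable or no sshd).
check_scan() {   # usage: check_scan NODE... < scan_output
    scan=$(cat)
    for node in "$@"; do
        printf '%s\n' "$scan" |
            awk -v n="$node" '$1 == n && $2 == "ssh-rsa" { found = 1 }
                              END { exit found ? 0 : 1 }' || return 2
    done
    distinct=$(printf '%s\n' "$scan" |
               awk '$2 == "ssh-rsa" { print $3 }' | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -eq 1 ] || return 1
    return 0
}

# Live usage: sh check_hostkeys.sh node1 node2 node3
if [ "$#" -gt 0 ]; then
    scan_cluster "$@" | check_scan "$@"
    case "$?" in
        0) echo "OK: all members present the same RSA host key" ;;
        1) echo "MISMATCH: members present different RSA host keys; repeat the ccp copy and restart sshd" ;;
        2) echo "INCOMPLETE: a member returned no RSA host key" ;;
    esac
fi
```

Run it with the member names as arguments after copying the keys and restarting sshd. A MISMATCH result means the host key files differ on at least one member, so a client that recorded the package address in known_hosts will be refused on failover; an INCOMPLETE result means a member could not be scanned and the comparison is not yet meaningful.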
3.5.3 clog Network Port Usage
syslog and
•UDP 514 – this port is used by syslogd clients for forwarding log messages
•TCP port selected port - the administrator chooses which TCP port a
•TCP port 22 – When using ssh port forwarding to create encrypted tunnels, the remote clients communicate with the log consolidation server’s sshd daemon. In a default configuration, this daemon listens on TCP port 22.
3.5.4 Using Bastille to Harden the System
Bastille is a
3.5 Securing Consolidated Logs | 79 |