In general, using ssh port forwarding requires that the log consolidation server perform a key exchange with the log forwarding client. Specifically, the ssh public key of the remote log forwarding client must be added to the consolidation server’s authorized keys file, and the host key fingerprint of the log consolidation server must be added to the log forwarding client’s /.ssh/known_hosts file. After this key exchange the client log forwarder is a trusted system, and the consolidation server no longer needs to prompt for an ssh password.

Since the consolidation server is a package, it can potentially run on every member of the cluster. This key exchange between the remote log forwarding client and a cluster member must be replicated for each cluster member. Each cluster member has to establish the same trust relationship to the log forwarding clients.

A problem can arise with the fingerprints in the log forwarding client’s known_hosts file. When the package’s relocatable IP address is used for the initial ssh key exchange, the client records the fingerprint of the node that currently holds the package in its local /.ssh/known_hosts file. When the package fails over and the ssh connection is reestablished, the new adoptive node presents a different fingerprint; ssh treats this as a possible man-in-the-middle attack and refuses to reestablish the ssh tunnel.

To prevent this, each cluster member must look like the same system from the perspective of the log forwarding clients. This is achieved by having every cluster member use an identical host key. The ssh host keys are located in /opt/ssh/etc and are contained in the following files:

ssh_host_key
ssh_host_key.pub
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub

Pick one of the cluster members and copy these files to the same directory on the other cluster members. The “cluster copy” tool, ccp, is a quick way to do this, using the following commands:

# cd /opt/ssh/etc/
# ccp ssh_host_* /opt/ssh/etc/

Then, from each log forwarding client, perform a standard ssh key exchange with the relocatable IP address of the clog package. One way to do this is with the csshsetup tool (see csshsetup(1)), as follows:

# csshsetup <DNS name of the clog package>

csshsetup prompts for the cluster’s password in order to perform the initial key exchange.
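The following script is an added example and is not part of the HP-UX documentation or the clog package. Run from a log forwarding client, it checks that the key recorded in the client’s known_hosts file for the clog package’s DNS name matches the RSA host key of every cluster member, which is exactly the condition the host key copy above is meant to establish. It assumes you have first gathered each member’s /opt/ssh/etc/ssh_host_rsa_key.pub into one directory per member; the host names, keys and directory layout in the demo section are constructed.

```sh
#!/bin/sh
# Added example, not from the HP-UX manual: from a log forwarding client,
# check that the known_hosts key recorded for the clog package's DNS name
# matches the RSA host key of every cluster member, so failover to any member
# cannot trip ssh's host-key mismatch check. Arguments: the client's
# known_hosts file, the package DNS name, then one directory per member that
# holds that member's ssh_host_rsa_key.pub (assumed layout: copy each node's
# /opt/ssh/etc/ssh_host_rsa_key.pub into such a directory first).
# Hashed known_hosts entries (HashKnownHosts yes) are not parsed here.
check_clog_hostkey() {
    known_hosts="$1"; pkg_host="$2"; shift 2
    # known_hosts line: "host1,host2 ssh-rsa base64key"; take the key column
    expected=$(awk -v h="$pkg_host" '
        $1 !~ /^[|@]/ && $2 == "ssh-rsa" {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++) if (hosts[i] == h) { print $3; exit }
        }' "$known_hosts")
    [ -n "$expected" ] || { echo "NO ENTRY: $pkg_host not in $known_hosts"; return 1; }
    status=0
    for node in "$@"; do
        pub="$node/ssh_host_rsa_key.pub"    # "ssh-rsa base64key comment"
        if [ ! -f "$pub" ]; then
            echo "MISSING: $pub"; status=1; continue
        fi
        actual=$(awk '$1 == "ssh-rsa" { print $2; exit }' "$pub")
        if [ "$actual" = "$expected" ]; then
            echo "OK: $node presents the key recorded for $pkg_host"
        else
            echo "MISMATCH: $node will be rejected by ssh after failover"; status=1
        fi
    done
    return $status
}

# Constructed demo data: members a and b carry the copied key; member c was
# missed by the ccp step and still has its original, different key.
build_demo() {
    d=$(mktemp -d); shared="AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsharedkey"
    mkdir -p "$d/a" "$d/b" "$d/c"
    echo "ssh-rsa $shared root@node_a" > "$d/a/ssh_host_rsa_key.pub"
    echo "ssh-rsa $shared root@node_a" > "$d/b/ssh_host_rsa_key.pub"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCotherkey root@node_c" > "$d/c/ssh_host_rsa_key.pub"
    echo "clog.example.com,10.0.0.50 ssh-rsa $shared" > "$d/known_hosts"
    echo "$d"
}

demo=$(build_demo)
check_clog_hostkey "$demo/known_hosts" clog.example.com "$demo/a" "$demo/b" "$demo/c" \
    || echo "sync the host keys on the flagged members before relying on failover"
```

A non-zero exit status means at least one member would be refused by ssh after the package moves to it; rerun the ccp copy on the flagged members.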

3.5.3 clog Network Port Usage

syslog and syslog-ng require specific network ports to be available for correct operation. These ports are the following:

UDP port 514 – this port is used by syslogd clients for forwarding log messages.

Administrator-selected TCP port – the administrator chooses which TCP port a syslog-ng log consolidator uses to receive messages.

TCP port 22 – when ssh port forwarding is used to create encrypted tunnels, the remote clients communicate with the log consolidation server’s sshd daemon. In a default configuration, this daemon listens on TCP port 22.

3.5.4 Using Bastille to Harden the System

Bastille is a security-hardening lockdown tool that can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by
