Objective 7.1 - Configure Secure Remote Access

Written by Matthijs van den Berg
|
|
Monday, 06 April 2009 23:00
KNOWLEDGE
- Explain how to prevent remote root login
Root login is disabled by default. This is configured in the sshd_config file. The line
PermitRootLogin <yes/no>
defines whether root login is allowed or not.
- Describe the process to allow selected users remote access capabilities
The firewall service on an ESX system allows or disallows SSH traffic intended for or originating from the ESX host. To allow SSH traffic you need to modify the firewall. This can be done via the CLI or via the vCenter Client (GUI).
- Understand authentication process and options
Strange question, but I think they mean the following: after you have opened a connection you enter your username and password. The system checks your credentials and determines your group membership. Based on the group membership you are given certain user permissions. You can use sudo to execute certain CLI commands with root privileges; to do so you need to enter the root password.
- Describe SSH implementation
VMware ESX uses a Red Hat Linux-based service console. This Red Hat installation uses OpenSSH (and OpenSSL) as its SSH service (sshd). When you set up a connection to the ESX host (assuming you are allowed access as a user and the firewall is configured to permit SSH traffic) you enter the Linux OS. From there you can configure the ESX hypervisor with the tools written by VMware. Remember that ESX is not running ON Linux! Linux is solely used as the management console!
- Understand how user access is tracked and logged
On ESX via the command line:
Successful and unsuccessful host login attempts:
cat /var/log/messages
All commands executed via the sudo command:
cat /var/log/secure
- Explain the use of TCP wrappers to restrict access from specific hosts/addresses
The default firewall service in VMware ESX is used to block or allow all traffic from or to a specific service. This firewall service cannot block or allow specific hosts access to and from a service/server. To do that you need to enable TCP wrappers, which allow more granular control of access to an ESX host. Read below under Skills and Abilities how to configure TCP wrappers.
SKILLS AND ABILITIES
- Enable/Disable root SSH login
SSH root access can be enabled by modifying /etc/ssh/sshd_config via the command line. Replace
PermitRootLogin no
with
PermitRootLogin yes
and restart the service with
/etc/init.d/sshd restart
Remember to also open the firewall service!
- Modify the default settings to allow both incoming and outgoing SSH traffic
- GUI
Incoming and outgoing traffic can be permitted via the VI Client:
- Select an ESX host, Configuration,
- Security Profile,
- Properties.
- In the new window, select the SSH incoming and outgoing firewall rules. These are preconfigured.
- CLI
Via the command line the following example can be used (outgoing SSH traffic):
esxcfg-firewall --openPort 22,tcp,out,ssh
Substitute out with in to allow traffic the other way (into the ESX system).
- Create ESX Server user accounts and assign group memberships
- Command Line
Add a user by typing:
useradd <username> -p <password>
Note that -p expects an already encrypted password string; to set a plain-text password, run passwd <username> after creating the account.
Add a user and add it to an existing group by typing:
useradd <username> -g <groupname> -G <supplementary groups, comma separated> -p <password>
Add a group by typing:
groupadd <groupname>
Modify a user by typing:
usermod <options> <username>
for example:
usermod -G <supplementary groups, comma separated> <username>
- VI Client
Use the VI Client to connect to the ESX server. Select the server in the left pane, and then click on the Users & Groups tab in the right pane.
- Create User:
Click on the Users button, right click and select Add. Specify the desired User Name, Password, etc. and click OK.
- Create a Local Group:
Click on the Groups button, right click and select Add. Enter the group name you want, enter the User Name you created above in the User Name field and click Add. Click OK to create the group.
- Assign Permissions:
Click on the Permissions tab, right click and select Add Permission. Click on the Add button, select the Group you created above and click on the Add button. Click on the OK button. Make sure the Assigned Role is set to Read-Only and click OK.
- Configure SSH
- AllowUsers/DenyUsers
You can allow or deny specific users by defining them in the /etc/ssh/sshd_config file. To deny specific users add the following line to the bottom:
DenyUsers <username> <optionally more space-separated usernames>
To allow specific users use AllowUsers. Another way to deny specific users access would be to enable pam_access.so. This is a more complex method but allows a more granular way. It is for example possible to deny users access only if they are originating from a specific location. Google for more info! I played around with it for a short while and could not get it to work, though I was not able to change too much due to the fact that it was a production server.
- Banner
You can configure messages that are shown to you when logging in to the CLI in two different ways.
- If you would like any user who connects to your SSH service to see a specific message, you can create a custom SSH banner. Simply create a text file (in my example /etc/ssh-banner.txt) and put any kind of text message in it; for example:
*********************************************************
*  This is a private server. No unauthorized access!    *
*  All login attempts will be logged                    *
*********************************************************
When done editing, save the file. In the sshd_config file, find the line that says:
#Banner /etc/issue.net
Uncomment the line and change the path to your custom SSH banner text file.
- /etc/motd
This is the message of the day. The motd shows a text after a user has authenticated successfully. Configure it by editing the file:
nano /etc/motd
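Because sshd applies the first occurrence of each keyword, the "add to the bottom" advice above only works when the keyword is not already set higher up in the file. The following shell script is an added example, not part of the original post; it reports the values sshd will actually use for the settings discussed here and runs against a constructed sample config:

```shell
#!/bin/sh
# Added example, not from the original post: report the sshd_config values
# discussed above exactly as sshd will apply them.  sshd uses the FIRST
# occurrence of a keyword and ignores later ones, so a line appended to the
# bottom of the file only takes effect if the keyword was not set higher up.

# Print the effective value of keyword $2 in config file $1: comments and blank
# lines are skipped, keyword match is case-insensitive, first match wins.
# Prints nothing when the keyword is not set.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# PASS/FAIL line per setting the post covers; returns 1 if anything failed.
sshd_audit() {
  cfg=$1; rc=0
  v=$(sshd_effective "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
  if [ "$v" = no ]; then echo "PASS PermitRootLogin no"
  else echo "FAIL PermitRootLogin ${v:-unset}"; rc=1; fi
  v=$(sshd_effective "$cfg" Banner)
  if [ -n "$v" ] && [ "$v" != none ]; then echo "PASS Banner $v"
  else echo "FAIL Banner ${v:-unset}"; rc=1; fi
  a=$(sshd_effective "$cfg" AllowUsers); d=$(sshd_effective "$cfg" DenyUsers)
  if [ -n "$a$d" ]; then echo "PASS ${a:+AllowUsers $a }${d:+DenyUsers $d}"
  else echo "FAIL AllowUsers/DenyUsers unset"; rc=1; fi
  return $rc
}

# Constructed config for the demonstration: root login was disabled, then
# "PermitRootLogin yes" was appended at the end (ineffective), and the Banner
# line is still commented out as shipped.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
#Banner /etc/issue.net
DenyUsers guest test2
PermitRootLogin yes
EOF

sshd_audit "$CFG" || echo "sshd_audit: one or more settings need attention"
```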
- Define VI Client roles and user and group assignments
- Add a Role
Use the VI Client to connect to the Virtual Infrastructure. Click the Administration button in the top bar. Click Administration, Role, Add. Give the role a name and assign VI privileges.
- Assign a user or group to a role
Use the VI Client to connect to the Virtual Infrastructure. Select a server in the left pane, and then click on the Permissions tab in the right pane. Right click on the white space, Add Role. Add a user and select a role in the new window.
- Use Service Console commands to track user access
There are several commands:
- who
Show who is logged on. Example:
root     pts/0        Apr  7 08:53 (10.1.1.106)
- w
Show who is logged on and what they are doing. Example:
 08:53:04  up 3 days, 19:00,  1 user,  load average: 0.00, 0.03, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/0    10.1.1.106        8:53am   0.00s  0.03s  0.00s w
- last
Show a listing of last logged in users. Example:
root     pts/0        10.1.1.106       Tue Apr  7 08:53   still logged in
reboot   system boot  2.4.21-57.ELvmni Fri Apr  3 13:53          (3+19:01)

wtmp begins Fri Apr  3 13:50:01 2009
- fuser
Identify processes using files or sockets. You need to specify an option. For all options see "man fuser".
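The log files named under Knowledge (/var/log/messages for login attempts, /var/log/secure for sudo) and the session tools above both answer the question of who used the host and how. The shell script below is an added example, not from the original post; it runs over constructed log lines in the service console's sshd and sudo format and pulls out repeated failed logins per source address and the sudo command trail:

```shell
#!/bin/sh
# Added example, not from the original post: turn the two log files named under
# Knowledge (/var/log/messages for login attempts, /var/log/secure for sudo)
# into a short access report.  The log lines below are constructed in the
# format the RHEL-based service console's sshd and sudo write; for real use,
# pass the real log paths instead of the temporary files.

MESSAGES=$(mktemp)
cat > "$MESSAGES" <<'EOF'
Apr  7 08:53:01 esxhost sshd[2301]: Accepted password for admin from 10.1.1.106 port 51234 ssh2
Apr  7 08:54:10 esxhost sshd[2310]: Failed password for root from 10.1.1.200 port 40001 ssh2
Apr  7 08:54:12 esxhost sshd[2310]: Failed password for root from 10.1.1.200 port 40001 ssh2
Apr  7 08:54:15 esxhost sshd[2312]: Failed password for invalid user oracle from 10.1.1.200 port 40002 ssh2
Apr  7 08:56:00 esxhost sshd[2320]: Failed password for admin from 10.1.1.106 port 51240 ssh2
EOF
SECURE=$(mktemp)
cat > "$SECURE" <<'EOF'
Apr  7 08:55:10 esxhost sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/esxcfg-firewall -q
Apr  7 08:57:42 esxhost sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/esxcfg-auth --maxfailedlogins=5
Apr  7 09:01:03 esxhost sudo:   backup : TTY=pts/1 ; PWD=/home/backup ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
EOF

# Failed SSH logins per source address as "count address", most frequent first.
failed_logins_by_source() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Addresses with at least $2 failed logins in $1: the "unsuccessful login
# attempts" check from the post turned into a threshold alert.
failed_login_alert() {
  failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Every command run through sudo as "user command": the trail of who used
# root privileges for what.
sudo_commands() {
  awk -F' sudo: +' '/ sudo: / { split($2, f, " : "); sub(/.*COMMAND=/, "", $2); print f[1], $2 }' "$1"
}

echo "Sources with 3 or more failed logins:"; failed_login_alert "$MESSAGES" 3
echo "Commands run via sudo:";               sudo_commands "$SECURE"
```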
- Use esxcfg-auth to modify authentication settings
Configures the service console user authentication options. You can use several authentication options like local, NIS, LDAP and Active Directory.
- Preferred authentication method
I could not find a best practice on the internet (not saying there is none) but I think this mainly depends on the underlying infrastructure. If you use AD this would be a valid option for you. Active Directory authentication can be enabled on the ESX server by running the following command in the Command Line:
esxcfg-auth --enablead --addomain=<domainname> --addc=<domaincontroller>
Use fully qualified domain names for both the AD domain as well as for the domain controller. Make sure you can resolve them! You can also authenticate via Kerberos.
- Login attempts
The maximum number of login attempts can be configured via the same esxcfg-auth command. Example:
esxcfg-auth --maxfailedlogins=<count>
- Password aging
You can configure a password aging policy including a minimum time (only allowed to change after x days), a maximum time (must change before x days) and a warning time (number of days a warning is given before a password expires). You can use the following commands to implement this:
esxcfg-auth --passmaxdays=<days>
esxcfg-auth --passmindays=<days>
esxcfg-auth --passwarnage=<days>
See this forum post on how to: http://communities.vmware.com/.
- Configure TCP wrappers
- hosts.allow/hosts.deny
TCP wrappers are used to allow or deny designated IP addresses or IP address ranges access to services on the system. In the following example we only permit SSH access from one subnet.
- TCP wrappers allow access:
Edit the /etc/hosts.allow file on the VMware server via the Command Line:
nano /etc/hosts.allow
You can add or delete hosts or subnets in this file. You can specify the host or subnet for all services, or specify access to a specific service. The allow file is used to allow only designated IPs or subnets, the deny file is used to deny specified hosts or subnets. An example of how to allow only a specified subnet SSH access (to the SSH daemon, sshd) is provided below.
sshd: 10.10.10.: ALLOW
sshd: ALL: DENY
The 10.10.10. represents a class C subnet. By leaving out digits from a complete address a subnet is defined. The ALL: DENY part is obligatory! If you leave this out all traffic will still be permitted! The most secure way is to deny all traffic (ALL: ALL in hosts.deny) and permit only the traffic you want in hosts.allow. The VMware daemon is not included in the TCP wrapper rules!
More info can be found in the man pages: man hosts_access. Another way to limit traffic to the ESX host is to use xinetd and to include an only_from line in the config file. More info on this via man xinetd.conf.
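To see why the closing DENY line is needed, the following shell script (an added example, not part of the original post) emulates the first-match decision libwrap makes on rules in the extended syntax above, and runs it against the two-line rule set with and without the sshd: ALL: DENY line:

```shell
#!/bin/sh
# Added example, not from the original post: a small emulation of the
# hosts_access(5) decision for one daemon and one client, to show why the
# "sshd: ALL: DENY" line matters.  Rules use the extended syntax shown above,
# "daemon: client [: ALLOW|DENY]", in a single file; the action defaults to
# ALLOW as it does in hosts.allow.  Client patterns handled: ALL, an exact
# IPv4 address, or a trailing-dot network prefix such as "10.10.10.".

# Does client pattern $1 match address $2?
wrap_client_match() {
  [ "$1" = ALL ] && return 0
  case "$1" in
    *.) case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix, e.g. 10.10.10.
    *)  [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# Print ALLOW or DENY for daemon $2 and client $3 using rules file $1.
# The first matching rule wins; with no match libwrap permits the connection.
wrap_decide() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    d=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' \t')
    c=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' \t')
    a=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' \t')
    [ -z "$d" ] && continue                       # blank or comment-only line
    if { [ "$d" = ALL ] || [ "$d" = "$2" ]; } && wrap_client_match "$c" "$3"; then
      echo "${a:-ALLOW}"; return 0
    fi
  done < "$1"
  echo ALLOW
}

# Constructed rule files: the post's two-line example, and the same file with
# the closing DENY rule forgotten.
GOOD=$(mktemp); printf 'sshd: 10.10.10.: ALLOW\nsshd: ALL: DENY\n' > "$GOOD"
BAD=$(mktemp);  printf 'sshd: 10.10.10.: ALLOW\n' > "$BAD"

wrap_decide "$GOOD" sshd 10.10.10.25      # ALLOW: inside the permitted subnet
wrap_decide "$GOOD" sshd 10.10.100.5      # DENY: "10.10.10." (with the dot) does not match 10.10.100.x
wrap_decide "$GOOD" sshd 192.168.1.7      # DENY: caught by "sshd: ALL: DENY"
wrap_decide "$BAD"  sshd 192.168.1.7      # ALLOW: nothing matched, so libwrap lets it through
```

The fourth call is the failure mode the text warns about: without the ALL: DENY rule, a client outside 10.10.10.0/24 is still admitted.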
TOOLS
- CLI
- vmware-authd
- esxcfg-auth
- who
- w
- last
- fuser