Thursday, June 19, 2008

Simple Debian Lockdown (for those of you under NESSUS scrutiny)

There are a million ways to lock down a server. I prefer the non-paranoid method, since none of the data I work with is valuable enough to warrant all the extra setup for paranoia mode.

I recommend the following three very simple tasks to lock down your Linux server (specifically Debian Etch).

  1. Prevent root logins from SSH

  2. Turn off ident

  3. Disable RPC (only do this if you do not use NFS)


Preventing root logins via SSH is a good idea for two reasons. (Before you turn it on, make sure at least one non-root account can log in over SSH and su or sudo to root, or you will lock yourself out of a remote box.)

  • It allows you to accurately log who is accessing your system; root is somewhat anonymous if several people know the password.

  • If someone who does know the root password becomes a threat, you simply have to restrict their own username from being granted access (and physical access, of course). This is a lot better than having to change the root password in a pinch (I like not having to update documentation every time someone leaves my company).


Removing ident is merely to make NESSUS complain less. Ident (identd, TCP port 113) tells a remote host which local user owns a given connection, which is information you have no reason to give away. It's not really needed, so let's shut it off.

  • Open /etc/inetd.conf in vi/Emacs/whatever

  • Comment out the line that begins with ident (just add a # at the beginning of the line)

  • Save the file and restart inetd:  /etc/init.d/inetd restart


Finally, another thing to make NESSUS happy is to disable RPC if you aren't using it (mainly NFS shares; NIS needs it too). Simply remove the portmap package from your system. On Debian: apt-get remove portmap. Afterwards, netstat -lnp should no longer show anything listening on port 111.
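As an added example (not code from this post), here are the three steps as shell functions that take file paths, so you can try them on copies of /etc/ssh/sshd_config and /etc/inetd.conf before touching the live files. The post does not spell out the sshd side of step 1: the directive is PermitRootLogin in /etc/ssh/sshd_config, and sshd uses the first occurrence it finds. The file paths, the --apply flag and the sample configs are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: the three lockdown steps as functions
# operating on whatever file path they are given (Debian Etch paths assumed).
set -eu

# Step 1: make "PermitRootLogin no" the effective sshd setting. sshd honours
# the first occurrence of a directive, so every existing PermitRootLogin line
# (active or commented out) is replaced by one active line; if there is none,
# the directive is appended.
disable_root_ssh() {
    cfg="$1"; tmp="$cfg.tmp"
    awk 'BEGIN { done = 0 }
         /^[ \t]*#?[ \t]*PermitRootLogin[ \t]/ {
             if (!done) { print "PermitRootLogin no"; done = 1 }
             next
         }
         { print }
         END { if (!done) print "PermitRootLogin no" }' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Check: the first active PermitRootLogin value (the one sshd uses) is "no".
root_ssh_disabled() {
    v=$(awk '/^[ \t]*PermitRootLogin[ \t]/ { print $2; exit }' "$1")
    [ "$v" = "no" ]
}

# Step 2: comment out every active ident line in inetd.conf.
disable_ident() {
    cfg="$1"; tmp="$cfg.tmp"
    awk '/^[ \t]*ident[ \t]/ { print "#" $0; next } { print }' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Check: no active ident service remains.
ident_disabled() { ! grep -Eq '^[[:space:]]*ident[[:space:]]' "$1"; }

# Step 3 is a package removal, so only the check is a function here.
portmap_installed() {
    dpkg-query -W -f='${Status}\n' portmap 2>/dev/null | grep -q 'install ok installed'
}

# Apply to the live files only when run as root with --apply (assumed flag).
# sshd is restarted only if the edited config still parses (sshd -t).
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    disable_root_ssh /etc/ssh/sshd_config
    /usr/sbin/sshd -t && /etc/init.d/ssh restart
    disable_ident /etc/inetd.conf
    /etc/init.d/inetd restart
    portmap_installed && apt-get remove portmap
fi
```

After applying, confirm from another host that ssh root@yourserver is refused while your own account still gets in, and that nessus stops flagging ident (113/tcp) and portmap (111/tcp).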

Wednesday, May 14, 2008

Exim4 "n00b" Guides

Exim4 is a very powerful MTA (the default for Debian Etch). Getting started with it is a bit daunting, and I found the official website too chock-full of info to be useful for a newbie.

These two sites help quite a bit:

http://www.techcuriosity.com/resources/exim/exim.php

http://bradthemad.org/tech/notes/exim_cheatsheet.php

Monday, May 5, 2008

Exim Cheatsheet

This page has a good single-page command-line admin reference for the popular Exim MTA (the default MTA for Debian Etch).

I found it very useful.

http://bradthemad.org/tech/notes/exim_cheatsheet.php

Friday, May 2, 2008

SNMP Traps now working

Well, continuing from the past two postings, I have figured out what the problem was with the sending of SNMP traps. Apparently trap2sink sends an SNMPv2 trap, while trapsink sends an SNMPv1 trap.

trapsink works, trap2sink does not work.

I do not know why, but I have tested this. With trapsink configured alerts are received in IT Assistant, with trap2sink configured, no alerts are seen in the alert log.

That solves that! I think I finally have a fully managed 64-bit Debian server... what's next?

Thursday, May 1, 2008

Further down the rabbit hole...

So I got the OMSA service working on my 64-bit Debian server. THAT'S all fine and dandy.

Yesterday, I spent hours getting the nuances set up correctly just to get this thing "managed" by the central Dell OpenManage server; hopefully my hard work will help someone out there.

First, in terms of server monitoring, Dell has their "client", OpenManage Server Administrator (OMSA), and their "server", IT Assistant.

My IT Assistant is installed on Windows, and that part is pretty self-explanatory to get done; I already explained how to install OMSA.

Now, in order for IT Assistant to manage an OMSA client, it must have SNMP read-only access to it. On Linux the Dell data engine hands its data to snmpd via SMUX, and in Debian SMUX is disabled by default (which isn't immediately obvious).

First of all, you need to enable SNMP read-only access to your server. Grant the read-only community to the IT Assistant host's address only, not to everyone: with SNMPv1/v2c the community string travels in cleartext and is all that stands between anyone on the network and your hardware inventory.

Then, you need to add a SMUX configuration for the Dell OID. Add this to your recently-made snmpd.conf:
# Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX
smuxpeer .1.3.6.1.4.1.674.10892.1

As I said, by default Debian has SMUX turned off. You need to re-enable it by deleting the -I -smux from the SNMPDOPTS startup options line in /etc/default/snmpd.

Now make sure you restart your snmpd service:
/etc/init.d/snmpd restart

Your Debian SNMP configuration is complete. You can check the status of the Dell data engine with:
/opt/dell/srvadmin/dataeng/bin/dataeng status

Now add a 'range' in IT Assistant with the IP of your server and the community string you set up for it. Then run a discovery job and it should appear in your devices list. The icon next to the device shows whether there are any current alerts for this server.

Congratulations, you can now "manage" your server.
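The snmpd side of the procedure above, as an added example that is not the post's own code: it writes a minimal snmpd.conf with the read-only community restricted to the manager host, the smuxpeer line from the post, and a trapsink (the SNMPv1 form, which is the one the May 2 post found IT Assistant actually receives), and it strips -I -smux from /etc/default/snmpd. The manager address 10.1.1.2, the community string "itacomm", and the functions' names are assumptions; the Dell OID is the one from the post.

```shell
#!/bin/sh
# Added example, not from the post or Dell: build the snmpd configuration
# the post describes, on whatever file paths are given.
set -eu

# OID of the Dell Systems Management Data Engine (from the post)
DELL_OID=".1.3.6.1.4.1.674.10892.1"

# Write a minimal snmpd.conf: read-only access for the manager host only,
# SMUX peer for the Dell data engine, and an SNMPv1 trapsink.
write_snmpd_conf() {
    out="$1"; manager="$2"; community="$3"
    cat > "$out" <<EOF
# Read-only access for the IT Assistant host only, not for everyone
rocommunity $community $manager
# Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX
smuxpeer $DELL_OID
# Send SNMPv1 traps to IT Assistant (trapsink, not trap2sink)
trapsink $manager $community
EOF
}

# Remove "-I -smux" from the SNMPDOPTS line of /etc/default/snmpd so the
# SMUX listener is no longer excluded at startup.
enable_smux() {
    f="$1"; tmp="$f.tmp"
    sed 's/[[:space:]]*-I[[:space:]]*-smux//' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# Checks to run before restarting snmpd
smux_disabled() { grep -q -- '-I -smux' "$1"; }
has_directive() { grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"; }

# Apply to the live system only when run as root with the manager IP and
# community on the command line, e.g.  sh omsa-snmp.sh 10.1.1.2 itacomm
if [ "$#" -eq 2 ] && [ "$(id -u)" -eq 0 ]; then
    write_snmpd_conf /etc/snmp/snmpd.conf "$1" "$2"
    enable_smux /etc/default/snmpd
    /etc/init.d/snmpd restart
    /opt/dell/srvadmin/dataeng/bin/dataeng status
fi
```

Writing the whole snmpd.conf is a simplification; if you already have one, append only the smuxpeer and trapsink lines. Check the result with snmpwalk from the IT Assistant host (it should answer) and from any other host (it should not).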

My current problem is that it appears I cannot have IT Assistant generate alerts for my server, since it can only do so if it receives a trap from the server. I find this pretty silly; it should support alerting me based on its polling, not just by waiting for an alert.

I defined a trapsink in my snmpd.conf, and the hardware log shows the event (me pulling out a hard drive), but no trap is received by IT Assistant. My syslog shows the following:
May  1 14:05:41 inp2552zeus snmpd[5992]: Got trap from peer on fd 14
May  1 14:05:42 inp2552zeus snmpd[5992]: Got trap from peer on fd 14
May  1 14:05:43 inp2552zeus snmpd[5992]: Got trap from peer on fd 14
May  1 14:05:44 inp2552zeus snmpd[5992]: Got trap from peer on fd 14
May  1 14:05:45 inp2552zeus snmpd[5992]: Got trap from peer on fd 14

Anyone have any idea what the issue could be?

Tuesday, April 29, 2008

Installing Dell OMSA on a 64-bit Debian Server

Dell doesn't quite support Debian (my favorite GNU/Linux server distro) for its OpenManage line, but much work has been done by others on this front. Getting this done on 64-bit is trickier still.

First, the easiest way to get OMSA (the OpenManage service) on your box is to add the sara repository to your apt sources. Etch's apt will warn that packages from it cannot be authenticated unless you have imported the repository's signing key; don't wave that warning through, since you are about to install daemons that run as root.

Add to the bottom of /etc/apt/sources.list:
deb ftp://ftp.sara.nl/pub/sara-omsa dell  sara


Now, as root, run
aptitude update

to update your package list (from this new repository), then
aptitude install dellomsa

to download and install the package.

Once that is done, you may need to start the service:

/etc/init.d/dsm_om_connsvc start

If you are running 32-bit, you are done. If you have 64-bit, here is where it gets a little hairy.

You have to download the following 32-bit debs from the main Debian repository. The links provided are for the stable branch; if you are running unstable, please find your own links ;-)

After you have downloaded each of these 32-bit (i386) debs, extract the files out of them (do not install them) with dpkg -x. If you can't figure out how to do that, just read the dpkg manual.

Example:
dpkg -x libselinux1_1.32-3_i386.deb ./temp

When you are done you should find the following four files wherever you extracted them:
libsepol.so.1
libselinux.so.1
pam_unix.so
pam_nologin.so

Once you find these files, copy the two files that start with "libse" to the /lib32 directory and the two "pam_" files to the /lib32/security directory (you may have to create the security subdirectory).

Now, edit /etc/pam.d/omauth and change the path on each uncommented line from /lib/security to /lib32/security. It should look something like this when you are done (ignoring the commented-out lines at the top):
auth       required     /lib32/security/pam_unix.so nullok
auth       required     /lib32/security/pam_nologin.so
account    required     /lib32/security/pam_unix.so nullok

One last step, and it's an easy one: run ldconfig. That rebuilds the dynamic linker's cache so that the libraries you just dropped into /lib32 are found; the PAM modules are loaded by the absolute paths you just put in omauth. Now the 32-bit OpenManage binaries will be looking in the correct spots.
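The 64-bit fix-up steps above as shell functions, added here as an example and not taken from the post, Dell or the sara repository. Each function works on the paths it is given, so the copying and the omauth rewrite can be rehearsed on a throwaway tree first. The ./debs and ./temp directory names and the --apply flag are assumptions; the four file names and the omauth path are the post's.

```shell
#!/bin/sh
# Added example, not from the post: the 32-bit library fix-up for OMSA on
# 64-bit Debian Etch, as functions operating on the paths given.
set -eu

# Extract (do not install) every i386 .deb in a directory into a staging tree.
extract_debs() {
    src="$1"; stage="$2"
    mkdir -p "$stage"
    for deb in "$src"/*_i386.deb; do
        dpkg -x "$deb" "$stage"
    done
}

# Copy the two libse* libraries and the two PAM modules from the staging
# tree into the 32-bit library directories under $root (/ on a live system).
install_lib32() {
    stage="$1"; root="$2"
    mkdir -p "$root/lib32/security"
    for lib in libsepol.so.1 libselinux.so.1; do
        cp "$(find "$stage" -name "$lib" | head -n 1)" "$root/lib32/"
    done
    for mod in pam_unix.so pam_nologin.so; do
        cp "$(find "$stage" -name "$mod" | head -n 1)" "$root/lib32/security/"
    done
}

# Rewrite module paths on the active (uncommented) omauth lines from
# /lib/security to /lib32/security; comment lines are left alone.
fix_omauth() {
    f="$1"; tmp="$f.tmp"
    sed -e '/^[[:space:]]*#/!s|/lib/security/|/lib32/security/|g' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# Check: all four files are in place and no active omauth line still points
# at /lib/security (which would make the 32-bit binary load 64-bit modules).
lib32_ready() {
    root="$1"; pamf="$2"
    for p in lib32/libsepol.so.1 lib32/libselinux.so.1 \
             lib32/security/pam_unix.so lib32/security/pam_nologin.so; do
        [ -f "$root/$p" ] || return 1
    done
    ! grep -Ev '^[[:space:]]*#' "$pamf" | grep -q '/lib/security/'
}

# Apply to the live system only as root with --apply (assumed flag); the
# debs are assumed to have been downloaded into ./debs.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    extract_debs ./debs ./temp
    install_lib32 ./temp /
    fix_omauth /etc/pam.d/omauth
    ldconfig
    lib32_ready / /etc/pam.d/omauth && /etc/init.d/dsm_om_connsvc restart
fi
```

If lib32_ready fails on the live system, look at which of the four files is missing before restarting the service; a half-copied set will leave the web interface rejecting every login.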

Now just browse to the web interface (change the IP as necessary). Make sure you use https; plain http will not work.
https://10.1.1.1:1311/

Log in as root and BAM, you are done.

This guide was built from a conglomeration of sites (kudos to them!):

http://linux.dell.com/debian_9g.shtml

http://lists.us.dell.com/pipermail/linux-poweredge/2007-June/031531.html

http://blog.loftninjas.org/?p=100