Dell Drac 5 User Guide
Configuring Security Features, page 221

Table 12-6. Cryptography Schemes
  Asymmetric Cryptography: Diffie-Hellman, DSA/DSS 512-1024 (random) bits per NIST specification
  Symmetric Cryptography: AES256-CBC, RIJNDAEL256-CBC, AES192-CBC, RIJNDAEL192-CBC, AES128-CBC, RIJNDAEL128-CBC, BLOWFISH-128-CBC, 3DES-192-CBC, ARCFOUR-128
  Message Integrity: HMAC-SHA1-160, HMAC-SHA1-96, HMAC-MD5-128, HMAC-MD5-96
  Authentication: Password

NOTE: SSHv1 is not supported.

Which of these algorithms is used on a given session is negotiated with the SSH client, so the restriction has to be made on the management workstation: configure the client to offer an AES-CBC cipher and an HMAC-SHA1 MAC rather than ARCFOUR-128 or the HMAC-MD5 variants, which are weak by current standards, and note that DSA keys at the low end of the 512-1024 bit range listed here are well below current key-size guidance.

Configuring Services

NOTE: To modify these settings, you must have Configure DRAC 5 permission. Additionally, the remote RACADM command-line utility can only be enabled if the user is logged in as root.

1. Expand the System tree and click Remote Access.
2. Click the Configuration tab and then click Services.
3. Configure the following services as required:
   • Local Configuration (Table 12-7)
   • Web server (Table 12-8)
   • SSH (Table 12-9)
   • Telnet (Table 12-10)
   • Remote RACADM (Table 12-11)
   • SNMP agent (Table 12-12)
   • Automated System Recovery Agent (Table 12-13)
   Use the Automated System Recovery Agent to enable the Last Crash Screen functionality of the DRAC 5.
   NOTE: Server Administrator must be installed with its Auto Recovery feature activated by setting the Action to either Reboot System, Power Off System, or Power Cycle System for the Last Crash Screen to function in the DRAC 5.
4. Click Apply Changes.
5. Click the appropriate Services page button to continue. See Table 12-14.

Table 12-7. Local Configuration Settings
  Disable the DRAC local configuration using option ROM: Disables local configuration of the DRAC 5 using option ROM. The option ROM prompts you during system reboot to enter the setup module.
  Disable the DRAC local configuration using RACADM: Disables local configuration of the DRAC 5 using local RACADM.

Both local paths let anyone with console or operating-system access on the host reconfigure the DRAC 5 without DRAC credentials; once the DRAC is configured, disable them so that every configuration change must go through an authenticated DRAC session.

Table 12-8. Web Server Settings
  Enabled: Enables or disables the Web server. Checked=Enabled; Unchecked=Disabled.
  Max Sessions: The maximum number of simultaneous sessions allowed for this system.
  Active Sessions: The number of current sessions on the system, less than or equal to Max Sessions.
  Timeout: The time in seconds that a connection is allowed to remain idle. The session is cancelled when the timeout is reached. Changes to the timeout setting do not affect the current session; when you change the timeout setting, you must log out and log in again to make the new setting effective. Timeout range is 60 to 1920 seconds.
  HTTP Port Number: The port on which the DRAC listens for a server connection. The default setting is 80.
  HTTPS Port Number: The port on which the DRAC listens for a server connection. The default setting is 443.

Table 12-9. SSH Settings
  Enabled: Enables or disables SSH. Checked=Enabled; Unchecked=Disabled.
  Max Sessions: The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.
  Active Sessions: The number of current sessions on the system, less than or equal to Max Sessions.
  Timeout: The Secure Shell idle timeout, in seconds. Range = 60 to 1920 seconds. Enter 0 seconds to disable the Timeout feature. The default setting is 300.
  Port Number: The port on which the DRAC listens for a server connection. The default setting is 22.

Table 12-10. Telnet Settings
  Enabled: Enables or disables Telnet. Checked=Enabled; Unchecked=Disabled.
  Max Sessions: The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.
  Active Sessions: The number of current sessions on the system, less than or equal to Max Sessions.
  Timeout: The Telnet idle timeout, in seconds. Range = 60 to 1920 seconds. Enter 0 seconds to disable the Timeout feature. The default setting is 0, that is, an idle Telnet session never expires.
  Port Number: The port on which the DRAC listens for a server connection. The default setting is 23.

Telnet carries the login credentials and the entire session in clear text, and unlike SSH its default configuration never times out an idle session. Leave Telnet disabled and use SSH; if it must be enabled, set a Timeout in the same range you use for SSH.

Table 12-11. Remote RACADM Settings
  Enabled: Enables or disables remote RACADM. Checked=Enabled; Unchecked=Disabled.
  Max Sessions: The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.
  Active Sessions: The number of current sessions on the system, less than or equal to Max Sessions.

Table 12-12. SNMP Agent Settings
  Enabled: Enables or disables the SNMP agent. Checked=Enabled; Unchecked=Disabled.
  Community Name: The name of the community that contains the IP address for the SNMP Alert destination. The Community Name can be up to 31 non-blank characters in length. The default setting is public.

The community name is the only credential the SNMP agent has; replace the default public before enabling the agent, since the default is the first value any scanner tries.

Table 12-13. Automated System Recovery Agent Setting
  Enabled: Enables the Automated System Recovery Agent.

Table 12-14. Services Page Buttons
  Print: Prints the Services page.
  Refresh: Refreshes the Services page.
  Apply Changes: Applies the Services page settings.

Enabling Additional DRAC 5 Security Options

To prevent unauthorized access to your remote system, the DRAC 5 provides the following features:
• IP address filtering (IPRange): defines a specific range of IP addresses that can access the DRAC 5.
• IP address blocking: limits the number of failed login attempts from a specific IP address.

These features are disabled in the DRAC 5 default configuration. Use the following subcommand form (one property per command, as in the examples that follow) or the Web-based interface to enable these features:

  racadm config -g cfgRacTuning -o <property> <value>

Additionally, use these features in conjunction with the appropriate session idle time-out values and a defined security plan for your network. The following subsections provide additional information about these features.

IP Filtering (IpRange)

IP address filtering (or IP Range Checking) allows DRAC 5 access only from clients or management workstations whose IP addresses are within a user-specified range. All other logins are denied.

IP filtering compares the IP address of an incoming login to the IP address range that is specified in the following cfgRacTuning properties:
• cfgRacTuneIpRangeAddr
• cfgRacTuneIpRangeMask

The cfgRacTuneIpRangeMask property is applied to both the incoming IP address and to the cfgRacTuneIpRangeAddr property. If the two results are identical, the incoming login request is allowed to access the DRAC 5. Logins from IP addresses outside this range receive an error.
The login proceeds if the following expression equals zero:

  cfgRacTuneIpRangeMask & (<incoming IP address> ^ cfgRacTuneIpRangeAddr)

where & is the bitwise AND of the quantities and ^ is the bitwise exclusive-OR. See DRAC 5 Property Database Group and Object Definitions on page 345 for a complete list of cfgRacTune properties.

Table 12-15. IP Address Filtering (IpRange) Properties
  cfgRacTuneIpRangeEnable: Enables the IP range checking feature.
  cfgRacTuneIpRangeAddr: Determines the acceptable IP address bit pattern, depending on the 1's in the subnet mask. This property is bitwise AND'd with cfgRacTuneIpRangeMask to determine the upper portion of the allowed IP address. Any IP address that contains this bit pattern in its upper bits is allowed to establish a DRAC 5 session. Logins from IP addresses that are outside this range will fail. The default values in each property allow an address range from 192.168.1.0 to 192.168.1.255 to establish a DRAC 5 session.
  cfgRacTuneIpRangeMask: Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1's with a single transition to all zeros in the lower-order bits.

Enabling IP Filtering

Below are example commands for IP filtering setup. See Using RACADM Remotely on page 78 for more information about RACADM and RACADM commands.

NOTE: The following RACADM commands block all IP addresses except 192.168.0.57.

To restrict the login to a single IP address (for example, 192.168.0.57), use the full mask, as shown below. The address and mask are set first and the check is enabled last, so that the default range never applies to the session issuing the commands:

  racadm config -g cfgRacTuning -o cfgRacTuneIpRangeAddr 192.168.0.57
  racadm config -g cfgRacTuning -o cfgRacTuneIpRangeMask 255.255.255.255
  racadm config -g cfgRacTuning -o cfgRacTuneIpRangeEnable 1

To restrict logins to a small set of four adjacent IP addresses (for example, 192.168.0.212 through 192.168.0.215), select all but the lowest two bits in the mask, as shown below:

  racadm config -g cfgRacTuning -o cfgRacTuneIpRangeAddr 192.168.0.212
  racadm config -g cfgRacTuning -o cfgRacTuneIpRangeMask 255.255.255.252
  racadm config -g cfgRacTuning -o cfgRacTuneIpRangeEnable 1

IP Filtering Guidelines

Use the following guidelines when enabling IP filtering:
• Ensure that cfgRacTuneIpRangeMask is configured in the form of a netmask, where all most significant bits are 1's (which defines the subnet in the mask) with a transition to all 0's in the lower-order bits.
• Use the range base address you prefer as the value for cfgRacTuneIpRangeAddr. The 32-bit binary value of this address should have zeros in all the low-order bits where there are zeros in the mask.
• Set cfgRacTuneIpRangeAddr and cfgRacTuneIpRangeMask before setting cfgRacTuneIpRangeEnable to 1. The default range is 192.168.1.0 to 192.168.1.255, so a remote RACADM or Web session from another subnet can lock itself out if the check is enabled before the range is changed.
• The DRAC 5 evaluates the source address of the TCP connection. Management workstations that reach it through a NAT gateway or proxy all appear as that gateway's address, which must then be inside the range, and every client behind the gateway is admitted with it.
IP Blocking

IP blocking dynamically determines when excessive login failures occur from a particular IP address and blocks (or prevents) the address from logging into the DRAC 5 for a preselected time span. The IP blocking parameters in the cfgRacTuning group define:
• The number of allowable login failures
• The timeframe in seconds within which these failures must occur
• The amount of time in seconds that the offending IP address is prevented from establishing a session after the total allowable number of failures is exceeded

As login failures accumulate from a specific IP address, they are aged by an internal counter. When the user logs in successfully, the failure history is cleared and the internal counter is reset.

NOTE: When login attempts are refused from the client IP address, some SSH clients may display the following message: ssh exchange identification: Connection closed by remote host.

See DRAC 5 Property Database Group and Object Definitions on page 345 for a complete list of cfgRacTune properties. Table 12-16 lists the user-defined parameters.

Table 12-16. Login Retry Restriction Properties
  cfgRacTuneIpBlkEnable: Enables the IP blocking feature. When consecutive failures (cfgRacTuneIpBlkFailCount) from a single IP address are encountered within a specific amount of time (cfgRacTuneIpBlkFailWindow), all further attempts to establish a session from that address are rejected for a certain timespan (cfgRacTuneIpBlkPenaltyTime).
  cfgRacTuneIpBlkFailCount: Sets the number of login failures from an IP address before login attempts from that address are rejected.
  cfgRacTuneIpBlkFailWindow: The timeframe in seconds within which the failed attempts are counted. Failures older than this window are dropped from the counter.
  cfgRacTuneIpBlkPenaltyTime: Defines the timespan in seconds during which all login attempts from an IP address with excessive failures are rejected.

Enabling IP Blocking

The following example prevents a client IP address from establishing a session for five minutes if that client has failed five login attempts in a one-minute period of time.

  racadm config -g cfgRacTuning -o cfgRacTuneIpBlkEnable 1
  racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailCount 5
  racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailWindow 60
  racadm config -g cfgRacTuning -o cfgRacTuneIpBlkPenaltyTime 300

The following example allows at most three failed attempts within one minute, and rejects further login attempts from that address for an hour.

  racadm config -g cfgRacTuning -o cfgRacTuneIpBlkEnable 1
  racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailCount 3
  racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailWindow 60
  racadm config -g cfgRacTuning -o cfgRacTuneIpBlkPenaltyTime 3600

Because the block is keyed on the source address alone, a few mistyped passwords from a shared NAT address or jump host lock out every administrator behind it for the full penalty period, and the same mechanism lets anyone who can reach the DRAC deliberately lock out a known management address. Size cfgRacTuneIpBlkPenaltyTime with that in mind and keep IP filtering enabled alongside it.
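To see how the three cfgRacTuneIpBlk* values interact, the following added example (this page's own illustration, not Dell's implementation) models the rule from Table 12-16 and replays it over a constructed sequence of login attempts: failures are counted per source address, aged out of the window, reset by a successful login, and once the count is reached the address is refused for the penalty period before any credentials are checked. The class name, the event tuple format and the sample addresses are assumptions of the example.

```python
from collections import defaultdict, deque

# Added example: a model of the DRAC 5 login-retry restriction. Semantics are
# taken from Table 12-16 above; the class, event format and sample data are
# this example's own and are not Dell code.


class IpBlocker:
    def __init__(self, fail_count: int, fail_window: int, penalty_time: int):
        self.fail_count = fail_count          # cfgRacTuneIpBlkFailCount
        self.fail_window = fail_window        # cfgRacTuneIpBlkFailWindow (seconds)
        self.penalty_time = penalty_time      # cfgRacTuneIpBlkPenaltyTime (seconds)
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time the penalty expires

    def attempt(self, ip: str, now: float, success: bool) -> str:
        """Record one login attempt; returns ok, fail, fail-blocked or blocked."""
        # During the penalty the session is refused before credentials are
        # checked; this is when SSH clients print
        # "ssh exchange identification: Connection closed by remote host".
        if now < self._blocked_until.get(ip, 0):
            return "blocked"
        fails = self._failures[ip]
        # Age out failures that fell outside the window.
        while fails and now - fails[0] > self.fail_window:
            fails.popleft()
        if success:
            fails.clear()              # a successful login clears the history
            return "ok"
        fails.append(now)
        if len(fails) >= self.fail_count:
            self._blocked_until[ip] = now + self.penalty_time
            fails.clear()              # the counter starts over after the penalty
            return "fail-blocked"
        return "fail"


def replay(events, fail_count=5, fail_window=60, penalty_time=300):
    """Replay (time_seconds, ip, success) events through one IpBlocker
    and return the outcome of each attempt, in order."""
    blocker = IpBlocker(fail_count, fail_window, penalty_time)
    return [blocker.attempt(ip, t, ok) for t, ip, ok in events]


# Constructed sample for the first racadm example above (5 failures in 60 s,
# 300 s penalty): 10.0.0.9 fails five times in 40 s, then retries during the
# penalty with the correct password; 10.0.0.10 is unaffected; once the
# penalty has expired the failure counter for 10.0.0.9 starts from zero.
SAMPLE_EVENTS = [
    (0, "10.0.0.9", False), (10, "10.0.0.9", False), (20, "10.0.0.9", False),
    (30, "10.0.0.9", False), (40, "10.0.0.9", False),
    (50, "10.0.0.9", True), (50, "10.0.0.10", True),
    (341, "10.0.0.9", False),
]

if __name__ == "__main__":
    for (t, ip, ok), result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:>4}s {ip:<10} {'success' if ok else 'failure':<8} -> {result}")
```

The replay shows the two properties of the mechanism that matter operationally: a correct password during the penalty is still refused, and failures that have slid out of cfgRacTuneIpBlkFailWindow no longer count toward cfgRacTuneIpBlkFailCount, so a slow guessing attempt that stays under the rate is never blocked and must be caught by IP filtering or by watching the DRAC log instead.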
Configuring the Network Security Settings Using the DRAC 5 GUI

NOTE: You must have Configure DRAC 5 permission to perform the following steps.

1. In the System tree, click Remote Access.
2. Click the Configuration tab and then click Network.
3. In the Network Configuration page, click Advanced Settings.
4. In the Network Security page, configure the attribute values and then click Apply Changes. Table 12-17 describes the Network Security page settings.
5. Click the appropriate Network Security page button to continue. See Table 12-18 for a description of the Network Security page buttons.

Table 12-17. Network Security Page Settings
  IP Range Enabled: Enables the IP Range checking feature, which defines a specific range of IP addresses that can access the DRAC 5.
  IP Range Address: Determines the acceptable IP subnet address.
  IP Range Subnet Mask: Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1s with a single transition to all zeros in the lower-order bits. For example: 255.255.255.0
  IP Blocking Enabled: Enables the IP address blocking feature, which limits the number of failed login attempts from a specific IP address for a preselected time span.
  IP Blocking Fail Count: Sets the number of login failures attempted from an IP address before the login attempts are rejected from that address.
  IP Blocking Fail Window: Determines the time span in seconds within which IP Blocking Fail Count failures must occur to trigger the IP Blocking Penalty Time.
  IP Blocking Penalty Time: The time span in seconds during which login attempts from an IP address with excessive failures are rejected.