Dell Drac 5 User Guide
Configuring Security Features

NOTE: SSHv1 is not supported.

Table 12-6. Cryptography Schemes

Scheme Type: Scheme

Asymmetric Cryptography:
• Diffie-Hellman DSA/DSS 512-1024 (random) bits per NIST specification

Symmetric Cryptography:
• AES256-CBC
• RIJNDAEL256-CBC
• AES192-CBC
• RIJNDAEL192-CBC
• AES128-CBC
• RIJNDAEL128-CBC
• BLOWFISH-128-CBC
• 3DES-192-CBC
• ARCFOUR-128

Message Integrity:
• HMAC-SHA1-160
• HMAC-SHA1-96
• HMAC-MD5-128
• HMAC-MD5-96

Authentication:
• Password

Configuring Services

NOTE: To modify these settings, you must have Configure DRAC 5 permission. Additionally, the remote RACADM command-line utility can only be enabled if the user is logged in as root.

1. Expand the System tree and click Remote Access.
2. Click the Configuration tab and then click Services.
3. Configure the following services as required:
   • Local Configuration (Table 12-7)
   • Web server (Table 12-8)
   • SSH (Table 12-9)
   • Telnet (Table 12-10)
   • Remote RACADM (Table 12-11)
   • SNMP agent (Table 12-12)
   • Automated System Recovery Agent (Table 12-13)
   Use the Automated System Recovery Agent to enable the Last Crash Screen functionality of the DRAC 5.
   NOTE: Server Administrator must be installed with its Auto Recovery feature activated by setting the Action to either Reboot System, Power Off System, or Power Cycle System for the Last Crash Screen to function in the DRAC 5.
4. Click Apply Changes.
5. Click the appropriate Services page button to continue. See Table 12-14.
Table 12-7. Local Configuration Settings

Setting: Description

Disable the DRAC local configuration using option ROM
    Disables local configuration of the DRAC 5 using option ROM. The option ROM prompts you to enter the setup module by pressing  during system reboot.

Disable the DRAC local configuration using RACADM
    Disables local configuration of the DRAC 5 using local RACADM.

Table 12-8. Web Server Settings

Setting: Description

Enabled
    Enables or disables the Web server. Checked=Enabled; Unchecked=Disabled.

Max Sessions
    The maximum number of simultaneous sessions allowed for this system.

Active Sessions
    The number of current sessions on the system, less than or equal to the Max Sessions.

Timeout
    The time in seconds that a connection is allowed to remain idle. The session is cancelled when the timeout is reached. Changes to the timeout setting do not affect the current session. When you change the timeout setting, you must log out and log in again to make the new setting effective. Timeout range is 60 to 1920 seconds.

HTTP Port Number
    The port used by the DRAC that listens for a server connection. The default setting is 80.

HTTPS Port Number
    The port used by the DRAC that listens for a server connection. The default setting is 443.
Table 12-9. SSH Settings

Setting: Description

Enabled
    Enables or disables SSH. Checked=Enabled; Unchecked=Disabled.

Max Sessions
    The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.

Active Sessions
    The number of current sessions on the system, less than or equal to the Max Sessions.

Timeout
    The Secure Shell idle timeout, in seconds. Range = 60 to 1920 seconds. Enter 0 seconds to disable the Timeout feature. The default setting is 300.

Port Number
    The port used by the DRAC that listens for a server connection. The default setting is 22.
Table 12-10. Telnet Settings

Setting: Description

Enabled
    Enables or disables Telnet. Checked=Enabled; Unchecked=Disabled.

Max Sessions
    The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.

Active Sessions
    The number of current sessions on the system, less than or equal to the Max Sessions.

Timeout
    The Telnet idle timeout, in seconds. Range = 60 to 1920 seconds. Enter 0 seconds to disable the Timeout feature. The default setting is 0.

Port Number
    The port used by the DRAC that listens for a server connection. The default setting is 23.
Table 12-11. Remote RACADM Settings

Setting: Description

Enabled
    Enables or disables remote RACADM. Checked=Enabled; Unchecked=Disabled.

Max Sessions
    The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.

Active Sessions
    The number of current sessions on the system, less than or equal to the Max Sessions.

Table 12-12. SNMP Agent Settings

Setting: Description

Enabled
    Enables or disables the SNMP agent. Checked=Enabled; Unchecked=Disabled.

Community Name
    The name of the community that contains the IP address for the SNMP Alert destination. The Community Name can be up to 31 non-blank characters in length. The default setting is public.
Table 12-13. Automated System Recovery Agent Setting

Setting: Description

Enabled
    Enables the Automated System Recovery Agent.
Enabling Additional DRAC 5 Security Options

To prevent unauthorized access to your remote system, the DRAC 5 provides the following features:

• IP address filtering (IPRange): defines a specific range of IP addresses that can access the DRAC 5.
• IP address blocking: limits the number of failed login attempts from a specific IP address.

These features are disabled in the DRAC 5 default configuration. Use the following subcommand or the Web-based interface to enable these features:

    racadm config -g cfgRacTuning -o 

Additionally, use these features in conjunction with the appropriate session idle time-out values and a defined security plan for your network.

The following subsections provide additional information about these features.

IP Filtering (IpRange)

IP address filtering (or IP Range Checking) allows DRAC 5 access only from clients or management workstations whose IP addresses are within a user-specific range. All other logins are denied.

IP filtering compares the IP address of an incoming login to the IP address range that is specified in the following cfgRacTuning properties:

• cfgRacTuneIpRangeAddr
• cfgRacTuneIpRangeMask

The cfgRacTuneIpRangeMask property is applied to both the incoming IP address and to the cfgRacTuneIpRangeAddr property. If the results of both operations are identical, the incoming login request is allowed to access the DRAC 5. Logins from IP addresses outside this range receive an error.
Table 12-14. Services Page Buttons

Button: Description

Print
    Prints the Services page.

Refresh
    Refreshes the Services page.

Apply Changes
    Applies the Services page settings.
The login proceeds if the following expression equals zero:

    cfgRacTuneIpRangeMask & ( ^ cfgRacTuneIpRangeAddr)

where & is the bitwise AND of the quantities and ^ is the bitwise exclusive-OR.

See DRAC 5 Property Database Group and Object Definitions on page 345 for a complete list of cfgRacTune properties.
Enabling IP Filtering

Below is an example command for IP filtering setup. See Using RACADM Remotely on page 78 for more information about RACADM and RACADM commands.

NOTE: The following RACADM commands block all IP addresses except 192.168.0.57.

Table 12-15. IP Address Filtering (IpRange) Properties

Property: Description

cfgRacTuneIpRangeEnable
    Enables the IP range checking feature.

cfgRacTuneIpRangeAddr
    Determines the acceptable IP address bit pattern, depending on the 1's in the subnet mask. This property is bitwise AND'd with cfgRacTuneIpRangeMask to determine the upper portion of the allowed IP address. Any IP address that contains this bit pattern in its upper bits is allowed to establish a DRAC 5 session. Logins from IP addresses that are outside this range will fail. The default values in each property allow an address range from 192.168.1.0 to 192.168.1.255 to establish a DRAC 5 session.

cfgRacTuneIpRangeMask
    Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1's with a single transition to all zeros in the lower-order bits.
To restrict the login to a single IP address (for example, 192.168.0.57), use the full mask, as shown below:

    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeEnable 1
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeAddr 192.168.0.57
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeMask 255.255.255.255

To restrict logins to a small set of four adjacent IP addresses (for example, 192.168.0.212 through 192.168.0.215), select all but the lowest two bits in the mask, as shown below:

    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeEnable 1
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeAddr 192.168.0.212
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeMask 255.255.255.252
IP Filtering Guidelines

Use the following guidelines when enabling IP filtering:

• Ensure that cfgRacTuneIpRangeMask is configured in the form of a netmask, where all most significant bits are 1's (which defines the subnet in the mask) with a transition to all 0's in the lower-order bits.
• Use the range base address you prefer as the value for cfgRacTuneIpRangeAddr. The 32-bit binary value of this address should have zeros in all the low-order bits where there are zeros in the mask.
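The following Python is an added worked example, not part of the Dell manual: it applies the DRAC 5 rule that a login proceeds when the mask AND'd with (incoming address XOR range address) is zero, and implements the two guideline checks above (contiguous netmask, base address clean in the low-order bits) so a configured range/mask pair can be reviewed before it is pushed with racadm. The function names and the enumeration helper are this example's own.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit unsigned integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_valid_netmask(mask: str) -> bool:
    """Guideline 1: the mask must be all 1s followed by a single transition to all 0s."""
    m = _to_int(mask)
    inverted = (~m) & 0xFFFFFFFF          # the low-order zero run becomes a run of ones
    # A run of k low-order ones is 2^k - 1, so adding one clears every set bit.
    return (inverted & (inverted + 1)) == 0


def has_clean_base(range_addr: str, mask: str) -> bool:
    """Guideline 2: cfgRacTuneIpRangeAddr must have 0s wherever the mask has 0s."""
    return (_to_int(range_addr) & ~_to_int(mask) & 0xFFFFFFFF) == 0


def ip_range_allows(range_addr: str, mask: str, incoming: str) -> bool:
    """The DRAC 5 filter: login proceeds when mask & (incoming ^ range_addr) == 0."""
    m = _to_int(mask)
    return (m & (_to_int(incoming) ^ _to_int(range_addr))) == 0


def allowed_hosts(range_addr: str, mask: str) -> list:
    """Enumerate every address the pair admits, for a configuration review."""
    a, m = _to_int(range_addr), _to_int(mask)
    base = a & m                           # upper bits fixed by the mask
    span = (~m) & 0xFFFFFFFF               # number of free low-order combinations - 1
    return [str(ipaddress.IPv4Address(base + off)) for off in range(span + 1)]


if __name__ == "__main__":
    # The manual's four-address example: 192.168.0.212 through 192.168.0.215
    print(allowed_hosts("192.168.0.212", "255.255.255.252"))
    print(ip_range_allows("192.168.0.57", "255.255.255.255", "192.168.0.58"))
```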
IP Blocking

IP blocking dynamically determines when excessive login failures occur from a particular IP address and blocks (or prevents) the address from logging into the DRAC 5 for a preselected time span.

The IP blocking parameter uses cfgRacTuning group features that include:

• The number of allowable login failures
• The timeframe in seconds when these failures must occur
• The amount of time in seconds when the guilty IP address is prevented from establishing a session after the total allowable number of failures is exceeded

As login failures accumulate from a specific IP address, they are aged by an internal counter. When the user logs in successfully, the failure history is cleared and the internal counter is reset.

NOTE: When login attempts are refused from the client IP address, some SSH clients may display the following message: ssh exchange identification: Connection closed by remote host.

See DRAC 5 Property Database Group and Object Definitions on page 345 for a complete list of cfgRacTune properties.

Table 12-16 lists the user-defined parameters.

Table 12-16. Login Retry Restriction Properties

Property: Definition

cfgRacTuneIpBlkEnable
    Enables the IP blocking feature. When consecutive failures (cfgRacTuneIpBlkFailCount) from a single IP address are encountered within a specific amount of time (cfgRacTuneIpBlkFailWindow), all further attempts to establish a session from that address are rejected for a certain timespan (cfgRacTuneIpBlkPenaltyTime).

cfgRacTuneIpBlkFailCount
    Sets the number of login failures from an IP address before the login attempts are rejected.

cfgRacTuneIpBlkFailWindow
    The timeframe in seconds when the failure attempts are counted. When the failures exceed this limit, they are dropped from the counter.
Enabling IP Blocking

The following example prevents a client IP address from establishing a session for five minutes if that client has failed its five login attempts in a one-minute period of time.

    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkEnable 1
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailCount 5
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailWindow 60
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkPenaltyTime 300

The following example prevents more than three failed attempts within one minute, and prevents additional login attempts for an hour.

    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkEnable 1
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailCount 3
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailWindow 60
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkPenaltyTime 3600
Table 12-16. Login Retry Restriction Properties (continued)

Property: Definition

cfgRacTuneIpBlkPenaltyTime
    Defines the timespan in seconds when all login attempts from an IP address with excessive failures are rejected.
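The following Python is an added simulation, not Dell code, of the IP blocking behaviour the section and Table 12-16 describe: failures are counted per source address inside a sliding window of cfgRacTuneIpBlkFailWindow seconds, reaching cfgRacTuneIpBlkFailCount starts a penalty of cfgRacTuneIpBlkPenaltyTime seconds during which every attempt is refused, and a successful login clears the history. It is useful for checking what a given set of values means before applying it with racadm. The class name and the exact trigger (a block starts when the count inside the window reaches the limit, and failures older than the window are dropped first) are assumptions of this example; the manual does not spell out that detail.

```python
from collections import defaultdict


class IpBlocker:
    """Per-address login-failure tracking modelled on the cfgRacTuning IP blocking properties."""

    def __init__(self, fail_count: int, fail_window: int, penalty_time: int):
        self.fail_count = fail_count        # cfgRacTuneIpBlkFailCount
        self.fail_window = fail_window      # cfgRacTuneIpBlkFailWindow (seconds)
        self.penalty_time = penalty_time    # cfgRacTuneIpBlkPenaltyTime (seconds)
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures
        self._blocked_until = {}            # ip -> time at which the penalty ends

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while the address is inside its penalty period."""
        return now < self._blocked_until.get(ip, float("-inf"))

    def login_attempt(self, ip: str, now: float, success: bool) -> str:
        """Process one attempt and return 'rejected', 'ok' or 'failed'."""
        if self.is_blocked(ip, now):
            return "rejected"               # refused before credentials are even checked
        if success:
            # A successful login clears the failure history and resets the counter.
            self._failures.pop(ip, None)
            self._blocked_until.pop(ip, None)
            return "ok"
        # Age out failures outside the window (assumption), then record this one.
        recent = [t for t in self._failures[ip] if now - t < self.fail_window]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= self.fail_count:
            self._blocked_until[ip] = now + self.penalty_time
            self._failures[ip] = []         # counter restarts after the penalty
        return "failed"


if __name__ == "__main__":
    # The manual's first example: five failures inside 60 s earn a 300 s penalty.
    blocker = IpBlocker(fail_count=5, fail_window=60, penalty_time=300)
    for t in (0, 10, 20, 30, 40):           # constructed timestamps, seconds
        print(t, blocker.login_attempt("10.0.0.9", t, success=False))
    print(41, blocker.login_attempt("10.0.0.9", 41, success=True))  # rejected
```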
Configuring the Network Security Settings Using the DRAC 5 GUI

NOTE: You must have Configure DRAC 5 permission to perform the following steps.

1. In the System tree, click Remote Access.
2. Click the Configuration tab and then click Network.
3. In the Network Configuration page, click Advanced Settings.
4. In the Network Security page, configure the attribute values and then click Apply Changes. Table 12-17 describes the Network Security page settings.
5. Click the appropriate Network Security page button to continue. See Table 12-18 for a description of the Network Security page buttons.

Table 12-17. Network Security Page Settings

Setting: Description

IP Range Enabled
    Enables the IP Range checking feature, which defines a specific range of IP addresses that can access the DRAC 5.

IP Range Address
    Determines the acceptable IP subnet address.

IP Range Subnet Mask
    Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1s with a single transition to all zeros in the lower-order bits. For example: 255.255.255.0

IP Blocking Enabled
    Enables the IP address blocking feature, which limits the number of failed login attempts from a specific IP address for a preselected time span.

IP Blocking Fail Count
    Sets the number of login failures attempted from an IP address before the login attempts are rejected from that address.

IP Blocking Fail Window
    Determines the time span in seconds within which IP Block Fail Count failures must occur to trigger the IP Block Penalty Time.

IP Blocking Penalty Time
    The time span in seconds within which login attempts from an IP address with excessive failures are rejected.