
Dell Drac 5 User Manual

    							Configuring Security Features211
    Table 11-10. Telnet Settings
    Setting | Description
    Enabled | Enables or disables Telnet. Checked=Enabled; Unchecked=Disabled.
    Max Sessions | The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.
    Active Sessions | The number of current sessions on the system, less than or equal to the Max Sessions.
    Timeout | The Secure Shell idle timeout, in seconds. Range = 60 to 1920 seconds. Enter 0 seconds to disable the Timeout feature. The default setting is 0.
    Port Number | The port used by the DRAC that listens for a server connection. The default setting is 23.

    Table 11-11. Remote RACADM Settings
    Setting | Description
    Enabled | Enables or disables remote RACADM. Checked=Enabled; Unchecked=Disabled.
    Max Sessions | The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.
    Active Sessions | The number of current sessions on the system, less than or equal to the Max Sessions.

    Table 11-12. SNMP Agent Settings
    Setting | Description
    Enabled | Enables or disables the SNMP agent. Checked=Enabled; Unchecked=Disabled.
    Community Name | The name of the community that contains the IP address for the SNMP Alert destination. The Community Name can be up to 31 non-blank characters in length. The default setting is public.
    						
    Enabling Additional DRAC 5 Security Options
    To prevent unauthorized access to your remote system, the DRAC 5 provides 
    the following features:
    - IP address filtering (IPRange): Defines a specific range of IP addresses
      that can access the DRAC 5.
    - IP address blocking: Limits the number of failed login attempts from a
      specific IP address.
    These features are disabled in the DRAC 5 default configuration. Use the 
    following subcommand or the Web-based interface to enable these features:
    racadm config -g cfgRacTuning -o 
     
    Additionally, use these features in conjunction with the appropriate session 
    idle time-out values and a defined security plan for your network.
    The following subsections provide additional information about these features.
    IP Filtering (IpRange)
    IP address filtering (or IP Range Checking) allows DRAC 5 access only from 
    clients or management workstations whose IP addresses are within a user-
    specific range. All other logins are denied. 
    Table 11-13. Automated System Recovery Agent Setting
    Setting | Description
    Enabled | Enables the Automated System Recovery Agent.

    Table 11-14. Services Page Buttons
    Button | Description
    Print | Prints the Services page.
    Refresh | Refreshes the Services page.
    Apply Changes | Applies the Services page settings.
    						
    IP filtering compares the IP address of an incoming login to the IP address 
    range that is specified in the following cfgRacTuning properties:
    - cfgRacTuneIpRangeAddr
    - cfgRacTuneIpRangeMask
    The cfgRacTuneIpRangeMask property is applied to both the incoming
    IP address and the cfgRacTuneIpRangeAddr property. If the two masked
    results are identical, the incoming login request is allowed to access
    the DRAC 5. Logins from IP addresses outside this range receive an error.
    The login proceeds if the following expression equals zero:
    cfgRacTuneIpRangeMask & (
     ^ 
    cfgRacTuneIpRangeAddr)
    where & is the bitwise AND of the quantities and ^ is the bitwise 
    exclusive-OR.
    See DRAC 5 Property Database Group and Object Definitions for a 
    complete list of cfgRacTune properties.
    Table 11-15. IP Address Filtering (IpRange) Properties
    Property | Description
    cfgRacTuneIpRangeEnable | Enables the IP range checking feature.
    cfgRacTuneIpRangeAddr | Determines the acceptable IP address bit pattern, depending on the 1’s in the subnet mask. This property is bitwise AND’d with cfgRacTuneIpRangeMask to determine the upper portion of the allowed IP address. Any IP address that contains this bit pattern in its upper bits is allowed to establish a DRAC 5 session. Logins from IP addresses that are outside this range will fail. The default values in each property allow an address range from 192.168.1.0 to 192.168.1.255 to establish a DRAC 5 session.
    cfgRacTuneIpRangeMask | Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1’s with a single transition to all zeros in the lower-order bits.
    						
    Enabling IP Filtering
    Below is an example command for IP filtering setup.
    See Using RACADM Remotely for more information about RACADM and 
    RACADM commands. 
     NOTE: The following RACADM commands block all IP addresses except
    192.168.0.57.
    To restrict the login to a single IP address (for example, 192.168.0.57), use the 
    full mask, as shown below.
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeEnable 1
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeAddr 192.168.0.57
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeMask 255.255.255.255
    To restrict logins to a small set of four adjacent IP addresses (for example, 
    192.168.0.212 through 192.168.0.215), select all but the lowest two bits in the 
    mask, as shown below:
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeEnable 1
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeAddr 192.168.0.212
    racadm config -g cfgRacTuning -o cfgRacTuneIpRangeMask 255.255.255.252
    IP Filtering Guidelines
    Use the following guidelines when enabling IP filtering:
    - Ensure that cfgRacTuneIpRangeMask is configured in the form of a
      netmask, where the most significant bits are all 1’s (which defines the
      subnet in the mask) with a single transition to all 0’s in the
      lower-order bits.
    - Use the range base address you prefer as the value for
      cfgRacTuneIpRangeAddr. The 32-bit binary value of this address should
      have zeros in all the low-order bits where there are zeros in the mask.
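
    The filter expression and the two guidelines above can be checked offline before the values are written to the DRAC 5. The following Python sketch is an added example, not Dell code; the function names and the sample workstation address are assumptions made for illustration.

```python
import ipaddress

def _u32(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def check_range_config(addr, mask):
    """Return guideline violations for an Addr/Mask pair (empty list = OK)."""
    a, m = _u32(addr), _u32(mask)
    host_bits = ~m & 0xFFFFFFFF          # positions where the mask is 0
    problems = []
    # Guideline 1: 1s in the high bits, one transition, then all 0s.
    if host_bits & (host_bits + 1):
        problems.append("mask is not a contiguous netmask")
    # Guideline 2: the address is 0 wherever the mask is 0.
    if a & host_bits:
        problems.append("address has bits set where the mask is 0")
    return problems

def login_allowed(incoming, addr, mask):
    """The filter test from the text: Mask & (incoming ^ Addr) == 0."""
    return _u32(mask) & (_u32(incoming) ^ _u32(addr)) == 0

def allowed_range(addr, mask):
    """Lowest and highest address that pass the filter (contiguous mask)."""
    low = _u32(addr) & _u32(mask)
    high = low | (~_u32(mask) & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

if __name__ == "__main__":
    # Constructed check before enabling the filter: will the management
    # workstation (sample address) still be able to log in?
    addr, mask, workstation = "192.168.0.212", "255.255.255.252", "192.168.0.214"
    print(check_range_config(addr, mask) or "config follows the guidelines")
    print("allowed range:", allowed_range(addr, mask))
    print(workstation, "allowed:", login_allowed(workstation, addr, mask))
```

    Running the check against the address of the workstation that will apply the change shows whether that workstation would be locked out once cfgRacTuneIpRangeEnable is set to 1.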
    						
    IP Blocking
    IP blocking dynamically determines when excessive login failures occur from 
    a particular IP address and blocks (or prevents) the address from logging into 
    the DRAC 5 for a preselected time span. 
    The IP blocking parameter uses cfgRacTuning group features that include:
    - The number of allowable login failures
    - The timeframe in seconds when these failures must occur
    - The amount of time in seconds when the guilty IP address is prevented
      from establishing a session after the total allowable number of failures is
      exceeded
    As login failures accumulate from a specific IP address, they are aged by an 
    internal counter. When the user logs in successfully, the failure history is 
    cleared and the internal counter is reset. 
     NOTE: When login attempts are refused from the client IP address, some SSH 
    clients may display the following message: ssh exchange 
    identification: Connection closed by remote host. 
    See DRAC 5 Property Database Group and Object Definitions for a 
    complete list of cfgRacTune properties.
    Table 11-16 lists the user-defined parameters. 
    Table 11-16. Login Retry Restriction Properties
    Property | Definition
    cfgRacTuneIpBlkEnable | Enables the IP blocking feature. When consecutive failures (cfgRacTuneIpBlkFailCount) from a single IP address are encountered within a specific amount of time (cfgRacTuneIpBlkFailWindow), all further attempts to establish a session from that address are rejected for a certain timespan (cfgRacTuneIpBlkPenaltyTime).
    cfgRacTuneIpBlkFailCount | Sets the number of login failures from an IP address before the login attempts are rejected.
    						
    Enabling IP Blocking
    The following example prevents a client IP address from establishing a session
    for five minutes if that client fails five login attempts within a one-minute
    period of time.
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkEnable 1
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailCount 5
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailWindow 60
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkPenaltyTime 300
    The following example prevents more than three failed attempts within one 
    minute, and prevents additional login attempts for an hour.
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkEnable 1
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailCount 3
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailWindow 60
    racadm config -g cfgRacTuning -o cfgRacTuneIpBlkPenaltyTime 3600
    Table 11-16. Login Retry Restriction Properties (continued)
    Property | Definition
    cfgRacTuneIpBlkFailWindow | The timeframe in seconds when the failure attempts are counted. When the failures exceed this limit, they are dropped from the counter.
    cfgRacTuneIpBlkPenaltyTime | Defines the timespan in seconds when all login attempts from an IP address with excessive failures are rejected.
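
    To see how a chosen fail count, fail window and penalty time interact before applying them, the behaviour described above can be modelled offline. This Python sketch is an added example, not DRAC 5 firmware code; it assumes the block starts on the failure that brings the in-window count up to cfgRacTuneIpBlkFailCount (the page does not specify the exact boundary), and the class, function names and sample events are constructed for illustration.

```python
from collections import deque

class IpBlockModel:
    """Model of the lockout behaviour described in the text (assumed semantics)."""

    def __init__(self, fail_count, fail_window, penalty_time):
        self.fail_count = fail_count        # cfgRacTuneIpBlkFailCount
        self.fail_window = fail_window      # cfgRacTuneIpBlkFailWindow, seconds
        self.penalty_time = penalty_time    # cfgRacTuneIpBlkPenaltyTime, seconds
        self.failures = {}                  # ip -> deque of failure timestamps
        self.blocked_until = {}             # ip -> time the penalty ends

    def attempt(self, t, ip, success):
        """Process one login at time t; return 'rejected', 'ok' or 'failed'."""
        if t < self.blocked_until.get(ip, 0):
            return "rejected"               # penalty still running
        history = self.failures.setdefault(ip, deque())
        while history and t - history[0] >= self.fail_window:
            history.popleft()               # failure aged out of the window
        if success:
            history.clear()                 # success clears the failure history
            return "ok"
        history.append(t)
        if len(history) >= self.fail_count:
            self.blocked_until[ip] = t + self.penalty_time
            history.clear()
        return "failed"

def replay(events, fail_count, fail_window, penalty_time):
    """Run (time, ip, success) events through the model; return the outcomes."""
    model = IpBlockModel(fail_count, fail_window, penalty_time)
    return [model.attempt(t, ip, ok) for t, ip, ok in events]

if __name__ == "__main__":
    # Constructed events against the first example's values (5 / 60 s / 300 s).
    ip = "203.0.113.9"
    events = [(t, ip, False) for t in (0, 10, 20, 30, 40)] + [(50, ip, True), (340, ip, True)]
    for event, outcome in zip(events, replay(events, 5, 60, 300)):
        print(event, outcome)
```

    In the sample run the correct password at 50 seconds is still rejected, which is the lockout a legitimate administrator would experience after mistyping from the same address.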
    						
    Configuring the Network Security Settings Using the DRAC 5 GUI
     NOTE: You must have Configure DRAC 5 permission to perform the following steps.
    1. In the System tree, click Remote Access.
    2. Click the Configuration tab and then click Network.
    3. In the Network Configuration page, click Advanced Settings.
    4. In the Network Security page, configure the attribute values and then click
       Apply Changes.
       Table 11-17 describes the Network Security page settings.
    5. Click the appropriate Network Security page button to continue. See
       Table 11-18 for a description of the Network Security page buttons.
    Table 11-17. Network Security Page Settings
    Settings | Description
    IP Range Enabled | Enables the IP Range checking feature, which defines a specific range of IP addresses that can access the DRAC 5.
    IP Range Address | Determines the acceptable IP subnet address.
    IP Range Subnet Mask | Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1s with a single transition to all zeros in the lower-order bits. For example: 255.255.255.0
    IP Blocking Enabled | Enables the IP address blocking feature, which limits the number of failed login attempts from a specific IP address for a preselected time span.
    IP Blocking Fail Count | Sets the number of login failures attempted from an IP address before the login attempts are rejected from that address.
    IP Blocking Fail Window | Determines the time span in seconds within which IP Block Fail Count failures must occur to trigger the IP Block Penalty Time.
    IP Blocking Penalty Time | The time span in seconds within which login attempts from an IP address with excessive failures are rejected.
    						
    Table 11-18. Network Security Page Buttons
    Button | Description
    Print | Prints the Network Security page.
    Refresh | Reloads the Network Security page.
    Apply Changes | Saves the changes made to the Network Security page.
    Go Back to Network Configuration Page | Returns to the Network Configuration page.
    						
    							Using the DRAC 5 SM-CLP Command Line Interface219
    Using the DRAC 5 SM-CLP Command Line Interface
    This section provides information about the Server Management Workgroup 
    (SMWG) Server Management-Command Line Protocol (SM-CLP) that is 
    incorporated in the DRAC 5. 
     NOTE: This section assumes that you are familiar with the Systems Management 
    Architecture for Server Hardware (SMASH) Initiative and the SMWG SM-CLP 
    specifications. For more information on these specifications, see the Distributed 
    Management Task Force (DMTF) website at www.dmtf.org.
    The DRAC 5 SM-CLP is a protocol driven by the DMTF and SMWG to 
    provide standards for systems management CLI implementations. The 
    SMWG SM-CLP is a subcomponent of the overall SMASH efforts overseen 
    by DMTF.
    DRAC 5 SM-CLP Support
    DRAC 5 is the first RAC product that provides support for the SM-CLP 
    standard-based command line protocol. The SM-CLP is hosted from the 
    DRAC 5 controller firmware and supports telnet, SSH, and serial-based 
    interfaces. The DRAC 5 SM-CLP interface is based on the SM-CLP 
    Specification Version 1.0 provided by the DMTF organization.
    The following sections provide an overview of the SM-CLP feature that is 
    hosted from the DRAC 5.
    SM-CLP Features
    The SM-CLP promotes the concept of verbs and targets to provide system 
    management capabilities through the CLI. The verb indicates the operation 
    to perform, and the target determines the entity (or object) that runs the 
    operation. 
    Below is an example of the SM-CLP command line syntax.
     [] [] [] 
    						
    During a typical SM-CLP session, the user can perform operations using the 
    verbs listed in Table 12-1 and Table 12-2.
    Using SM-CLP
    1. SSH (or telnet) to the DRAC 5 with correct credentials.
    2. At the command prompt, type smclp.
       The SMCLP prompt (->) is displayed.
    Table 12-1. Supported CLI Verbs for System
    Verb | Definition
    cd | Navigates through the MAP using the shell.
    delete | Deletes an object instance.
    help | Displays help for a specific target.
    reset | Resets the target.
    show | Displays the target properties, verbs, and subtargets.
    start | Turns on a target.
    stop | Shuts down a target.
    exit | Exits from the SM-CLP shell session.
    version | Displays the version attributes of a target.

    Table 12-2. Supported CLI Verbs for Fans, Batteries, Intrusion, Hardware Performance, Power supplies, Temperatures and Voltages
    Verb | Definition
    cd | Navigates through the MAP using the shell.
    help | Displays help for a specific target.
    show | Displays the target properties, verbs, and subtargets.
    exit | Exits from the SM-CLP shell session.
    version | Displays the version attributes of a target.
    						