Tripp Lite 0 Idades Manual
221 Chapter 15: Advanced Configuration

The pmshell help message is NOT updated with the extra control command keys that may be configured.

For example, to configure the Ctrl+p command to open the power menu when using serial port 3, enter the following in the console server's command shell:

    config -s config.ports.port3.power=16
    killall -HUP portmanager

The first command sets the power menu command to listen for Ctrl+p (decimal 16 is the character code sent when you press Ctrl+p in the serial port session; see the range of control codes below). The second command (killall -HUP portmanager) tells portmanager to reload the configuration so that the new control code will take effect. Rebooting the device also works.

There is a script to set serial control codes on a range of ports so that bulk port configuration can be performed more easily. For example, to set the power menu control code to Ctrl+p (keycode 16) on ports 4 to 10 inclusive, enter the following in the command line:

    /etc/scripts/set-serial-control-codes 4 10 power 16

This sets the power menu control key to Ctrl+p (see the range of control codes below).

Note: If you have not configured a particular serial port in the included range, configuration for that port will be skipped.

Control Codes (Ctrl+a=1 ... Ctrl+z=26):

    Ctrl+a = 1     Ctrl+b = 2     Ctrl+c = 3     Ctrl+d = 4     Ctrl+e = 5
    Ctrl+f = 6     Ctrl+g = 7     Ctrl+h = 8     Ctrl+i = 9     Ctrl+j = 10
    Ctrl+k = 11    Ctrl+l = 12    Ctrl+m = 13    Ctrl+n = 14    Ctrl+o = 15
    Ctrl+p = 16    Ctrl+q = 17    Ctrl+r = 18    Ctrl+s = 19    Ctrl+t = 20
    Ctrl+u = 21    Ctrl+v = 22    Ctrl+w = 23    Ctrl+x = 24    Ctrl+y = 25
    Ctrl+z = 26
pmchat

The pmchat command acts similarly to the standard chat command, but all serial port access is directed via the portmanager.

Example: To run a chat script via the portmanager:

    # pmchat -v -f /etc/config/scripts/port08.chat < /dev/port08

For more information on using chat (and pmchat) you should consult the UNIX man pages:
http://techpubs.sgi.com/library/tpl/cgibin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/man8/chat.8.html

pmusers

The pmusers command is used to query the portmanager for active user sessions.

Example: To detect which users are currently active on which serial ports:

    # pmusers

This command will output nothing if there are no active users currently connected to any ports; otherwise it will respond with a sorted list of usernames per active port:

    Port 1: user1 user2
    Port 2: user1
    Port 8: user2

The above output indicates that a user named "user1" is actively connected to ports 1 and 2, while "user2" is connected to both ports 1 and 8.

Note: With v3.11 firmware and later, the pmusers command is extended with the --disconnect option, which allows an admin user or root to disconnect console server sessions from the command line. The following connection types can be disconnected:

    telnet
    SSH
    Raw TCP
    Unauth'ed Telnet

You cannot disconnect an RFC2217 session.

If the --disconnect option is specified, the pmusers command goes into disconnect mode, where you can specify the users with -u and the ports with -l (by label) or -n (by name). By default, the command will prompt the user before actually disconnecting the matching sessions. This can be overridden with the --no-prompt argument.

Example: disconnecting pmusers sessions:

    # pmusers --disconnect
    Disconnect all users from all ports? (y/n) y
    5 sessions were disconnected

    # pmusers --disconnect -u robertw
    Disconnect user robertw from all ports? (y/n) y
    1 session was disconnected

    # pmusers --disconnect -u robertw -n 5
    Disconnect user robertw from port 5 (BranchRouter01)? (y/n) y
    No sessions were disconnected

    # pmusers --disconnect -n 5
    Disconnect all users from port 5 (BranchRouter01)? (y/n) y
    2 sessions were disconnected

    # pmusers --disconnect -u robertw -u pchunt -n 4 -n 6
    Disconnect users robertw, pchunt from ports 4, 6? (y/n) y
    10 sessions were disconnected

    # pmusers --disconnect -u tester --no-prompt
    No sessions were disconnected

portmanager daemon

There is normally no need to stop and restart the daemon. To restart the daemon normally, just run the command:

    # portmanager

Supported command line options are:

    Force portmanager to run in the foreground:   --nodaemon
    Set the level of debug logging:               --loglevel={debug,info,warn,error,alert}
    Change which configuration file it uses:      -c /etc/config/portmanager.conf

Signals

Sending a SIGHUP signal to the portmanager will cause it to re-read its configuration file.

15.2.2 External Scripts and Alerts

The portmanager has the ability to execute external scripts on certain events.

When a port is opened by the portmanager:

• When the portmanager opens a port, it attempts to execute /etc/config/scripts/portXX.init (where XX is the number of the port, e.g. 08). The script is run with STDIN and STDOUT both connected to the serial port.
• If the script cannot be executed, then portmanager will execute /etc/config/scripts/portXX.chat via the chat command on the serial port.

When an alert occurs on a port:

• When an alert occurs on a port, the portmanager will attempt to execute /etc/config/scripts/portXX.alert (where XX is the port number, e.g. 08).
• The script is run with STDIN containing the data which triggered the alert, and STDOUT redirected to /dev/null, NOT to the serial port. If you wish to communicate with the port, use pmshell or pmchat from within the script.
• If the script cannot be executed, then the alert will be mailed to the address configured in the system administration section.
When a user connects to any port:

• If a file called /etc/config/pmshell-start.sh exists, it is run when a user connects to a port. It is provided two arguments, the "Port number" and the "Username". Here is a simple example (/etc/config/pmshell-start.sh):

    #!/bin/sh
    PORT="$1"
    USER="$2"
    echo "Welcome to port $PORT $USER"

• The return value from the script controls whether the user is accepted or not: if 0 is returned (or nothing is done on exit, as in the above script) the user is permitted; otherwise the user is denied access.
• Here is a more complex script which reads from configuration to display the port label if available and denies access to the root user:

    #!/bin/sh
    PORT="$1"
    USER="$2"
    # "config -g" prints "key value"; keep everything after the first space as the label
    LABEL=$(config -g config.ports.port$PORT.label | cut -f2- -d' ')
    # Refuse the superuser; a non-zero exit denies the session
    if [ "$USER" = "root" ]; then
        echo "Permission denied for Super User"
        exit 1
    fi
    if [ -z "$LABEL" ]; then
        echo "Welcome $USER, you are connected to Port $PORT"
    else
        echo "Welcome $USER, you are connected to Port $PORT ($LABEL)"
    fi

15.3 Raw Access to Serial Ports

15.3.1 Access to serial ports

You can use tip and stty to completely bypass the portmanager and have raw access to the serial ports.

When you run tip on a portmanager controlled port, portmanager closes that port and stops monitoring it until tip releases control of it.

With stty, the changes made to the port only "stick" until that port is closed and opened again, so it is doubtful that people will want to use stty for more than initial debugging of the serial connection. If you want to use stty to configure the port, you can put stty commands in /etc/config/scripts/portXX.init, which gets run whenever portmanager opens the port. Otherwise, any setup you do with stty will get lost when the portmanager opens the port. (The reason that portmanager sets things back to its config rather than using whatever is on the port is so the port is in a known good state and will work, no matter what is done to the serial port outside of portmanager.)

15.3.2 Accessing the console/modem port

The console dial-in is handled by mgetty, with automatic PPP login extensions. mgetty is a smart getty replacement, designed to be used with Hayes compatible data and data/fax modems. mgetty knows about modem initialization, manual modem answering (so your modem doesn't answer if the machine isn't ready) and UUCP locking (so you can use the same device for dial-in and dial-out). mgetty provides very extensive logging facilities.

All standard mgetty options are supported.

Modem initialization strings:

• To override the standard modem initialization string, either use the Management Console (refer to Chapter 5) or the command line config tool (refer to Dial-In Configuration, Chapter 14).

Enabling Boot Messages on the Console:

• If you are not using a modem on the DB9 console port and instead wish to connect to it directly via a Null Modem cable, you may want to enable verbose mode, allowing you to see the standard Linux start-up messages. This can be achieved with the following commands:

    # /bin/config --set=config.console.debug=on
    # /bin/config --run=console
    # reboot

• If at some point in the future you choose to connect a modem for dial-in out-of-band access, the procedure can be reversed with the following commands:

    # /bin/config --del=config.console.debug
    # /bin/config --run=console
    # reboot
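Returning to the /etc/config/pmshell-start.sh hook of 15.2.2: the manual's second script denies root and greets everyone else. The following added example (not from the manual or the product) extends it into a per-port allow-list, so a serial port only admits the users assigned to it and fails closed when the list is missing. The path /etc/config/pmshell-allow, the one-line-per-port layout and the helper names are assumptions for this example; the sample list is constructed from the pmusers output shown earlier in this chapter.

```shell
#!/bin/sh
# Added example (not from the manual): /etc/config/pmshell-start.sh hook that
# enforces a per-port allow-list. portmanager runs it with two arguments, the
# port number and the username, and denies the session when it exits non-zero
# (15.2.2). Allow-list layout, assumed for this example, one line per port:
#   <port-number> <user> [<user> ...]      ("#" starts a comment)
# The path below is also an assumption; the manual defines no such file.
ALLOW_FILE="${PMSHELL_ALLOW_FILE:-/etc/config/pmshell-allow}"

# make_sample_allow_file: write a constructed list (the same users and ports
# as the pmusers output earlier in the chapter) to a temp file, print its path.
make_sample_allow_file() {
    f="${TMPDIR:-/tmp}/pmshell-allow.sample.$$"
    cat > "$f" <<'EOF'
# port  users allowed on it
1 user1 user2
2 user1
8 user2
EOF
    echo "$f"
}

# allowed FILE PORT USER: return 0 if USER is listed for PORT, 1 otherwise.
# root is always refused (as in the manual's own script) and a missing or
# unreadable list denies everyone, so a deleted file fails closed.
allowed() {
    file="$1" port="$2" user="$3"
    [ "$user" != "root" ] || return 1
    [ -r "$file" ] || return 1
    awk -v p="$port" -v u="$user" '
        $1 ~ /^#/ { next }
        $1 == p { for (i = 2; i <= NF; i++) if ($i == u) ok = 1 }
        END { exit ok ? 0 : 1 }' "$file"
}

# Hook entry point: only acts when portmanager passes the two arguments.
if [ $# -eq 2 ]; then
    if allowed "$ALLOW_FILE" "$1" "$2"; then
        echo "Welcome $2, you are connected to Port $1"
        exit 0
    fi
    echo "Permission denied for $2 on port $1"
    logger -t pmshell-start "denied user $2 on port $1"   # leaves an audit trail
    exit 1
fi
```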
15.4 IP Filtering

The Console Server uses the iptables utility to provide a stateful firewall of LAN traffic. By default, rules are automatically inserted to allow access to enabled services and serial port access via enabled protocols. The commands which add these rules are contained in the configuration file:

    /etc/config/fw.rules

This is an executable shell script which is run whenever the LAN interface is brought up and whenever modifications are made to the iptables configuration as a result of CGI actions or the config command line tool.

The basic steps performed are as follows:

• Running iptables configuration is erased; per-interface and other standard system chains are installed
• Fall-through Block rules (default deny) are installed
• Serial & Network: Services policies are installed in per-interface chains
• Custom Serial & Network: Firewall rules are inserted at the top of the rule sets, taking priority over any other configuration

If you require further firewall customization, extra rules can be persisted by creating a file at /etc/config/scripts/firewall-post containing iptables commands to amend the firewall policy.

There's good documentation about using the iptables command at the Linux netfilter website http://netfilter.org/documentation/index.html. There are also many high-quality tutorials and HOWTOs available via the netfilter website; in particular, peruse the tutorials listed on the netfilter HOWTO page.

15.5 SNMP Status Reporting and Traps

Console Servers can send traps/messages to multiple remote SNMP Network Managers on defined trigger events (as detailed in Chapter 7). Console Servers also contain an SNMP Service (snmpd) which can provide status information on demand. From the snmpd manual page:

    snmpd is an SNMP agent which binds to a port and awaits requests from SNMP management software. Upon receiving a request, it processes the request(s), collects the requested information and/or performs the requested operation(s) and returns the information to the sender.

15.5.1 Retrieving status information using SNMP

Console Servers can provide serial and device status information through SNMP. This includes:

• Serial port status
• Active users
• Remote Power Control (RPC) and Power Distribution Unit (PDU) status
• Environmental Monitoring Device (EMD) status
• Signal alert status
• Environmental alert status
• UPS alert status

The MIBs in your Console Server are located in /etc/snmp/mibs.

    TL-STATUS-MIB.mib    This new MIB contains serial and connected device status information (for snmpstatusd & snmpalertd)
    TL-STATUSv2-MIB.mib  This new MIB contains extended status and alert information
    TL-SMI-MIB.mib       Enterprise structure of management information
    TLTRAP-MIB.mib       SMIv1 traps from old MIBs (as smilint will not let SMIv1 structures coexist with SMIv2)

15.5.2 Check firewall rules

• Select System: Services and ensure the SNMP daemon box has been checked for the interface required. This will allow SNMP requests through the firewall for the specified interface.
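The Services checkbox above opens port 161 to every host on that interface. As an added example (not part of the manual), the following /etc/config/scripts/firewall-post script from 15.4 narrows SNMP to the managers configured in 15.5.5, so status polling and traps keep working while other hosts are dropped. The constructed addresses 192.0.2.10 and 192.0.2.11, the SNMP_MANAGERS and IPT overrides, and the use of the standard INPUT chain (the manual does not name its per-interface chains) are assumptions.

```shell
#!/bin/sh
# Added example (not from the manual): /etc/config/scripts/firewall-post that
# limits the SNMP agent (port 161) to the configured SNMP managers. The
# manager list comes from the config.system.snmp.addressN keys of 15.5.5 when
# the console server's "config" tool exists, from SNMP_MANAGERS when set, or
# from a constructed sample so the script also runs on a workstation.
IPT="${IPT:-iptables}"

# manager_addrs: print one SNMP manager address per line.
manager_addrs() {
    if [ -n "${SNMP_MANAGERS:-}" ]; then
        printf '%s\n' $SNMP_MANAGERS
    elif command -v config >/dev/null 2>&1; then
        # "config -g" prints "key value"; keep the value, drop unset slots
        for n in 1 2 3; do
            config -g "config.system.snmp.address$n" 2>/dev/null | cut -f2- -d' '
        done | grep -v '^$'
    else
        printf '%s\n' 192.0.2.10 192.0.2.11   # constructed sample managers
    fi
}

# snmp_rules: print the iptables arguments to apply, in order: accept
# 161/udp and 161/tcp from each manager, then drop 161 from everyone else.
# They are inserted at the top of INPUT so they take priority over the
# service-allow rules fw.rules installs (the manual does not name its
# per-interface chains, so the standard chain is used here).
snmp_rules() {
    n=0
    for a in $(manager_addrs); do
        for proto in udp tcp; do
            n=$((n + 1))
            echo "-I INPUT $n -p $proto --dport 161 -s $a -j ACCEPT"
        done
    done
    for proto in udp tcp; do
        n=$((n + 1))
        echo "-I INPUT $n -p $proto --dport 161 -j DROP"
    done
}

# snmp_rule_count: how many rules snmp_rules would install.
snmp_rule_count() { snmp_rules | wc -l | tr -d ' '; }

# apply_rules: hand each line to iptables; refuses to run unless root.
apply_rules() {
    [ "$(id -u)" = "0" ] || { echo "firewall-post: must run as root" >&2; return 1; }
    snmp_rules | while read -r rule; do
        $IPT $rule || echo "firewall-post: failed: $IPT $rule" >&2
    done
}

# Apply only when executed under the firewall-post name (assumes fw.rules
# executes the file; if it is sourced instead, call apply_rules directly).
case "$(basename "$0")" in firewall-post) apply_rules ;; esac
```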
15.5.3 Enable SNMP service

Note: For firmware versions 3.10.2 and above, new SNMP status and trap MIBs were created to provide more and better structured SNMP status and traps from console servers. There is an option in the SNMP menu to Use Legacy Notifications for the SNMP traps. In setting this option, the console server will send SNMP traps that are compatible with those sent from older firmware versions before the new MIBs were added. This ensures that the firmware upgrade will not upset the existing SNMP management settings already in place.

When upgrading from an old firmware version that does not support the newer SNMP MIBs/traps (versions before 3.10.2) to firmware that does support the new MIBs/traps:

• If the SNMP service was enabled and an SNMP manager was configured before upgrading the firmware, the console server will be configured to use the legacy traps after upgrading.
• If the SNMP service was not enabled or no SNMP manager was configured before the upgrade, then the console server will be configured to use the new SNMP traps after the upgrade. Note: this will not have any effect until the SNMP service is turned on and an SNMP manager is configured.
• When starting up using the new firmware after a config erase, the console server will be configured to use the new SNMP traps.
• When upgrading from a firmware version that supports the new traps to a newer version that supports the new traps, the 'use legacy traps' setting should be kept the same; no checking of the SNMP service/manager configuration is needed.

The Console Server supports different versions of SNMP including SNMPv1, SNMPv2c and SNMPv3. SNMP, although an industry standard, brings with it a variety of security concerns. For example, SNMPv1 and SNMPv2c offer no inherent privacy, while SNMPv3 is susceptible to man-in-the-middle attacks. Recent IETF developments suggest tunnelling SNMP over widely accepted technologies such as SSH (Secure Shell) or TLS (Transport Layer Security) rather than relying on less mature security systems such as SNMPv3's USM (User-based Security Model). Additional information regarding SNMP security issues and SNMPv3 can be found at:

    http://net-snmp.sourceforge.net/wiki/index.php/TUT:Security
    http://www.ietf.org/html.charters/snmpv3-charter.html

• Select Alerts & Logging: SNMP
• The SNMP Service Details tab is shown by default. The SNMP Service Details tab controls aspects of the SNMP Service including Security Level. It manages requests from external agents for status information.
• Check the Enable the SNMP Service box to start the SNMP Service. The Service is disabled by default.
• Select either UDP or TCP for the TCP/IP Protocol. UDP is the recommended protocol and is selected by default. TCP should only be used in special cases, such as when Port Forwarding SNMP requests/responses to or from the Console Server device is required.
• Complete the Location and Contact fields. The Location field should describe the physical location of the Console Server and will be used in response to requests for the SNMPv2-MIB::sysLocation.0 of the device. The Contact field refers to the person responsible for the Console Server, such as the System Administrator, and will be used in response to requests as follows: SNMPv2-MIB::sysContact.0.
• Enter the Read-Only Community and Read-Write Community. This is required for SNMP v1 & v2c only. The Read-Only Community field is used to specify the SNMPv1 or SNMPv2c community that will be allowed read-only (GET and GETNEXT) access. This must be specified in order for both versions to become enabled. The Read-Write Community field is used to specify the SNMPv1 or SNMPv2c community that will be allowed read-write (GET, GETNEXT and SET) access.
• Configure SNMP v3, if required. SNMP v3 provides secure SNMP operations through the use of USM (User-based Security Model). It offers various levels of security including user-based authentication and basic encryption.
  o The Engine ID is used to localize the SNMPv3 user. It will be automatically generated from a Network Interface (eth0) hardware address if left blank, or must be entered as a hex value, e.g. 0x01020304.
  o Specify the Security Level:
      noauth  No authentication or encryption is required. This is the minimum level of security.
      auth    Authentication will be required but encryption is not enforced. An authentication protocol (SHA or MD5) and password will be required.
      priv    Enforces the use of encryption. This is the highest level of security and requires an encryption protocol (DES or AES) and password in addition to the authentication protocol and password.
  o Complete the Read Only Username. Enter the read only security name. This field is mandatory and must be completed when configuring the Console Server for SNMPv3.
  o For a Security Level of auth, select the Auth. Protocol (SHA or MD5) and the Auth. Password. A password of at least 8 characters is required.
  o For a Security Level of priv, select the Privacy Protocol (DES or AES) and the Privacy Password. AES is recommended as it provides stronger privacy but requires more intense calculations. A password of at least 8 characters is required.
• Click Apply
• Set up serial ports and devices as per operational requirements such as UPS, RPC/PDU and EMD
• Copy the MIBs from /etc/snmp/mibs on the Console Server product to a local directory using scp or WinSCP. For example:

    scp root@b095:/etc/snmp/mibs/* .
• Using the snmpwalk and snmpget commands, the status information can be retrieved from any console server. For example:

    snmpwalk -Oa -v1 -M .:/usr/share/snmp/mibs -c public b095 STATUS-MIB::ogStatus
    snmpget -Oa -v1 -M .:/usr/share/snmp/mibs -c public b095 OG-STATUSMIB::ogSerialPortStatusSpeed.2

  noauth
    snmpwalk -Oa -v3 -l noAuthNoPriv -u readonlyusername -M .:/usr/share/snmp/mibs b095 STATUS-MIB::Status

  auth
    snmpwalk -Oa -v3 -l authNoPriv -u readonlyusername -a SHA -A "authpassword" -M .:/usr/share/snmp/mibs b095 STATUS-MIB::ogStatus

  priv
    snmpwalk -Oa -v3 -l authPriv -u readonlyusername -a SHA -A "authpassword" -x DES -X "privpassword" -M .:/usr/share/snmp/mibs b095 STATUS-MIB::ogStatus

  (The priv example must use -l authPriv; with -l authNoPriv the -x and -X options are ignored and the request is sent without encryption.)

    -l  Security Level
    -u  Security Name or Read Only Username
    -a  Authentication Protocol (SHA or MD5)
    -A  Authentication Password
    -x  Privacy Protocol (DES or AES)
    -X  Privacy Password

A MIB browser may be used to explore the enterprise MIB structure.
15.5.4 /etc/config/snmpd.conf

net-snmpd is an extensible SNMP agent which includes built-in support for a wide range of MIB information modules, and can be extended using dynamically loaded modules, external scripts and commands. snmpd, when enabled, should run with a default configuration. Its behavior can be customized via the options in /etc/config/snmpd.conf.

Note: If the SNMP Service is enabled through the Web Based Management Console, this configuration file will be overridden and you will lose any customization.

Changing standard system information such as system contact, name and location can be achieved by editing the /etc/config/snmpd.conf file and locating the following lines:

    sysdescr "tripplite"
    syscontact root (configure /etc/default/snmpd.conf)
    sysname Not defined (edit /etc/default/snmpd.conf)
    syslocation Not defined (edit /etc/default/snmpd.conf)

Simply change the values of sysdescr, syscontact, sysname and syslocation to the desired settings and restart snmpd.

The snmpd.conf file is extremely powerful and too flexible to cover completely here. The configuration file itself is commented extensively, and good documentation is available at the net-snmp website http://www.net-snmp.org, specifically:

    Man Page: http://www.net-snmp.org/docs/man/snmpd.conf.html
    FAQ: http://www.net-snmp.org/docs/FAQ.html
    Net-SNMPD Tutorial: http://www.net-snmp.org/tutorial/tutorial-5/demon/snmpd.html

15.5.5 Adding multiple remote SNMP managers

You can add multiple SNMP servers for alert traps. Add the first and second SNMP servers using the Management Console (refer to Chapter 7) or the command line config tool. Further SNMP servers must be added manually using config.

Log in to the Console Server's command line shell as root or an admin user. Refer back to the Management Console UI or user documentation for descriptions of each field.

To set the SNMP Manager Address field:

    config --set="config.system.snmp.address3=w.x.y.z"

replacing w.x.y.z with the IP address or DNS name.

To set the Manager Trap Port field:

    config --set="config.system.snmp.trapport3=162"

replacing 162 with the TCP/UDP port number.

To set the SNMP Manager Protocol field:

    config --set="config.system.snmp.protocol3=UDP"
or
    config --set="config.system.snmp.protocol3=TCP"

To set the SNMP Manager Version field:

    config --set="config.system.snmp.version3=3"

To set the SNMP Manager v1 & v2c community field:

    config --set="config.system.snmp.community3=public"

To set the SNMP Manager v3 Engine ID field:

    config --set="config.system.snmp.engineid3=0x8000000001020304"

replacing 0x8000000001020304 with the hex Engine-ID.

To set the SNMP Manager v3 Security Level field:

    config --set="config.system.snmp.seclevel3=noAuthNoPriv"
or
    config --set="config.system.snmp.seclevel3=authNoPriv"
or
    config --set="config.system.snmp.seclevel3=authPriv"

To set the SNMP Manager v3 Username field:

    config --set="config.system.snmp.username3=username"

To set the SNMP Manager v3 Auth. Protocol and password fields:

    config --set="config.system.snmp.authprotocol3=SHA"
or
    config --set="config.system.snmp.authprotocol3=MD5"
    config --set="config.system.snmp.authpassword3=password 1"

To set the SNMP Manager v3 Privacy Protocol and password fields:

    config --set="config.system.snmp.privprotocol3=AES"
or
    config --set="config.system.snmp.privprotocol3=DES"
    config --set="config.system.snmp.privpassword3=password 2"

Once the fields are set, apply the configuration with the following command:

    config --run snmp

You can add a third or more SNMP servers by incrementing the index in the above commands, e.g. config.system.snmp.protocol3, config.system.snmp.address3, etc.

15.6 Secure Shell (SSH) Public Key Authentication

This section covers the generation of public and private keys in a Linux and Windows environment and configuring SSH for public key authentication. The steps to use in a Clustering environment are:

• Generate a new public and private key pair
• Upload the keys to the Master and to each Slave Console Server
• Fingerprint each connection to validate

15.6.1 SSH Overview

Popular TCP/IP applications such as telnet, rlogin, ftp, and others transmit their passwords unencrypted. Doing this across public networks like the Internet can have catastrophic consequences. It leaves the door open for eavesdropping, connection hijacking, and other network-level attacks.

Secure Shell (SSH) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. OpenSSH, the de facto open source SSH application, encrypts all traffic (including passwords) to effectively eliminate these risks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods.
OpenSSH is the port of OpenBSD's excellent OpenSSH[0] to Linux and other versions of Unix. OpenSSH is based on the last free version of Tatu Ylonen's sample implementation with all patent-encumbered algorithms removed (to external libraries), all known security bugs fixed, new features reintroduced and many other clean-ups. http://www.openssh.com/

The only changes in the SSH implementation are:

• PAM support
• EGD[1]/PRNGD[2] support and replacements for OpenBSD library functions that are absent from other versions of UNIX
• The config files are now in /etc/config, e.g.
  o /etc/config/sshd_config instead of /etc/sshd_config
  o /etc/config/ssh_config instead of /etc/ssh_config
  o /etc/config/users//.ssh/ instead of /home//.ssh/
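Back in 15.5.5, every extra SNMP manager takes a dozen config --set commands typed by hand, and nothing checks that the v3 fields fit together before config --run snmp activates them. This added example (not from the manual or the product) wraps those same keys in a shell function that validates the combination first: it refuses unknown protocols or security levels, requires a username for v3, and enforces the 8-character password minimum the manual states. The CONFIG_CMD override (set it to echo to preview on a workstation), the warning on the default community and the helper names are assumptions; the key names are the manual's.

```shell
#!/bin/sh
# Added example (not from the manual): generate the "config --set" arguments
# of 15.5.5 for one SNMP manager slot, refusing unsafe or incomplete v3
# combinations before anything is written. CONFIG_CMD=echo previews the
# commands on a workstation; on the console server it defaults to config.
CONFIG_CMD="${CONFIG_CMD:-config}"

# snmp_manager_cmds IDX ADDR PORT PROTO VERSION COMMUNITY \
#                   [SECLEVEL USER AUTHPROTO AUTHPASS PRIVPROTO PRIVPASS]
# Prints one --set=key=value argument per line; returns 1 (with a reason on
# stderr) when the combination is invalid. The Engine ID is left to the
# manual's own engineidN command.
snmp_manager_cmds() {
    idx="$1" addr="$2" port="$3" proto="$4" ver="$5" comm="$6"
    sec="${7:-}" user="${8:-}" aproto="${9:-}" apass="${10:-}"
    pproto="${11:-}" ppass="${12:-}"
    case "$proto" in UDP|TCP) ;; *) echo "protocol must be UDP or TCP" >&2; return 1 ;; esac
    case "$ver" in 1|2c|3) ;; *) echo "version must be 1, 2c or 3" >&2; return 1 ;; esac
    echo "--set=config.system.snmp.address$idx=$addr"
    echo "--set=config.system.snmp.trapport$idx=$port"
    echo "--set=config.system.snmp.protocol$idx=$proto"
    echo "--set=config.system.snmp.version$idx=$ver"
    if [ "$ver" != 3 ]; then
        # v1/v2c: the community string is the only credential and travels in clear
        [ -n "$comm" ] || { echo "v1/v2c needs a community string" >&2; return 1; }
        [ "$comm" != public ] || echo "warning: 'public' is the default community" >&2
        echo "--set=config.system.snmp.community$idx=$comm"
        return 0
    fi
    case "$sec" in
        authPriv) ;;
        noAuthNoPriv|authNoPriv) echo "warning: $sec sends traps without authentication and/or encryption" >&2 ;;
        *) echo "seclevel must be noAuthNoPriv, authNoPriv or authPriv" >&2; return 1 ;;
    esac
    [ -n "$user" ] || { echo "v3 needs a username" >&2; return 1; }
    echo "--set=config.system.snmp.seclevel$idx=$sec"
    echo "--set=config.system.snmp.username$idx=$user"
    if [ "$sec" != noAuthNoPriv ]; then
        case "$aproto" in SHA|MD5) ;; *) echo "auth protocol must be SHA or MD5" >&2; return 1 ;; esac
        # The manual requires at least 8 characters for both passwords
        [ ${#apass} -ge 8 ] || { echo "auth password needs 8+ characters" >&2; return 1; }
        echo "--set=config.system.snmp.authprotocol$idx=$aproto"
        echo "--set=config.system.snmp.authpassword$idx=$apass"
    fi
    if [ "$sec" = authPriv ]; then
        case "$pproto" in AES|DES) ;; *) echo "privacy protocol must be AES or DES" >&2; return 1 ;; esac
        [ ${#ppass} -ge 8 ] || { echo "privacy password needs 8+ characters" >&2; return 1; }
        echo "--set=config.system.snmp.privprotocol$idx=$pproto"
        echo "--set=config.system.snmp.privpassword$idx=$ppass"
    fi
}

# snmp_manager_apply: validate first, then run every --set and activate with
# "config --run snmp", exactly as the manual's procedure ends.
snmp_manager_apply() {
    args=$(snmp_manager_cmds "$@") || return 1
    printf '%s\n' "$args" | while read -r a; do "$CONFIG_CMD" "$a"; done
    "$CONFIG_CMD" --run snmp
}

# Command line use, e.g.:
#   CONFIG_CMD=echo sh snmp-manager.sh apply 3 192.0.2.20 162 UDP 3 "" authPriv mgr SHA authpass1 AES privpass1
case "${1:-}" in apply) shift; snmp_manager_apply "$@" ;; esac
```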