Tripp Lite 0 Idades Manual

							21
A Welcome screen, which lists initial installation configuration steps, will be\
 displayed. These steps are:  
• Change default administration password (System/Administration page. Ref\
er Chapter 3.2)
• Configure the local network settings (System/IP page. Refer Chapter 3\
.3)
To configure Console Server features:
• Configure serial ports settings (Serial & Network/Serial Port page. Refer Chapter 4)
• Configure user port access (Serial & Network/Users page. Refer Chapte\
r 4)
After completing each of the above steps, you can return to the config\
uration list by clicking the Tripp Lite logo in the top left corner 
of the screen:
Chapter 3: Initial System Configuration
• At the Management Console menu select System: Administration
Note: If you are not able to connect to the Management Console at 192.168.0.\
1 or  if the default Username / Password were 
not accepted then reset your Console Server (refer Chapter 10) 
3.1.3   Initial B092-016 connection
You can configure the B092-016 Console Server using a connected compute\
r and browser connection as described in the two 
sections above, or you can configure it directly. To do this you will need to connect a console (keyboard, mouse and displ\
ay) or 
a KVM switch directly to its mouse, keyboard and VGA ports. When you ini\
tially power on the B092-016, you will be prompted 
on your directly connected video console to log in
• Enter the default administration username and password (Username: root Password: default). The B092-016 control 
panel will be displayed
• Click the Configure button on the control panel. This will load the Firefox browser and ope\
n the B092-016 Management Console 
   
						

							22
Chapter 3: Initial System Configuration
3.2 Administrator Password
For security reasons, only the administration user named root can initially log into your Console Server. Only those people who 
know the root password can access and reconfigure the Console Server i\
tself.
However, anyone who correctly guesses the root password (and the default root \
password which is default) could gain access. 
It is therefore essential that you enter and confirm a new root passwo\
rd before giving the Console Server any access to, or 
control of, your computers and network appliances.  
• Select Change default administration password from the Welcome page, which will take you to Serial & Network:  
 Users & Groups 
• Select Edit for the user root 
• Add a new Password and then re-enter it in Confirm. This is the new password for root, the main administrative user 
 account, so it is important that you choose a complex password, and keep\
 it safe
Note: There are no restrictions on the characters that can be used in the Sy\
stem Password (which can contain up to 254 
characters). However, only the first eight Password characters are used to make the passwo\
rd hash. 
• Click Apply
Note: If the Console Server has flash memory you will be given the option t\
o Save Password across firmware erases. 
Checking this will save the password hash in the non-volatile configur\
ation partition, which does not get erased on firmware 
reset. However take care as if this password is lost, the device will ne\
ed to be firmware recovered.
• Select System: Administration  
						

							23
Chapter 3: Initial System Configuration
• You may now wish to enter a System Name and System Description for the Co\
nsole Server to give it a unique ID and  
 make it simple to identify
Note: The System Name can contain from 1 to 64 alphanumeric characters (howe\
ver you can also use the special characters 
“-” “_” and “.” ). There are no restrictions on the c\
haracters that can be used in the System Description (which can contain up 
to 254 characters).
• The MOTD Banner can be used to display a “message of the day” text\
 to authenticating users when the ssh, ftp or web  
 access the Console Server
• Click Apply. As you have changed the password you will be prompted to log in again.\
 This time use the new password
Note: If you are not confident your Console Server has been supplied with \
the current release of firmware, you can upgrade. 
Refer to Upgrade Firmware - Chapter 10
3.2.1   Set up new administrator
It is also recommended that you set up a new Administrator user as soon \
as convenient and log-in as this new user for all 
ongoing administration functions (rather than root). 
This Administrator can be configured in the admin group with full access privileges through the Serial & Network: Users & 
Groups menu (refer to Chapter 4 for details)  
						

							24
Chapter 3: Initial System Configuration
3.3 Network IP Address
It is time to enter an IP address for the principal 10/100 LAN port on the Console Server; or enable its DHCP client so that it 
automatically obtains an IP address from a DHCP server on the network to\
 which it is to be connected. 
• On the System: IP menu select the Network Interface page then check DHCP or Static for the Configuration Method
• If you select Static you must manually enter the new IP Address, Subnet Mask, Gateway and DNS server details. This 
selection automatically disables the DHCP client 
 
• If you selected DHCP the Console Server will look for configuration details from a DHCP se\
rver on your management LAN. 
This selection automatically disables any static address. The Console Se\
rver MAC address can be found on a label on the 
base plate
Note: In its factory default state (with no Configuration Method selected\
) the Console Server has its DHCP client enabled, so 
it automatically accepts any network IP address assigned by a DHCP serve\
r on your network. In this initial state, the Console 
Server will then respond to both its Static address (192.168.0.1) and \
its newly assigned DHCP address
• By default the Console Server LAN port auto detects the Ethernet connect\
ion speed. However you can use the Media 
menu to lock the Ethernet to 10 Mb/s or 100Mb/s and to Full Duplex (FD) or Half Duplex (HD)
Note: If you have changed the Console Server IP address, you may need to recon\
figure your PC/workstation so it has an IP 
address that is in the same network range as this new address  (as deta\
iled in an earlier note in this chapter)
• Click Apply
• You will need to reconnect the browser on the PC/workstation that is conn\
ected to the Console Server by entering  
http://new IP address  
						

							25
Chapter 3: Initial System Configuration
3.3.1  IPv6 configuration
By default, the Console Server Ethernet interfaces support IPv. However, they can also be configured for IPv6 operation:
• On the System: IP menu select General Settings page and check Enable IPv6
 
• You will then need to configure the IPv6 parameters on each network int\
erface page   
						

							26
3.3.2 Dynamic DNS (DDNS) configuration
Dynamic DNS (DDNS) enables a Console Server with a dynamically assigne\
d IP address (that may change from time to time) 
to be located using a fixed host or domain name.
• The first step in enabling DDNS is to create an account with the suppo\
rted DDNS service provider of your choice. 
Supported DDNS providers include:
  o DyNS www.dyns.cx 
  o dyndns.org www.dyndns.org
  o GNUDip gnudip.cheapnet.net 
  o ODS www.ods.org 
  o TZO www.tzo.com 
  o 3322.org (Chinese provider) www.3322.org 
Upon registering with the DDNS service provider, you will select a username and password, as well as a hostname that 
you will use as the DNS name (to allow external access to your machine \
using a URL).
The Dynamic DNS service providers allow the user to choose a hostname UR\
L and set an initial IP address to 
correspond to that hostname URL. Many Dynamic DNS providers offer a sele\
ction of URL hostnames available for free 
use with their service. However, with a paid plan, any URL hostname (including your own registered dom\
ain name) can 
be used. 
You can now enable and configure DDNS on any of the Ethernet or cellula\
r network connections on the Console Server (by 
default DDNS is disabled on all ports): 
•  Select the DDNS service provider from the drop down Dynamic DNS list on the System:IP or System:Dial menu
 
• In DDNS Hostname enter the fully qualified DNS hostname for your console server e.g. your-hostname.dyndns.org
• Enter the DDNS Username and DDNS Password for the DDNS service provider account 
• Specify the Maximum interval between updates - in days. A DDNS update will be sent even if the address has not chang\
ed
• Specify the Minimum interval between checks for changed addresses - in seconds. Updates will still only be sent if \
the 
address has changed 
• Specify the Maximum attempts per update i.e. the number of times to attempt an update before giving up (defaul\
ts to 3)
Chapter 3: Initial System Configuration  
						

							27
3.4 System Services and Service Access
Service Access specifies which access protocols/services can be used t\
o access the Console Server (and connected serial ports). 
The Administrator can access and configure the Console Server (and co\
nnected devices) using a range of access protocols/
services – and for each such access, the particular service must be r\
unning with access through the firewall enabled. 
By default HTTP, HTTPS, Telnet and SSH services are running, and these services are enabled on all network i\
nterfaces. However, 
again by default, only HTTPS and SSH access to the Console Server is enabled, while HTTP and Telnet access is disabled. 
For other services, such as SNMP/Nagios NRPE/NUT, the service must first be started on the relevant network interface \
using 
Service Settings. Then the Service Access can be set to allow or block a\
ccess.
To enable and configure a service:
• Select the Service Settings tab on the System: Services page and enable required services
Chapter 3: Initial System Configuration
To change the access settings:
• Select the Service Access tab on the System: Services page. This will display the service currently enabled for the 
Console Server’s network interfaces.
  o Network interface (for the principal Ethernet connection)
  o Dial out (V90 and cellular modem)
  o Dial in (internal or external V90 modem) 
  o WiFi (802.11 wireless)
  o OoB Failover (second Ethernet connections)
  o VPN (IPSec or Open VPN connection over any network interface)  
•  Check/uncheck for each network which service access is to be enabled /di\
sabled
In the example shown below local Administrators on local Network Interfa\
ce LAN do not have Telnet access to the Console 
Server itself (only SSH and HTTPS access) but they do have Telnet access to the serial console devices attached to the 
Console Server. 
   
						

							28
The Services Access settings specify which services the Administrator ca\
n use over which network interface to access the 
console server. It also nominates the enabled services that the Administrator and the \
User can use to connect through the 
Console Server to attached serial and network connected devices.
•  The following general service access options can be specified:
HTTPSThis ensures the Administrator has secure browser access to all the Management Console menus on the Co\
nsole 
Server. It also allows appropriately configured Users secure browser access \
to selected Manage menus.  For 
information on certificate and user client software configuration re\
fer Chapter 9 - Authentication. By default 
HTTPS is enabled, and it is recommended that only HTTPS access be used if the Console Server is to be 
managed over any public network (e.g. the Internet). 
HTTPThe HTTP service allows the Administrator basic browser access to the Manageme\
nt Console. It is recommended 
the HTTP service be disabled if the Console Server is to be remotely accessed \
over the Internet. 
TelnetThis gives the Administrator telnet access to the system command line sh\
ell (Linux commands). While this may 
be suitable for a local direct connection over a management LAN, it is r\
ecommended this service be disabled if 
the Console Server is to be remotely administered. This service may also\
 be useful for local Administrator and the 
User access to selected serial consoles
SSHThis service provides secure SSH access.  It is recommended you choose SSH as the protocol where the 
Administrator connects to the Console Server over the Internet or any ot\
her public network. This will provide 
authenticated communications between the SSH client program on the remote PC/workstation and the SSH sever 
in the Console Server. For more information on SSH configuration refer Chapter 9 - Authentication.  
•  There are also a number of related service options that can be configu\
red at this stage:
SNMP This will enable netsnmp in the Console Server, which will keep a remote log of all posted information. SNMP is 
disabled by default. To modify the default SNMP settings, the Administrator must make the edit\
s at the command 
line as described in Chapter 15 – Advanced Configuration
TFTP/
FTP  
If a USB flash card or internal flash is detected on the Console Ser\
ver, then enabling this service will set up 
default tftp and ftp servers on the USB flash. These server are used to store config fi\
les, maintain access and 
transaction logs etc. Files transferred using tftp will be stored under /var/tmp/usbdisk/tftpboot
Ping This allows the Console Server to respond to incoming ICMP echo requests\
. Ping is enabled by default, however 
for security reasons this service should generally be disabled post init\
ial configuration
Nagios  Access to the NUT UPS monitoring and Nagios NRPE monitoring daemons 
NUT  Access to the NUT UPS monitoring and Nagios NRPE monitoring daemons
•  And there are some serial port access parameters that can be configure\
d on this menu:
Base The Console Server uses specific default ranges for the TCP/IP ports for the various access services that Users 
and Administrators can use to access devices attached to serial ports (\
as covered in Chapter 4 – Configuring 
Serial Ports). The Administrator can also set alternate ranges for these services, \
and these secondary ports will 
then be used in addition to the defaults.  
The default TCP/IP base port address for telnet access is 2000, and the range for telnet is IP Address: Port (2000 
+ serial port #) i.e. 2001 – 2048. So if the Administrator were to s\
et 8000 as a secondary base for telnet then 
serial port #2 on the Console Server can be telnet accessed at IP Addres\
s:2002 and at IP Address:8002. The 
default base for SSH is 3000; for Raw TCP is 4000; and for RFC2217 it is 5000 
RAW/
Direct 
You can also specify that serial port devices can be accessed from nomina\
ted network interfaces using Raw TCP, 
direct Telnet/SSH, unauthenticated Telnet services etc
• Click Apply. As you apply your services selections, the screen will be updated with\
 a confirmation message:
 Message Changes to configuration succeeded
Chapter 3: Initial System Configuration  
						

							29
 
• The B092-016 Console Server with PowerAlert also presents some additional service and configuration opti\
ons:
VNC The B092-016 Console Server has an internal VNC server. When enabled, it allows remote users to connect 
to the Console Server and run the PowerAlert software and any other embedded thin client programs as if the\
y 
were plugged in locally to the KVM connectors on the B092-016 (refer to\
 Chapter 16 for more details). Users 
connect using port 5900 and need to run a VNC client applet
Secure 
VNC
This enables a secure encrypted remote connection using VNC over SSL on port 5800 to the B092-016 
Console Server (refer to Chapter 16)
PowerAlert This configuration option will automatically start the PowerAlert application on the B092-016 and display 
the console as soon as you log into the local display or VNC session (r\
efer to Chapter 16). The complete 
PowerAlert manual can be downloaded at www.tripplite.com/EN/support/PowerAlert/Downloads.cfm 
Chapter 3: Initial System Configuration  
						

							30
Chapter 3: Initial System Configuration
3.4.1  Brute force protection
Brute force protection (Micro Fail2ban) temporarily blocks source IPs that show malicious signs, such as too many password 
failures. This may help mitigate scenarios where the appliance’s netw\
ork services are exposed to an untrusted network such 
as the public WAN, and scripted attacks or software worms are attempting to guess (bru\
te force) user credentials and gain 
unauthorized access.
Brute Force Protection may be enabled for the listed services. Once protection \
is enabled, 3 or more failed connection 
attempts within 60 seconds from a specific source IP trigger it to be \
banned from connecting for the next 60 seconds. Active 
Bans are also listed and may be refreshed by reloading the page.
Note: When an appliance is running on an untrusted network, it is recommended \
that a variety of strategies are used to lock 
down remote access.  This includes strong passwords (or even better, SSH public key authentication), VPN, and using Firewall 
Rules to whitelist remote access from trusted source networks only.