Tripp Lite 0 Idades Manual

							221
Chapter 15: Advanced Configuration
The pmshell help message is NOT updated with the extra control command keys that ma\
y be configured. For example, to 
configure the Ctrl+p command to open the power menu when using serial port 3, enter the foll\
owing in the console server’s 
command shell:
     config -s config.ports.port3.power=16
     killall -HUP portmanager
The first command sets the power menu command to listen for Ctrl+p (d\
ecimal 16 is the character code sent when you press 
Ctrl+p in the serial port session - see the range of control codes below\
). The second command (killall -HUP portmanager) tells 
portmanager to reload the configuration so that the new control code w\
ill take effect. Rebooting the device also works. 
There is a script to set serial control codes on a range of ports so tha\
t bulk port configuration can be performed more easily. 
For example, to set the power menu control code to Ctrl+p (keycode 16) \
on ports 4 to 10 inclusive, enter the following in the 
command line:
    /etc/scripts/set-serial-control-codes 4 10 power 16
This sets the power menu control key to Ctrl+p (see the range of contro\
l codes below). 
Note: If you have not configured a particular serial port in the included ra\
nge, configuration for that port will be skipped. 
Control Codes (Ctrl+a=1 ... Ctrl+z=26):
Ctrl+a = 1
Ctrl+b = 2
Ctrl+c = 3
Ctrl+d = 4
Ctrl+e = 5
Ctrl+f = 6
Ctrl+g = 7
Ctrl+h = 8
Ctrl+i = 9
Ctrl+j = 10
Ctrl+k = 11
Ctrl+l = 12
Ctrl+m = 13
Ctrl+n = 14
Ctrl+o = 15
Ctrl+p = 16
Ctrl+q = 17
Ctrl+r = 18
Ctrl+s = 19
Ctrl+t = 20
Ctrl+u = 21
Ctrl+v = 22
Ctrl+w = 23
Ctrl+x = 24
Ctrl+y = 25
Ctrl+z = 26  
						

							222
Chapter 15: Advanced Configuration
pmchat
The pmchat command acts similar to the standard chat command, but all serial port access is directed via the portmanager.
Example: To run a chat script via the portmanager:
# pmchat -v -f /etc/config/scripts/port08.chat < /dev/port08 
For more information on using chat (and pmchat) you should consult the UNIX man pages:
http://techpubs.sgi.com/library/tpl/cgibin/getdoc.cgi?coll=linux&db=man&\
fname=/usr/share/catman/man8/chat.8.html
pmusers
The pmusers command is used to query the portmanager for active user sessions.
Example: To detect which users are currently active on which serial ports:
# pmusers 
This command will output nothing if there are no active users currently \
connected to any ports, otherwise it will respond with a 
sorted list of usernames per active port:
Port 1:
 user1
 user2
Port 2:
 user1
Port 8:
 user2 
The above output indicates that a user named “user1” is actively connected to ports 1 and 2, while “user2” is connected to 
both ports 1 and 8
Note: With v3.11 firmware and later, the pmusers command is extended with the --disconnect option, which allows an 
admin user or root to disconnect console server sessions from the command line. The follow\
ing connection types can be 
disconnected:
telnet
SSH
Raw TCP
Unauth’ed Telnet
You cannot disconnect an RFC2217 session.
If the --disconnect option is specified, the pmusers command goes into disconnect mode where you can specify the users with \
-u, the ports with -l (by label) or -n (by name).
By default, the command will prompt the user before actually disconnecti\
ng the matching sessions. This can be overridden 
with the --no-prompt argument.
Example: pmuser sessions:
    # pmusers --disconnect 
    Disconnect all users from all ports? (y/n) 
    y 
    5 sessions were disconnected
    # pmusers --disconnect -u robertw 
    Disconnect user robertw from all ports? (y/n) 
    y 
    1 session was disconnected
    # pmusers --disconnect -u robertw -n 5 
    Disconnect user robertw from port 5 (BranchRouter01)? (y/n) 
    y 
    No sessions were disconnected  
						

							223
Chapter 15: Advanced Configuration
    # pmusers --disconnect -n 5 
    Disconnect all users from port 5 (BranchRouter01)? (y/n) 
    y 
    2 sessions were disconnected
    # pmusers --disconnect -u robertw -u pchunt -n 4 -n 6 
    Disconnect users robertw, pchunt from ports 4, 6? (y/n) 
    y 
    10 sessions were disconnected
    # pmusers --disconnect -u tester --no-prompt 
    No sessions were disconnected
portmanager daemon
There is normally no need to stop and restart the daemon.  To restart the daemon normally, just run the command:
# portmanager
Supported command line options are:
Force portmanager to run in the foreground: --nodaemon
Set the level of debug logging:     --loglevel={debug,info,warn,error,alert} 
Change which configuration file it uses: -c /etc/config/portmanager.conf
Signals
Sending a SIGHUP signal to the portmanager will cause it to re-read its \
configuration file
15.2.2  External Scripts and Alerts
The portmanager has the ability to execute external scripts on certain e\
vents. 
When a port is opened by the portmanager:
• When the portmanager opens a port, it attempts to execute /etc/config/scripts/portXX.init (where XX is the number of the 
port, e.g. 08).  The script is run with STDIN and STDOUT both connected to the se\
rial port.
• If the script cannot be executed, then portmanager will execute /etc/config/scripts/portXX.chat via the chat command on 
the serial port.
When an alert occurs on a port:
• When an alert occurs on a port, the portmanager will attempt to execute /etc/config/scripts/portXX.alert (where XX is the 
port number, e.g. 08)
• The script is run with STDIN containing the data which triggered the ale\
rt, and STDOUT redirected to /dev/null, NOT to the 
serial port.  If you wish to communicate with the port, use pmshell or p\
mchat from within the script.
• If the script cannot be executed, then the alert will be mailed to the a\
ddress configured in the system administration 
section.
When a user connects to any port:
• If a file called /etc/config/pmshell-start.sh exists it is run when \
a user connects to a port. It is provided 2 arguments, the 
"Port number" and the "Username". Here is a simple example:

#!/bin/sh
PORT="$1"
USER="$2"
echo "Welcome to port $PORT $USER"
< /etc/config/pmshell-start.sh>
• The return value from the script controls whether the user is accepted o\
r not, if 0 is returned (or nothing is done on exit as 
in the above script) the user is permitted, otherwise the user is denie\
d access.  
						

							224
Chapter 15: Advanced Configuration
• Here is a more complex script which reads from configuration to displa\
y the port label if available and denies access to the 
root user:

#!/bin/sh
PORT="$1"
USER="$2"
LABEL=$(config -g config.ports.port$PORT.label | cut -f2- -d' ')
if [ "$USER" == "root" ]; then
    echo "Permission denied for Super User"
   exit 1
fi
if [  -z  "$LABEL" ]; then
echo "Welcome $USER, you are connected to Port $PORT"
else
echo "Welcome $USER, you are connected to Port $PORT ($LABEL)"
fi

15.3 Raw Access to Serial Ports 
15.3.1   Access to serial ports
You can use tip and stty to completely bypass the portmanager and have ra\
w access to the serial ports.
When you run tip on a portmanager controlled port, portmanager closes th\
at port, and stops monitoring it until tip releases 
control of it.
With stty, the changes made to the port only "stick" until that port is closed an\
d opened again. So it is doubtful that people will 
want to use stty for more than initial debugging of the serial connectio\
n.
If you want to use stty to configure the port, you can put stty comman\
ds in /etc/config/scripts/portXX.init which gets run 
whenever portmanager opens the port.
Otherwise, any setup you do with stty will get lost when the portmanager\
 opens the port.  (the reason that portmanager sets 
things back to its config rather than using whatever is on the port, i\
s so the port is in a known good state, and will work, no 
matter what things are done to the serial port outside of portmanager).\
15.3.2  Accessing the console/modem port 
The console dial-in is handled by mgetty, with automatic PPP login extensions.  mgetty is a smart getty replacement, designed 
to be used with Hayes compatible data and data/fax modems.  mgetty knows about modem initialization,  manual  modem  
answering (so your modem doesn’t answer if the machine isn’t read\
y), UUCP locking (so you can use the same device  for 
dial-in  and dial-out).  mgetty provides very extensive logging facilities. All standard mgetty options are supported.
Modem initialization strings:
• To override the standard modem initialization string either use the Manag\
ement Console (refer Chapter 5) or the command 
line config tool (refer Dial-In Configuration Chapter 14).
Enabling Boot Messages on the Console:
• If you are not using a modem on the DB9 console port and instead wish to\
 connect to it directly via a Null Modem cable 
you may want to enable verbose mode allowing you to see the standard lin\
ux start-up messages. This can be achieved 
with the following commands:
 # /bin/config --set=config.console.debug=on # /bin/config --run=co\
nsole # reboot
• If at some point in the future you chose to connect a modem for dial-in \
out-of-band access the procedure can be reversed 
with the following commands.
 # /bin/config --del=config.console.debug # /bin/config --run=conso\
le # reboot  
						

							225
Chapter 15: Advanced Configuration
15.4  IP- Filtering
The Console Server uses the iptables utility to provide a stateful firewall of LAN traffic. By default r\
ules are automatically 
inserted to allow access to enabled services, and serial port access via enabled protocols. The commands which add these 
rules are contained in configuration files:
/etc/config/fw.rules
This is an executable shell script which is run whenever the LAN interfa\
ce is brought up and whenever modifications are made 
to the iptables configuration as a result of CGI actions or the config command line tool.
The basic steps performed are as follows:
•  Running iptables configuration is erased, per-interface and other standard system chains are installed
•  Fall through Block rules (default deny) are installed
•  Serial & Network: Services policies are installed in per-interface chains
•  Custom Serial & Network: Firewall rules are inserted at the top of the r\
ule sets, taking priority over any other configuration
If you require further firewall customization, extra rules can be pers\
isted by creating a file at /etc/config/scripts/firewall-post 
containing iptables commands to amend the firewall policy.
There’s good documentation about using the iptables command at the Li\
nux netfilter website http://netfilter.org/documentation/
index.html. There are also many high-quality tutorials and HOWTOs available via the netfilter website, in particular peruse the 
tutorials listed on the netfilter HOWTO page. 
15.5   SNMP Status Reporting and Traps
Console Servers can send traps/messages to multiple remote SNMP Network \
Managers on defined trigger events (as detailed 
in Chapter 7). Console Servers also contain an SNMP Service (snmpd) w\
hich can provide status information on demand. From 
the snmpd manual page: 
 snmpd is an SNMP agent which binds to a port and awaits requests from SN\
MP management software. Upon receiving 
a request, it processes the request(s), collects the requested informa\
tion and/or performs the requested operation(s) and 
returns the information to the sender. 
15.5.1 Retrieving status information using SNMP
Console Servers can provide serial and device status information through\
 SNMP. This includes
 • Serial port status
 • Active users
 • Remote Power Control (RPC) and Power Distribution Unit (PDU) status
 • Environmental Monitoring Device (EMD) status
 • Signal alert status
 • Environmental alert status and
 • UPS alert status
The MIBs in your Console Server are located in /etc/snmp/mibs. 
TL-STATUS-MIB.mib    This new MIB contains serial and connected device status information  
(for snmpstatusd & snmpalertd)
TL-STATUSv2-MIB.mib  This new MIB contains extended status and alert
TL-SMI-MIB.mib    Enterprise structure of management information
TLTRAP-MIB.mib   SMIv1 traps from old MIBS (as smilint will not let SMIv1 structures coexist with SMIv2)
15.5.2 Check firewall rules
 • Select System: Services and ensure the SNMP daemon box has been checked for the interface required  
This will allow SNMP requests through the firewall for the specified\
 interface.  
						

							226
Chapter 15: Advanced Configuration
15.5.3 Enable SNMP service
Note: For firmware versions 3.10.2 and above, a new SNMP status and trap MIB\
S were created to provide more and better 
structured SNMP status and traps from console servers. There is an option in the SNMP menu to Use Legacy Notifications 
for the SNMP traps. In setting this option, the console server will send\
 SNMP traps that are compatible with those sent from 
older firmware versions before new MIBS were added. This ensures that the firmware upgrade will not upset th\
e existing SNMP 
management settings already in place.
When upgrading from an old firmware version that does not support newe\
r SNMP MIBs/traps (versions before 3.10.2) to 
firmware that does support the new MIBs/traps:
• If the SNMP service was enabled and an SNMP manager was configured bef\
ore upgrading the firmware, the console 
server will be configured to use the legacy traps after upgrading.
• If the SNMP service was not enabled or no SNMP manger was configured b\
efore the upgrade, then the console server will 
be configured to use the new SNMP traps after the upgrade. Note: this \
will not have any effect until the SNMP service is 
turned on and an SNMP manager is configured.
• When starting up using the new firmware after a config erase, the co\
nsole server will be configured to use the new SNMP 
traps. 
• When upgrading from a firmware version that supports the new traps to \
a newer version that supports the new traps, the 
‘use legacy traps’ setting should be kept the same – no checkin\
g SNMP service/manager configuration is needed.
The Console Server supports different versions of SNMP including SNMPv1,\
 SNMPv2c and SNMPv3.  
SNMP, although an industry standard, brings with it a variety of security co\
ncerns.  For example, SNMPv1 and SNMPv2c offer 
no inherent privacy, while SNMPv3 is susceptible to man-in-the-middle attacks.  Recent IETF developments suggests tunnelling 
SNMP over widely accepted technologies such as SSH (Secure Shell) or TLS (Transport Layer Security) rather than relying on a 
less mature security systems such as SNMPv3's USM (User-based Security Model).  
Additional information regarding SNMP security issues and SNMPv3 can be \
found at:
 http://net-snmp.sourceforge.net/wiki/index.php/TUT:Security 
http://www.ietf.org/html.charters/snmpv3-charter.html. 
• Select Alerts & Logging: SNMP
• The SNMP Service Details tab is shown by default.   The SNMP Service Details tab controls aspect\
s of the SNMP 
Service including Security Level.  It manages requests from external age\
nts for status information. 
• Check the Enable the SNMP Service box to start the SNMP Service.  The Service is disabled by default.  
• Select either UDP or TCP for the TCP/IP Protocol.   UDP is the recommended protocol and is selected by def\
ault.  TCP 
should only be used in special cases such as when Port Forwarding SNMP requests/responses to or from the Console 
Server device is required.  
						

							227
Chapter 15: Advanced Configuration
• Complete the Location and Contact fields.  The Location field should describe the physical location o\
f the Console Server 
and will be used in response to requests for the SNMPv2-MIB::sysLocation\
.0 of the device.  The Contact field refers to the 
person responsible for the Console Server such as the System Administrat\
or and will be used in response to requests as 
follows: SNMPv2-MIB::sysContact.0.
• Enter the Read-Only Community and Read-Write Community.  This is required for SNMP v1 & v2c only.  The Read-
Only Community field is used to specify the SNMPv1 or SNMPv2c communit\
y that will be allowed read-only (GET and 
GETNEXT) access.  This must be specified in order for both versions t\
o become enabled.  The Read-Write Community field 
is used to specify the SNMPv1 or SNMPv2c community that will be allowed \
read-write (GET, GETNEXT and SET) access.
• Configure SNMP v3, if required.  SNMP v3 provides secure SNMP operatio\
ns through the use of USM (User-based 
Security Model). It offers various levels of security including user-based authentication and basic encryption.  
  o The Engine ID is used to localize the SNMPv3 user.  It will be automatically generated from a Network Interface  
    (eth0) hardware address, if left blank, or must be entered as a hex va\
lue e.g. 0x01020304.
 o Specify the Security Level:
 noauth  No authentication or encryption is required. This is the minimum level o\
f security.
 auth  Authentication will be required but encryption is not enforced. An authe\
ntication protocol (SHA or  
    MD5) and password will be required. 
 priv  Enforces the use of encryption. This is the highest level of security an\
d requires an encryption  
    protocol (DES or AES) and password in addition to the authentication p\
rotocol and password. 
 o Complete the Read Only Username.  Enter the read only security name. This field is mandatory and must\
 be  
    completed when configuring the Console Server for SNMPv3.
 o  For a Security Level of auth, select the Auth. Protocol (SHA or MD5) and the Auth. Password.  A password of  
    at least 8 characters is required.
 o For a Security Level of priv, select the Privacy Protocol (DES or AES) and the Privacy Password.  AES is  
    recommended as it provides stronger privacy but requires more intense ca\
lculations.  A password of at least 8  
   characters is required.
• Click Apply
• Setup serial ports and devices as per operational requirements such as U\
PS, RPC/PDU and EMD 
• Copy the mibs from /etc/snmp/mibs on the Console Server product to a loc\
al directory using scp or Winscp. For example:  
 scp root@b095:/etc/snmp/mibs/*  
						

							228
Chapter 15: Advanced Configuration
• Using the snmpwalk and snmpget commands, the status information can be retrieved from any console serv\
er. For 
example:
 snmpwalk -Oa -v1 -M .:/usr/share/snmp/mibs -c public b095 STATUS-MIB::ogStatus
 snmpget -Oa -v1 -M .:/usr/share/snmp/mibs -c public b095 OG-STATUSMIB::
 ogSerialPortStatusSpeed.2
noauth 
snmpwalk -Oa –v3 –l noAuthNoPriv –u readonlyusername -M .:/usr/\
share/snmp/mibs b095 STATUS-MIB::Status
auth 
snmpwalk -Oa –v3 –l authNoPriv –u readonlyusername –a SHA –\
A “authpassword” -M .:/usr/share/snmp/mibs b095 STATUS-
MIB::ogStatus
priv 
snmpwalk -Oa –v3 –l authNoPriv –u readonlyusername –a SHA –\
A “authpassword” –x DES –X “privpassword” -M .:/usr/sh\
are/
snmp/mibs b095 STATUS-MIB::ogStatus
 -l    Security Level
  -u   Security Name or Read Only Username
  -a   Authentication Protocol – SHA or MD5
  -A   Authentication Password
  -x   Privacy Protocol – DES or AES
  -X   Privacy Password
A mib browser may be used to explore the enterprise MIB structure.   
						

							229
Chapter 15: Advanced Configuration
15.5.4  /etc/config/snmpd.conf
The net-snmpd is an extensible SNMP which includes built-in support for a wide range \
of MIB information modules, and can 
be extended using dynamically loaded modules, external scripts and comma\
nds. snmpd when enabled should run with a 
default configuration. Its behavior can be customized via the options \
in /etc/config/snmpd.conf. 
Note: If the SNMP Service is enabled through the Web Based Management Console this configuration file will be overidde\
n 
and you will lose any customization.
Changing standard system information such as system contact, name and lo\
cation can be achieved by editing 
/etc/config/snmpd.conf file and locating the following lines:
sysdescr   "tripplite"
syscontact root (configure /etc/default/snmpd.conf)
sysname Not defined (edit /etc/default/snmpd.conf)
syslocation Not defined (edit /etc/default/snmpd.conf)
Simply change the values of sysdescr, syscontact, sysname and syslocation to the desired settings and restart snmpd. 
The snmpd.conf provides is extremely powerful and too flexible to completely cover h\
ere. The configuration file itself is 
commented extensively and good documentation is available at the net-snmp website http://www.net-snmp.org, specifically:
Man Page:  http://www.net-snmp.org/docs/man/snmpd.conf.html
FAQ: http://www.net-snmp.org/docs/FAQ.html
Net-SNMPD Tutorial: http://www.net-snmp.org/tutorial/tutorial-5/demon/snmpd.html
15.5.5  Adding multiple remote SNMP managers
You can add multiple SNMP servers for alert traps add the first and sec\
ond SNMP servers using the Management Console 
(refer Chapter 7) or the command line config tool. Further SNMP servers must be added manually using config.
Log in to the Console Server’s command line shell as root or an admin\
 user.  Refer back to the Management Console UI or 
user documentation for descriptions of each field.
To set the SNMP Manager Address field: 
  config –set="config.system.snmp.address3=w.x.y.z"
.. replacing w.x.y.z with the IP address or DNS name. 
To set the Manager Trap Port field
   config --set=”config.system.snmp.trapport3=162” 
.. replacing 162 with the TCP/UDP port number
To set the SNMP Manager Protocol field: 
  config --set="config.system.snmp.protocol3=UDP" or 
  config --set="config.system.snmp.protocol3=TCP" 
To set the SNMP Manager Version field: 
  config --set="config.system.snmp.version3=3" 
To set the SNMP Manager v1 & v2c community field: 
  config --set="config.system.snmp.community3=public" 
To set the SNMP Manager v3 Engine ID field: 
  config –set="config.system.snmp.engineid3=0x8000000001020304"
.. replacing 0x8000000001020304 with the hex Engine-ID 
To set the SNMP Manager v3 Security Level field: 
  config --set="config.system.snmp.seclevel3=noAuthNoPriv" or 
  config --set="config.system.snmp.seclevel3=authNoPriv" or 
  config --set="config.system.snmp.seclevel3=authPriv" 
To set the SNMP Manager v3 Username field: 
  config --set="config.system.snmp.username3=username"   
						

							230
Chapter 15: Advanced Configuration
To set the SNMP Manager v3 Auth. Protocol and password fields: 
  config –set="config.system.snmp.authprotocol3=SHA" or 
  config --set="config.system.snmp.authprotocol3=MD5"
  config --set="config.system.snmp.authpassword3=password 1" 
To set the SNMP Manager v3 Privacy Protocol and password fields: 
  config –set="config.system.snmp.privprotocol3=AES" or
  config –set="config.system.snmp.privprotocol3=DES"
  config --set="config.system.snmp.privpassword3=password 2"
Once the fields are set, apply the configuration with the following \
command:
 config --run snmp
You can add a third or more SNMP servers by incrementing the "2" in the a\
bove commands, e.g. config.system.snmp.
protocol3, config.system.snmp.address3, etc
15.6  Secure Shell (SSH) Public Key Authentication
This section covers the generation of public and private keys in a Linux\
 and Windows environment and configuring SSH for 
public key authentication. The steps to use in a Clustering environment \
are:
• Generate a new public and private key pair 
• Upload the keys to the Master and to each Slave Console Server
• Fingerprint each connection to validate
15.6.1   SSH Overview
Popular TCP/IP applications such as telnet, rlogin, ftp, and others transmit their passwords unencrypted. Doing this across 
public networks like the Internet can have catastrophic consequences. It\
 leaves the door open for eavesdropping, connection 
hijacking, and other network-level attacks. 
Secure Shell (SSH) is a program to log into another computer over a network, to execut\
e commands in a remote machine, 
and to move files from one machine to another. It provides strong authentication and secure communications over insec\
ure 
channels. 
OpenSSH, the de facto open source SSH application, encrypts all traffic (including passwords) to effect\
ively eliminate these 
risks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a vari\
ety of authentication methods.
OpenSSH is the port of OpenBSD's excellent OpenSSH[0] to Linux and other versions of Unix. OpenSSH is based on the last 
free version of Tatu Ylonen's sample implementation with all patent-encumbered algorithms\
 removed (to external libraries), all 
known security bugs fixed, new features reintroduced and many other cl\
ean-ups. http://www.openssh.com/ The only changes in 
the SSH implementation are:
• PAM support
• EGD[1]/PRNGD[2] support and replacements for OpenBSD library functions that  are absent from other versions of UNIX
• The config files are now in /etc/config. e.g.
 o /etc/config/sshd_config instead of /etc/sshd_config
 o /etc/config/ssh_config instead of /etc/ssh_config
 o /etc/config/users//.ssh/ instead of /home//.ssh/