Installation

3. Installation

Download

Contents

Download
Stand Alone Installation
Distributed Installation
Installation on mgt host
Installation on targets
Remote mgt setup road map
SSH setup
SUDO setup
Logs centralization setup

Download the last version of isba from here. Then ungzip and untar it somewhere, for example in /tmp:

cd /tmp
tar zxvf isba-X.Y.tgz

cd /tmp
gunzip isba-X.Y.tgz
tar xvf isba-X.Y.tar

Now you must decide which kind of installation you need: "stand alone" or "distributed" installation:

Stand Alone Installation

Choose this setup if remote management is not required. Isba will be used only for ruleset edition and ipfilter configuration files generation (ipf.conf and ipnat.conf). If your target host is the host isba runs on, you'll be able to install rules in the kernel, otherwise you'll have to upload the ipfilter configuration files on target and reload rules manually.

On the machine you'll run isba you'll need the following software packages:

Package	The version you have
IP-Filter 3.x.x	ipf -V
Perl 5.004+	perl --version
Perl/Tk 800.022+	perl -e 'use Tk; print $Tk::VERSION '
C compiler

Stand-alone install prerequisites

Go to the install directory of isba (/tmp/isba-X.Y) and trim the Makefile to fit your site (CC, ISBADIR, BINDEST and MANDEST). Default values are:

Stand-alone installation

   CC=gcc
   ISBADIR=/usr/local/isba
   BINDIR=/usr/local/bin
   MANDIR=/usr/local/man

Compile isba:

% make

Now install isba under root with:

% /bin/su -
# make install-mgt

That's all! you can skip the other sections of this chapter. Make the DISPLAY variable point to your X-display, and you can launch isba:

DISPLAY=<my-display-machine>:0
/usr/local/bin/isba

You may want to look at the sample rulesets provided in the "Help>Samples" menu.

Distributed installation

Choose this setup if the machine you'll run isba on (the "management" host) is different from your firewalled host(s) (the "target" hosts).

The management host will need the following software packages:

Package	The version you have
IP-Filter 3.x.x	ipf -V
Perl 5.004+	perl --version
Perl/Tk 800.022+	perl -e 'use Tk; print $Tk::VERSION'
C compiler
SSH client

The target hosts will need the following packages:

Package	The version you have
IP-Filter 3.x.x	ipf -V
C compiler if possible
SSH Server

Distributed install prerequisites

Installation on management host

Unpack isba on your management host, follow the instructions of the stand-alone installation, then come back here.

Installation on targets

Isba needs two binaries on each target host: vlog and ipf-rollback.

If you have a C compiler on your targets, you can follow the instructions of the stand-alone installation, EXCEPT that you must replace "make install-mgt" with "make install-target".

Alternately, you can copy vlog and ipf-rollback from your management host to each of your target hosts (the preferred location is /usr/local/bin).

Remote management setup road map

Before setting up remote management, you must answer two questions:

question A: which user will you run isba under on mgt host ?

"mgtuser"

answer A1: root ... as you wish ;) follow the case A2 instructions
answer A2: a normal user
answer A3: several normal users (e.g. the firewall admins)

question B: which user will you run remote commands under on target hosts ?

"targetuser"

answer B1: root
answer B2: a normal user
answer B3: several normal users (e.g. the firewall admins)

Now use the table below to know what configuration work you have to do according to your setup.

	A1	A2	A3
B1	X	create the mgt user on mgt host follow the SSH SETUP below, with root as targetuser	create all mgt users on mgt host follow the SSH SETUP below for each mgtuser, with root as targetuser
B2	X	create the mgt user on mgt host create the target user on all targets follow the SSH SETUP below, with root as targetuser follow the SUDO SETUP below	create all mgt users on mgt host create the target user on all targets follow the SSH SETUP below for each mgtuser, with root as targetuser follow the SUDO SETUP below for each mgtuser
B3	X	X (unlikely case)	create all mgt users on mgt host create all target users on all targets follow the SSH SETUP below for each mgtuser

That's it, Isba is ready to remotely manage your target hosts.

If you want your management host to receive the ipfilter logs of all your target hosts, follow the Logs centralization setup below.

SSH setup

The goal is to be able to copy files and to run ipfilter commands on target host(s) from the management host.

The only authentication scheme supported by isba is RSA because it enables you to type the passphrase only once per isba session while keeping maximum security:

at startup, Isba launches itself as a child process of ssh-agent(1), which will be in charge of keeping your SSH identity in a secure manner
when isba first needs to run something on a target, it will call ssh-add(1) to ask you the passphrase of your local private RSA key (on management host: ~/.ssh/identity)
then ssh-agent will remember it in a secure manner and forward it to isba each time it needs to, so you won't have to type it again until you quit isba.

In this section:

mgtuser	= the user you will run isba under on the mgt host. If there are several, repeat this section for each of them.
targetuser	= the user you will run remote commands under on target hosts. If there are several, repeat this section for each of them.

a. generate an RSA key pair for mgtuser

On the management host, run ssh-keygen to create a 1024-bits key pair in ~mgtuser/.ssh (with a non-empty passphrase):

mgt-host# su - mgtuser
mgt-host% mkdir -p ~/.ssh
mgt-host% ssh-keygen -b 1024
Initializing random number generator...
Generating p: .............................++ (distance 556)
Generating q: ...............++ (distance 240)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/mgtuser/.ssh/identity):
Enter passphrase: <non-null passphrase>
Enter the same passphrase again: <non-null passphrase>
Your identification has been saved in /home/mgtuser/.ssh/identity.
Your public key is:
1024 37 16309323 ... 34098287207 mgtuser@mgt-host
Your public key has been saved in /home/mgtuser/.ssh/identity.pub

b. install the public key on target host(s)

Now you have a brand new RSA key pair for your user mgtuser. You must copy the public part (~mgtuser/.ssh/identity.pub) to each target host in the "targetuser" account:

for each target host
	append the file	mgt-host:~mgtuser/.ssh/identity.pub
	to the file	target-host:~targetuser/.ssh/authorized_keys (create this file if needed)
done

Note (case A3): if you intend to run isba under several different users (on mgt host), then the 'authorized_keys' file on target hosts must contain the concatenation of the public keys of all management users (or at least those that are allowed to do remote management).

Note (case B3): if you intend to use several users on target hosts for remote commands, then the 'authorized_keys' files of all these users (on target hosts) must hold the public keys of all management users (or at least those that are allowed to do remote management).

c. enable RSA in SSH configuration

on management host, the ssh_config system file (in /etc or /etc/ssh) should contain the line:

RSAAuthentication yes

on each target host, the sshd_config system file (in /etc or /etc/ssh) should contain the same line:

RSAAuthentication yes

d. try your SSH channels

Try to connect from the management host to each target host.

This step is mandatory, because the first time you run SSH on a remote host, SSH asks you a question ("host key not found ... are you sure ..."), and this is not managed by isba. So you must do this step for EACH management user, for EACH target user and for EACH target host:

for each target host
	for each mgtuser
		for each targetuser
			mgtuser@mgt-host% ssh targetuser@target-host Host key not found from the list of known hosts. Are you sure you want to continue connecting (yes/no)? yes Host 'target-host' added to the list of known hosts. Enter passphrase for RSA key 'mgtuser@mgt-host': <passphrase> Last login: Fri Mar 30 17:05:29 2001 from anywhere Connected on /dev/pts/2 with TERM=dtterm target-host% exit
		done
	done
done

e. tell isba about it

This step will actually be done at ruleset edition time.

To be able to issue remote commands, isba needs to know the name of the targetuser. You type it in the Ruleset Targets table in the 'Properties' tab. Note that if the targetuser is equal to the mgtuser, you can omit it (this is useful in the case A3/B3: multiple firewall admins can edit and install the ruleset). For example:

Sudo setup

You're here because you don't want to allow root SSH on your target host(s). You'd rather use a normal user: "targetuser".

a. create the targetuser on target host

b. give rights to targetuser on target host

Edit the /etc/sudoers file (use "visudo"). Tell it that user targetuser has authorization to run the ipf, ipnat, ipfs, ipfstat, ipftest, ipmon, vlog and ipf-rollback commands. You must provide the real paths of all these commands; these may vary with OSs.

For example:

#
# /etc/sudoers
#

# Command alias specification
Cmnd_Alias IPF_CMDS = /sbin/ipf, \
    /sbin/ipnat, \
    /sbin/ipfs, \
    /sbin/ipfstat, \
    /opt/ipf/bin/ipftest, \
    /opt/ipf/bin/ipmon, \
    /usr/local/bin/vlog, \
    /usr/local/bin/ipf-rollback

# User privilege specification
targetuser ALL = NOPASSWD: IPF_CMDS

c. test your sudo settings

for each target host
	for each targetuser
		target-host# su - targetuser target-host% sudo ipfstat -ion empty list for ipfilter(out) empty list for ipfilter(in) target-host% exit
	done
done

d. tell isba about it

This step will actually be done at ruleset edition time.

In the ruleset you will make for this target(s), you'll have to tell isba to use targetuser in SSH commands, and to use sudo to run ipfilter commands. You'll do that in the Ruleset Targets table in the Properties tab.

See the example screenshot above (in SSH Setup, paragraph e.)

Logs centralization setup

You can setup syslogd on your targets so that they send their ipfilter log lines in real time to your management host.

This setup is simple but it has drawbacks:

it is not secure: anyone on your network can send fake ipfilter loglines to your mgt host
it is not reliable: your mgt host may not have every loglines (some may miss because of a reboot of the management host for example)

Here is an example of syslogd configuration entries:

# # /etc/syslog.conf #
# to remove ipfilter logs from /var/log/messages: # .notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none .notice;auth,authpriv,cron,local0,ftp,kern,lpr,mail,user.none	/var/log/messages /var/log/messages
# to archive ipfilter logs locally to /var/log/ipflog: local0.info	/var/log/ipflog
# to send ipfilter logs to the management host: # (mgthost must be defined in /etc/hosts) local0.info	@mgthost

On your management host you can set up similar entries (excepted the last one). Its /var/log/ipflog file will receive the log lines of all your target hosts in real time and in chronological order.