3. Installation

Download

Contents

Download
Stand Alone Installation
Distributed Installation
Installation on mgt host
Installation on targets
Remote mgt setup road map
SSH setup
SUDO setup
Logs centralization setup

Download the latest version of isba, then ungzip and untar it somewhere, for example in /tmp:

cd /tmp
tar zxvf isba-X.Y.tgz

or

cd /tmp
gunzip isba-X.Y.tgz
tar xvf isba-X.Y.tar

Now you must decide which kind of installation you need: "stand alone" or "distributed" installation:

Stand Alone Installation
Choose this setup if remote management is not required. Isba will be used only for ruleset editing and for generating the ipfilter configuration files (ipf.conf and ipnat.conf). If the target host is the host isba runs on, you will be able to load the rules into the kernel from isba; otherwise you will have to copy the generated files to the target and reload the rules there by hand.

On the machine you'll run isba on, you'll need the following software packages:

  Package              How to check the version you have
  -------------------  -----------------------------------------
  IP-Filter 3.x.x      ipf -V
  Perl 5.004+          perl --version
  Perl/Tk 800.022+     perl -e 'use Tk; print $Tk::VERSION'
  C compiler

Stand-alone install prerequisites
Go to the install directory of isba (/tmp/isba-X.Y) and edit the Makefile to fit your site (CC, ISBADIR, BINDIR and MANDIR). Default values are:

   CC=gcc
   ISBADIR=/usr/local/isba
   BINDIR=/usr/local/bin
   MANDIR=/usr/local/man

Compile isba:

   % make

Then install isba as root:

   % /bin/su -
   # make install-mgt

That's all! You can skip the other sections of this chapter. Make the DISPLAY variable point to your X display (export it, or use setenv under csh) and launch isba:

   DISPLAY=<my-display-machine>:0; export DISPLAY
   /usr/local/bin/isba
 
You may want to look at the sample rulesets provided in the "Help>Samples" menu.  
Distributed installation
 

Choose this setup if the machine you'll run isba on (the "management" host) is different from your firewalled host(s) (the "target" hosts).

The management host will need the following software packages:

  Package              How to check the version you have
  -------------------  -----------------------------------------
  IP-Filter 3.x.x      ipf -V
  Perl 5.004+          perl --version
  Perl/Tk 800.022+     perl -e 'use Tk; print $Tk::VERSION'
  C compiler
  SSH client

The target hosts will need the following packages:

  Package              How to check the version you have
  -------------------  -----------------------------------------
  IP-Filter 3.x.x      ipf -V
  C compiler           (if possible)
  SSH server

Distributed install prerequisites
Installation on management host
 
Unpack isba on your management host, follow the instructions of the stand-alone installation, then come back here.  
Installation on targets
 
Isba needs two binaries on each target host: vlog and ipf-rollback.
If you have a C compiler on your targets, follow the instructions of the stand-alone installation, EXCEPT that you must replace "make install-mgt" with "make install-target".
Alternatively, copy vlog and ipf-rollback from your management host to each target host (the preferred location is /usr/local/bin); the copies must of course be built for the target's OS and architecture.
Remote management setup road map
 
Before setting up remote management, you must answer two questions:

question A: which user will you run isba under on the mgt host? ("mgtuser")
  answer A1: root ... as you wish ;) then follow the case A2 instructions with root as mgtuser
  answer A2: a normal user
  answer A3: several normal users (e.g. the firewall admins)

question B: which user will you run remote commands under on the target hosts? ("targetuser")
  answer B1: root
  answer B2: a normal user
  answer B3: several normal users (e.g. the firewall admins)

Now use the cases below to find out what configuration work you have to do according to your setup. Case A1 (isba run as root) is simply case A2 with root as the mgt user. Cases B3/A1 and B3/A2 (several target users but a single management user) are unlikely and not covered.

Case A2/B1 (one mgt user, root on targets):
  • create the mgt user on mgt host
  • follow the SSH SETUP below, with root as targetuser

Case A3/B1 (several mgt users, root on targets):
  • create all mgt users on mgt host
  • follow the SSH SETUP below for each mgtuser, with root as targetuser

Case A2/B2 (one mgt user, one normal target user):
  • create the mgt user on mgt host
  • create the target user on all targets
  • follow the SSH SETUP below, with that normal user as targetuser
  • follow the SUDO SETUP below

Case A3/B2 (several mgt users, one normal target user):
  • create all mgt users on mgt host
  • create the target user on all targets
  • follow the SSH SETUP below for each mgtuser, with that normal user as targetuser
  • follow the SUDO SETUP below (the sudoers entry is per targetuser, so it is done once per target)

Case A3/B3 (several mgt users, several normal target users, e.g. one per firewall admin):
  • create all mgt users on mgt host
  • create all target users on all targets
  • follow the SSH SETUP below for each mgtuser, with the matching targetuser
  • follow the SUDO SETUP below for each targetuser
That's it, Isba is ready to remotely manage your target hosts.

If you want your management host to receive the ipfilter logs of all your target hosts, follow the Logs centralization setup below.

 
SSH setup
 

The goal is to be able to copy files to, and run ipfilter commands on, the target host(s) from the management host.

The only authentication scheme supported by isba is RSA public-key authentication, because it lets you type the passphrase once per isba session while the private key stays encrypted on disk:

  • at startup, isba launches itself as a child process of ssh-agent(1), which holds your SSH identity in memory for the lifetime of the session
  • the first time isba needs to run something on a target, it calls ssh-add(1), which asks you for the passphrase of your local private RSA key (on the management host: ~/.ssh/identity) and hands the decrypted key to the agent
  • from then on ssh-agent answers the authentication challenges for every ssh or scp that isba spawns, so you are not asked again until you quit isba; the private key itself is never handed to isba or to the targets.

Caveat for current systems: the file names and option used in this section (identity, identity.pub, RSAAuthentication) belong to SSH protocol 1, which OpenSSH removed in version 7.6. On a current OpenSSH the same flow works unchanged with a protocol 2 RSA key (ssh-keygen -t rsa, files ~/.ssh/id_rsa and id_rsa.pub) and the option PubkeyAuthentication yes, which is the default.
 

In this section:

mgtuser = the user you will run isba under on the mgt host.
   If there are several, repeat this section for each of them.
targetuser = the user you will run remote commands under on target hosts.
   If there are several, repeat this section for each of them.
a. generate an RSA key pair for mgtuser
On the management host, run ssh-keygen to create a key pair in ~mgtuser/.ssh, with a non-empty passphrase (with an empty passphrase, anyone who copies the identity file can use it directly). The transcript below dates from 2001, when 1024 bits was the norm; today generate keys of at least 2048 bits (ssh-keygen's current default is 3072):
mgt-host# su - mgtuser
mgt-host% mkdir -p ~/.ssh
mgt-host% ssh-keygen -b 1024
Initializing random number generator...
Generating p: .............................++ (distance 556)
Generating q: ...............++ (distance 240)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/mgtuser/.ssh/identity):
Enter passphrase: <non-null passphrase>
Enter the same passphrase again: <non-null passphrase>
Your identification has been saved in /home/mgtuser/.ssh/identity.
Your public key is:
1024 37 16309323 ... 34098287207 mgtuser@mgt-host
Your public key has been saved in /home/mgtuser/.ssh/identity.pub
b. install the public key on target host(s)  
Now you have a brand new RSA key pair for your user mgtuser. You must copy the public part (~mgtuser/.ssh/identity.pub) to each target host in the "targetuser" account:  
for each target host
  append the file mgt-host:~mgtuser/.ssh/identity.pub
  to the file target-host:~targetuser/.ssh/authorized_keys
  (create this file if needed; ~targetuser/.ssh and authorized_keys must be owned by
  targetuser and must not be group- or world-writable, otherwise sshd's StrictModes
  check silently ignores them)
done
Note (case A3): if you intend to run isba under several different users (on mgt host), then the 'authorized_keys' file on target hosts must contain the concatenation of the public keys of all management users (or at least those that are allowed to do remote management).  
Note (case B3): if you intend to use several users on target hosts for remote commands, then the 'authorized_keys' files of all these users (on target hosts) must hold the public keys of all management users (or at least those that are allowed to do remote management).  
c. enable RSA in SSH configuration
On the management host, the ssh_config system file (in /etc or /etc/ssh) should contain the line:

RSAAuthentication yes

On each target host, the sshd_config system file (in /etc or /etc/ssh) should contain the same line:

RSAAuthentication yes

(RSAAuthentication is the protocol 1 option; with protocol 2 keys the equivalent on both sides is PubkeyAuthentication yes, which current OpenSSH enables by default.)
 
d. try your SSH channels  

Try to connect from the management host to each target host.

This step is mandatory, because the first time you connect to a host, ssh asks you to confirm its host key ("host key not found ... are you sure ..."), and isba does not handle that prompt. This is trust-on-first-use: answer yes only after comparing the host key fingerprint with one obtained on the target itself (current ssh prints it in the prompt; on the target, ssh-keygen -l -f on the host key file shows the reference value), otherwise whoever intercepts this first connection ends up with a valid known_hosts entry for all later ones. Do this for EACH management user, for EACH target user and for EACH target host:

 
for each target host
  for each mgtuser
    for each targetuser
      mgtuser@mgt-host% ssh targetuser@target-host

Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'target-host' added to the list of known hosts.
Enter passphrase for RSA key 'mgtuser@mgt-host': <passphrase>
Last login: Fri Mar 30 17:05:29 2001 from anywhere
Connected on /dev/pts/2 with TERM=dtterm
target-host% exit
    done
  done
done
e. tell isba about it

This step will actually be done at ruleset editing time.

To be able to issue remote commands, isba needs to know the name of the targetuser. You type it in the Ruleset Targets table in the 'Properties' tab. If the targetuser is the same as the mgtuser, you can omit it (this is useful in case A3/B3: each firewall admin edits and installs the ruleset under their own account). The example screenshot of this table is not reproduced in this text version.
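As an added example (not part of isba), here is a POSIX sh function that does step b on the target host for any number of management users' public key files: it creates ~targetuser/.ssh and authorized_keys if they are missing, skips keys that are already installed (so running it once per mgtuser in case A3, or running it twice, never duplicates a line) and sets the permissions sshd expects. The file names and the demo keys at the bottom are constructed for illustration.

```sh
#!/bin/sh
# Added example, not isba's own code. Merges one or more public key files
# (identity.pub for protocol 1, id_rsa.pub for protocol 2) into an
# authorized_keys file without duplicates and with sshd-friendly permissions.
#
#   merge_authorized_keys AUTHORIZED_KEYS_FILE PUBKEY_FILE...
#
# Prints the number of keys appended and returns 0 on success.

merge_authorized_keys() {
    authkeys=$1; shift
    sshdir=$(dirname "$authkeys")

    # ~targetuser/.ssh must not be group/world writable, or sshd (StrictModes)
    # silently ignores authorized_keys.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys" || return 1

    added=0
    for pub in "$@"; do
        [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
        # '|| [ -n "$line" ]' also handles a last line without a newline
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
            # exact-line match: the same key under a different comment would
            # still be appended, which is harmless
            if ! grep -qxF -- "$line" "$authkeys"; then
                printf '%s\n' "$line" >> "$authkeys"
                added=$((added + 1))
            fi
        done < "$pub"
    done
    echo "$added"
}

# Demo with constructed (fake) public keys in a scratch directory.
demo_dir=$(mktemp -d)
printf '1024 37 16309323 mgtuser@mgt-host\n' > "$demo_dir/mgtuser.pub"
printf '1024 37 98765432 admin2@mgt-host\n1024 37 16309323 mgtuser@mgt-host\n' > "$demo_dir/admin2.pub"
n=$(merge_authorized_keys "$demo_dir/home/.ssh/authorized_keys" "$demo_dir/mgtuser.pub" "$demo_dir/admin2.pub")
echo "appended $n key(s):"      # the duplicated mgtuser key is dropped, so 2
cat "$demo_dir/home/.ssh/authorized_keys"
rm -rf "$demo_dir"
```

Copy the .pub files to the target first (scp, or paste them over the console), then run the function there as targetuser or as root; it deliberately does not try to fetch keys over the network itself, so the only channel it trusts is the one you already verified in step d.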

 
Sudo setup
 
You're here because you don't want to allow root SSH logins on your target host(s). You'd rather use a normal user, "targetuser", and let sudo run the privileged commands.
a. create the targetuser on target host
b. give rights to targetuser on target host
Edit /etc/sudoers with visudo and allow targetuser to run the ipf, ipnat, ipfs, ipfstat, ipftest, ipmon, vlog and ipf-rollback commands. Give the real absolute paths of these commands on each target (sudoers requires fully qualified paths, and they vary between OSs); do not use wildcards, which would grant more than intended. Note that this grant is, in practice, full control of the packet filter (ipf -f loads whatever rule file targetuser names), so protect the targetuser account and the management keys that can log into it as carefully as you would root's.

For example:
 
#
# /etc/sudoers
#

# Command alias specification
Cmnd_Alias IPF_CMDS = /sbin/ipf, \
    /sbin/ipnat, \
    /sbin/ipfs, \
    /sbin/ipfstat, \
    /opt/ipf/bin/ipftest, \
    /opt/ipf/bin/ipmon, \
    /usr/local/bin/vlog, \
    /usr/local/bin/ipf-rollback

# User privilege specification
targetuser ALL = NOPASSWD: IPF_CMDS
c. test your sudo settings  
for each target host
  for each targetuser
    target-host# su - targetuser
target-host% sudo ipfstat -ion
empty list for ipfilter(out)
empty list for ipfilter(in)
target-host% exit
  done
done
d. tell isba about it

This step will actually be done at ruleset editing time.

In the ruleset you make for these target(s), tell isba to use targetuser in SSH commands and to use sudo to run the ipfilter commands. You do that in the Ruleset Targets table in the Properties tab, the same table as in SSH Setup, paragraph e (the screenshot is not reproduced here).
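The Cmnd_Alias above hard-codes one site's paths. As an added example (not part of isba), the following POSIX sh script builds that sudoers fragment for the target it runs on: it resolves each command to an absolute path from a fixed search path (the directories seen in this guide, an assumption you should adjust to your OS), refuses to emit anything if a command is missing, and never falls back to wildcards. The demo at the bottom uses fake, empty executables in a scratch directory.

```sh
#!/bin/sh
# Added example, not isba's own code. Generates the sudoers fragment for
# targetuser with the real absolute path of every ipfilter/isba command on
# this host. A missing command is an error, not a wildcard.

# Search path: an assumption covering the locations used in this guide.
# Override with IPF_SEARCH_PATH=... in the environment.
IPF_SEARCH_PATH=${IPF_SEARCH_PATH:-/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/opt/ipf/bin}
IPF_COMMANDS="ipf ipnat ipfs ipfstat ipftest ipmon vlog ipf-rollback"

# find_cmd NAME: print the first regular executable NAME in IPF_SEARCH_PATH
find_cmd() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for d in $IPF_SEARCH_PATH; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# gen_cmnd_alias [NAME...]: print "Cmnd_Alias IPF_CMDS = path, \" with one
# path per line; returns 1 (and prints nothing on stdout) if any is missing.
gen_cmnd_alias() {
    [ $# -gt 0 ] || set -- $IPF_COMMANDS
    out="Cmnd_Alias IPF_CMDS = "
    sep=""
    missing=0
    for name in "$@"; do
        if p=$(find_cmd "$name"); then
            out="$out$sep$p"
            sep=", \\
    "
        else
            echo "gen_cmnd_alias: $name not found in $IPF_SEARCH_PATH" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1
    printf '%s\n' "$out"
}

# gen_sudoers_fragment USER: the complete fragment for /etc/sudoers
gen_sudoers_fragment() {
    cmnd=$(gen_cmnd_alias) || return 1
    printf '# Command alias specification\n%s\n\n' "$cmnd"
    printf '# User privilege specification\n%s ALL = NOPASSWD: IPF_CMDS\n' "$1"
}

# Demo with fake, empty executables in a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/sbin" "$demo/opt/ipf/bin"
for c in ipf ipnat ipfs ipfstat vlog ipf-rollback; do : > "$demo/sbin/$c"; chmod 755 "$demo/sbin/$c"; done
for c in ipftest ipmon; do : > "$demo/opt/ipf/bin/$c"; chmod 755 "$demo/opt/ipf/bin/$c"; done
saved_path=$IPF_SEARCH_PATH
IPF_SEARCH_PATH="$demo/sbin:$demo/opt/ipf/bin"
gen_sudoers_fragment targetuser
IPF_SEARCH_PATH=$saved_path
rm -rf "$demo"
```

On a real target, write the output to a file and check it with visudo -c -f that-file before merging it into /etc/sudoers; then run the step c test as targetuser.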
Logs centralization setup
 

You can set up syslogd on your targets so that they send their ipfilter log lines (ipmon -s writes them to syslog, facility local0 by default) in real time to your management host.

This setup is simple but it has drawbacks:

  • it is not secure: classic syslog travels over UDP port 514 without authentication, integrity or encryption, so anyone on your network can inject fake ipfilter log lines into your mgt host's file, or read the real ones in transit
  • it is not reliable: UDP has no acknowledgement, so lines sent while the management host is down, rebooting or overloaded are lost without trace
 
Here is an example of syslogd configuration entries (the selector and the action are separated by tabs; some older syslogd implementations do not accept spaces there):

#
# /etc/syslog.conf
#
# to remove ipfilter logs from /var/log/messages, add local0 to the .none
# list of the messages entry; the original line was:
# *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none         /var/log/messages
*.notice;auth,authpriv,cron,local0,ftp,kern,lpr,mail,user.none    /var/log/messages
# to archive ipfilter logs locally to /var/log/ipflog:
local0.info                                                     /var/log/ipflog
# to send ipfilter logs to the management host:
# (mgthost must be defined in /etc/hosts)
local0.info                                                     @mgthost

On your management host set up the same entries except the last one, and make sure its syslogd accepts messages from the network (several syslogd implementations refuse remote messages unless started with an option for it). Its /var/log/ipflog file then receives the log lines of all your target hosts in real time, in order of arrival; the timestamps are those written by each target, so keep the clocks synchronized if you want to correlate lines across hosts.

Isba User's Guide - last modified on 09-Jan-2002 12:39 MET - Copyright (c) 2001