Download the latest version of isba from here. Then gunzip and untar it somewhere, for example in /tmp:
Now you must decide which kind of installation you need: "stand-alone" or "distributed" installation:
Stand-alone installation

Choose this setup if remote management is not required. Isba will then be used only to edit rulesets and to generate the ipfilter configuration files (ipf.conf and ipnat.conf). If your target host is the host isba runs on, you'll be able to install rules in the kernel; otherwise you'll have to upload the ipfilter configuration files to the target and reload the rules manually.

On the machine you'll run isba on you'll need the following software packages:

Stand-alone install prerequisites

Go to the install directory of isba (/tmp/isba-X.Y) and edit the Makefile to fit your site (CC, ISBADIR, BINDEST and MANDEST). Default values are:

   CC=gcc
   ISBADIR=/usr/local/isba
   BINDIR=/usr/local/bin
   MANDIR=/usr/local/man
Compile isba:

   % make

Now install isba under root with:

   % /bin/su -
   # make install-mgt

That's all! You can skip the other sections of this chapter. Make the DISPLAY variable point to your X display, and you can launch isba:

   DISPLAY=<my-display-machine>:0; export DISPLAY
   /usr/local/bin/isba
You may want to look at the sample rulesets provided in the "Help>Samples" menu.
Distributed installation

Choose this setup if the machine you'll run isba on (the "management" host) is different from your firewalled host(s) (the "target" hosts). The management host will need the following software packages:

The target hosts will need the following packages:

Distributed install prerequisites
Unpack isba on your management host, follow the instructions of the stand-alone installation, then come back here.
Isba needs two binaries on each target host: vlog and ipf-rollback.

If you have a C compiler on your targets, you can follow the instructions of the stand-alone installation, EXCEPT that you must replace "make install-mgt" with "make install-target".

Alternatively, you can copy vlog and ipf-rollback from your management host to each of your target hosts (the preferred location is /usr/local/bin).
Before setting up remote management, you must answer two questions:

question A: which user will you run isba under on the mgt host? ("mgtuser")

question B: which user will you run remote commands under on target hosts? ("targetuser")
answer B1: root

Now use the table below to know what configuration work you have to do according to your setup.

That's it, Isba is ready to remotely manage your target hosts. If you want your management host to receive the ipfilter logs of all your target hosts, follow the Logs centralization setup below.
The goal is to be able to copy files and to run ipfilter commands on target host(s) from the management host. The only authentication scheme supported by isba is RSA because it enables you to type the passphrase only once per isba session while keeping maximum security:
a. generate an RSA key pair for mgtuser

On the management host, run ssh-keygen to create a 1024-bit key pair in ~mgtuser/.ssh (with a non-empty passphrase):
b. install the public key on target host(s)

Now you have a brand new RSA key pair for your user mgtuser. You must copy the public part (~mgtuser/.ssh/identity.pub) to each target host in the "targetuser" account:
Note (case A3): if you intend to run isba under several different users (on the mgt host), then the 'authorized_keys' file on target hosts must contain the concatenation of the public keys of all management users (or at least those that are allowed to do remote management).

Note (case B3): if you intend to use several users on target hosts for remote commands, then the 'authorized_keys' files of all these users (on target hosts) must hold the public keys of all management users (or at least those that are allowed to do remote management).

c. enable RSA in SSH configuration

On the management host, the ssh_config system file (in /etc or /etc/ssh) should contain the line:
On each target host, the sshd_config system file (in /etc or /etc/ssh) should contain the same line:
d. try your SSH channels

Try to connect from the management host to each target host. This step is mandatory, because the first time you run SSH on a remote host, SSH asks you a question ("host key not found ... are you sure ..."), and this is not managed by isba. So you must do this step for EACH management user, for EACH target user and for EACH target host:
e. tell isba about it

This step will actually be done at ruleset editing time. To be able to issue remote commands, isba needs to know the name of the targetuser. You type it in the Ruleset Targets table in the 'Properties' tab. Note that if the targetuser is the same as the mgtuser, you can omit it (this is useful in case A3/B3: multiple firewall admins can edit and install the ruleset). For example:
You're here because you don't want to allow root SSH on your target host(s). You'd rather use a normal user: "targetuser".

a. create the targetuser on the target host

b. give rights to targetuser on the target host
Edit the /etc/sudoers file (use "visudo"). Tell it that user targetuser has authorization to run the ipf, ipnat, ipfs, ipfstat, ipftest, ipmon, vlog and ipf-rollback commands. You must provide the real paths of all these commands; these may vary between OSs. For example:
c. test your sudo settings
d. tell isba about it

This step will actually be done at ruleset editing time. In the ruleset you will make for this target(s), you'll have to tell isba to use targetuser in SSH commands, and to use sudo to run ipfilter commands. You'll do that in the Ruleset Targets table in the Properties tab.
See the example screenshot above (in SSH Setup, paragraph e.)
You can set up syslogd on your targets so that they send their ipfilter log lines in real time to your management host. This setup is simple but it has drawbacks:
Here is an example of syslogd configuration entries:
On your management host you can set up similar entries (except the last one). Its /var/log/ipflog file will receive the log lines of all your target hosts in real time and in chronological order.
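An added example of the syslog.conf entries described above (not the guide's own); it assumes ipmon is started with -s on each target, which logs through syslog facility local0 by default, and that the management host is named mgthost:

```conf
# Target host /etc/syslog.conf (added example). Facility local0 is
# ipmon's default when it is started with "ipmon -s".
# Keep a local copy of the ipfilter log lines ...
local0.*        /var/log/ipflog
# ... and forward them in real time to the management host.
# This forwarding line is the one the management host must NOT have.
local0.*        @mgthost

# Management host /etc/syslog.conf: same entry without the forwarding
# line. syslogd must also be started so that it accepts remote messages
# (for example "syslogd -r" with Linux sysklogd; the option varies by OS).
local0.*        /var/log/ipflog
```

Remote syslog is plain UDP port 514 without authentication, so the management host's own ipfilter ruleset should accept syslog only from the target hosts.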
Isba User's Guide - last modified on 09-Jan-2002 12:39 MET - Copyright (c) 2001