Veritas-bu

[Veritas-bu] Netbackup / Port security.

2000-12-22 17:32:56
Subject: [Veritas-bu] Netbackup / Port security.
From: fx [François-Xavier Peretmere] fx AT Veritas DOT com
Date: Fri, 22 Dec 2000 23:32:56 +0100
>> From: Sixbury, Dan [mailto:dsixbury AT saint-lukes DOT org]
>> Sent: Thursday 21 December, 2000 00:12

>> Thanks for the info... some additional comments are below.
>
>> 1.  Does telnet have to be enabled?
>>
>>  hopefully not.
>>
>> I asked this because in the troubleshooting guide I remember seeing
>> something about trying to telnet to the server or client on
>> the 13782 port as a test.

 don't confuse the program telnet with the telnet protocol. using
the telnet program to test if you can connect to a given port doesn't
mean you need to allow the telnet protocol. telnetting to the bpcd port
is like emulating the slave to client connection.
 it's the same as telnetting to some web server on port 80 to
check if the web server is reachable by some HTTP client (Netscape,
MsIe...)

>>  bpcd process is launched by inetd, it's running under the account
>> configured in inetd.conf. no need for the root password to backup.
>
> So bpcd on the master server is the only netbackup process
> that needs to be in the inetd.conf file? This would cover our Master/Media
> server, but what about other Unix or NT clients configuration?

 bpcd could be run as a standalone process, but you don't want that.
so yes, bpcd is launched by inetd on every NetBackup machine,
client or server.

>> On the NT client, the admin account was changed, so I assumed
>> that I needed to update the services for Netbackup to show
>> the new "real" admin as the owner of the service.
>
>  euuhh? default account for NetBackup services on a WinNT
> client is "system account". don't need to touch anything here, except if your
> client needs to backup through the network - system account is a builtin
> account with almost every right *locally*, but no rights through
> the network.
>
> In our case the administrator account had its rights removed and a new
> account was created to have all of the normal administrative (system)
> rights.  I assume that the netbackup software needs to be
> installed as the "new" administrator.  i.e. on NT administrator has NO access
> rights, and root (insert new account name here) has complete
> administrative rights.

 ok, but you like complications. the builtin system account is made
for services such as the NetBackup client. so you don't need to worry about
password expiration and so on. if you make the NB service run
under another account, don't forget to give it backup and restore
rights at least.

> > I have also used an allow statement within hosts.allow file for the
> > clients in question and bpcd is in the inetd.conf file.
>
>  don't understand. hosts.allow has nothing to do here if we're talking
> about backups. or i missed something...
>
> One of the security measures was using a hosts.allow so that
> only certain hosts could have any kind of connection whatsoever.  Of
> course right now I am getting 24 and 14 errors which point to socket write
> errors or file write errors.  Both can be related to socket errors.

 hum. even in some sysadmin previous life, i never used hosts.allow,
i don't remember what it's doing. if this filters ports, then it's a
concern. if it's just a matter of hosts, then if the host is allowed, there
should be no problem.

> I saw another email of yours that had a very interesting link to
> firewalls/security, etc.

 every mail of me is interesting ;-))

> I am also using multiplexing which I noticed could cause additional caveats
> in a secure environment, so I will look into that as well.

 if by secure you mean firewall, then yes, using MPX means more ports
to open because of the processes running to master all the streams.

 fx

--
     fx AT veritas DOT com       | the only problem with troubleshooting
François-Xavier Peretmere | is that sometimes trouble shoots back
 http://www.veritas.com/  |               - alt.sysadmin.recovery
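The reachability test fx describes above (using the telnet program as a bare TCP client against the bpcd port, with no telnet protocol involved) can be done without telnet at all. The script below is an added example for this archive page, not code from the thread or from Veritas; it does a plain TCP connect and distinguishes an open port from a refused connection (host reachable, nothing listening) and from a silent timeout (the usual sign of a firewall dropping the SYN). The port number 13782 comes from the thread; the loopback listener is a constructed stand-in used only so the script can check itself offline.

```python
"""Plain TCP connect test for a NetBackup port (bpcd default 13782).

Added example, not part of the original mailing-list thread and not
Veritas code. It emulates what "telnet host 13782" does in the post:
a bare TCP connect with no telnet protocol involved, so it works even
when the telnet service is disabled on both ends.
"""
import socket
from typing import Tuple

BPCD_PORT = 13782  # bpcd port as mentioned in the thread


def tcp_reachable(host: str, port: int = BPCD_PORT,
                  timeout: float = 3.0) -> Tuple[bool, str]:
    """Attempt a TCP connect and classify the outcome.

    Returns (True, "open") when the three-way handshake completes,
    (False, "refused") when the host answers with RST (host reachable,
    nothing listening on that port), (False, "timeout") when nothing
    answers at all (typical of a firewall silently dropping the SYN),
    and (False, "error: ...") for other failures such as name lookup.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except ConnectionRefusedError:
        return False, "refused"
    except socket.timeout:
        return False, "timeout"
    except OSError as exc:
        return False, f"error: {exc}"


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port.

    Constructed stand-in for a client's bpcd, used only to self-check
    this script offline; the caller must close() it when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # usage: python bpcd_check.py <host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else BPCD_PORT
    ok, state = tcp_reachable(target, port)
    print(f"{target}:{port} -> {state}")
```

A "refused" result tells you the packet filter between the two machines is letting the port through and the problem is on the inetd/bpcd side; a "timeout" points at the firewall or hosts.allow-style filtering discussed in the thread.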