Meridian II User Manual
CHAPTER FIVE
SECURITY
• Direct root logins are only permitted on the local RS-232 console or via SSH.
• The secure copy utility, scp, eliminates the need to use the insecure FTP protocol for transferring program updates to Meridian II.
• HTTP access, for system monitoring only, is allowed only via SSL, so passwords and session data are encrypted on the wire. Access via HTTPS may be restricted or completely disabled. See Restrict Access - HTTPS and Disable SNMP, SSH and HTTPS below.
• SNMP access, for system monitoring only, is configurable to provide the security of the latest version 3 Internet standard, which supports both view-based access control and user-based security using modern encryption techniques. Previous versions v1 and v2c supported access control essentially via passwords transmitted over the network in plain text. Refer to Chapter 6 - SNMP and Restrict Access - Telnet, SSH and SNMP (below) for details. SNMP may also be completely disabled. See Disable SNMP, SSH and HTTPS below.
• Individual host access to the protocol server daemons in.telnetd, snmpd or sshd is controlled by directives contained in the files /etc/hosts.allow and /etc/hosts.deny, which are configured using the interactive script accessconfig. See Restrict Access - Telnet, SSH and SNMP below.
• Insecure protocols like Time, Daytime and Telnet may be completely disabled by configuration of the inetd super-server daemon using the interactive script inetdconfig. See Disable Telnet, Time and Daytime below.
Restrict Access
The following paragraphs describe how to restrict SNMP, SSH, Telnet and HTTPS access to specific
hosts. Also described is how to restrict NTP query access.
Restrict Access - Telnet, SSH and SNMP
By default, Meridian II is configured to allow access by all users via Telnet, SSH and SNMP. To ensure security and to protect against denial-of-service attacks, you should restrict access by using the accessconfig command.
accessconfig modifies two files, /etc/hosts.allow and /etc/hosts.deny, which are used by tcpd and the standalone daemons, snmpd and sshd, to determine whether or not to grant access to a requesting host. These two files may contain configuration information for a number of protocol servers, but in Meridian II only access control to the protocol server daemons in.telnetd, sshd and snmpd is configured.
As shipped from the factory, these two files are empty. When you run accessconfig, these lines are added to the /etc/hosts.deny file:
in.telnetd: ALL
sshd: ALL
snmpd: ALL
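The following added sketch (not part of the manual or of the Meridian II software) models the standard TCP Wrappers evaluation order for the two files: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. That is why empty factory files leave every daemon open. The hosts.allow entries are constructed for illustration, and only the ALL, exact IPv4, dotted-prefix and net/mask client forms are handled.

```python
import ipaddress

# Lines the manual says accessconfig adds to /etc/hosts.deny.
DENY_AFTER_ACCESSCONFIG = "in.telnetd: ALL\nsshd: ALL\nsnmpd: ALL\n"
# Constructed /etc/hosts.allow content (documentation addresses, not from the manual).
SAMPLE_ALLOW = "sshd: 192.0.2.10\nsnmpd: 192.0.2.0/255.255.255.0\n"

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # prefix form, e.g. "192.0.2."
        return ip.startswith(pattern)
    if "/" in pattern:  # net/mask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def file_matches(text, daemon, ip):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in parse_rules(text)
    )

def access_granted(allow_text, deny_text, daemon, ip):
    """hosts.allow match grants; else hosts.deny match refuses; else grant."""
    if file_matches(allow_text, daemon, ip):
        return True
    return not file_matches(deny_text, daemon, ip)

if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.0.2.10"), ("sshd", "203.0.113.5"),
                       ("snmpd", "192.0.2.77"), ("in.telnetd", "192.0.2.10")]:
        ok = access_granted(SAMPLE_ALLOW, DENY_AFTER_ACCESSCONFIG, daemon, ip)
        print(f"{daemon:11s} {ip:13s} {'granted' if ok else 'refused'}")
```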