= Securing NetApp =
**Summary**: This article is about securing access to a NetApp filer. \\
**Date**: 11 May 2011 \\
**Refactor**: 3 January 2025: Checked links and formatting. \\
[{{tag>netapp}}]
We'll discuss the following options for securing access:
* Recreate SSL Certificates
* Enabling SSH access
* Disabling Telnet access
* Allowing multiple sessions
* Using an Administrative Host
* Defining users in a LDAP environment
* Using privileged commands
Note that wherever possible I'll use the command line to change settings; I'll use other tools only when they give a clearer overview.
= Recreate SSL Certificates =
If you need to recreate the SSL certificates, run the following command at the CLI prompt and answer the questions:
filerb> secureadmin setup ssl
SSL Setup has already been done before. Do you want to proceed? [no] yes
Country Name (2 letter code) [US]: NL
State or Province Name (full name) [California]: Zuid Holland
Locality Name (city, town, etc.) [Santa Clara]: Delft
Organization Name (company) [Your Company]: SHIFT
Organization Unit Name (division): IT
Common Name (fully qualified domain name) [filerb.shift.local]:
Administrator email: sjoerd @ getshifting.com
Days until expires [5475] :
Key length (bits) [512] :
= Enabling SSH access =
Connecting to a NetApp filer through SSH is really simple: just set the option to on. However, it might be necessary to configure the SSH server and its host keys first:
netappfiler01> options ssh.enable
ssh.enable off
netappfiler01> options ssh.enable on
SSH Server is not configured. Please use the command
'secureadmin setup ssh' to configure the server.
netappfiler01> secureadmin setup ssh
SSH Setup
---------
Determining if SSH Setup has already been done before...no
SSH server supports both ssh1.x and ssh2.0 protocols.
SSH server needs two RSA keys to support ssh1.x protocol. The host key is
generated and saved to file /etc/sshd/ssh_host_key during setup. The server
key is re-generated every hour when SSH server is running.
SSH server needs a RSA host key and a DSA host key to support ssh2.0 protocol.
The host keys are generated and saved to /etc/sshd/ssh_host_rsa_key and
/etc/sshd/ssh_host_dsa_key files respectively during setup.
SSH Setup will now ask you for the sizes of the host and server keys.
For ssh1.0 protocol, key sizes must be between 384 and 2048 bits.
For ssh2.0 protocol, key sizes must be between 768 and 2048 bits.
The size of the host and server keys must differ by at least 128 bits.
Please enter the size of host key for ssh1.x protocol [768] :
Please enter the size of server key for ssh1.x protocol [512] :
Please enter the size of host keys for ssh2.0 protocol [768] :
You have specified these parameters:
host key size = 768 bits
server key size = 512 bits
host key size for ssh2.0 protocol = 768 bits
Is this correct? [yes]
Setup will now generate the host keys. It will take a minute.
After Setup is finished the SSH server will start automatically.
netappfiler01> Mon Apr 18 13:28:06 CEST [secureadmin.ssh.setup.success:info]: SSH setup is done and ssh2 should be enabled. Host keys are stored in /etc/sshd/ssh_host_key, /etc/sshd/ssh_host_rsa_key, and /etc/sshd/ssh_host_dsa_key.
netappfiler01> options ssh.enable on
netappfiler01> Mon Apr 18 13:28:32 CEST [openssh.invalid.channel.req:warning]: SSH client (SSH-2.0-OpenSSH_4.2) from 10.10.10.2 sent unsupported channel request (10, env).
netappfiler01>
Also set the timeout for idle SSH sessions (in seconds):
options ssh.idle.timeout 300
= Disabling Telnet access =
When you're sure the filers are accessible over SSH, you can disable telnet access. To do so, simply disable the telnet option:
netappfiler01> options telnet
telnet.access legacy (same value required in local+partner)
telnet.distinct.enable off (same value required in local+partner)
telnet.enable on (same value required in local+partner)
netappfiler01> options telnet.enable off
Reminder: you MUST also set option telnet.enable on the partner node
or the next takeover will not function correctly.
netappfiler01> options telnet
telnet.access legacy (same value required in local+partner)
telnet.distinct.enable off (same value required in local+partner)
telnet.enable off (same value required in local+partner)
Now, attempts to reach the filer over telnet will no longer succeed.
= Allowing multiple sessions =
Over SSH, it is not possible to have multiple interactive users logged on at the same time. It is however possible for more than one user to send single commands to the filer over SSH, by passing the command on the ssh command line:
Multiple = ssh [-1|-2] [-6] -l username {IP_addr|hostname} command
Single = ssh [-1|-2] [-6] -l username {IP_addr|hostname}
\\
If you haven't disabled telnet, you can allow multiple telnet sessions at the same time:
netappfiler01> options telnet.distinct.enable on
Reminder: you MUST also set option telnet.distinct.enable on the partner node
or the next takeover will not function correctly.
= Using an Administrative Host =
Using administrative hosts can be an effective way to make sure nobody but you can access the filers. However, you need to be careful with this option: imagine that the workstation you manage the filer from is unusable precisely because the filer is broken. So make sure you have more than one host to manage your filer from. There are several options that need to be configured.
== trusted.hosts ==
>Specifies up to 5 clients that will be allowed telnet, rsh, and administrative HTTP (i.e. FilerView) access to the server. The host names should be entered as a comma-separated list with no spaces in between. Enter a "*" to allow access to all clients; this is the default. Enter a "-" to disable access to the server. NOTE: this option used to be called telnet.hosts, and in fact that is still an alias for this option. This value is ignored for telnet if telnet.access is set, and is ignored for administrative HTTP if httpd.admin.access is set. See na_protocolaccess(8) for more details.
netappfiler01> options trusted.hosts 10.10.10.10,10.10.10.8,10.10.10.18
Reminder: you MUST also set option trusted.hosts on the partner node
or the next takeover will not function correctly.
> Note: Don't forget to add your monitoring hosts!
== ssh.access ==
>Controls which hosts can access the storage system through a Secure Shell session for administrative purposes. You can restrict Secure Shell access to the storage system by specifying host names, IP addresses, or network interface names.
netappfiler01> options ssh.access "host=10.10.10.10,10.10.10.8,10.10.10.18"
= Defining users in an LDAP environment =
== Centralized Administration Of Administrative Users ==
Goal: Enabling the centralized administration of administrative users
# Make sure the value of the security.admin.authentication option includes nsswitch.
# Set the value of the security.admin.nsswitchgroup option to the name of a group, resolvable through the sources listed in nsswitch.conf, that contains the users to whom you want to grant administrative access.
netappfiler01*> options security.admin.authentication nsswitch,internal
netappfiler01*> options security.admin.nsswitchgroup "IT-INFRA"
netappfiler01*> options security.admin.nsswitchgroup
security.admin.nsswitchgroup IT-INFRA
netappfiler01*> options security.admin.authentication
security.admin.authentication nsswitch,internal
== CIFS ==
=== CIFS License ===
netappfiler01> license
cifs not licensed
=== CIFS Setup ===
netappfiler01> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
This filer is currently a member of the /etc/passwd-style workgroup
'WORKGROUP'.
Do you want to continue and change the current filer account information? [n]: y
Your filer does not have WINS configured and is visible only to
clients on the same subnet.
Do you want to make the system visible via WINS? [n]:
This filer is currently configured as an NTFS-only filer.
Would you like to reconfigure this filer to be a multiprotocol filer? [n]:
The default name for this CIFS server is 'netappfiler01'.
Would you like to change this name? [n]:
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? [1]: 4
What is the name of the Workgroup? [WORKGROUP]: AD
CIFS - Starting SMB protocol...
Welcome to the AD Windows(R) workgroup
CIFS local server is running.
netappfiler01>
netappfiler01> Fri May 6 13:46:10 CEST [netappfiler01: nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.
=== Nsswitch.conf ===
netappfiler01> rdfile /etc/nsswitch.conf
#Auto-generated by setup Mon Mar 28 11:08:27 GMT 2011
hosts: files nis dns
passwd: files nis ldap
netgroup: files nis ldap
group: files nis ldap
shadow: files nis
netappfiler01> wrfile /etc/nsswitch.conf
hosts: files nis dns
passwd: ldap nis files
netgroup: ldap nis files
group: ldap nis files
shadow: files nis
=== hosts ===
netappfiler01*> rdfile /etc/hosts
127.0.0.1 localhost
10.10.252.100 netappfiler01 netappfiler01-e0M
10.10.17.100 netappfiler01-e0a
10.10.15.100 netappfiler02
10.10.80.20 mailhost
10.10.4.100 ad.company.local ad
==== Processing nsswitch and hosts ====
source /etc/rc
=== LDAP Configuration ===
Source = [[http://media.netapp.com/documents/tr-3464.pdf|INTEGRATION OF A NETAPP STORAGE SYSTEM WITH A UNIX BASED LDAP SERVER - TR-3464]]
Some original settings:
options ldap.nssmap.attribute.gecos gecos
options ldap.nssmap.attribute.gidNumber gidNumber
options ldap.nssmap.attribute.groupname cn
options ldap.nssmap.attribute.homeDirectory homeDirectory
options ldap.nssmap.attribute.loginShell loginShell
options ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
options ldap.nssmap.attribute.memberUid memberUid
options ldap.nssmap.attribute.netgroupname cn
options ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
options ldap.nssmap.attribute.uid uid
options ldap.nssmap.attribute.uidNumber uidNumber
options ldap.nssmap.attribute.userPassword userPassword
options ldap.nssmap.objectClass.nisNetgroup nisNetgroup
options ldap.nssmap.objectClass.posixAccount posixAccount
options ldap.nssmap.objectClass.posixGroup posixGroup
options ldap.usermap.attribute.unixaccount unixaccount
options ldap.usermap.attribute.windowsaccount windowsaccount
options ldap.usermap.base
options ldap.usermap.enable off
AD with Services for UNIX:
options ldap.nssmap.attribute.gecos name
options ldap.nssmap.attribute.gidNumber msSFU30GidNumber
options ldap.nssmap.attribute.groupname cn
options ldap.nssmap.attribute.homeDirectory msSFU30HomeDirectory
options ldap.nssmap.attribute.loginShell msSFU30LoginShell
options ldap.nssmap.attribute.memberNisNetgroup msSFU30MemberNisNetgroup
options ldap.nssmap.attribute.memberUid msSFU30MemberUid
options ldap.nssmap.attribute.netgroupname name
options ldap.nssmap.attribute.nisNetgroupTriple msSFU30MemberOfNisNetgroup
options ldap.nssmap.attribute.uid sAMAccountName
options ldap.nssmap.attribute.uidNumber msSFU30UidNumber
options ldap.nssmap.attribute.userPassword msSFU30Password
options ldap.nssmap.objectClass.nisNetgroup msSFU30NisNetgroup
options ldap.nssmap.objectClass.posixAccount User
options ldap.nssmap.objectClass.posixGroup Group
AD with IdMgmt for Unix:
options ldap.nssmap.attribute.gecos name
options ldap.nssmap.attribute.gidNumber gidNumber
options ldap.nssmap.attribute.groupname cn
options ldap.nssmap.attribute.homeDirectory unixHomeDirectory
options ldap.nssmap.attribute.loginShell loginShell
options ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
options ldap.nssmap.attribute.memberUid memberUid
options ldap.nssmap.attribute.netgroupname name
options ldap.nssmap.attribute.nisNetgroupTriple memberOfNisNetgroup
options ldap.nssmap.attribute.uid uid
options ldap.nssmap.attribute.uidNumber uidNumber
options ldap.nssmap.attribute.userPassword unixUserPassword
options ldap.nssmap.objectClass.nisNetgroup nisNetgroup
options ldap.nssmap.objectClass.posixAccount user
options ldap.nssmap.objectClass.posixGroup group
LDAP Name and password:
> Confirm that the Distinguished Name (DN) specified is correct. If it is not, modify it and try again. Another way to enter a name for ldap.name is to enter it in Domain\Username format. Once you set the correct ldap.name, set the ldap.passwd again. If the password defined under ldap.passwd uses special characters, try using quotes around the password.
Options set:
ldap.ADdomain company.local
ldap.base OU=InternetUsers,DC=company,DC=local
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.name AD\sa_ldap
ldap.passwd ******
ldap.port 389
ldap.servers ad.company.local
ldap.ssl.enable off
ldap.timeout 20
Now LDAP works:
netappfiler01*> options ldap.name AD\sa_ldap
netappfiler01*> getXXbyYY getpwbyname_r sjoerd
pw_name = sjoerd
pw_passwd = {{******}}
pw_uid = 10000, pw_gid = 10000
pw_gecos = Sjoerd Hooft
pw_dir = /home/sjoerd
pw_shell = /bin/bash
netappfiler01*> getXXbyYY getpwbyuid_r 10000
pw_name = sjoerd
pw_passwd = {{******}}
pw_uid = 10000, pw_gid = 10000
pw_gecos = Sjoerd Hooft
pw_dir = /home/sjoerd
pw_shell = /bin/bash
netappfiler01*> getXXbyYY getgrlist sjoerd
pw_name = sjoerd
Groups: 10000 10001 10003
netappfiler01*> getXXbyYY getgrbyname IT-INFRA
name = IT-INFRA
gid = 10001
netappfiler01*> getXXbyYY getgrbygid 10001
name = IT-INFRA
gid = 10001
You can also set up a different LDAP bind user to see more information. With ldap.name set to the domain Administrator, the same lookup also returns the password attribute, in clear, so choose and protect that bind account accordingly:
ldap.name AD\Administrator:
netappfiler01*> getXXbyYY getpwbyname_r sjoerd
pw_name = sjoerd
pw_passwd = {clear}ABCD!efgh12345$67890
pw_uid = 10000, pw_gid = 10000
pw_gecos = Sjoerd Hooft
pw_dir = /home/sjoerd
pw_shell = /bin/bash
= Using Privileged Commands =
By default, not all commands are available when you log on. Some commands only become available after you explicitly switch to the privilege level that exposes them.
\\
Access is provided using the "priv" command:
netappfiler01> priv set advanced
Warning: These advanced commands are potentially dangerous; use
them only when directed to do so by IBM
personnel.
netappfiler01*> priv set admin
netappfiler01>
As you can see, in advanced mode the prompt changes: an asterisk (*) is appended. Advanced mode persists between logins, so you'll have to explicitly return the system to the basic administration mode by typing "priv set admin".
= Logging administrative access =
> Logging administrative access enables and configures logging for administrative sessions. We recommend enabling this logging. The log file size you specify depends on your local security policy, but it should be large enough to record at least several days of administrative usage. You may set this to a large value (several megabytes) and then adjust it after you see how quickly it fills up in your environment.
netappfiler01> options auditlog
auditlog.enable on (value might be overwritten in takeover)
auditlog.max_file_size 10000000 (value might be overwritten in takeover)
= Useful Links =
* A thread started on getting the logon to work: http://communities.netapp.com/message/53880