Environment
Sentinel 6.x
Sentinel 7.x
Sentinel Log Manager
Novell SUSE Linux Enterprise
RedHat Linux
Situation
In Sentinel 6.x and later, and in Log Manager, some of the Connectors are configured by default to listen on ports below 1024. On Microsoft Windows, where access to these ports is not restricted, this is not a problem. On Linux and Unix platforms, a process that is not running as root is not allowed to bind ports below 1024. The Collector Manager services on these platforms run as a non-privileged user by default and should not be run as root. This means that either nonstandard ports must be used, which could require reconfiguration of an existing environment, or security best practices would have to be compromised on the server itself.
Resolution
There are a few options to work around the restriction on binding low-order ports. First, on Solaris 10 and later, Role Based Access Control (RBAC) lets the administrator flag a user as privileged enough to bind these ports. TID# 3544831 has more information on this functionality on Solaris.
On the Linux platforms, iptables can be used to forward traffic from the low port to a high port that the Collector Manager service can bind successfully. In the case of the Audit Connector, TCP port 289 (the default for Novell Audit) can be forwarded to TCP 1289. The Audit Connector is then configured to listen on TCP 1289, and any Platform Agents sending data to the server can use either port. For new event-source implementations it is recommended that data be sent directly to 1289. Existing implementations will work properly pointing at either port, so future or modified installations can point to 1289 as part of their new configuration while the old systems still use 289. Once all systems sending events point to 1289, the iptables rule can be removed, leaving port 289 free for other applications.
To forward TCP port 289 to 1289, run the following command as the root user:
iptables -t nat -I PREROUTING -p tcp --dport 289 -j REDIRECT --to-port 1289
This tells the firewall to redirect all TCP traffic arriving on port 289 to port 1289.
On SLES it is also possible to edit the /etc/sysconfig/SuSEfirewall2 file and set the FW_REDIRECT line to the following, which has the same effect as the command above:
FW_REDIRECT="0/0,123.45.67.89/32,tcp,289,1289"
Be sure to substitute this server's IP address for 123.45.67.89 in the line above. The line states that the firewall should allow traffic from anywhere (0/0) to this server (123.45.67.89/32) on TCP port 289 and forward it to 1289. This method persists across reboots, whereas the iptables command above does not. Using the iptables command is still viable, though it should then be placed in a script that runs automatically at boot so the redirect is re-applied.
For other connectors, such as Syslog, which use other ports, the same commands can be used with the correct values substituted. The high port chosen is up to the administrator.
Appliance installations of Log Manager and Sentinel 7.0 forward these ports automatically for convenience. TCP 289 is forwarded to TCP 1289, UDP 514 is forwarded to UDP 1514, and the HTTP and HTTPS interface ports are also forwarded for convenient access to the system (80 to 8080, and 443 to 8443).
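The boot-time script suggested above, written here as an added example (it is not part of this TID or of the Sentinel product). It installs the PREROUTING REDIRECT rules for the same port pairs the appliance uses, checks each rule before adding it so that re-running at every boot does not stack duplicates, and refuses a mapping whose high port is still below 1024; DRY_RUN, REDIRECTS and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: re-apply low-to-high port redirects at boot (run as root with --run).
# Each entry is proto:low_port:high_port; these are the pairs the TID lists for the
# appliance. Edit the list for your own Collector Manager connectors.
REDIRECTS="tcp:289:1289 udp:514:1514 tcp:80:8080 tcp:443:8443"

# DRY_RUN=1 prints the iptables commands instead of running them (no root needed).
: "${DRY_RUN:=0}"

# Build the iptables command for one mapping, in the same form as the TID's example.
redirect_rule() {
    printf 'iptables -t nat -I PREROUTING -p %s --dport %s -j REDIRECT --to-port %s' "$1" "$2" "$3"
}

# Return 0 if an equivalent REDIRECT rule is already in the nat PREROUTING chain.
# iptables -S prints the option under its canonical name, --to-ports.
rule_present() {
    iptables -t nat -S PREROUTING 2>/dev/null \
        | grep -q -- "-p $1 .*--dport $2 .*-j REDIRECT --to-ports $3"
}

# Accept only tcp/udp, a privileged low port (1-1023) and an unprivileged high
# port (1024-65535); anything else would not help a non-root Collector Manager.
valid_mapping() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    [ "$2" -ge 1 ] 2>/dev/null && [ "$2" -lt 1024 ] \
        && [ "$3" -ge 1024 ] 2>/dev/null && [ "$3" -le 65535 ]
}

apply_redirects() {
    for entry in $REDIRECTS; do
        proto=${entry%%:*}; rest=${entry#*:}; low=${rest%%:*}; high=${rest#*:}
        if ! valid_mapping "$proto" "$low" "$high"; then
            echo "skipping invalid mapping $entry" >&2
            continue
        fi
        cmd=$(redirect_rule "$proto" "$low" "$high")
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; continue; fi
        rule_present "$proto" "$low" "$high" || $cmd
    done
}

# PREROUTING only sees packets arriving from other hosts: a local check such as
# "nc localhost 289" would need a matching rule in the nat OUTPUT chain.
if [ "${1:-}" = "--run" ]; then apply_redirects; fi
```

Verify the result with `iptables -t nat -L PREROUTING -n`, then confirm the connector is listening on the high port with `netstat -ln`.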
Change Log
2012-09-02 AB: Correct UDP and 10289 throughout; also added note about Sentinel and Log Manager appliance options.