Hi
Not entirely CentOS related, but that's what the boxes are running, so here I go ;)
2 of our CentOS boxes run Nagios for network monitoring and send email and paging alerts, and are connected to standard phone lines using modems to send the pages. I'm looking for a way, in the event of provider failure, to log in to these machines, and so am looking at the ability to connect to the console over the modem.
Any good how-tos on this? Also interested to know real-life security risks etc. Is it possible to limit the phone numbers that are able to connect etc.?
thanks
Here are my notes from doing this on a red hat 7.3 box.
If you don't need ppp but just want console, you can ignore the ppp part and just set up mgetty.
ppp configuration is surprisingly simple.
You'll need the pppd and mgetty packages if you don't have them.
/etc/mgetty+sendfax/
login.config:
uncomment the "AutoPPP" line or you'll just get a login prompt
also, if you are using CHAP authentication (maybe good, maybe bad) you will want to enable it in the command line for pppd in the AutoPPP line
mgetty.config:
speed 38400
data-only y

possibly port-specific options. If you're doing a lot of analog-to-analog dial you want to disable the 56k negotiation in the modem init string, because it will never get past 33.6 on a connection that is analog on both ends. (v.92 might do better).

This seems to work with USR modems:

# this init-chat is the compiled-in default plus ATS32=224 at the end
# this disables x2, v.90, v.92
init-chat "" ATQ0V1H0 OK ATS0=0Q0&D3&C1 OK ATS32=224 OK
/etc/ppp/options:
auth
lock
nobsdcomp
proxyarp
refuse-pap
require-chap
multilink
192.168.1.1:

The IP address above should be replaced with your dial-in server's; see the pppd man page.
/etc/ppp/chap-secrets:
# Secrets for authentication using CHAP
# client server secret IP addresses
meeting yourdialinserver password Ipaddr-to-assign
/etc/inittab:
S4:2345:respawn:/sbin/mgetty -D /dev/ttyS4
S5:2345:respawn:/sbin/mgetty -D /dev/ttyS5
/etc/rc.d/rc.local:
# ip forwarding is useful when we are a PPP dialin host
echo 1 > /proc/sys/net/ipv4/ip_forward
On Fri, Oct 21, 2005 at 11:46:51AM +0100, Tom Brown wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
danno -- dan pritts - systems administrator - internet2 734/352-4953 office 734/834-7224 mobile
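A sanity check for the setup in Dan's notes, added here as an example; it is not part of his notes and not something mgetty or pppd ship. The script verifies the security-relevant pieces of the configuration above: pppd has auth, require-chap and refuse-pap (auth alone still lets a peer negotiate PAP and send the password in clear over the line), chap-secrets is mode 0600 and no longer contains the "password" placeholder, and the AutoPPP line in login.config is uncommented. File paths follow the notes; the "weak secret" rules (placeholder, secret equal to the client name, fewer than 8 characters) are an assumed local policy. It does not cover caller-ID restrictions or the modem side.

```shell
#!/bin/sh
# audit_dialin.sh: sanity checks for an mgetty + pppd dial-in host.
# Added example for this thread, not part of Dan's notes. Paths follow
# his notes (/etc/ppp/options, /etc/ppp/chap-secrets,
# /etc/mgetty+sendfax/login.config); the weak-secret rules below are an
# assumed local policy, not anything mgetty or pppd enforce.

# has_option FILE WORD: true if WORD appears as a whole token in FILE,
# ignoring anything after a '#' comment marker.
has_option() {
    sed 's/#.*//' "$1" | tr -s ' \t' '\n\n' | grep -qx -- "$2"
}

# pppd must demand CHAP and refuse PAP so the shared secret never crosses
# the phone line in clear. 'auth' alone is not enough: without
# 'refuse-pap' the peer can still negotiate PAP and hand over the password.
check_ppp_options() {
    has_option "$1" auth && has_option "$1" require-chap && has_option "$1" refuse-pap
}

# chap-secrets stores cleartext secrets; it must be mode 0600.
# (stat -c is GNU coreutils, present on Red Hat / CentOS.)
check_secrets_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Each non-comment line of chap-secrets is "client server secret [addr]".
# Flag the "password" placeholder from the notes, a secret equal to the
# client name, or one shorter than 8 characters (assumed policy). An empty
# file (no secrets at all) also fails.
check_secrets_content() {
    sed 's/#.*//' "$1" | awk '
        NF > 0 {
            seen = 1
            if (NF < 3 || $3 == "password" || $3 == $1 || length($3) < 8) bad = 1
        }
        END { if (bad || !seen) exit 1; exit 0 }'
}

# The /AutoPPP/ line must be uncommented for mgetty to hand PPP callers
# to pppd; commented out, callers just get a login prompt.
check_autoppp() {
    grep -q '^/AutoPPP/' "$1"
}

# audit_host OPTIONS SECRETS LOGIN_CONFIG: run every check, print one
# line per result, return non-zero if any check fails.
audit_host() {
    rc=0
    check_ppp_options "$1"     && echo "ok   pppd requires CHAP, refuses PAP"  || { echo "FAIL pppd options (need auth require-chap refuse-pap)"; rc=1; }
    check_secrets_mode "$2"    && echo "ok   chap-secrets is mode 0600"       || { echo "FAIL chap-secrets must be mode 0600"; rc=1; }
    check_secrets_content "$2" && echo "ok   chap-secrets hold no weak secret" || { echo "FAIL weak or placeholder CHAP secret"; rc=1; }
    check_autoppp "$3"         && echo "ok   AutoPPP enabled in login.config"  || { echo "FAIL AutoPPP line still commented out"; rc=1; }
    return $rc
}

# Run against the live files when they are present (skipped otherwise, so
# the functions can also be sourced and run against copies of the files).
if [ -f /etc/ppp/options ]; then
    audit_host /etc/ppp/options /etc/ppp/chap-secrets /etc/mgetty+sendfax/login.config
fi
```

Run it as root on the dial-in host after finishing the configuration; a non-zero exit means at least one check printed FAIL. Each check can also be called on its own with a file path, which is convenient when reviewing copies of the files pulled from the box.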
I just saw this...I'm thinking of implementing a dialin server for my job. Only problem is that I'd need to authenticate using RSA SecureID tokens. I *think* that the RSA box is running a RADIUS server. How would I go about getting the incoming login on the dialin box to use RADIUS to authenticate against the RSA RADIUS server? Is there a HOWTO somewhere?
Thanks!
Ben
On 04/01/06, Benjamin J. Weiss benjamin@birdvet.org wrote:
Chances are the RSA server's running RSA/ACE Server. You might need the RSA Authentication Agent installed on the dial-in platform to provide RSA authentication via PAM.
http://www.rsasecurity.com/node.asp?id=1177&node_id=
Their documentation was pretty decent last time I used RSA products so you might want to have a root around on their website.
Will.
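For the plain console path (mgetty handing the line to /bin/login), the RADIUS step goes into PAM, as Will says. The fragment below is an added example, not from the thread and not RSA's documentation: it uses the open-source pam_radius_auth module (from the FreeRADIUS project) in place of the RSA Authentication Agent, which ships its own PAM module with its own configuration. The hostname, port and shared secret are placeholders. One caveat that matters for this thread: a SecurID tokencode is a one-time value, so the dial-in side cannot use CHAP for it (CHAP requires the server to hold the cleartext secret to verify the challenge-response). Token authentication over PPP therefore means PAP to the RADIUS server, i.e. the opposite of the refuse-pap / require-chap settings in Dan's notes, and pppd's `login` option (which checks PAP peers through the PAM service named `ppp`) is where that hook lives.

```text
# /etc/pam.d/login  (service used by /bin/login, i.e. the non-PPP console path)
# auth goes to RADIUS only; no pam_unix fallback, so a local password
# cannot bypass the token.
auth       required   pam_radius_auth.so
account    required   pam_unix.so
session    required   pam_unix.so

# /etc/raddb/server  (pam_radius_auth server list: host[:port] shared_secret timeout)
# root-owned, mode 0600: the shared secret is stored in clear
rsa-radius.example.internal:1812   ChangeMe-SharedSecret   5
```

Keep the entry `required` rather than `sufficient` followed by pam_unix; the latter lets any account with a local password skip the token, which defeats the reason for deploying it on a dial-in box.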