Version 2.2.0
All material in these pages, including text, layout, presentation, logos, icons, photos, and all other artwork is the Intellectual
Property of NetGuardians SA, unless otherwise stated, and subject to NetGuardians SA copyright. No commercial use of any
material is authorised without the express permission of NetGuardians SA. Information contained in, or derived from these
pages must not be used for development, production, marketing or any other act, which infringes copyright. This document is
for informational purposes only. NetGuardians SA makes no warranties, expressed or implied, in this document.
TABLE OF CONTENTS
2 CTS Usage
  2.1 CTS menu
  2.2 Standard CTS session
  2.3 Change user password
  2.4 SCP command usage
    2.4.1 Main Menu
    2.4.2 Advanced Menu
  2.5 Edit ssh authorized keys
CHAPTER 1
CONSOLE TRACKING SYSTEM AT A GLANCE
The NetGuardians Console Tracking System is the NG|Screener SSH proxy that registers all console
activities.
The Console Tracking System (CTS) tracks and registers any action performed by Unix server
administrators at the operating system level.
Instead of connecting directly to the Unix system, administrators should first connect to CTS (by
SSH) and may then connect to the system to be administered (Telnet and SSH are supported). CTS
tracks all activities and registers them in the NG|Analytics server. The usual NG|Screener analysis tools
(reports, alerts, forensic browsing) are available to make use of this data. In addition, CTS
administrators can define the list of servers that each individual user can access, enabling them to define strict
security policies.
CHAPTER 2
CTS USAGE
Unix administrators should connect to CTS before connecting to the server to be administered. To
connect to CTS, connect via SSH to the CTS server.
Refresh
Quit
1. Connect to CTS with SSH (with any SSH client, e.g. PuTTY)
2. Enter the CTS username and password
3. Select a main command or the number of a host in the list
NG|Console Tracking System User Guide 2.2. STANDARD CTS SESSION
NG|Console Tracking System User Guide 2.3. CHANGE USER PASSWORD
To change the password at any other time, connect to CTS, select the option Change your
password from the main commands menu (section 2.1), and follow the instructions from the 2nd step
(Point 2) above.
NG|Console Tracking System User Guide 2.4. SCP COMMAND USAGE
1. Advanced Menu: lets you enter more specific parameters for the SCP command (such as the IP
protocol). For more information, please refer to section 2.4.2
2. Refresh: refreshes the menu (for example, if new files have been uploaded)
3. Quit: returns to the previous menu for connecting to a specified host
The FILES AND DIRECTORIES part displays the HOME directory of the current user, and all files and
directories inside it. It is possible to browse inside directories by typing their number in the list, as
shown below:
For each directory selected, you are asked to choose between browsing inside it (b option) or transferring
it with its whole content (t option). By default, the b option is selected, and pressing <ENTER>
browses directly into the selected directory.
Once the browsing option has been selected, the current directory is updated and its content is
displayed. The same choices are then available (browsing deeper or transferring files or directories). A
new option appears in MAIN COMMANDS which allows going back to the previous directory.
After choosing a file to transfer, you are asked to choose which host to send it to. Only hosts
displayed in the list are available.
Note: If the administrator has selected Allow any hosts in the CTS User Administration page,
you may either select a host in the provided list or type any IP address. For more information, please
refer to the CTS Administration Guide.
Then, enter the username and the password, and the file is transferred.
NG|Console Tracking System User Guide 2.5. EDIT SSH AUTHORIZED KEYS
The next step is to enter the arguments for the SCP command.
Examples:
/tmp/TestFile.txt ng-dev@10.194.6.17:/home/ng-dev
/tmp/TestFile.txt ng-dev@10.194.6.17:
-4 -P 22 /tmp/TestFile.txt ng-dev@10.194.6.17:/home/ng-dev
-4 -P 22 -r /tmp/MyDir ng-dev@10.194.6.17:/home/ng-dev
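The argument lines above can be checked mechanically, for instance by a reviewer going through recorded transfers or by a wrapper that pre-checks a line before it is submitted. The following is an added example, not NetGuardians code: the function names, the option allow-list and the allowed host set are assumptions, and it handles only IPv4 or hostname destinations as in the examples above.

```python
import shlex

FLAGS = {"-4", "-6", "-r"}   # assumed allow-list: options without a value
VALUE_OPTIONS = {"-P"}       # assumed allow-list: options followed by a value

def parse_scp_arguments(line):
    """Split one argument line into options, source, user, host and remote path."""
    tokens = shlex.split(line)
    options, operands = {}, []
    position = 0
    while position < len(tokens):
        token = tokens[position]
        if token in FLAGS:
            options[token] = True
        elif token in VALUE_OPTIONS:
            if position + 1 >= len(tokens):
                raise ValueError(f"{token} needs a value")
            position += 1
            options[token] = tokens[position]
        elif token.startswith("-"):
            raise ValueError(f"option outside the allow-list: {token}")
        else:
            operands.append(token)
        position += 1
    if len(operands) != 2:
        raise ValueError("expected one source and one destination")
    source, destination = operands
    target, colon, remote_path = destination.partition(":")
    user, at_sign, host = target.rpartition("@")
    if not (colon and at_sign and user and host):
        raise ValueError("destination must look like user@host:path")
    port = int(options.get("-P", "22"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    # An empty remote_path means the remote user's home directory.
    return {"source": source, "user": user, "host": host, "port": port,
            "remote_path": remote_path, "recursive": "-r" in options}

def check_transfer(line, allowed_hosts):
    """Parse the line and refuse destinations that are not in the user's host list."""
    transfer = parse_scp_arguments(line)
    if transfer["host"] not in allowed_hosts:
        raise PermissionError(f"{transfer['host']} is not in the allowed host list")
    return transfer
```
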
CHAPTER 3
PASSWORDLESS CONNECTION WITH CTS
To make the CTS as easy as possible to use, it is possible to connect to the CTS
without entering any password, using key exchange only. It is also possible to access the
remote server directly without having to go through the CTS menu. This section first explains how to generate the key
pair used in both cases.
3.1.1 On Unix
1. Open the terminal
2. Enter the following command to create the keys: ssh-keygen
3. Enter a passphrase (see footnote 1)
id_rsa: contains the user's private key (which must never be transmitted to anybody!)
id_rsa.pub: contains the user's public key (which must be sent to the CTS, see below)
1 A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace,
NG|Console Tracking System User Guide 3.1. PUBLIC/PRIVATE KEY GENERATION
3.1.2 On Windows
Follow your SSH client's instructions for generating a key pair. This example demonstrates key pair
generation in the popular program PuTTY.
1. Download PuttyGen.exe. (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
3. Move the mouse over the blank area displayed by PuTTYgen to generate the key.
4. Copy the content of the public key as shown in the following picture:
NG|Console Tracking System User Guide 3.2. TRANSPARENT CONNECTION TO CTS
Before following the next procedure, a user must already have been created in Webmin.
After both keys have been generated, the public key has to be copied to the CTS:
1. Connect with SSH to the CTS using the user's username and password
Then, follow the next instructions, depending on which way you are connecting to the CTS.
ssh usr01@ctsserver
3. You are now able to connect to the CTS with PuTTY without entering a password (see footnote 2).
2 If the key was created using ssh-keygen, refer to section 3.2.3
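Before the public key is copied to the CTS, it is worth checking the line being pasted: that it is the public half, that it survived copy and paste intact, and that an RSA key is not undersized. The following is an added example, not part of the original guide or of CTS; it assumes the OpenSSH one-line format written to id_rsa.pub, and the function names, the 2048-bit minimum and the sample key (a constructed blob, not a real key) are assumptions.

```python
import base64
import struct

PRIVATE_MARKERS = ("PRIVATE KEY", "PuTTY-User-Key-File")

def read_field(blob, offset):
    """Read one length-prefixed field of the key blob; return (data, next_offset)."""
    end = offset + 4
    if end > len(blob):
        raise ValueError("truncated key blob")
    end += struct.unpack(">I", blob[offset:end])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_public_key_line(line, min_rsa_bits=2048):
    """Validate one '<type> <base64> [comment]' line before it is copied to the CTS."""
    line = line.strip()
    if any(marker in line for marker in PRIVATE_MARKERS):
        raise ValueError("private key material: keep it on the workstation")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]' on one line")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key data is not clean base64 (wrapped or cut?)") from exc
    label, offset = read_field(blob, 0)
    if label != key_type.encode():
        raise ValueError("type label does not match the key blob")
    bits = None
    if key_type == "ssh-rsa":  # blob layout: type, exponent e, modulus n
        _exponent, offset = read_field(blob, offset)
        modulus, offset = read_field(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < min_rsa_bits:
            raise ValueError(f"RSA modulus is only {bits} bits")
    return {"type": key_type, "bits": bits, "comment": parts[2] if len(parts) > 2 else ""}

def make_sample_rsa_line(bits, comment="usr01@workstation"):
    """Constructed sample: a well-formed blob around a made-up modulus, not a real key."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    blob = field(b"ssh-rsa") + field((65537).to_bytes(3, "big")) + field(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```
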
NG|Console Tracking System User Guide 3.3. TRANSPARENT CONNECTION TO REMOTE SERVERS
Note: This section requires that the previous section, showing how to generate a key pair and perform a
passwordless connection to the CTS, has already been completed.
By using Automatic host redirection, users are directly redirected to the server they want to reach.
Then, the password to connect to the remote server is requested.
On Unix
If users connect from a Unix system, they only need to enter the following command :
CONNECT="ssh <remote_server>" ssh -o SendEnv=CONNECT user@ctsserver
Both passwords (to connect to the CTS and to the remote server) are requested, if no key has been
set up previously.
Note: The SSH configuration can be set up in the configuration file ~/.ssh/config as follows:
Host cts
    HostName <ctsserver>
    User foxy
    ForwardAgent yes
    SendEnv CONNECT
On Windows
Users can use PuTTY and the following configuration to use automatic host redirection.
2. Click Add
3. A key can also be used if the transparent connection to the CTS has been set up (section 3). If this
is not the case, both passwords (to connect to the CTS and to the remote server) are requested.
4. Each configuration can be saved in PuTTY by clicking Save in the Session tab.
So that users do not have to enter their passwords while connecting to a remote server, CTS enables
them to connect directly. The CTS then becomes totally transparent for users, but it still tracks their
actions on the remote systems.
Remote Server (see footnote 3):
After these steps, the remote host is correctly configured to accept connections from the user who owns
the right private key. The following steps need to be executed depending on the system used to connect.
3 We assume that the remote server runs a Unix system. For any other system, the procedure needs to be adapted according
On Unix
Connecting directly to the remote server requires the key authentication mechanism and
automatic host redirection. Since the private key has to be used to authenticate on the remote server,
ssh-agent needs to be used as follows:
2. Then, the following command can be used to connect to the remote server :
On Windows
Connecting directly to the remote server requires the key authentication mechanism and
automatic host redirection. Since the private key has to be used to authenticate on the remote server,
pageant needs to be used as follows:
3. In Connection/SSH/Auth, select Allow agent forwarding and select the private key
NG|Console Tracking System User Guide 3.4. SSH AGENT
The user is now able to connect to the CTS with an encrypted private key, handled by the SSH agent.
They no longer need to enter their passwords every time they connect.