
TELNET FROM IP CLIM Provider


smfre...@gmail.com

Jul 8, 2016, 1:16:13 PM

Does anyone know how to do a telnet to a particular port from the NonStop IP CLIM provider?

NoTelnetHere

Jul 8, 2016, 3:14:26 PM
Telnet, na-na-na. You should use SSH i.e. have the correct user access. CLIM is just a Debian box.

smfre...@gmail.com

Jul 8, 2016, 3:22:59 PM
On Friday, July 8, 2016 at 3:14:26 PM UTC-4, Rocket99 wrote:
> Telnet, na-na-na. You should use SSH i.e. have the correct user access. CLIM is just a Debian box.

Thanks for your response.

I am just trying to check if a port is open in the firewall by doing a telnet to the destination on a specific port.

We recently moved to IP CLIMs, so I am not sure how I should check for the port from an IP on the CLIM. Is there a different way?

Bill Honaker

Jul 8, 2016, 5:26:54 PM
What was your network connection before? IOAME? S-series G4SA?

It's not clear which firewall access you're checking. If you are running telnet on your workstation to see if the port is open in the firewall (and listening on the server), it would not change due to CLIM.

Note that the specific IP stack runs in the CLIM, so the connection ends there. The protocol between the CLIM and the SAM is proprietary, and uses secured connections between the CLIM and the IOP.

If on the other hand you're running Telnet on the NonStop to check connectivity to a resource elsewhere, you need to make sure that you set up a define in your command process (TACL, bash, or osh) that specifies the correct stack, unless you intend to use the default of $ZTC0. For TACL, 'ADD DEFINE =TCPIP^PROCESS^NAME,CLASS MAP,FILE $ZTC5'. For bash and osh: 'add_define =tcpip^process^name class=map file=\g\ztc5'.

If you need to use DNS or HOSTS file resolution, you can do that with other defines. Check the 'TCP/IP Applications and Utilities User Guide' or the 'HPE NonStop TCP/IP Programming Manual' for more information (hint: Search for "tcpip^process^name").

Bill

wbreidbach

Jul 10, 2016, 4:58:00 PM
On Friday, July 8, 2016 at 19:16:13 UTC+2, smfre...@gmail.com wrote:
> Does anyone know how to do a telnet to a particular port from the NonStop IP CLIM provider?

Using Telnet on a specific port is pretty easy:
telnet <destination-address> <port>
Example:
telnet 192.168.1.1 1234
Of course you have to use the correct IP-stack but that has already been mentioned and explained.
Please notice: If the connection does not work, wait for the timeout, it takes a while. Telnet will not accept the break-key while trying to connect.

Rocket99

Jul 11, 2016, 4:10:29 AM

To use ssh to get to your CLIM if all is set up correctly:

ssh -t -S <nonstop-ssh2-process> -i $system.zservice.superkey root@<clim-ip-or-hostname>

Roberto Veldhoven

Jul 13, 2016, 9:48:57 AM
You may want to select a local IP-address if you have more in your stack:
> telnet -s 111.222.333.444 192.168.1.1 1234
Firewalls may allow only one of your local IP-addresses, depending on configuration.
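
An added example, not part of any post in this thread: the same firewall check as a single TCP connect that reports why it failed, for use from a separate test host where Python is available. It binds an optional local source address (as `telnet -s` does above) and uses a bounded timeout instead of waiting out the stack default. The names `probe_port` and `demo` are hypothetical, and the loopback listener is constructed so the block runs offline.

```python
import errno
import socket


def probe_port(dest, port, source_ip=None, timeout=5.0):
    """Attempt one full TCP connect and classify the outcome.

    'open'        handshake completed
    'closed'      RST received: path works, nothing listening (or a rejecting rule)
    'filtered'    no answer before the timeout: typically a silently dropping rule
    'unreachable' no route to the destination
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_ip is not None:
            # Port 0 lets the OS pick the ephemeral source port.
            sock.bind((source_ip, 0))
        sock.connect((dest, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error: %s" % exc
    finally:
        sock.close()


def demo():
    # Constructed local listener standing in for the remote service.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port, source_ip="127.0.0.1", timeout=2)
    listener.close()
    after_close = probe_port("127.0.0.1", port, source_ip="127.0.0.1", timeout=2)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())
```

A 'filtered' result for one source address and 'open' for another is the per-source firewall rule behaviour described above.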

smfre...@gmail.com

Oct 19, 2016, 4:40:37 PM
On Monday, July 11, 2016 at 4:10:29 AM UTC-4, Rocket99 wrote:
> To use ssh to get to your clim if all is setup correctly:
>
> ssh -t -S <nonstop-ssh2-process> -i $system.zservice.superkey root@<clim-ip-or-hostname>

Thanks a lot, the information was very useful.

Rocket99

Jan 3, 2017, 4:38:45 AM

That ssh cmd needs to be issued from the NonStop SSH client. Using SSH port forwarding you should be able to get to a CLIM from a PC SSH client too. There are in that case of course dependencies like network access and ssh2 daemon config on the NonStop.

comforte...@gmail.com

Jan 3, 2017, 4:14:20 PM
On Friday, July 8, 2016 at 7:16:13 PM UTC+2, smfre...@gmail.com wrote:
> Does anyone know how to do a telnet to a particular port from the NonStop IP CLIM provider?

The original question was how to do a Telnet *from* the NonStop IP Clim provider. The reason given was checking firewall rules and that usage seems fine. Assuming telnet client is installed on the CLIM, the given command would work - but you would still need a shell prompt on the CLIM - more on this below.

----------------------------------------------------------------

Then the thread somehow turned into "how can I 'Telnet' *into* the IP Clim provider" with the answer given being "just use SSH client on NonStop and here is the full syntax".

From a security perspective, I would heavily recommend *against* doing this. In effect you gain an un-audited, weakly authenticated, root logon to the IP Clim provider. It takes about two commands to completely fry the IP Clim box. This will take down your whole IP connectivity real fast. Do you have a backup of your CLIM config?

Executive Summary: Don't try this at home and certainly not on a production system.

If you want to administer the IP Clim box, there are well-documented (well I hope so) commands starting with CLIMCMD. Use these.

----------------------------------------------------------

Back to the original request: How do I check firewall rules and how they affect where the CLIM can connect to (and where not): The complete exercise will always use a separate box connected to the same switch as the CLIM. Not that there is stuff such as TCP half-connects which you cannot test with Telnet at all.

If using a "firewall probe" is not possible: open a case with HPE :-)

comforte...@gmail.com

Jan 3, 2017, 4:21:58 PM
Correction: towards the end, it should say "Note that there is stuff such as" rather than "Not that there is"

Wendy

Jan 6, 2017, 2:04:23 PM
On Tuesday, January 3, 2017 at 1:21:58 PM UTC-8, comforte...@gmail.com wrote:
> Correction: towards the end, it should say "Note that there is stuff such as" rather than "Not that there is"

There's quite a bit of documentation on CLIM security and SSH access in the NonStop Security Hardening Guide and the Cluster I/O Protocols (CIP) Configuration and Management Guide.

By default only SUPER group members can get CLIM SSH root access, as the SUPERKEY file is created with SUPER group read access. Customers can use Safeguard ACLs to further restrict read access if they so choose and configure auditing as needed.

SSH CLIM access from the NSC uses password-based authentication (and of course the user already needs to be authenticated on the NSC).

The hardening guide contains a section on CLIM access that covers this pretty well. I'm currently working on an update and will add text on the ability to use Safeguard ACLs to further restrict access to SUPERKEY (and USERKEY, if desired) and ensure audit generation on the NSK side.

I'll also add a mention of the transport of authentication events from the CLIM to the NSK, which is described in the CIP management guide; they wind up in an EMS alternate collector.

The CLIM management guide also has a discussion of what direct Linux commands are safe to use.

Bill Honaker

Jan 6, 2017, 3:11:26 PM
As of J06.20 (and equivalent releases), a 'user' level access to the CLIMCMD (and CLSFTP) functions is available to members of the Safeguard Security Group ‘SECURITY-CLIM-ADMIN’.

The default pwd for that user is '/home/user' instead of '/home/root'.

I don't think the OP was looking for this type of access, his post seemed to be asking how to initiate a TELNET session outbound from a CIPSAM IP stack.
His stated purpose was to validate that the firewall rules allowed the connection to occur. While a telnet session from the CLIM could also be used, the telnet client isn't installed in the CLIM by default.

comforte...@gmail.com

Jan 9, 2017, 7:26:30 AM

I am not sure whether it is installed on an IP CLIM, but the tool nmap is ideal for firewall config checking. It is also used by the bad guys for network discovery - but that does not make the tool itself bad...

See https://nmap.org

Wendy

Jan 9, 2017, 1:49:41 PM
On Monday, January 9, 2017 at 4:26:30 AM UTC-8, comforte...@gmail.com wrote:
> I am not sure whether it is installed on an IP CLIM, but the tool nmap is ideal for firewall config checking. It is also used by the bad guys for network discovery - but that does not make the tool itself bad...
>
> See https://nmap.org

HPE does not ship nmap on CLIMs.