Sentinel connectors cannot listen on low ports only accessible to privileged users.

Document ID: 3493251
Creation Date: 18-Sep-2007
Modified Date: 05-Sep-2012

Environment

Sentinel 6.x
Sentinel 7.x
Sentinel Log Manager
Novell SUSE Linux Enterprise
RedHat Linux

Situation

In Sentinel 6.x and later, and in Sentinel Log Manager, some Connectors are configured by default to listen on ports below 1024. On Microsoft Windows, where the operating system does not restrict these ports, this is not a problem. On Linux and Unix platforms, which are more secure in this respect, only processes running as root may bind ports below 1024. The Collector Manager service on these platforms runs, by default, as a non-privileged user and should not be run as root. This means that either nonstandard ports must be used, which may require reconfiguring an existing environment, or security best practices must be compromised on the server itself.

Resolution

There are a few options for working around the restriction on binding low-numbered ports. First, on Solaris 10 and later, Role Based Access Control (RBAC) lets the administrator grant a user the privilege needed to bind these ports. TID# 3544831 has more information on this functionality on Solaris.

On Linux platforms, iptables can be used to redirect traffic arriving on the low port to a high port that the Collector Manager service can bind. In the case of the Audit connector, TCP port 289 (the default for Novell Audit) can be redirected to TCP port 1289. The Audit connector is then configured to listen on TCP 1289, and any Platform Agents sending data to the server can use either port.

For new event sources it is recommended that the data be sent directly to port 1289. Existing event sources pointing at either port will work properly, so new or modified installations can point to 1289 as part of their configuration while the old systems continue to use 289. Once all systems sending events point to 1289, the iptables rule can be removed, leaving port 289 free for other applications.

To redirect port 289 to port 1289, run the following command as the root user:

iptables -t nat -I PREROUTING -p tcp --dport 289 -j REDIRECT --to-port 1289

This tells the firewall to redirect all incoming TCP traffic destined for port 289 to port 1289 on the same host.

On SLES it is also possible to edit the /etc/sysconfig/SuSEfirewall2 file and set the FW_REDIRECT line as follows, which has the same effect as the command above:

FW_REDIRECT="0/0,123.45.67.89/32,tcp,289,1289"

Be sure to substitute this server's IP address for 123.45.67.89 in the line above. The line states that the firewall should take traffic from any source (0/0) to this server (123.45.67.89/32) on TCP port 289 and redirect it to port 1289. This method persists across reboots, whereas the iptables command above does not. Using the iptables command is still viable, but it should then be placed in a script that runs automatically during boot so that the redirect is restored each time.

For other connectors, such as syslog, which use other ports, the same commands can be used with the appropriate values substituted. The choice of high port is up to the administrator.
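The following script is an added example and is not part of this TID or of the Sentinel product. It puts the redirect for several connectors into one boot-time script, which is the persistence approach the section above recommends for the iptables method: each mapping is validated (a privileged low port redirected to an unprivileged high port), the rule is checked with "iptables -C" before it is inserted so that running the script repeatedly does not stack duplicate rules, and the same rule text is reused for removal once every event source has been repointed. The mappings in PORT_MAP (Audit TCP 289 to 1289, syslog UDP 514 to 1514) are the values given on this page; the function names and the script layout are this example's own assumptions, and it assumes it is run as root on a Linux host where the iptables command is available.

```shell
#!/bin/sh
# Added example (not from the TID): manage the low-to-high port redirects for
# several connectors at once, idempotently, so the script can be run at boot.
# Assumption: run as root on a Linux host that has the iptables command.

# Mappings are "proto:low:high". Values from the TID: Audit TCP 289 -> 1289,
# syslog UDP 514 -> 1514. Change the high ports to whatever the connectors on
# the Collector Manager are configured to listen on.
PORT_MAP="tcp:289:1289 udp:514:1514"

# Split "proto:low:high" into three space-separated words.
split_mapping() {
    printf '%s\n' "$1" | tr ':' ' '
}

# Accept only tcp/udp, a privileged low port (1-1023) and an unprivileged
# high port (1024-65535); anything else is a typo we refuse to install.
validate_mapping() {
    proto=$1; low=$2; high=$3
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    for p in "$low" "$high"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$low" -ge 1 ] && [ "$low" -lt 1024 ] || return 1
    [ "$high" -ge 1024 ] && [ "$high" -le 65535 ] || return 1
    return 0
}

# Rule arguments, shared by the check, insert and delete commands so the
# three can never drift apart. --to-ports is the documented REDIRECT option.
redirect_rule_args() {
    printf '%s' "-p $1 --dport $2 -j REDIRECT --to-ports $3"
}

# Insert the rule only if it is not already present (-C checks without changing).
apply_redirect() {
    args=$(redirect_rule_args "$@")
    # word splitting of $args into separate arguments is intended
    if ! iptables -t nat -C PREROUTING $args 2>/dev/null; then
        iptables -t nat -I PREROUTING $args
    fi
}

# Delete the rule once every event source has been repointed at the high port.
remove_redirect() {
    args=$(redirect_rule_args "$@")
    iptables -t nat -D PREROUTING $args 2>/dev/null || true
}

# Run the requested action (apply or remove) over every mapping in PORT_MAP.
manage_redirects() {
    action=$1
    for m in $PORT_MAP; do
        set -- $(split_mapping "$m")
        if ! validate_mapping "$@"; then
            echo "skipping invalid mapping: $m" >&2
            continue
        fi
        "${action}_redirect" "$@"
    done
}

case "${1:-}" in
    apply|remove) manage_redirects "$1" ;;
    *) echo "usage: $0 apply|remove" >&2 ;;
esac
```

Run it as "sh redirect-ports.sh apply" from whatever boot-time mechanism the host uses, and "sh redirect-ports.sh remove" after the last event source has been moved to the high port. One caveat that the redirect does not cover: the nat PREROUTING chain only sees packets that arrive from the network, so an agent running on the Collector Manager host itself and sending to 127.0.0.1 on the low port is not redirected (locally generated traffic goes through the nat OUTPUT chain instead). Pointing such an agent directly at the high port, as the section above already recommends for new installations, avoids the issue.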

Appliance installations of Log Manager and Sentinel 7.0 forward these ports automatically for convenience: TCP 289 is forwarded to TCP 1289, UDP 514 is forwarded to UDP 1514, and the HTTP and HTTPS interface ports are also forwarded for convenient access to the system (80 to 8080 and 443 to 8443).

Change Log

2012-09-02 AB: Correct UDP and 10289 throughout; also added note about Sentinel and Log Manager appliance options.