- What is the security configuration on the Statseeker server?
- What are Statseeker System User Accounts?
- How do I reset my root password?
- How do I add a New Web User?
- What characters can I use for my User passwords?
- How do you allow pass through HTTP basic authentication via the URL?
- What authentication methods does Statseeker support?
- What version of OpenSSL is installed with Statseeker and is it vulnerable to the heartbleed exploit?
- Is Statseeker vulnerable to Shellshock (BASH) vulnerability (CVE-2014-6271 or CVE-2014-7169)?
What is the security configuration on the Statseeker server?
Statseeker is a highly scalable network monitoring tool running on the FreeBSD operating system and, as such, only requires ICMP access and SNMP read access to the devices it monitors. Things to note with respect to security are:
- The mail service is configured to only process local mail, will not accept remote SMTP connections, runs as a non-privileged user, and will make outgoing connections to the configured SMTP gateway
- You cannot login as root via a network connection. You must login as the statseeker user, and then su to root
Ports that may be open on the Statseeker server (see the notes below):
- TCP port 23: telnet
- TCP port 20/21: ftp
- TCP port 22: ssh
- TCP port 80: http
- TCP port 443: https
- TCP port 30000-30007: Realtime LAN Analyzer
- UDP port 123: NTP
- UDP port 162: snmptrap
- UDP port 514: syslog
- Ports that are configured for NetFlow/sFlow collectors
Notes on Open Ports:
- TCP port 443: https and UDP port 123: NTP are not opened by default
- UDP port 123: NTP will be opened if NTP is configured in the Date, Time and NTP menu of ssadmin
- TCP port 23: telnet and TCP port 20/21: ftp can be disabled in the Network Configuration menu of ssadmin
- TCP port 80: http and TCP port 443: https can be enabled or disabled in the Web Server menu of ssadmin
- Ports for NetFlow/sFlow can be configured in the Administration Tool
- UDP SNMP
- UDP snmptrap
- TCP http
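As an added example (not part of Statseeker's documentation or product), a small POSIX shell check that compares the sockets listening on the server with the port list above, so that a listener outside that baseline stands out. It assumes the FreeBSD `sockstat -l` column layout and uses a constructed sample of its output; NetFlow/sFlow collector ports are site-specific and would be appended to EXPECTED.

```shell
#!/bin/sh
# Added example (not Statseeker's own tooling): compare the sockets listening on a
# Statseeker host against the port list above and report anything unexpected.
# Input format is that of FreeBSD `sockstat -l` (assumption: a header line, then
# USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS columns).

# Baseline from the page: ftp, telnet, ssh, http, https, NTP, snmptrap, syslog.
# NetFlow/sFlow collector ports are site-specific; append yours here.
EXPECTED="tcp/20 tcp/21 tcp/22 tcp/23 tcp/80 tcp/443 udp/123 udp/162 udp/514"

# Return 0 if proto/port (e.g. "tcp/22") is on the baseline, 1 otherwise.
port_expected() {
    case "$1" in
        tcp/3000[0-7]) return 0 ;;   # Realtime LAN Analyzer range 30000-30007
    esac
    for e in $EXPECTED; do
        [ "$e" = "$1" ] && return 0
    done
    return 1
}

# Read sockstat output on stdin and print one "proto/port" line per listener
# that is not on the baseline (empty output means nothing unexpected).
unexpected_listeners() {
    awk 'NR > 1 {
        proto = $5; sub(/[46]$/, "", proto)           # tcp4/udp6 -> tcp/udp
        n = split($6, a, ":"); print proto "/" a[n]   # "*:22" -> 22
    }' | sort -u | while read -r pp; do
        port_expected "$pp" || echo "$pp"
    done
}

# Constructed sample of sockstat -l output: one rogue tcp/8080 listener.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22             *:*
root     inetd      498   5  tcp4   *:23             *:*
www      httpd      601   3  tcp4   *:80             *:*
root     ntpd       455   20 udp4   *:123            *:*
root     syslogd    421   6  udp4   *:514            *:*
root     unknownd   777   3  tcp4   *:8080           *:*'

# Run against the sample; on a real server: sockstat -l | unexpected_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners
```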
What are Statseeker System User Accounts?
There are three main Statseeker System User Accounts:
- root – a UNIX superuser account used to run start/stop scripts and processes which need access to privileged files or ports
- statseeker – a UNIX account used by the Statseeker application
- admin – a web administrator account which can perform Statseeker configuration changes
- By default, all other web users run as non-privileged users
- The admin user has access to all groups and entities
- The admin account has rights to modify the Statseeker configuration and to change the configuration within the Statseeker Administration Tool
The Administration Tool can be used to add new web users and to manage each user’s access to devices, interfaces and reports within Statseeker. See User Accounts for more details. By default these accounts are restricted and have no access to the Administration Tool, API, or other administration or configuration functionality. An Admin role can be assigned to any of these accounts to grant the same privileges as the system admin account.
How do I reset my root password?
There are three ways to change the root password:
- From NIM Console > Administration Tool > Statseeker Administration > OS Configuration > Edit (upper right corner) > Root Password: Change
- From SSADMIN > Option 7 – Passwords > Option 1 – Set root Unix Password
- From the Statseeker server command line interface (CLI)
The third option, resetting the password from the CLI, can be used when the current root password is unknown. For details on this see Resetting the Root Server Password from the CLI.
Note: for further assistance with managing the Statseeker server accounts, please contact Statseeker Technical Support.
How do I add a New Web User?
To create a new user or remove/edit an existing user:
- Select Administration Tool > User Profile/Grouping > Add/Edit Users
- Enter a User Name
- Click Add
- Enter an email address (often used for alerting)
- Enter a password
- Select the default Time Zone relevant to the user’s reporting requirements
- Click Add User
The user account has now been created.
By default, newly created web users have no visibility of any Statseeker group, device, interface or report; this access needs to be granted from within the Administration Tool. To modify the groups/entities that a user can view:
- From the NIM Console select Administration Tool > User Profile/Grouping > Groups to an Entity
- From Entity Type, select Users
- Select the user to edit their permissions
- Add the groups to the user’s Include list to grant access to the group’s contents
Note: by default, Statseeker does not have a group containing reports. New users will require access to a group tailored to contain reports applicable to the devices they have visibility to.
For more details on managing user accounts see:
What characters can I use for my User passwords?
The following characters are not supported:
- \ – backslash
- ' – single-quote
Other alpha-numeric, special characters, and spaces are permitted.
How do you allow pass through HTTP basic authentication via the URL?
This can be achieved by adding the username and password to the URL of the Statseeker server.
Note: some browsers do not support passing username and password in this manner.
What authentication methods does Statseeker support?
Basic file, LDAP and Active Directory user authentication, see User Authentication for detailed instructions.
What version of OpenSSL is installed with Statseeker and is it vulnerable to the heartbleed exploit?
Per the CERT website, the Heartbleed OpenSSL vulnerability affected:
- OpenSSL 1.0.1 through 1.0.1f
- OpenSSL 1.0.2-beta
Statseeker does not utilise an OpenSSL version affected by the Heartbleed vulnerability.
To confirm the version used by your installation, run the following from the command line on your Statseeker server:
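As an added example (not from Statseeker or the CERT advisory), a POSIX shell helper that parses the output of `openssl version` and classifies the version against the affected ranges quoted above. It assumes the usual `OpenSSL <version> <date>` output format; the note that 1.0.2-beta2 and later already carried the fix is my addition, not the page's.

```shell
#!/bin/sh
# Added example (not from Statseeker): classify an OpenSSL version string against
# the Heartbleed-affected ranges quoted above, 1.0.1 through 1.0.1f and 1.0.2-beta
# (i.e. 1.0.2-beta1; beta2 and later shipped with the fix). Returns 0 when affected.

# Pull the version token out of `openssl version` output,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f".
parse_openssl_version() {
    set -- $1
    echo "$2"
}

# 0 = in an affected range, 1 = not. 1.0.1g was the first fixed 1.0.1 release.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f])        return 0 ;;
        1.0.2-beta|1.0.2-beta1)  return 0 ;;
        *)                       return 1 ;;
    esac
}

# Check the OpenSSL binary on this host. Exit status: 0 affected, 1 not
# affected, 2 if openssl is not on the PATH.
check_installed_openssl() {
    out=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    v=$(parse_openssl_version "$out")
    if heartbleed_affected "$v"; then
        echo "OpenSSL $v: within the Heartbleed-affected ranges"
        return 0
    fi
    echo "OpenSSL $v: not within the Heartbleed-affected ranges"
    return 1
}

# Print the verdict for this host; the function's return value carries it
# for callers, the trailing ":" just keeps a clean exit when run as a script.
check_installed_openssl || :
```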
Is Statseeker vulnerable to Shellshock (BASH) vulnerability (CVE-2014-6271 or CVE-2014-7169)?
Statseeker does not include the BASH shell as part of the standard installation package and is therefore not vulnerable to the Shellshock (CVE-2014-6271 or CVE-2014-7169) exploit.