Console Server Security
A console server (also known as a terminal server) is a useful piece of equipment. It saves time, money and resources. If you’ve got more than a couple of Unix/Linux servers you will benefit from owning one. You can do away with all those separate consoles, saving money both by not having to buy loads of consoles and through the energy savings of running one device instead of many. But in my opinion the main advantage is the convenience and time saved by not having to trek down to that cold and noisy server room every time you need to use the system console.
In case you haven’t come across a console server before, a console server is a multiport device that connects to the serial ports of servers. You can connect via the network to the console server and therefore access the system console of the servers plugged into it. This means that you can still access a server across a network even when the server itself isn’t connected to the network. This is useful for remote booting, troubleshooting, running diagnostics, firmware upgrades, etc.
One aspect frequently overlooked is the security of the console server. Some old models don’t even require a password to log on to them. Any number of times I’ve connected to a port on a console server, the previous user forgot to log off when they disconnected and hey presto, I’m in as the root user without even having to enter a password. All your hacker needs to know is the IP address of the console server and they can try connecting to the ports in turn to see if they strike lucky.
Fortunately the modern-day console server tends to be more sophisticated. However, before buying one you need to check out the security features your proposed purchase has. The absolute minimum is that you need to enter a password when you connect to it. This will ensure that even if the previous user did forget to log off, there’s still an element of security because you still need to know the console server password. For many of today’s console servers you can set up individual usernames and passwords for the people allowed system console access. This prevents the problems associated with shared passwords. The type of encryption used is also worth checking: the stronger the better.
Another important consideration is how you access the console server. Telnet has always been the traditional way to connect to a console server port, but in today’s security-conscious world telnet is rapidly being superseded by ssh (the secure shell). Because ssh encrypts the session, the problem of hackers sniffing the network for plain text passwords is alleviated. If your console server can support ssh your network becomes that much more secure.
Packet filtering is another big security plus. Generally you should have a good idea of the IP addresses that you’re likely to connect from, so set up the console server to allow connections only from those addresses. This is generally achieved using packet filtering, so if your console server has this feature you can take another step in protecting yourself.
But what about the console server itself, how do you know what’s going on with it? A good console server should have logging. A useful feature some employ is to use syslog like Unix servers do. The console server syslog can be redirected to a syslog server so you can keep track of what’s happening without having to worry about the space limitations console servers have.
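To show how the address allowlist and the forwarded syslog work together, here is an added example (not from the original article or any vendor) that audits connection records on the syslog server. The log lines are constructed samples in sshd/telnetd style, and the allowlisted networks and the names `ALLOWED_NETS`, `allowed` and `audit` are assumptions; adjust the patterns to whatever your console server actually logs.

```python
import ipaddress
import re

# Assumption: the management networks allowed to reach the console server.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.5.0/24", "10.0.9.17/32")]
# Constructed sample lines in sshd/telnetd syslog style (not from a real device).
SAMPLE_LOG = """\
Mar  3 10:15:02 cs01 sshd[412]: Accepted password for alice from 10.0.5.20 port 51234 ssh2
Mar  3 10:17:40 cs01 in.telnetd[420]: connect from 10.0.5.21
Mar  3 11:02:11 cs01 sshd[431]: Failed password for root from 192.0.2.77 port 40022 ssh2
Mar  3 11:02:15 cs01 sshd[431]: Failed password for root from 192.0.2.77 port 40022 ssh2
Mar  3 11:30:09 cs01 sshd[440]: Accepted password for bob from 198.51.100.8 port 50111 ssh2
Mar  3 11:31:00 cs01 cron[450]: job started
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
FROM_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

def allowed(ip):
    """True if ip falls inside one of the allowlisted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def audit(log_text):
    """Return (timestamp, source_ip, reason) for every line worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        src = FROM_RE.search(m["msg"]) if m else None
        if not src:
            continue  # not a connection record
        ip = src["ip"]
        try:
            inside = allowed(ip)
        except ValueError:
            continue  # digits that are not a valid IPv4 address
        if not inside:
            # An accepted login from outside means the packet filter is not doing its job.
            accepted = m["msg"].startswith("Accepted")
            findings.append((m["ts"], ip, "login accepted from outside allowlist"
                             if accepted else "attempt from outside allowlist"))
        if "telnetd" in m["prog"]:
            findings.append((m["ts"], ip, "cleartext telnet session"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(" | ".join(finding))
```

An accepted login from outside the allowlist is the finding to chase first, since it means the filter on the console server is missing or misconfigured.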
A console server can also be set up to be accessed via a modem. This would be useful for remote connections without a network being available. Of course, modems are notorious security holes often exploited by hackers. If you connect a modem to your console server it is essential that proper authentication is carried out. For example, RADIUS authentication can be employed, so check what your console server uses. With a RADIUS server some console servers will work with ACE/SecurID authentication.
So, any recommendations, you ask? Well, if you’ve had a good look around this web site you’d probably have a shrewd idea. We use the Cyclades TS series console servers. They have all of the features mentioned in this article, and the other reason we like them is they run Linux. When you log on all the commands are familiar and it’s easy to navigate your way around. Of course there are plenty of alternatives such as Lightwave or Cisco, but when I recently checked they didn’t have all the features discussed in this article.
Hopefully this article has given you some ideas on console server security and will help you close a potential backdoor for hackers. Below is a summarised checklist of security features to check for.
Log on password
Connection via ssh
Logging (e.g. syslog)