000030600 - Configure the SA Server to be an NTP server for the other hosts within an RSA Security Analytics environment

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000030600
Applies ToRSA Product Set: Security Analytics

RSA Product/Service Type: Security Analytics Server, Core Appliance, Event Stream Analysis (ESA), Malware Analysis, Archiver, Warehouse (SAW)

RSA Version/Condition: 10.4.1.x, 10.5.0.x

Platform: CentOS

O/S Version: EL6
IssueBest practices suggest that the SA Server should be configured to act as NTP server for all other hosts within a Security Analytics environment. 
This ensures that hosts within a site are in sync time-wise to prevent puppet problems.
ResolutionConfiguration changes need to be made on both the SA Server and each host that is going to point to the SA Server for NTP requests.
On the SA Server:
1. SSH into the SA Server
2. Backup the existing iptables configuration
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig

3. Add an NTP entry for the INPUT chain:
iptables -A INPUT -p udp --dport 123 -j ACCEPT

4. Add an NTP entry for the OUTPUT chain:
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

Note: NTP best practices suggest that both directions should be added, even though you may only need to perform the addition to the INPUT chain.
5. Save the changes to iptables:
service iptables save

6. Edit the iptables configuration: vi /etc/sysconfig/iptables
The entry that was just added to the INPUT chain will most likely show up after the REJECT entry for the INPUT chain:
     # Generated by iptables-save v1.4.7 on Wed Jun 17 05:03:36 2015
     *filter
     :INPUT ACCEPT [0:0]
     :FORWARD DROP [0:0]
     :OUTPUT ACCEPT [0:0]
     -A INPUT -m comment --comment "000 INPUT allow related and established" -m state --state RELATED,ESTABLISHED -j ACCEPT
     -A INPUT -p icmp -m comment --comment "001 accept all icmp requests" -j ACCEPT
     -A INPUT -i lo -p tcp -m comment --comment "002 INPUT allow loopback" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 8140 -m comment --comment "1 Puppet Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 443 -m comment --comment "1 SA Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --dports 22 -m comment --comment "100 allow ssh" -m state --state NEW -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 50106 -m comment --comment "2 Appliance REST Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 61614 -m comment --comment "2 STOMP Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 80 -m comment --comment "2 Yum Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 50025 -m comment --comment "200 allow IPDBExtractor" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 56025 -m comment --comment "200 allow IPDBExtractor SSL" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 56006 -m comment --comment "3 Appliance Service Port" -j ACCEPT
     -A INPUT -p udp -m multiport --ports 50514 -m comment --comment "306 Rsyslog port used by audit framework" -j ACCEPT
     -A INPUT -i lo -j ACCEPT
     -A INPUT -p icmp -j ACCEPT
     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 50006 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 50106 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 56006 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 60007 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 51024:51033 -j ACCEPT
     -A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
     -A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
     -A INPUT -j REJECT --reject-with icmp-host-prohibited
-->  -A INPUT -p udp -m udp --dport 123 -j ACCEPT
     -A INPUT -m comment --comment "999 deny all other requests" -j REJECT --reject-with icmp-host-prohibited
     -A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
     COMMIT
     # Completed on Wed Jun 17 05:03:36 2015

This will prevent connections to the SA Server from working.
To correct this, move
-A INPUT -p udp -m udp --dport 123 -j ACCEPT

to the line above the
-A INPUT -j REJECT --reject-with icmp-host-prohibited

The file should look like this:
     # Generated by iptables-save v1.4.7 on Wed Jun 17 05:03:36 2015
     *filter
     :INPUT ACCEPT [0:0]
     :FORWARD DROP [0:0]
     :OUTPUT ACCEPT [0:0]
     -A INPUT -m comment --comment "000 INPUT allow related and established" -m state --state RELATED,ESTABLISHED -j ACCEPT
     -A INPUT -p icmp -m comment --comment "001 accept all icmp requests" -j ACCEPT
     -A INPUT -i lo -p tcp -m comment --comment "002 INPUT allow loopback" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 8140 -m comment --comment "1 Puppet Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 443 -m comment --comment "1 SA Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --dports 22 -m comment --comment "100 allow ssh" -m state --state NEW -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 50106 -m comment --comment "2 Appliance REST Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 61614 -m comment --comment "2 STOMP Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 80 -m comment --comment "2 Yum Port" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 50025 -m comment --comment "200 allow IPDBExtractor" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 56025 -m comment --comment "200 allow IPDBExtractor SSL" -j ACCEPT
     -A INPUT -p tcp -m multiport --ports 56006 -m comment --comment "3 Appliance Service Port" -j ACCEPT
     -A INPUT -p udp -m multiport --ports 50514 -m comment --comment "306 Rsyslog port used by audit framework" -j ACCEPT
     -A INPUT -i lo -j ACCEPT
     -A INPUT -p icmp -j ACCEPT
     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 50006 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 50106 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 56006 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 60007 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport 51024:51033 -j ACCEPT
     -A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
     -A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-->  -A INPUT -p udp -m udp --dport 123 -j ACCEPT
     -A INPUT -j REJECT --reject-with icmp-host-prohibited
     -A INPUT -m comment --comment "999 deny all other requests" -j REJECT --reject-with icmp-host-prohibited
     -A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
     COMMIT
     # Completed on Wed Jun 17 05:03:36 2015

7. Restart iptables
service iptables restart

All Hosts
Note: There is no need to update the /etc/ntp.conf on the SA Server if it is the puppetmaster.local host.
1. SSH into the host.
2. Make a backup of the current NTP configuration file:
cp /etc/ntp.conf /etc/ntp.conf.orig

3. Edit the NTP configuration file:
vi /etc/ntp.conf

The default /etc/ntp.conf should have a section that looks like:
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

The current entries can be left alone or removed, but the following line needs to be added above these lines:
server puppetmaster.local iburst

Note: If this file was previously modified to configure usage of different NTP servers, ensure that the puppetmaster.local entry is listed first.
Once the change is made, save the file
4. Restart the NTP service:
service ntpd restart

Attachments

    Outcomes