IPTABLES configuration, RSA SecurID AM
Hi,
I want to allow one specific IP address (10.56.23.12) to access the webUI (443) and the selfservice console (port 7002).
iptables -A INPUT -s 10.56.23.12 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s 10.56.23.12 -p tcp --dport 7002 -j ACCEPT
Is it enough, or do I need to add a specific drop rule as well, if I want to prevent any other IP from using 443 and 7002?
I am not too familiar with iptables rules.
Thanks for your help.
- Tags:
- CAS
- Cloud
- Cloud Auth
- Cloud Authentication
- Cloud Authentication Service
- Community Thread
- Discussion
- Forum Thread
- iptables
- RSA SecurID
- RSA SecurID Access
- SaaS
- SecurID
Accepted Solutions
Hi Sylvain,
I would not recommend that you alter the iptables configuration. It is very easy to lock yourself out of access to the appliance. Depending on the changes, you might require physical access to the system console to be able to recover network access to the appliance. Manual changes to the appliance Operating System configuration like this are not supported. RSA customer support would reserve the right to request that manual changes such as these be reverted prior to any support being provided.
The other problem you're facing is that other iptables rules are permitting systems from any address to access those ports, so your rules don't have any effect. The Self-Service Console (SSC) is on port 7004, not 7002. The Security Console is also on port 7004, not 443. There is a re-direction service that listens on port 443 and redirects incoming requests for the "convenience" URLs (e.g., https://<hostname>/sc, https://<hostname>/ssc) to their respective network endpoints.
For example, you would have to remove or alter other iptables rules such as:
-A rsaserv -p tcp -m tcp --dport 7004 -j ACCEPT
This permits access to the SSC at port 7004. Limiting access to this port to only that from a specific IP might also adversely impact other functionality. For example, software token CT-KIP activation requests also are handled by that network endpoint. Primary and Replica servers exchange information on port 7002. In addition, the "iptables" rules are altered by administrative actions and/or the application of software patches. Either of these functions could cause undesirable side effects if the iptables configuration is manually altered.
If you want to limit access to Authentication Manager, I would recommend you install a separate network firewall in front of Authentication Manager and limit connections at that point. The RSA Authentication Manager 8.2 SP1 Planning Guide has a detailed list of the ports and their use. You will have more complete control over the filtering and logging, maintain support for your Authentication Manager, and avoid having your changes possibly undone by administrative changes or software updates.
-Piers
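The core of the answer is iptables' first-match semantics: a packet is tested against the rules of a chain in order, and the first terminal target (ACCEPT, DROP, REJECT) wins, so an ACCEPT appended to the end of INPUT is never reached if an earlier jump into a vendor chain has already accepted the packet. The script below is an added example, not RSA's code and not the appliance's real ruleset: it parses a handful of iptables-save style lines and walks them with those semantics so you can check on paper what a candidate rule would do before touching a live box (or when writing the policy for the separate firewall Piers recommends). The only rule quoted from the thread is the `rsaserv` 7004 ACCEPT; the `INPUT -j rsaserv` jump, the other `rsaserv` lines, the chain names and the source addresses are constructed assumptions.

```python
"""Minimal first-match evaluator for iptables-save style rules.

Added example. The rulesets are constructed for illustration; only the
"-A rsaserv ... --dport 7004 -j ACCEPT" line comes from the forum thread,
and the INPUT -> rsaserv jump is an assumption about how such a chain is
reached. Supported matches: -s/--source (address or CIDR), -p/--protocol,
--dport; -m <ext> is accepted and ignored.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    src: Optional[str]    # None means "any source"
    proto: Optional[str]  # None means "any protocol"
    dport: Optional[int]  # None means "any destination port"
    target: str           # ACCEPT / DROP / REJECT / RETURN / user chain


def parse_rules(text: str) -> Dict[str, List[Rule]]:
    """Build ordered per-chain rule lists from -A (append) / -I (insert) lines."""
    chains: Dict[str, List[Rule]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", ":", "COMMIT")):
            continue
        argv = shlex.split(line)
        op, chain = argv[0], argv[1]
        rule = Rule(src=None, proto=None, dport=None, target="")
        i = 2
        while i < len(argv):
            tok = argv[i]
            if tok in ("-s", "--source"):
                rule.src = argv[i + 1]
            elif tok in ("-p", "--protocol"):
                rule.proto = argv[i + 1]
            elif tok == "--dport":
                rule.dport = int(argv[i + 1])
            elif tok in ("-j", "--jump"):
                rule.target = argv[i + 1]
            elif tok == "-m":
                pass  # match extension name (e.g. "-m tcp"): no effect here
            else:
                raise ValueError(f"unsupported token {tok!r} in: {line}")
            i += 2
        lst = chains.setdefault(chain, [])
        if op == "-A":
            lst.append(rule)
        elif op == "-I":
            lst.insert(0, rule)  # -I with no position inserts at the top
        else:
            raise ValueError(f"unsupported operation {op!r} in: {line}")
    return chains


def _matches(rule: Rule, src: str, proto: str, dport: int) -> bool:
    if rule.src is not None and ipaddress.ip_address(src) not in \
            ipaddress.ip_network(rule.src, strict=False):
        return False
    return (rule.proto in (None, proto)) and (rule.dport in (None, dport))


def _walk(chains, chain, src, proto, dport) -> Optional[str]:
    """Return the first terminal verdict in `chain`, or None on fall-through."""
    for rule in chains.get(chain, []):
        if not _matches(rule, src, proto, dport):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        sub = _walk(chains, rule.target, src, proto, dport)  # user chain jump
        if sub is not None:
            return sub
    return None


def check(ruleset: str, src: str, dport: int, policy: str = "ACCEPT") -> str:
    """Verdict for a TCP packet from `src` to `dport` entering INPUT."""
    return _walk(parse_rules(ruleset), "INPUT", src, "tcp", dport) or policy


# Constructed shape of the appliance firewall: INPUT jumps into a vendor
# chain that accepts the service ports from any source (assumption).
BASE_RULES = """
-A INPUT -j rsaserv
-A rsaserv -p tcp -m tcp --dport 7004 -j ACCEPT
-A rsaserv -p tcp -m tcp --dport 443 -j ACCEPT
-A rsaserv -p tcp -m tcp --dport 7002 -j ACCEPT
"""
# The question's approach: ACCEPT rules appended after the jump.
APPENDED = BASE_RULES + """
-A INPUT -s 10.56.23.12 -p tcp --dport 443 -j ACCEPT
-A INPUT -s 10.56.23.12 -p tcp --dport 7004 -j ACCEPT
"""
# Allow-then-drop placed before the jump, which is what actually restricts.
RESTRICTED = """
-A INPUT -s 10.56.23.12 -p tcp --dport 7004 -j ACCEPT
-A INPUT -p tcp --dport 7004 -j DROP
""" + BASE_RULES

if __name__ == "__main__":
    for name, rules in (("appended", APPENDED), ("restricted", RESTRICTED)):
        for src in ("10.56.23.12", "192.0.2.9"):  # 192.0.2.9 is a constructed outsider
            print(f"{name:10s} {src:12s} :7004 -> {check(rules, src, 7004)}")
```

Run as a script and the "appended" rows show ACCEPT for both sources on 7004, which is the "your rules don't have any effect" outcome; the "restricted" rows show ACCEPT only for 10.56.23.12. The evaluator stops at the first terminal target, so position relative to the `-j rsaserv` jump is what decides the result, not whether a DROP exists somewhere in the table.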