SSH

Security Precautions

It is assumed that the usual standards of corporate security are followed when integrating Tectia Manager into an existing environment.

Pay attention to the following security issues:

  • The Management Server host root accounts must be limited to authorized superusers, only.

  • The Management Server does not contain passwords or other access data for opening terminals to the monitored hosts, only for controlling the Management Agents.

  • The Management Server (dbsrv8) accepts connections from the network by default (port 2638). It is important to change the default password.

  • There should be no unnecessary open ports on the managed and monitored hosts.

  • The administrator group roles can be segregated according to the allowed host groups and management actions.

  • The Management Agent and administration interface connections are TLS-secured. The weak TLS ciphers (56-bit keys) are NOT supported by the web administration interface.

  • All administrator actions, including logins and logouts, are stored in the administrator audit log.

  • The Management Agent runs with root or admin privileges (system service or daemon).

  • The web-server administrator access is allowed via an encrypted tunnel only.

  • Critical database contents are 3DES-encrypted (host PSKs, admin passwords).

In case you identify any further issues compromising system security, please inform SSH, see instructions at http://www.ssh.com/index.php/support-overview.html.

Please note that this Administrator Manual does NOT detail general security precautions that are required when incorporating a system such as Tectia Manager into a production environment. These issues include:

  • Hardening the Tectia Manager host on the operating system level

  • The physical security of the Tectia Manager and its Management Server

  • The security on administrator workstations connecting to the Management Server through the administration interface (for example, turning off browser password caching).