This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Knowledge Base Archive
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- NetWitness Knowledge Base Archive
- SFTP collection not working after Hardening on VLC in RSA Security Analytics 10.6.0.1
-
Options
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
SFTP collection not working after Hardening on VLC in RSA Security Analytics 10.6.0.1
Article Number
000033507
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.6.0.1
Platform: N/A
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.6.0.1
Platform: N/A
Issue
After performing the hardening on the VLC, the sftp agent cannot connect to the VLC.
On sftp agent, running psftp command produces following error:
The SSH debug log /var/log/secure shows following error:
............................
On sftp agent, running psftp command produces following error:
C:\sasftpagent>psftp -i private.ppk -l sftp -v x.x.x.x
Looking up host "x.x.x.x"
Connecting to x.x.x.x port 22
Server version: SSH-2.0-OpenSSH_5.3
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Local:_Aug_13_2014_15:13:55
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 f6:a4:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:18
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Reading private key file "private.ppk"
Using username "sftp".
Offered our public key null
Offered public key
Offer of public key accepted
Authenticating with public key "rsa-key-20160610"
Sent public key signature
Access granted
Opening session as main channel
Opened main channel
Started a shell/command
Connected to x.x.x.x
Fatal: Received unexpected end-of-file from SFTP serverThe SSH debug log /var/log/secure shows following error:
............................
VLC sshd[32408]: pam_unix(sshd:account): expired password for user sftp (root enforced)
VLC sshd[32408]: debug3: PAM: sshpam_store_conv called with 1 messages
VLC sshd[32408]: debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required)
............................
VLC sshd[32413]: debug3: channel 0: close_fds r -1 w -1 e -1
VLC sshd[32412]: debug3: Wrote 88 bytes for a total of 4269
VLC sshd[32412]: debug1: Received SIGCHLD.Resolution
According to http://sadocs.emc.com/0_en-us/088_SA106/215_SysAdm/ConfigurSTIG/10Proc/Configure_STIG_Hardening_for_10.6_Updated_from_Earlier_Version, you must change all passwords on the system after running the hardening script.
The trace log "pam_unix(sshd:account): expired password for user sftp (root enforced)" indicates that the password for user sftp need reset. So you must reset the password for sftp account on the VLC as follows:
1. SSH to VLC using a normal user account(After hardening, super user access to a host through SSH is blocked).
2. Switch to root account with command "su -" and provide root's password, or switch to root account with command "sudo su -" and provide normal user's password.
3. Run command "passwd sftp" and set a new password for the account sftp. Make sure the password is STIG compliant. To understand a STIG compliant password please refer to http://sadocs.emc.com/0_en-us/088_SA106/215_SysAdm/ConfigurSTIG/00_Intro
After resetting the sftp account's password, please try sftp connection again.
Also please note that SITG compliant require the user passwords to be changed at least every 60 days. The user sftp password is subject to this policy as well.
The trace log "pam_unix(sshd:account): expired password for user sftp (root enforced)" indicates that the password for user sftp need reset. So you must reset the password for sftp account on the VLC as follows:
1. SSH to VLC using a normal user account(After hardening, super user access to a host through SSH is blocked).
2. Switch to root account with command "su -" and provide root's password, or switch to root account with command "sudo su -" and provide normal user's password.
3. Run command "passwd sftp" and set a new password for the account sftp. Make sure the password is STIG compliant. To understand a STIG compliant password please refer to http://sadocs.emc.com/0_en-us/088_SA106/215_SysAdm/ConfigurSTIG/00_Intro
After resetting the sftp account's password, please try sftp connection again.
Also please note that SITG compliant require the user passwords to be changed at least every 60 days. The user sftp password is subject to this policy as well.
Notes
How to enable SSH debug on SSH server side:
1. On the CentOS log collector/decoder system, edit /etc/ssh/sshd_config.
2. At the very beginning of the file (i.e. at line number 1), add the following line to enable debug logs for SSHD service.
LogLevel DEBUG3
Save and quit the file.
3. Restart SSHD service with this command: service sshd restart
4. Execute this command: cp /var/log/secure secure1.txt
5. Then reproduce the issue exactly once by running the psftp command on your Windows system at C:\NICsftpagent. Note: It is important that you reproduce the issue exactly once here.
6. Execute this command on the CentOS system: diff -u secure1.txt /var/log/secure > secure.txt
7. After this experiment is complete, please provide the secure.txt file to RSA support.
1. On the CentOS log collector/decoder system, edit /etc/ssh/sshd_config.
2. At the very beginning of the file (i.e. at line number 1), add the following line to enable debug logs for SSHD service.
LogLevel DEBUG3
Save and quit the file.
3. Restart SSHD service with this command: service sshd restart
4. Execute this command: cp /var/log/secure secure1.txt
5. Then reproduce the issue exactly once by running the psftp command on your Windows system at C:\NICsftpagent. Note: It is important that you reproduce the issue exactly once here.
6. Execute this command on the CentOS system: diff -u secure1.txt /var/log/secure > secure.txt
7. After this experiment is complete, please provide the secure.txt file to RSA support.
Tags (34)
- 10.4
- 10.4.x
- 10.5
- 10.5.x
- 10.6
- 10.6.x
- 10.x
- Appliance
- Core Appliance
- Customer Support Article
- KB Article
- Knowledge Article
- Knowledge Base
- Log Collection
- Log Collector
- NetWitness
- NetWitness Appliance
- NetWitness Platform
- NW
- NW Appliance
- NwLogCollector
- RSA NetWitness
- RSA NetWitness Platform
- RSA Security Analytics
- Security Analytics
- SIEM
- Version 10
- Version 10.4
- Version 10.4.x
- Version 10.5
- Version 10.5.x
- Version 10.6
- Version 10.6.x
- Version 10.x
No ratings
