Subject: Re: Backups through a firewall
From: Zlatko Krastev
To: ADSM: Dist Stor Manager <[EMAIL PROTECTED]>

They do not know it, but they can attack through vocabulary exhaustion. The result could be a lockout of the admin/node or a break-in (depending on the invalid-password limit). It is the same as being able to limit which systems can telnet/ftp to a server, and which cannot, using tcp_wrapper or IP filtering. But for TSM neither approach can work: there is no way to distinguish them. I also revoke all privileges from the SERVER_CONSOLE admin and delete the default node CLIENT.

Zlatko Krastev
IT Consultant

-----Original Message-----
To: [EMAIL PROTECTED]
Subject: Re: Backups through a firewall

Providing they know the admin userid and password. Admin sessions don't use PASSWORDACCESS GENERATE. A good reason to either lock, delete or change the default ADMIN/ADMIN userid in TSM.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Zlatko Krastev
Sent: Wednesday, May 22, 2002 8:29 AM
To: [EMAIL PROTECTED]
Subject: Re: Backups through a firewall

You cannot hide them, so I see no reason to change them. If the firewall is set up correctly, it should allow traffic from outside the DMZ to those ports. If an intruder has compromised a TSM node in the DMZ, your modified ports are known. The main security issue (IMO) is that *SM is using the same port for backups and for admin client sessions. And opening this port in the firewall opens the ability to connect as administrator to the server.

Zlatko Krastev
IT Consultant

-----Original Message-----
From: Rick
To: [EMAIL PROTECTED]
Subject: Re: Backups through a firewall

Hi,

Wanda wrote:
> All the firewall guy had to do was create a rule that allows TCP/IP traffic
> through the firewall for port 1500 for the particular client address.
>
> If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501.
> If you want to use the web client to do TSM backups/restores remotely, that
> uses port 1581.
>
> All those ports are configurable, i.e., you can tell TSM client and server
> to use different ports if you want.

I would STRONGLY suggest choosing different ports. I believe there's a list out there, I think it's through IANA (www.iana.org - somebody please confirm that), that tells which port is 'registered'.

Pick some free ports high up, preferably not next to each other (I would pick something like 7492, 9816 and 9752 - handpicked these :) ). Wouldn't want some h*cker discovering you're using 1234 with some sec hole somewhere and let him just try 1235 and 1236, now would we? But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least someone on the list will tell you, and you'll never forget (and neither will I).

Regards,
Rick
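The account hardening Zlatko describes at the top of the thread (lock or replace the default ADMIN/ADMIN administrator, revoke SERVER_CONSOLE's privileges, remove the default CLIENT node), written out as a TSM administrative macro. This is an added example, not a macro posted by anyone in the thread; the administrator name "secadm", its password placeholder and the macro file name are assumptions, and the commands are the standard TSM server administrative commands of that era (REGISTER/GRANT/LOCK/REMOVE ADMIN, REVOKE AUTHORITY, REMOVE NODE, QUERY ADMIN/NODE).

```tsm
/* harden.mac - added example, not from the original thread.            */
/* Run from an administrative client session that is NOT the default    */
/* ADMIN account, e.g.:                                                  */
/*   dsmadmc -id=secadm -password=<secadm_pw> macro harden.mac          */
/* "secadm" and its password are assumed names, pick your own.          */

/* 1. Make sure a replacement system-privilege administrator exists     */
/*    before touching ADMIN, so the server cannot lock you out.         */
register admin secadm <secadm_pw> contact="security owner"
grant authority secadm classes=system

/* 2. Confirm that the new administrator is present and unlocked.       */
query admin secadm format=detailed

/* 3. The default ADMIN/ADMIN pair is what an attacker will try first   */
/*    on the shared node/admin port. Lock it; remove it instead once    */
/*    nothing (scripts, schedules) still depends on it.                 */
lock admin admin
/* remove admin admin */

/* 4. SERVER_CONSOLE cannot be removed, so strip its privileges.        */
revoke authority server_console classes=system

/* 5. Remove the default CLIENT node. REMOVE NODE fails while the node  */
/*    still owns filespaces, which the never-used default node does not. */
remove node client

/* 6. Verify the result: every remaining admin and its privilege class, */
/*    and that the CLIENT node is gone.                                  */
query admin format=detailed
query node client
```

After running it, the firewall rule for port 1500 still admits administrative sessions from the permitted client address, as the thread points out; what changes is that a guessed ADMIN/ADMIN or an unprivileged SERVER_CONSOLE login no longer yields system privilege, and the remaining administrator names are ones an attacker has to discover first.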
