Imperva Cyber Community

 View Only
  • 1.  MX-HA Hardening Configuration

    Posted 09-01-2020 18:49
    Hi team

    I have a question/ problem, im trying to implement an MX-HA configuration between 2 MX, i have no problems until i get to the hardening communication between both.

    It shows this error: "SSH must be configured for both 'root' and 'oracle' on both servers"

    i type on the secondary MX this command: impctl hardening config --root-source-ip-exception="source ip address" as require the primary MX and it shows a status OK on the opening of SSH session between them.

    im my lab i check and add the same to root (as it required), also to system that is the DB user also i try to add secure user but any user works, also i was checking the admin guide on version 13.0 and 13.5 but there is no info about securing and hardening oracle user on MX-HA configuration?

    Do you have any idea on this info and which specific user i have to provide access?
    #DatabaseActivityMonitoring

    ------------------------------
    Jose Bolanos
    SISAP
    ------------------------------


  • 2.  RE: MX-HA Hardening Configuration

    Posted 09-03-2020 14:44
    Hi,

    My understanding is all that all is required is to set up SSH trust for both the oracle and root users.  But, you do have to add the exception for root.

    - BA

    ------------------------------
    Brian Anderson
    ------------------------------



  • 3.  RE: MX-HA Hardening Configuration

    Posted 08-29-2022 05:57
    Hi Team,

     Please refer this link helped me :https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/v2v_guide/preparation_before_the_p2v_migration-enable_root_login_over_ssh

    Ensure that file under /etc/ssh/sshd_config  entries of IP would be correct on both active and standby MGMT Server

    # Per CCE: Set UsePrivilegeSeparation yes in /etc/ssh/sshd_config

    ------------------------------------------------------------------------------------------------------------------------------------
    UsePrivilegeSeparation yes
    # Per CCE: Set StrictModes yes in /etc/ssh/sshd_config
    StrictModes yes
    ListenAddress 172.**.**.* # management interface
    ListenAddress 172.**.**.* # lan interface ( heartbeat IP)

    ------------------------------------------------------------------------------------------------------------------------------------------

    Regards,
    Gokul Palanisamy.

    ------------------------------
    Gokul SOC
    SOC analyst
    Indian Overseas Bank
    Chennai TN
    ------------------------------