Re: Binding hpsmhd to a particular IP interface

 
Steve Medrick
Occasional Contributor

Binding hpsmhd to a particular IP interface

I'm trying to restrict the hpsmhd process to bind to ports 2301|2381 on only my management network NIC interfaces. This being on Linux servers of various RedHat flavors.

While:
perl /usr/local/hp/hpSMHSetup.pl

Is good at adding restriction lists, it would be better to just not allow the management web interface to exist at all on unsecured networks. Would mean that my process of regression testing the Proliant support pack updates could be much more relaxed.

I've hunted for apache-like config files in which to directly modify a Listen: command. So far my grep -lr, and google/ITRC searches for such a switch/config file have been unsuccessful.

Any pointers would be appreciated.

-steve
It's not the world we need to change, but ourselves.
8 REPLIES 8
Heironimus
Honored Contributor

Re: Binding hpsmhd to a particular IP interface

The version I have installed puts the configuration file at:

/opt/hp/hpsmh/conf/smhpd.conf

However, I think when I tried to modify it by hand long ago something kept rewriting it....
Steve Medrick
Occasional Contributor

Re: Binding hpsmhd to a particular IP interface


Clearly the right file...has Listen directives right at the top.

Did the following to modify it
cp -ip /opt/hp/hpsmh/conf/smhpd.conf /opt/hp/hpsmh/conf/smhpd.conf.STOCK

vi /opt/hp/hpsmh/conf/smhpd.conf
Change:
Listen 2301
Listen 2381
to:
Listen intIP:2301
Listen intIP:2381

And did a service hpsmhd restart

And as you predicted, the conf file got overwritten with a clean set of listen commands...

Change of question: Where is an authoritative copy of smhpd.conf that is being used to overwrite this file? Perhaps modifying the source is the solution?
It's not the world we need to change, but ourselves.
Heironimus
Honored Contributor

Re: Binding hpsmhd to a particular IP interface

I got curious and went to look at this again (the last time was 3 years ago). It looks like you should be able to use hpSMHSetup.pl to configure the binding, and it should write the configuration to /opt/hp/hpsmh/conf/smhpd.xml. Once you have the format of the entries in that simple (but poorly documented) XML file you can probably do other servers by hand.
Steve Medrick
Occasional Contributor

Re: Binding hpsmhd to a particular IP interface

Gotcha on the doc - I found the ip-binding switches in the XML files, but those have no effect on the live Listen configs of hpsmhd daemon. They instead create host-allow equivalents applied to packets received by the daemon (can be spoofed on the same broadcast realm by folks with clue) which still listens on all interfaces.

The best doc I found on the XML file (and thank you for that bread crumb, one step closer to figuring this out) is:

http://docs.hp.com/en/438862-008/ch05s03.html

These do in fact do the sort of thing I need, namely override the automatic configs that the service hpsmhd restart would otherwise 'clean up'. If I could figure out a switch for the xml file that applies to the listen lines (binding apparently not meaning the same thing to its programmers as it does to us network folks) then I'd be in business.

Maybe I'm at the bug report stage for this?

It's not the world we need to change, but ourselves.
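
Added example, not part of any post in this thread and not HP code: a check of which addresses the kernel reports ports 2301 and 2381 as listening on, read from text in /proc/net/tcp and /proc/net/tcp6 format. It is the thing to look at after a service hpsmhd restart, since the posts above show smhpd.conf being rewritten and the XML settings leaving the listen sockets unchanged. The sample lines and the management address 10.0.0.5 are constructed, and the decoding assumes a little-endian (x86) host.

```python
import socket
import struct

SMH_PORTS = {2301, 2381}  # SMH ports named in the thread
LISTEN = "0A"             # TCP LISTEN state code in /proc/net/tcp*

# Constructed sample (tcp and tcp6 line formats, trailing columns trimmed),
# not captured from a real host.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0500000A:08FD 00000000:0000 0A
   2: 0500000A:08FD 0900000A:C350 01
   0: 00000000000000000000000000000000:094D 00000000000000000000000000000000:0000 0A
"""


def decode_addr(hex_addr):
    """Decode a /proc/net/tcp* address: each 32-bit word is printed in host
    byte order (little-endian assumed), 8 hex digits for IPv4, 32 for IPv6."""
    raw = b"".join(struct.pack("<I", int(hex_addr[i:i + 8], 16))
                   for i in range(0, len(hex_addr), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw)


def smh_listeners(proc_text, ports=SMH_PORTS):
    """Return sorted (address, port) pairs in LISTEN state on the SMH ports."""
    found = set()
    for line in proc_text.splitlines():
        fields = line.split()
        # The header line and non-listening sockets fail the state check.
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_addr, hex_port = fields[1].rsplit(":", 1)
        port = int(hex_port, 16)
        if port in ports:
            found.add((decode_addr(hex_addr), port))
    return sorted(found)


def exposed(listeners, mgmt_addrs):
    """Listeners bound to anything other than a management address,
    which includes the wildcards 0.0.0.0 and ::."""
    return [(a, p) for a, p in listeners if a not in mgmt_addrs]


if __name__ == "__main__":
    # On a live host, pass the contents of /proc/net/tcp and /proc/net/tcp6.
    for addr, port in exposed(smh_listeners(SAMPLE), {"10.0.0.5"}):
        print(f"SMH port {port} is listening on {addr}")
```

The tcp6 table matters here: a daemon listening on :: normally accepts IPv4 connections as well, so checking /proc/net/tcp alone can miss a wildcard listener.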
Heironimus
Honored Contributor

Re: Binding hpsmhd to a particular IP interface

Yeah, I'd say it's time to ask HP. But in all honesty I feel like the quality of hpsmh (and to a lesser degree the health agents) on Linux has been in decline over the past few years, so they may just tell you that you're out of luck.
Fahrenheit
Advisor

Re: Binding hpsmhd to a particular IP interface

I'm seeing the same thing on Windows.
Steve Medrick
Occasional Contributor

Re: Binding hpsmhd to a particular IP interface

HP support in case 3603946890 said,

"We have checked with the L2 team and understand that it is not possible to make the SMH ports to only listen to a specific IP using IP binding."

and,

"We will certainly share this with the development team and request them to include such a feature in the future releases of the software."

Proliant support pack monitoring tools are apparently only both useful and secure for customers big enough to run all their PSP'd servers behind port level firewalls that screen out their WANs.

I suppose some might have production hosts that are also so lightly loaded that they can additionally run effective host level firewall software. That is rarely the case if effective and efficient provisioning is taking place - leading me back to my point above.

I consider this thread closed. I'm off to look at third party monitoring tools.
It's not the world we need to change, but ourselves.
Steve Medrick
Occasional Contributor

Re: Binding hpsmhd to a particular IP interface

Closing thread
It's not the world we need to change, but ourselves.