This configuration can be implemented on ONTAP 8.1.1 and 8.1.2. Some options are not available on 7.3x or 8.0x but that shouldnt prevent you from hardening as many options as possible. If its not available on your version, skip and move to the next option. I’ll cover securing the controllers, OnCommand Unified Manager and 7.3.x FilerView with Certificates in another post.

Secure shell should already be enabled on your controller. If the system has been around a while or the deployment engineer accepted defaults, chances are you have weak keys. Note that this process generates keys for sshv1 which is insecure and no longer used (it will be disable later in this HOWTO). Also, the host/server key size must differ by 128 bits explaining the size differential in the steps that follow. As the root user, run:

1) SSH has to be disabled before you configure it.
> secureadmin disable all

2) If it has been setup before, use the -f switch.
> secureadmin setup -f ssh

SSH Setup
Determining if SSH Setup has already been done before…yes
You have chosen to re-run SSH Setup. The old host keys will be
backed up to the following files:
Do you want to proceed? [no] y

SSH server supports both ssh1.x and ssh2.0 protocols.

SSH server needs two RSA keys to support ssh1.x protocol. The host key is
generated and saved to file /etc/sshd/ssh_host_key during setup. The server
key is re-generated every hour when SSH server is running.

SSH server needs a RSA host key and a DSA host key to support ssh2.0 protocol.
The host keys are generated and saved to /etc/sshd/ssh_host_rsa_key and
/etc/sshd/ssh_host_dsa_key files respectively during setup.

SSH Setup will now ask you for the sizes of the host and server keys.
For ssh1.0 protocol, key sizes must be between 384 and 2048 bits.
For ssh2.0 protocol, key sizes must be between 768 and 2048 bits.
The size of the host and server keys must differ by at least 128 bits.

Please enter the size of host key for ssh1.x protocol [768] :2048
Please enter the size of server key for ssh1.x protocol [512] :1920
Please enter the size of host keys for ssh2.0 protocol [768] :2048

You have specified these parameters:
host key size = 2048 bits
server key size = 1920 bits
host key size for ssh2.0 protocol = 2048 bits
Is this correct? [yes] yes

Setup will now generate the host keys. It will take a minute.
After Setup is finished the SSH server will start automatically.

Sun Mar 31 08:35:48 EST [sim812:secureadmin.ssh.setup.passed:info]: SSH setup is done and ssh2 is enabled. Host keys are stored in /etc/sshd/ssh_host_key,

/etc/sshd/ssh_host_rsa_key, and /etc/sshd/ssh_host_dsa_key.

3) If using Putty or xterm, logout and login back in to accept the new, stronger keys.

4) Set the ssh.idle.timeout (set in seconds)
> options ssh.idle.timeout 600

4) Disable ssh1 and never use it unless you abolutely have no other choice.
> options ssh1.enable off

5) Enable the ability to separate SSH and ONTAP console sessions.
> options telnet.distinct.enable on

6) Disable RSH and never use it.
> options rsh.access “none”
> options rsh.enable off

7) Disable telnet and never use it.
> options telnet.access “none”
> options telnet.enable off

8) Disable webdav.
> options webdav.enable off

9) Configure Autologout.
> options autologout.console.enable on
> options autologout.console.timeout 60
> options autologout.telnet.enable on
> options autologout.telnet.timeout 5 (The SSH timeout is controlled by the telnet timeout setting)

10) Set the default user account settings. You may want to tune this to your environemnt. Note that Windows users cant use the max password size of 16.
> options security.passwd.rules.enable on
> options security.passwd.rules.everyone on
> options security.passwd.rules.minimum 8
> options security.passwd.rules.maximum 16
> options security.passwd.rules.minimum.alphabetic 2
> options security.passwd.rules.minimum.digit 2
> options security.passwd.rules.minimum.symbol 2
> options security.passwd.rules.history 6
> options security.passwd.lockout.numtries 6
> options security.passwd.firstlogin.enable off  (This setting locks out root so don’t turn it on!)
Note: root and the service processors’s naroot user share the same password so root’s password cannot exceed 16 characters.

11) Configure options for the service processor.
> options sp.autologout.enable on
> options sp.autologout.timeout 60 (set in minutes. This can be shortened but uninterrupted SP access is critical during updrades or troubleshooting)
> options sp.ssh.access * (this should be set to a specific IP/CIDR range rather than * to be more secure. If you must access your controllers from many networks, leave it at *.

12) Disable NDMP until needed. Ndmp is very usefull in certain Sysadmin situations but doesnt need to be left on unless you dump to VTLs or tape libraries.
> options ndmpd.enable off

13) Disable specific protocols on the management interface. Its a good idea to block protocols on interfaces that will never carry that traffic type. These options allow you to properly isolate traffic which complements VLAN separation.

> options interface.blocked.cifs e0M
> options interface.blocked.ftpd e0M
> options interface.blocked.iscsi e0M
> options interface.blocked.nfs e0M
> options interface.blocked.snapmirror e0M
To open the interface enter interface.blocked.nfs “”

14) NetApp recommended IP options:
> options ip.fastpath.enable off
> options ip.icmp_ignore_redirect.enable on
> options ip.match_any_ifaddr off
> options ip.ping_throttle.alarm_interval 15
> options ip.ping_throttle.drop_level 100

15) Disable TFTP.
> options tftpd.enable off

16) Enable SSL on the controller.
> options ssl.enable on
> options ssl.v2.enable off
> options ssl.v3.enable on
> options tls.enable on

Enable SSL for System Manager:
> options httpd.admin.enable off
> options httpd.admin.ssl.enable on
> options httpd.timeout 600  (timeout time in seconds, 600 = 10 minutes)

16) Enable SNMPv3 for secure communication between OnCommand(DFM) and the controller. See my other post for the simple steps here:


17) Create a banner for SSH and SP console login. Using a text editor, create a login banner. Copy the text to your Windows/Unix buffer so you can paste it in the follow steps.
> options ssh2.banner.enable on
> wrfile /etc/motd and paste your banner text into the terminal. Press CTRL+C to save the file (ignore the warning).
> wrfile /etc/issue and paste the text above into the terminal. Press CTRL+C to save the file (ignore the warning).

18) Create Administrative users. Don’t login as root. Create user accounts in the administrators group so you have an audit trail. Also note that the parameters for mix/max password age (-m -M) fit common best practices.

> useradmin user add john.doe -g Administrators -m 1 -M 90

a) For OnCommand Unified Manager, consider an account such as:
> useradmin user add OnCommandAdmin -g Administrators -m 1 -M 365

b) For NetApp Virtual Storage Console (VSC), consider an account such as:
> useradmin user add VSCadmin -g Administrators -m 1 -M 365

c) When setting user password expiry, you occasionally get locked out. To determine a users status, check the “Status” sections of the following command:
> useradmin user list john.doe

If Status is expired, the only way to enable the user account is to change the password. Login as root or an admin user and enter:
> passwd
Login: john.doe
New password:
Retype new password:

19) Configure NFS Parameters. Since most of us have VMware ESXi clusters in our environment, we must use NFSv3. ESXi does not support NFSv4 so the enhanced security is not available. Enable NFS over TCP rather than UDP for ESXi hosts.
> options nfs.tcp.enable on

20) Identify your admin host on the controller. This is a hidden option that is not seen with the options command unless it is defined. If you enter > options admin.hosts no output is returned if it is not configured. This should be set to a dedicated host, possibly your OnCommand Unified Manager server that should also have System Manager, Performance Adviser, ConfigAdviser, VASA plugin, ONTAP Powershell Toolkit and other NetApp management tools.
> options admin.hosts <your server name>

21) Configure Syslog to send to a remote syslog server like Splunk, Kiwi, WhatsUp, etc.
> rdfile /etc/syslog.conf.sample
Copy the text below, paste into notepad.exe and add your syslog server hostname or IP address. Note: use tab key, not space bar to separate the blank space between *.info/*.err;kern.*.local7* and <your syslog IP/hostname>

# Log messages of priority info or higher to the console and to /etc/messages
*.info                                  /dev/console
*.info                                  /etc/messages
*.*                @<your syslog server>

# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to a remote host, e.g. adminhost
# *.err;kern.*                          @adminhost
*.*                @<your syslog server>

# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to the local7 facility of the
# syslogd on a remote host, e.g. adminhost.
# *.err;kern.*                          local7.*@adminhost
local7.*            @<your syslog server>

a) After you have made the changes to the file above, perform the following:
> wrfile /etc/syslog.conf

b) Paste the text from notepad into the blank console, press enter to add a line at the bottom of the input and press CTRL+C to end the session.  Ignore the error that appears.

c) The Syslog service should restart in 15 seconds. If it does not, send a test message:
> logger Hello World

d) If you dont see “kern.syslogd.restarted:info]: syslogd: Restarted” on the console within 20-30 seconds of saving the file, manually restart syslog service.
> priv set advanced
*> syslog reset_syslog
*> priv set admin