The NetApp Data ONTAP PowerShell Toolkit has come a long way. The latest release has many improvements, including a new simplified installer. It couldn’t be easier to deploy and use.

See this .pdf to get started: Installing NetApp Data ONTAP PowerShell Toolkit v2.3

The commands below are the NetApp PowerShell cmdlet equivalents of the ONTAP commands covered in a previous post: https://slice2.com/2013/04/01/hardening-netapp-dataontap-8-1x/

Edit the text below to fit your environment and save it as a .ps1 script. When done, simply execute it inside a PowerShell session, or run the commands one at a time to get familiar with them.

1) Log in to the controller.
If you want to put your controller name in the command, edit the Example line below. Otherwise, the Connect-NaController cmdlet will prompt you for a username and password and then for the controller name you want to log in to.
Example: Connect-NaController -Name <your filer hostname or ip> -Credential (Get-Credential) -https

Connect-NaController -Credential (Get-Credential) -https

2) Set up SSH with strong keys.

Set-NaOption -OptionName ssh1.enable -OptionValue off
Set-NaOption -OptionName ssh2.enable -OptionValue off
Initialize-NaSecureAdminSsh -Ssh1HostKeySize 2048 -Ssh1ServerKeySize 1920 -Ssh2HostKeySize 2048 -Force -Confirm

3) Set options.

Set-NaOption -OptionName ssh.idle.timeout -OptionValue 600 -Confirm
Set-NaOption -OptionName ssh1.enable -OptionValue off -Confirm
Set-NaOption -OptionName telnet.distinct.enable -OptionValue on -Confirm
Set-NaOption -OptionName rsh.access -OptionValue "none" -Confirm
Set-NaOption -OptionName rsh.enable -OptionValue off -Confirm
Set-NaOption -OptionName telnet.access -OptionValue "none" -Confirm
Set-NaOption -OptionName telnet.enable -OptionValue off -Confirm
Set-NaOption -OptionName webdav.enable -OptionValue off -Confirm
Set-NaOption -OptionName autologout.console.enable -OptionValue on -Confirm
Set-NaOption -OptionName autologout.console.timeout -OptionValue 60 -Confirm
Set-NaOption -OptionName autologout.telnet.enable -OptionValue on -Confirm
Set-NaOption -OptionName autologout.telnet.timeout -OptionValue 5 -Confirm
Set-NaOption -OptionName security.passwd.rules.enable -OptionValue on -Confirm
Set-NaOption -OptionName security.passwd.rules.everyone -OptionValue on -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum -OptionValue 8 -Confirm
Set-NaOption -OptionName security.passwd.rules.maximum -OptionValue 16 -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum.alphabetic -OptionValue 2 -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum.digit -OptionValue 2 -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum.symbol -OptionValue 2 -Confirm
Set-NaOption -OptionName security.passwd.rules.history -OptionValue 6 -Confirm
Set-NaOption -OptionName security.passwd.lockout.numtries -OptionValue 6 -Confirm
Set-NaOption -OptionName security.passwd.firstlogin.enable -OptionValue off -Confirm
Set-NaOption -OptionName sp.autologout.enable -OptionValue on -Confirm
Set-NaOption -OptionName sp.autologout.timeout -OptionValue 60 -Confirm
Set-NaOption -OptionName sp.ssh.access -OptionValue * -Confirm
Set-NaOption -OptionName ndmpd.enable -OptionValue off -Confirm
Set-NaOption -OptionName interface.blocked.cifs -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.ftpd -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.iscsi -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.nfs -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.snapmirror -OptionValue e0M -Confirm
Set-NaOption -OptionName ip.fastpath.enable -OptionValue off -Confirm
Set-NaOption -OptionName ip.icmp_ignore_redirect.enable -OptionValue on -Confirm
Set-NaOption -OptionName ip.match_any_ifaddr -OptionValue off -Confirm
Set-NaOption -OptionName ip.ping_throttle.alarm_interval -OptionValue 15 -Confirm
Set-NaOption -OptionName ip.ping_throttle.drop_level -OptionValue 100 -Confirm
Set-NaOption -OptionName tftpd.enable -OptionValue off -Confirm
Set-NaOption -OptionName ssl.enable -OptionValue on -Confirm
Set-NaOption -OptionName ssl.v2.enable -OptionValue off -Confirm
Set-NaOption -OptionName ssl.v3.enable -OptionValue on -Confirm
Set-NaOption -OptionName tls.enable -OptionValue on -Confirm
Set-NaOption -OptionName httpd.admin.enable -OptionValue off -Confirm
Set-NaOption -OptionName httpd.admin.ssl.enable -OptionValue on -Confirm
Set-NaOption -OptionName httpd.timeout -OptionValue 600 -Confirm
Set-NaOption -OptionName nfs.tcp.enable -OptionValue on -Confirm
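Once the options above are applied, it is worth re-reading them from the controller and comparing against the intended values, so that a later change (or a line that was skipped at a -Confirm prompt) shows up as drift. The audit script below is an added example and is not from the original post or the toolkit; it assumes an existing Connect-NaController session and that Get-NaOption returns objects with Name and Value properties. The baseline hashtable is a subset of the step 3 values; extend it to taste.

```powershell
# Added example: audit a connected 7-Mode controller against the step 3 hardening
# baseline and report drift. Assumes Connect-NaController has already been run and
# that Get-NaOption returns objects exposing .Name and .Value.
$Expected = @{
    'ssh1.enable'                      = 'off'
    'telnet.enable'                    = 'off'
    'rsh.enable'                       = 'off'
    'webdav.enable'                    = 'off'
    'tftpd.enable'                     = 'off'
    'ndmpd.enable'                     = 'off'
    'httpd.admin.enable'               = 'off'
    'httpd.admin.ssl.enable'           = 'on'
    'ssl.enable'                       = 'on'
    'ssl.v2.enable'                    = 'off'
    'tls.enable'                       = 'on'
    'security.passwd.rules.enable'     = 'on'
    'security.passwd.rules.minimum'    = '8'
    'security.passwd.lockout.numtries' = '6'
    'ip.icmp_ignore_redirect.enable'   = 'on'
    'ip.match_any_ifaddr'              = 'off'
    'ssh.idle.timeout'                 = '600'
}

# One call fetches the whole option table; index it by name for fast lookup.
$Current = @{}
foreach ($opt in Get-NaOption) { $Current[$opt.Name] = [string]$opt.Value }

# Build one row per baseline option; a missing option is reported, not ignored.
$Drift = foreach ($name in ($Expected.Keys | Sort-Object)) {
    $want = $Expected[$name]
    $have = if ($Current.ContainsKey($name)) { $Current[$name] } else { '<missing>' }
    [pscustomobject]@{
        Option   = $name
        Expected = $want
        Actual   = $have
        Status   = if ($have -eq $want) { 'OK' } else { 'DRIFT' }
    }
}

$Drift | Format-Table -AutoSize

# A non-zero exit code lets a scheduled job or CI pipeline flag the controller for follow-up.
$bad = @($Drift | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} option(s) differ from the hardening baseline" -f $bad.Count)
    exit 1
}
```

Run it from the same PowerShell session as the hardening script, or schedule it on its own after a fresh Connect-NaController.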

4) Set up SNMPv3 parameters.
You still have to set up OnCommand (DFM); this only takes care of the controller side.
See https://slice2.com/2013/03/20/how-to-enable-snmpv3-in-ontap-7-3-38-x-and-dfmoncommand-core-4-05-x

Set-NaRole -Role snmpv3role -AddCapabilities login-snmp -Confirm
Set-NaGroup -Group snmpv3group -AddRoles snmpv3role -Confirm
Set-NaUser -User snmpv3user -AddGroups snmpv3group -Confirm

5) Add your OnCommand/DFM server name below, using an FQDN or IP address. Also edit the read-only (ro) community string to your own setting if it is not public, and set the Location and Contact.

Set-NaOption -OptionName snmp.enable -OptionValue on -Confirm
Add-NaSnmpTrapHost -Host 10.10.10.26 -Confirm
Remove-NaSnmpCommunity -Community public
Set-NaSnmpLocation -Location "Roswell NM"
Set-NaSnmpContact -Contact "The Borg"

6) Set up syslog. Edit these parameters to point to your syslog server. Note that syslog.conf requires a tab, not spaces, between the selector (*.*) and the @IP address of the syslog host. In a PowerShell double-quoted string the `t escape produces that tab, so the line below writes a literal tab rather than a space.

Write-NaFile -Path /vol/vol0/etc/syslog.conf -AppendLine "*.*`t@10.10.10.100"