HSC - Hervé Schauer Consultants
Pancho

by Nicolas Jombart (07/06/2002)

Configuring network devices using pancho

-= Background =-

When you have devices like routers whose configuration you need to change more
than once a year, you can use the CLI, but a better way to do this is often to
use TFTP.

You only need a host with a TFTP server. You can then edit the device
configurations on your local system with your favorite text editor, copy them to
your tftproot/ and finally send them to the device using TFTP.

Your work may look like this:

$ vim conf.txt
$ cp conf.txt /var/tftproot
$ chmod a+w /var/tftproot
$ telnet silver
Trying 192.168.1.1...
Connected to silver.
Escape character is '^]'.


User Access Verification

Password: 
silver>ena
Password: 
silver#
silver#copy tftp running-config
Host or network configuration file [host]? 
Address of remote host [255.255.255.255]? 192.168.1.2
Name of configuration file [silver-confg]? conf.txt              
Configure using conf.txt from 192.168.1.2? [confirm]
Loading conf.txt from 192.168.1.2 (via Ethernet2): !!!!!!!!!!!!
[OK - 59116/131027 bytes]


At this point, the file you sent is merged into the running-config (see
below).

The "copy tftp running-config" command can also be executed via an SNMP request.
If you have enabled the SNMP server with Read-Write access, you can run a
command like this on your local system:

$ snmpset -c rw-string 192.168.1.1 .1.3.6.1.4.1.9.2.1.53.192.168.1.2 \
          octetstring router-confg 

(Note: check the correct OID that fits your IOS version).

Now we introduce a powerful tool called Pancho, which can do this job and much
more!

-= Requirements =-

The first thing you need is to set up a TFTP server on an administration host,
i.e. a host dedicated to administration of your devices. You will configure your
devices so that only this host can SSH (you don't use telnet anymore, right?) or
send SNMP requests to them. 

Once the TFTP server is working, the next thing to do is to configure the SNMP
server on your devices. Your configuration may look like:

!
access-list 1330 permit 192.168.1.2
access-list 1330 deny   any log
access-list 1340 permit 192.168.1.2
access-list 1340 deny   any log
snmp-server community YourROstring RO 1330
snmp-server community YourRWstring RW 1340
!

With this configuration, you enable Read-Only and Read-Write access to the
device, only from 192.168.1.2. For more security, you can set up an ACL on the
appropriate interface to permit only UDP port 161 from 192.168.1.2 to the
device.

In addition, you can (should...) restrict the TFTP servers that can be used with
SNMP, using (once again) an access-list:

indica(config)#snmp-server tftp-server-list ?
  <1-99>  IP standard access list
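Both restrictions mentioned above, written out as an added configuration fragment (not from the article; the device address 192.168.1.1 on Ethernet2 and the standard list number 10 are assumed):

```cisco
! Added example: device 192.168.1.1 on Ethernet2, admin host 192.168.1.2
!
! Standard list for snmp-server tftp-server-list (the prompt above takes 1-99)
access-list 10 permit 192.168.1.2
access-list 10 deny   any log
!
! Extended list on the interface: SNMP only from the admin host. The final
! permit keeps everything else, including the TFTP transfers the device
! initiates as a client, working as before.
access-list 120 permit udp host 192.168.1.2 host 192.168.1.1 eq snmp
access-list 120 deny   udp any host 192.168.1.1 eq snmp log
access-list 120 permit ip any any
!
interface Ethernet2
 ip access-group 120 in
!
snmp-server community YourROstring RO 1330
snmp-server community YourRWstring RW 1340
snmp-server tftp-server-list 10
!
```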

Using a CVS server to maintain history of your configurations is also a good
idea. This is what we do in the following examples.

-= Using pancho =-

You can download pancho at http://www.pancho.org/. You also need the
Net::SNMP, Config::IniFiles and Parallel::ForkManager Perl modules.

Let's have a look at common pancho options:

--file <filename>             The name of the file you want to send
--host <hostname>             The remote device
--server <ip/fqdn/hostname>   The TFTP server (may be another host)
--string <snmp community>     The RW community string
--path <path within tftproot> The path of the TFTP root

and actions:

--upload                      Upload a file to the device and merge with
                              the running-config
--download                    Download from a remote device
--commit                      Perform a "write memory" on the device

Full documentation is available by typing perldoc `which pancho`

Just two short examples:

1. You want to download the running-config for backup purposes:

$ touch /var/tftproot/shiva.conf
$ chmod a+w /var/tftproot/shiva.conf
$ pancho --host 192.168.1.1 --server 192.168.1.2 \
         --string YourRWstring --download --file shiva.conf

2. You keep in a file maintained by CVS the configuration of your router and you
   need to modify ACLs on it:

$ cd ~/cvs/router-confs/
$ vi shiva.conf
(... work ...)
$ cvs commit
$ cp shiva.conf /var/tftproot
$ pancho --file shiva.conf --host 192.168.1.1 --server 192.168.1.2 \
         --string YourRWstring --path /var/tftproot --upload
$ rm /var/tftproot/shiva.conf
$ pancho --host 192.168.1.1 --commit

-= What to upload =-

You can keep your device configurations in a CVS repository. However, it is
often more useful to upload only some parts of the configuration, like
access-lists, interface configuration, banners and so on.

The reason is that you will have to use "no" commands (no access-list,
no snmp-server, etc.), which reduces the efficiency of the configuration merge
at upload.

Warning: if you upload a file like the following, the router will not filter
anything between the moment the "no access-list xxx" line is interpreted and
the first "access-list xxx ..." line encountered:

!
no access-list 101
access-list 101 permit ...
(...)
access-list 101 deny ip any any log
!

But this time window is very slim.
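A way to produce such a partial upload file from the full configuration kept under CVS, and push it with the sequence of example 2 above, as an added script (not part of pancho or of the article; CVS_DIR, RW_STRING and the file naming are assumptions):

```shell
#!/bin/sh
# Added example, not part of pancho or the article: build a partial upload
# file that replaces a single numbered access-list, taking the entries from
# the full configuration kept under CVS. Assumed names: CVS working copy in
# $CVS_DIR, TFTP root /var/tftproot, admin host 192.168.1.2, RW community
# in $RW_STRING (all constructed for this example).
CVS_DIR=${CVS_DIR:-$HOME/cvs/router-confs}
TFTPROOT=/var/tftproot
SERVER=192.168.1.2
RW_STRING=${RW_STRING:-YourRWstring}

# acl_patch <full-config> <acl-number> <output-file>
# Writes "no access-list N" immediately followed by every "access-list N ..."
# line of the full config, so the unfiltered window between the "no" line
# and the first new entry is as short as the merge allows.
acl_patch() {
    full="$1"; acl="$2"; out="$3"
    if ! grep -q "^access-list $acl " "$full"; then
        echo "acl_patch: no access-list $acl in $full" >&2
        return 1
    fi
    {
        echo '!'
        echo "no access-list $acl"
        grep "^access-list $acl " "$full"   # trailing space: 10 must not match 101
        echo '!'
    } > "$out"
}

# push_acl <device> <acl-number>: build the patch, upload and merge it with
# pancho, remove it from the TFTP root, then save the running-config.
push_acl() {
    dev="$1"; acl="$2"; patch="$dev-acl$acl.txt"
    acl_patch "$CVS_DIR/$dev.conf" "$acl" "$TFTPROOT/$patch" || return 1
    pancho --file "$patch" --host "$dev" --server "$SERVER" \
           --string "$RW_STRING" --path "$TFTPROOT" --upload || return 2
    rm -f "$TFTPROOT/$patch"
    pancho --host "$dev" --string "$RW_STRING" --commit
}
```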

-= And much more ... =-

You may have noticed that you can easily write your own scripts to automate
the job. In addition, remember that you can perform actions on a group of
devices at the same time, setting up default values like the TFTP server,
community strings, etc. in the script itself.

Type perldoc `which pancho` for more info on these options.

With some more work, you can do really interesting things, like periodically
checking the running configuration for password, ACL, etc. changes, as AIDE
does on a Unix filesystem. Just have a look at
http://www.pancho.org/archives/contrib/ for a quick and dirty example.
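An added example of such a periodic check (written for this page, not taken from the contrib directory): it fetches the running-config with pancho, compares the security-relevant lines with the last copy stored under CVS, and commits the new copy. The TFTP root, admin host address and the assumption that the device's file is already under CVS in the current directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not taken from pancho's contrib directory: fetch a device's
# running-config with pancho, report changes to passwords, ACLs, SNMP and vty
# settings in the spirit of AIDE, then store the copy under CVS. Assumed
# names: TFTP root /var/tftproot, admin host 192.168.1.2, CVS working copy
# as the current directory (all constructed for this example).
TFTPROOT=/var/tftproot
SERVER=192.168.1.2

# Lines whose change matters; descriptions and the like are ignored.
SENSITIVE='^ ?(enable (secret|password)|password |username |access-list |ip access-list |snmp-server |line vty|aaa |transport input)'

# sensitive_lines <config>: print only the security-relevant lines, in the
# order of the file, because the order of access-list entries matters too.
sensitive_lines() {
    grep -E "$SENSITIVE" "$1" || true   # no match is not an error
}

# sensitive_diff <baseline> <current>: return 0 when nothing relevant changed,
# 1 otherwise (the differing lines are printed in diff format).
sensitive_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    sensitive_lines "$1" > "$a"
    sensitive_lines "$2" > "$b"
    if diff "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# check_device <host> <rw-community>: download, compare with the stored copy,
# then commit the new copy (assumed to be under CVS already). Run from cron.
check_device() {
    host="$1"; rw="$2"; new="$TFTPROOT/$host.conf"
    touch "$new" && chmod a+w "$new"     # TFTP must be able to write the file
    pancho --host "$host" --server "$SERVER" --string "$rw" \
           --download --file "$host.conf" || return 2
    if [ -f "$host.conf" ] && ! sensitive_diff "$host.conf" "$new"; then
        echo "WARNING: $host: security-relevant configuration change"
    fi
    cp "$new" "$host.conf" && rm -f "$new"
    cvs commit -m "running-config of $host" "$host.conf"
}
```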


	--Nicolas Jombart <ecu@hsc.fr>

$Date: 2006/11/21 13:55:11 $



Last modified on 21 November 2006 at 16:23:17 CET - webmaster@hsc.fr