{"id":1888,"date":"2013-11-07T10:47:05","date_gmt":"2013-11-07T10:47:05","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1888"},"modified":"2013-11-11T19:58:05","modified_gmt":"2013-11-11T19:58:05","slug":"simple-bash-script-interactive-to-backup-netscreen-isg-ssg-firewall","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1888","title":{"rendered":"Simple Bash Script to Backup Netscreen ISG \/ SSG Firewall"},"content":{"rendered":"

This script is a simple, interactive way to backup and date-stamp your juniper Netscreen ISG\/SSG (ScreenOS) firewall configurations. The script copies the configurations from the firewall using scp. Configurations older than one day ( -mtime +1) are archived off to a bz2 compressed file.\u00a0 Archives older than 60 days ( -mtime +60 ) are removed from the disk.<\/p>\n

The usage is: nsb.sh<\/span> [ip address \/ hostname of Netscreen<\/span>]<\/strong>.\u00a0 (VIEW SCRIPT<\/strong><\/a>)<\/p>\n

<\/p>\n

THE SCRIPT<\/span>:<\/strong><\/p>\n

#!\/bin\/bash
\nDATE=`date +%Y%m%d-%H%M%S`
\nDST=\/home\/amatthew\/netscreen\/backup\/
\nDEBUG=1<\/p>\n

getconfig()
\n{
\nif [[ $DEBUG -eq 1 ]]
\nthen
\necho scp netscreen@\"$1\":ns_sys_config ${DST}netscreen-$1\"-\"$DATE.conf
\nscp netscreen@\"$1\":ns_sys_config ${DST}netscreen-$1\"-\"$DATE.conf
\necho netscreen-$1\"-\"$DATE.conf saved to $DST
\nelse
\nscp -q -i $KEY netscreen@\"$1\":ns_sys_config ${DST}\/netscreen-$1\"-\"$DATE.conf
\nfi
\nfind $DST -type f -mtime +1 -name \"*.conf\" -exec bzip2 {} \\;
\nfind $DST -type f -mtime +60 -name \"*.bz2\" -exec rm -f {} \\;
\n}<\/p>\n

if [ \"$1\" == \"\" ]
\nthen
\necho \"usage $0 [ip address] \"
\nexit 1
\nelse
\ngetconfig $1
\nfi
\nexit 0<\/code><\/p>\n

USAGE:<\/strong> Example:<\/p>\n

[dmatthews@mylinux ~]$ .\/nsb.sh 10.10.15.92<\/strong>
\nscp netscreen@10.10.15.92:ns_sys_config \/home\/dmatthews\/netscreen\/backup\/netscreen-10.10.15.92-20131107-160742.conf
\nnetscreen@10.10.15.92's password:
\nns_sys_config 100% 177KB 59.2KB\/s 00:03
\nnetscreen-10.10.15.92-20131107-160742.conf saved to \/home\/dmatthews\/netscreen\/backup\/<\/code><\/p>\n

[dmatthews@mylinux ~]$ .\/nsb.sh 10.10.15.93<\/strong>
\nscp netscreen@10.10.15.93:ns_sys_config \/home\/dmatthews\/netscreen\/backup\/netscreen-10.10.15.93-20131107-160757.conf
\nnetscreen@10.10.15.93's password:
\nns_sys_config 100% 177KB 59.1KB\/s 00:03
\nnetscreen-10.10.15.93-20131107-160757.conf saved to \/home\/dmatthews\/netscreen\/backup\/
\n[dmatthews@mylinux ~]$
\n[dmatthews@mylinux ~]$ ls -la netscreen\/backup\/<\/strong>
\ntotal 728
\ndrwxr-xr-x. 2 dmatthews mcc 4096 Nov 7 16:08 .
\ndrwxr-xr-x. 3 dmatthews mcc 4096 Nov 5 10:28 ..
\n-rw-r--r--. 1 dmatthews mcc 181720 Nov 7 16:02 netscreen-10.10.15.92-20131107-160214.conf
\n-rw-r--r--. 1 dmatthews mcc 181720 Nov 7 16:07 netscreen-10.10.15.92-20131107-160742.conf
\n-rw-r--r--. 1 dmatthews mcc 181685 Nov 7 16:02 netscreen-10.10.15.93-20131107-160230.conf
\n-rw-r--r--. 1 dmatthews mcc 181685 Nov 7 16:08 netscreen-10.10.15.93-20131107-160757.conf
\n<\/code>
\nIt is possible to use PKI to use SSL so that password authentication is not required (and thereby allowing the script to run without intervention) but if you are planning to backup clear-text configurations, it may be advisable to use this interactive version (contact me for PKI version of this script).<\/p>\n

PREPARATION:<\/strong><\/span><\/p>\n

1. Generate DSA Key Pair:<\/strong><\/p>\n

[dmatthews@mylinux ~]$ ssh-keygen -t dsa
\nGenerating public\/private dsa key pair.
\nEnter file in which to save the key (\/home\/dmatthews\/.ssh\/id_dsa):
\nEnter passphrase (empty for no passphrase):
\nEnter same passphrase again:
\nYour identification has been saved in \/home\/dmatthews\/.ssh\/id_dsa.
\nYour public key has been saved in \/home\/dmatthews\/.ssh\/id_dsa.pub.
\nThe key fingerprint is:
\n75:84:cd:56:d1:40:f7:fa:93:67:d2:0e:ba:d5:20:3f dmatthews@mylinux.mydomain.com
\nThe key’s randomart image is:
\n+–[ DSA 1024]—-+
\n| +.o=+.|
\n| ..+ .o|
\n| … .|
\n| . . . |
\n| S . o |
\n| o =.|
\n| Eo*|
\n| o *o|
\n| o. .|
\n+—————–+
\n[dmatthews@mylinux ~]$ cd \/home\/dmatthews\/.ssh\/
\n[dmatthews@mylinux .ssh]$ ls
\nid_dsa id_dsa.pub id_rsa id_rsa.pub known_hosts
\n[dmatthews@mylinux .ssh]$<\/p>\n

2. Change permissions of .ssh directory:<\/strong><\/p>\n

[dmatthews@mylinux .ssh]$ chmod 755 ~\/.ssh
\n[dmatthews@mylinux .ssh]$<\/p>\n

3. Copy Public Key to the machine that you wish to login to<\/strong> (or for Netscreen firewalls create an Admin user and copy the public key – see further below):<\/em><\/p>\n

Copy the contents of ~\/.ssh\/id_dsa.pub into the file ~\/.ssh\/authorized_keys on the machine to which you want to connect. If the file ~\/.ssh\/authorized_keys exist, append the contents of the file ~\/.ssh\/id_dsa.pub to the file ~\/.ssh\/authorized_keys on the other machine.<\/p>\n

[dmatthews@mylinux .ssh]$ cat id_dsa.pub
\nssh-dss AAAAB3NzaC1kc3MAAACBAO3fxI\/yCK0xDVKDU0zkzKA\/tJAS4GS1tBaqitog7Joum8sl0ew73t7ydlwTXXmulVtiEt4zSHLS3z9WNvon24QOTy2ceivlZXgITNJa6OTAzZLbGsm8AYObGbScQWi5nkNxQtMAlAlMU1GcRBj4UAR3yZwVBQJxX3SmJJlWgYEXAAAAFQDQB0Fp3SR\/lF5ocdXJunErXU7hAwAAAIEAhY4aDkDwmOV3pT8WPY0EDB9d29u2oclvsyyUU2CluiNYHsC8prIN3yboph3CFeOSfXVh9JwhcGkPjmKp8wAfL91oT523EspXQAyamUFIvv5q5lT67GakO6Y6qBMm1+aVth2E8mLu5Mq7Ir+S\/Td68XtB9cERg4U3DnwwZhXKs9wAAACAfm0Lv10LQbyKCYdXMCgJlNg5x209Wvf\/HpLiqHXpTwEK1fLoyPmKl6dzA2byDGpJNDumuzJM\/Ym3li1gfkKz7fjeB9qMCVreXj+x2zvjRRch7fq5plfO2k1fNT6ZCYJxjMnFd1MaN5nIN9kvMA24UHmTT\/idVNbw\/H\/DYrv649g= dmatthews@mylinux.mydomain.com
\n[dmatthews@mylinux .ssh]$<\/p>\n

4. Change Permissions of Authorised Keys file:<\/strong>
\nchmod 600 ~\/.ssh\/authorized_keys<\/p>\n

ON NETSCREEN (ScreenOS\u00a0 – ISG\/SSG):<\/strong><\/span>
\nCreate [USER] user on Netscreen with Read only permissions from web:conf> admin> admins> new
\nAdd [USER] user public key to Netscreen from web:conf> admin> admins> configure-“ssh pka”> add<\/p>\n

NOTE:<\/strong> alternatively you can place the public key on a tftp server and import the key and bibnd it to the user via the CLI:<\/p>\n

For SSHv1:<\/strong>
\nexec ssh tftp pka-rsa<\/strong> [ username name ] file-name name_str ip-addr tftp_ip_addr
\nFor SSHv2:<\/strong>
\nexec ssh tftp pka-dsa<\/strong> [ user-name name ] file-name name_str ip-addr tftp_ip_addr<\/p>\n

The username or user-name options are only available to the root admin, so that only the root admin can bind an RSA key to another admin. When you\u2014as the root admin or as a read\/write admin\u2014enter the command without a user name, the NetScreen device binds the key to your own admin account; that is, it binds the key to the admin that enters the command.<\/em><\/p>\n

NOTE:<\/strong> If you receive an “Invalid Key Encoding” message when pasting in via the WebUI\u00a0 it may be because the key blob is incorrectly entered:<\/p>\n

ssh-dss AAAAB3NzaC1kc3MAAACBAO3fxI\/yCK0xDVKDU0zkzKA\/tJAS4GS1tBaqitog7Joum8sl0ew73t7ydlwTXXmulVtiEt4zSHLS3z9WNvon24QOTy2ceivlZXgITNJa6OTAzZLbGsm8AYObGbScQWi5nkNxQtMAlAlMU1GcRBj4UAR3yZwVBQJxX3SmJJlWgYEXAAAAFQDQB0Fp3SR\/lF5ocdXJunErXU7hAwAAAIEAhY4aDkDwmOV3pT8WPY0EDB9d29u2oclvsyyUU2CluiNYHsC8prIN3yboph3CFeOSfXVh9JwhcGkPjmKp8wAfL91oT523EspXQAyamUFIvv5q5lT67GakO6Y6qBMm1+aVth2E8mLu5Mq7Ir+S\/Td68XtB9cERg4U3DnwwZhXKs9wAAACAfm0Lv10LQbyKCYdXMCgJlNg5x209Wvf\/HpLiqHXpTwEK1fLoyPmKl6dzA2byDGpJNDumuzJM\/Ym3li1gfkKz7fjeB9qMCVreXj+x2zvjRRch7fq5plfO2k1fNT6ZCYJxjMnFd1MaN5nIN9kvMA24UHmTT\/idVNbw\/H\/DYrv649g= dmatthews@mylinux.mydomain.com<\/p>\n

Only paste in:<\/p>\n

AAAAB3NzaC1kc3MAAACBAO3fxI\/yCK0xDVKDU0zkzKA\/tJAS4GS1tBaqitog7Joum8sl0ew73t7ydlwTXXmulVtiEt4zSHLS3z9WNvon24QOTy2ceivlZXgITNJa6OTAzZLbGsm8AYObGbScQWi5nkNxQtMAlAlMU1GcRBj4UAR3yZwVBQJxX3SmJJlWgYEXAAAAFQDQB0Fp3SR\/lF5ocdXJunErXU7hAwAAAIEAhY4aDkDwmOV3pT8WPY0EDB9d29u2oclvsyyUU2CluiNYHsC8prIN3yboph3CFeOSfXVh9JwhcGkPjmKp8wAfL91oT523EspXQAyamUFIvv5q5lT67GakO6Y6qBMm1+aVth2E8mLu5Mq7Ir+S\/Td68XtB9cERg4U3DnwwZhXKs9wAAACAfm0Lv10LQbyKCYdXMCgJlNg5x209Wvf\/HpLiqHXpTwEK1fLoyPmKl6dzA2byDGpJNDumuzJM\/Ym3li1gfkKz7fjeB9qMCVreXj+x2zvjRRch7fq5plfO2k1fNT6ZCYJxjMnFd1MaN5nIN9kvMA24UHmTT\/idVNbw\/H\/DYrv649g=<\/p>\n

Validate scp and ssh configuration via the CLI:<\/strong><\/p>\n

Netscreen-> get config | inc “set scp”
\nset scp enable
\nNetscreen-> get config | inc “set ssh”
\nset ssh version v2
\nset ssh enable
\nset ssh pka-dsa user-name dmatthews pka-key-id 1823D75D5BCD3B356051<\/p>\n

Netscreen-> set ssh ?
\nenable\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 enable SSH
\nhost-identity\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 bind host identity cert
\npka-dsa\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Bind a PKA DSA key\/cert to an admin user
\nversion\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 active ssh version
\nNetscreen-> get config | inc pka-dsa
\nset ssh pka-dsa user-name dmatthews pka-key-id 1823D75D5BCD3B356051
\nNetscreen-><\/p>\n

Netscreen-> get scp
\nSCP is enabled
\nSCP is ready<\/p>\n

Netscreen-> get ssh
\nSSH V2 is active
\nSSH is enabled
\nSSH is ready for connections
\nMaximum sessions: 24
\nActive sessions: 1<\/p>\n

Admin\u00a0\u00a0\u00a0\u00a0\u00a0 Ip Addr\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Vsys\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Auth Method\u00a0 Service
\n———- ————— ———- ———— ——–
\nnetscreen\u00a0 129.0.52.74\u00a0\u00a0\u00a0\u00a0 Root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 password\u00a0\u00a0\u00a0\u00a0 console<\/p>\n","protected":false},"excerpt":{"rendered":"

This script is a simple, interactive way to backup and date-stamp your juniper Netscreen ISG\/SSG (ScreenOS) firewall configurations. The script copies the configurations from the firewall using scp. Configurations older than one day ( -mtime +1) are archived off to a bz2 compressed file.\u00a0 Archives older than 60 days ( -mtime +60 ) are removed […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[63,84,18,13],"tags":[34,4],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1888"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1888"}],"version-history":[{"count":22,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1888\/revisions"}],"predecessor-version":[{"id":1910,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1888\/revisions\/1910"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1888"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}