Scripting retrieval of the config file

Nicolas Melay
Level 1

Just in case someone else needs it, this works for me on AsyncOS 5.5:

wget --no-check-certificate -O config.xml "https://your.ironport.box/login?username=admin&password=your_password&action:Login=Login&referrer=https%3A%2F%2Fyour.ironport.box%2Fsystem_administration%2Fconfiguration_file?action=Save%26operation=download"


Nicolas Melay
Level 1

Couldn't get it through SSH by the way.

ssh admin@my.ironport.box showconfig returns The command "showconfig" does not take any arguments!

Have you ever tried mailconfig via ssh?
That's easy and works fine in most environments.

Nicolas Melay
Level 1

Right. Contrary to showconfig, mailconfig works all right with SSH, but that's not a very straightforward way to retrieve the config file.

I just saw that the following works, however:

echo -e "showconfig\ny" | ssh admin@my.ironport.box | sed -n "/\?xml/,/\/config/p"

si_ironport
Level 1

Here's a quick Perl script I use to perform config backups (with passwords):


#!/usr/bin/perl
#
# 2006041000 Simon Howard Quick script to backup Ironport configurations
#

@ironports = ("ironport1.example.net","ironport2.example.net","ironport3.example.net");

foreach my $host (@ironports) {
    my $backupdir = "/var/spool/archive/$host";

    # Run saveconfig on the appliance; the first line of output names the saved file
    my $detail = `ssh $host "saveconfig 1"`;
    my @detailsplit = split /\n/, $detail;
    my $first = defined $detailsplit[0] ? $detailsplit[0] : '';

    if ($first =~ /^The file (.*) has been saved in the$/) {
        my $file = $1;
        # Copy the saved file off the appliance into this host's archive directory
        my $ret = system("scp $host:/configuration/$file $backupdir");
        if ($ret != 0) {
            print "Error: backing $host config file '$file' to $backupdir $?\n";
        } else {
            print "Success: backing up $host config file '$file' to $backupdir\n";
        }
    }

    # remove any configs older than 60 days
    `find $backupdir -mtime +60 -exec rm -rf {} \\;`;
}

print "Ironport config backup complete\n";

Rayman_Jr
Level 1

It's always good to have a backup config, but unfortunately 'loadconfig' is not supported in a central management environment (cluster mode).

For cluster environments, config backups are just an archive to see old settings; those can't be used for disaster recovery.

meyd45_ironport
Level 1

Complain (loudly) to your SE and Customer Support about the lack of loadconfig/saveconfig for clusters.

The lack of this feature means that anything other than small changes is overly time consuming. Adhering to Change Control procedures is also made more painful because there is no quick roll-back.

How do you delete the old configs? rm isn't allowed, and I was told by my SE that it won't automatically clear out old copies. I was hoping to find some equivalent so that after the scp I could just delete the appliance copies.

meyd45_ironport
Level 1

You can login via ftp and use the delete command.

martinc8306
Level 1

This can also be achieved using expect scripts as per below

#!/usr/bin/expect -f
set password [lrange $argv 0 0]
set ipaddr [lrange $argv 1 1]
set scriptname [lrange $argv 2 2]
set arg1 [lrange $argv 3 3]
#set timeout -1
spawn ssh -p 22 expect@$ipaddr $scriptname $arg1
match_max 100000
expect "*?assword:*"
send -- "$password\r"
# send blank line (\r)
#send -- "\r"
expect eof


Put the above into an expect script and run a daily or weekly cron

/usr/bin/expect /tmp/ironlogin.exp password host mailconfig emailaddress

Donald Nash
Level 3

You can login via ftp and use the delete command.

And by doing so expose your admin password over the network, since FTP uses plaintext authentication. It really annoys me that this is the only way to delete files. I understand that they want to keep you from hurting yourself, but there must be some way to make this work via SSH.

Not griping at you, meyd45, just at the situation.

Eisenhafen
Level 1

Complain (loudly) to you SE and Customer Support about the lack of loadconfig/saveconfig for clusters. 

The lack of this feature means that anything other than small changes is overly time consuming. Adhering to Change Control procedures is also made more painful because there is no quick roll-back.


Hi, has anyone ever made a script able to backup a cluster config? Meaning remove one machine from the cluster and backup that config and join the cluster again - automated.

I would be very thankful for such information. We just had the case that both cluster members died at the same time and we were left with nothing to restore quickly.

Here's something I put together:

#!/usr/bin/expect

set timeout 30

spawn ssh USERNAME@HOSTNAME
expect_after eof { exit 0 }

## interact with SSH
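expect {
    # exp_continue keeps waiting for the password prompt after the host-key question
    "yes/no" { send "yes\r"; exp_continue }
    -re ".assword:" { send "PASSWORD\r" }
}

expect "> " { send "showconfig\r" }
expect "> " { send "Y\r" }
expect "Press Any Key For More" { send "\r" }
set timeout 2
# Page through the output until no further pager prompt appears
while 1 {
    expect {
        "Press Any Key For More" { send "\r" }
        timeout break
    }
}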

expect "> " { send "exit\r" }


Because we are running a cluster, the config backups cannot be restored. This is due to a bug; they had to remove the cluster config file restore feature.

It's still useful, though. Imagine you made a change, and it messed things up, and you weren't totally sure what changed. You could diff the last known good config with the broken config, and tell what changed.

At our shop, we have the IronPort system log going to syslog, and we use Swatch to watch it and it kicks off a fetch of the configuration, after it changes. Like this:
1. User makes a change and commits
2. IronPort syslogs the change
3. Syslog writes the log entry that it changed to the log file
4. Swatch sees the log file entry, and feeds the line to another program that fetches the cluster configuration and stores it.

Anybody have an updated WGET command that works with 6.5.2-101?

Andrew Wurster
Level 1

I don't use wget so can't test it out, unfortunately. Be careful with WGET though - I've seen a lot of customers and other random folks hit a software defect in AsyncOS or even their own script and essentially DoS the box. Be careful whatever you do!

Remember that the "configuration" backup file is NOT a flat file but rather a manually generated thing collecting from different system files.

So using this mentality, you have to A) log in and generate it and then B) copy the file off the box. (Unless of course you are using 'showconfig', which does so and streams it to stdout for you.)

One such tool that will simplify this and cut a few lines (and security risks) out of your expect and other shell scripts is ssh-keys. Check 'em out!

Here's a KB I wrote a ways back to show some of my own preferred methods:
http://tinyurl.com/rodtu

YMMV

Andrew
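
Added example, not code from any post in this thread: a sketch of the key-based, change-aware backup that the ssh-keys suggestion and the "diff the last known good config" use case point towards. It reuses the thread's showconfig-over-SSH pipe. The admin account name, the archive layout, the function names and the assumption that the document ends with a `</config>` line (taken from the sed expression above) are all illustrative.

```bash
#!/usr/bin/env bash
# Added example: key-based, change-aware config backup (not from the thread).
set -u
umask 077   # saved configs may contain credentials; keep copies owner-only

# Keep only the XML document from a CLI transcript: from the "<?xml" line
# through the closing "</config>" line (assumed root element).
extract_config() {
    sed -n '/<?xml/,/<\/config>/p'
}

# Succeed only if both the first and last line of the document are present,
# so a failed or truncated transfer is never archived as a good backup.
is_complete() {
    grep -q '<?xml' "$1" && grep -q '</config>' "$1"
}

# Store candidate file $1 under archive dir $2 only when it differs from the
# newest copy. Prints "stored", "unchanged" or "incomplete".
store_if_changed() {
    local candidate="$1" dir="$2"
    is_complete "$candidate" || { echo incomplete; return 1; }
    mkdir -p "$dir"
    if [ -f "$dir/latest.xml" ] && cmp -s "$candidate" "$dir/latest.xml"; then
        echo unchanged
        return 0
    fi
    cp "$candidate" "$dir/config-$(date +%Y%m%dT%H%M%S).xml"
    cp "$candidate" "$dir/latest.xml"
    echo stored
}

# Fetch over SSH with a key. BatchMode makes ssh fail instead of prompting,
# so no password ever sits in a script, a URL or a process argument list.
# Host keys are checked against known_hosts as usual (no auto-accept).
backup_host() {
    local host="$1" dir="$2" tmp rc
    tmp=$(mktemp)
    printf 'showconfig\ny\n' | ssh -T -o BatchMode=yes "admin@$host" \
        | extract_config > "$tmp"
    store_if_changed "$tmp" "$dir/$host"; rc=$?
    rm -f "$tmp"
    return $rc
}
# Cron usage (hypothetical path): backup_host my.ironport.box /var/spool/archive
```

Because a new timestamped file is written only when the content changes, `diff` between two archived copies shows exactly what a commit altered.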
