Centrally back up upgrade_export Expect script



apachepro
2009-12-30, 18:13
Hi All,
here is a script you may find useful, written in Expect - it logs in by SSH to the firewall, issues upgrade_export, creates an md5sum of the created file,
downloads both files, deletes the backup file.
It was a quick hack (that just works), not too fancy, no error checking done,
can be optimized and cleaned up but not worth the time investment.
Cheers and Happy New Year.
Yuri.
Also available as download at http://yurisk.info/backup.tcl


#!/usr/local/bin/expect
#set timeout to suffice for the largest backup file to download
set timeout 3000

#set password to enter the firewall
set password "password"
set username "admin"
#set format for naming files
set timeand_date [clock format [clock seconds] -format %B-%Y-%m-%d]
#open hosts file that contains IPs of the firewalls and read it in a loop
set ff [open "hosts" r]
while {[gets $ff hostName] >= 0} {

puts "Entering $hostName"
spawn ssh -l $username $hostName
expect {
{[Pp]assword:} { send "$password\r" }
"(yes*no)" { send "yes\r"
expect {[Pp]assword:} {
send "$password\r"
}
}}

#increase timeout of SSH session
expect {*#} {
send "TMOUT=900\r" }
expect {*#} {
send "export TMOUT\r"}
#Create backup directory
expect {*#} {
send "mkdir /var/Upgrade_export_backups\r" }
expect {*#} {
send "cd /var/Upgrade_export_backups\r" }
#Issue the upgrade_export command
expect {*#} {
send "\$FWDIR/bin/upgrade_tools/upgrade_export $timeand_date$hostName\r" }
expect {
{ready} {
send "\r" }
{(y/n) [n]} {
send "yes\r" }
}
#Calculate md5sum of the newly created backup file and save it to file
expect {*#} {
send "md5sum $timeand_date$hostName.tgz > $timeand_date$hostName.md5sum\r"}

expect {*#} {
send "exit\r"}
spawn scp $username@$hostName:/var/Upgrade_export_backups/\{$timeand_date$hostName.md5sum,$timeand_date$hostName.tgz\} .
expect {
{[Pp]assword:} { send "$password\r" }
}
expect {#} {
#send "exit\r"
}

spawn ssh -l $username $hostName
expect {
{[Pp]assword:} { send "$password\r" }
"(yes*no)" { send "yes\r"
expect {[Pp]assword:} {
send "$password\r"
}
}}

#remove created backup file
expect {*#} {
send "cd /var/Upgrade_export_backups\r" }
expect {*#} {
send "rm -f $timeand_date$hostName.tgz\r" }


expect {*#} {
send "exit\r" }


}
close $ff
interact
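
The script above downloads each archive together with its .md5sum file but never compares the two. As an added example (not part of the original post), this shell function checks every downloaded pair in a directory on the management host; the function name and status labels are made up here, and GNU md5sum is assumed.

```shell
#!/bin/sh
# Added example: verify downloaded upgrade_export archives against the
# .md5sum files fetched with them. Assumes GNU md5sum on the management host.

# verify_backups DIR
# Prints one status line per backup; returns the number of failed backups.
verify_backups() {
    dir=$1
    failed=0
    for sum in "$dir"/*.md5sum; do
        # Unmatched glob: no checksum files were downloaded at all.
        [ -e "$sum" ] || { echo "NO-CHECKSUMS $dir"; return 1; }
        base=${sum%.md5sum}
        name=${base##*/}
        if [ ! -s "$sum" ]; then
            # Empty checksum file: md5sum on the firewall had nothing to hash.
            echo "EMPTY-SUM $name"; failed=$((failed + 1))
        elif [ ! -s "$base.tgz" ]; then
            # Archive absent or zero bytes: the copy did not complete.
            echo "MISSING   $name.tgz"; failed=$((failed + 1))
        elif (cd "$dir" && md5sum -c --status "$name.md5sum"); then
            echo "OK        $name.tgz"
        else
            # Hash differs from the one computed on the firewall.
            echo "MISMATCH  $name.tgz"; failed=$((failed + 1))
        fi
    done
    # Archives that arrived without a checksum file are failures too.
    for tgz in "$dir"/*.tgz; do
        [ -e "$tgz" ] || continue
        [ -e "${tgz%.tgz}.md5sum" ] || { echo "NO-SUM    ${tgz##*/}"; failed=$((failed + 1)); }
    done
    return "$failed"
}

# Stand-alone use: pass the download directory as the first argument.
if [ "$#" -gt 0 ]; then verify_backups "$1"; fi
```

The md5sum file is written on the firewall with a relative file name, so the check has to run from inside the download directory, which is why the function changes into it first.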

belvdr
2010-01-05, 15:57
I have tried increasing the TMOUT variable before and it didn't affect the timeout of the shell.

Additionally, there are other scripts floating around in shell script. Why expect?

EDIT: I'd also recommend setting up RSA authentication and leaving the password out of the loop.

apachepro
2010-01-06, 03:04
Hm, strange - I always increase TMOUT this way and it always works (Splat OpenServers and UTM) - maybe on IPSO or other products it differs.
E.g. (default TMOUT is 180 secs)

[Expert@fw-tokyo]# TMOUT=3333
[Expert@fw-tokyo]# export TMOUT
[Expert@fw-tokyo]# /bin/date
Wed Jan 6 07:30:36 GMT+1 2010
[Expert@fw-tokyo]# /bin/date
Wed Jan 6 08:01:43 GMT+1 2010
[Expert@fw-tokyo]#

Moreover Splat manages timeout the same way:
cat /etc/bashrc
export TMOUT=180

Other ways to increase it:
SSH session timeout in Checkpoint NG/NGX | yurisk.info (http://yurisk.info/2008/09/15/ssh-session-timeout-in-checkpoint-ngngx/)


Regarding Expect - it saves lots of time debugging, you just mimic an interactive session and it works. In bash it takes longer to make it work.

RSA - I don't do it as IMO it adds no security - if someone had access to this management server it would make no difference how
to compromise remote machines - using a clear text pass or saved RSA.