Simple Bash Script to Backup Netscreen ISG / SSG Firewall

This script is a simple, interactive way to backup and date-stamp your juniper Netscreen ISG/SSG (ScreenOS) firewall configurations. The script copies the configurations from the firewall using scp. Configurations older than one day ( -mtime +1) are archived off to a bz2 compressed file.  Archives older than 60 days ( -mtime +60 ) are removed from the disk.

The usage is: nsb.sh [ip address / hostname of Netscreen].  (VIEW SCRIPT)

THE SCRIPT:

#!/bin/bash
DATE=`date +%Y%m%d-%H%M%S`
DST=/home/amatthew/netscreen/backup/
DEBUG=1

getconfig()
{
if [[ $DEBUG -eq 1 ]]
then
echo scp netscreen@”$1″:ns_sys_config ${DST}netscreen-$1″-“$DATE.conf
scp netscreen@”$1″:ns_sys_config ${DST}netscreen-$1”-“$DATE.conf
echo netscreen-$1”-“$DATE.conf saved to $DST
else
scp -q -i $KEY netscreen@”$1″:ns_sys_config ${DST}/netscreen-$1”-“$DATE.conf
fi
find $DST -type f -mtime +1 -name “*.conf” -exec bzip2 {} \;
find $DST -type f -mtime +60 -name “*.bz2” -exec rm -f {} \;
}

if [ "$1" == "" ]
then
echo "usage $0 [ip address] "
exit 1
else
getconfig $1
fi
exit 0

USAGE: Example:

[dmatthews@mylinux ~]$ ./nsb.sh 10.10.15.92
scp netscreen@10.10.15.92:ns_sys_config /home/dmatthews/netscreen/backup/netscreen-10.10.15.92-20131107-160742.conf
netscreen@10.10.15.92's password:
ns_sys_config 100% 177KB 59.2KB/s 00:03
netscreen-10.10.15.92-20131107-160742.conf saved to /home/dmatthews/netscreen/backup/

[dmatthews@mylinux ~]$ ./nsb.sh 10.10.15.93
scp netscreen@10.10.15.93:ns_sys_config /home/dmatthews/netscreen/backup/netscreen-10.10.15.93-20131107-160757.conf
netscreen@10.10.15.93's password:
ns_sys_config 100% 177KB 59.1KB/s 00:03
netscreen-10.10.15.93-20131107-160757.conf saved to /home/dmatthews/netscreen/backup/
[dmatthews@mylinux ~]$
[dmatthews@mylinux ~]$ ls -la netscreen/backup/
total 728
drwxr-xr-x. 2 dmatthews mcc 4096 Nov 7 16:08 .
drwxr-xr-x. 3 dmatthews mcc 4096 Nov 5 10:28 ..
-rw-r--r--. 1 dmatthews mcc 181720 Nov 7 16:02 netscreen-10.10.15.92-20131107-160214.conf
-rw-r--r--. 1 dmatthews mcc 181720 Nov 7 16:07 netscreen-10.10.15.92-20131107-160742.conf
-rw-r--r--. 1 dmatthews mcc 181685 Nov 7 16:02 netscreen-10.10.15.93-20131107-160230.conf
-rw-r--r--. 1 dmatthews mcc 181685 Nov 7 16:08 netscreen-10.10.15.93-20131107-160757.conf

It is possible to use PKI to use SSL so that password authentication is not required (and thereby allowing the script to run without intervention) but if you are planning to backup clear-text configurations, it may be advisable to use this interactive version (contact me for PKI version of this script).

PREPARATION:

1. Generate DSA Key Pair:

[dmatthews@mylinux ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/dmatthews/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/dmatthews/.ssh/id_dsa.
Your public key has been saved in /home/dmatthews/.ssh/id_dsa.pub.
The key fingerprint is:
75:84:cd:56:d1:40:f7:fa:93:67:d2:0e:ba:d5:20:3f dmatthews@mylinux.mydomain.com
The key’s randomart image is:
+–[ DSA 1024]—-+
| +.o=+.|
| ..+ .o|
| … .|
| . . . |
| S . o |
| o =.|
| Eo*|
| o *o|
| o. .|
+—————–+
[dmatthews@mylinux ~]$ cd /home/dmatthews/.ssh/
[dmatthews@mylinux .ssh]$ ls
id_dsa id_dsa.pub id_rsa id_rsa.pub known_hosts
[dmatthews@mylinux .ssh]$

2. Change permissions of .ssh directory:

[dmatthews@mylinux .ssh]$ chmod 755 ~/.ssh
[dmatthews@mylinux .ssh]$

3. Copy Public Key to the machine that you wish to login to (or for Netscreen firewalls create an Admin user and copy the public key – see further below):

Copy the contents of ~/.ssh/id_dsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exist, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on the other machine.

[dmatthews@mylinux .ssh]$ cat id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAO3fxI/yCK0xDVKDU0zkzKA/tJAS4GS1tBaqitog7Joum8sl0ew73t7ydlwTXXmulVtiEt4zSHLS3z9WNvon24QOTy2ceivlZXgITNJa6OTAzZLbGsm8AYObGbScQWi5nkNxQtMAlAlMU1GcRBj4UAR3yZwVBQJxX3SmJJlWgYEXAAAAFQDQB0Fp3SR/lF5ocdXJunErXU7hAwAAAIEAhY4aDkDwmOV3pT8WPY0EDB9d29u2oclvsyyUU2CluiNYHsC8prIN3yboph3CFeOSfXVh9JwhcGkPjmKp8wAfL91oT523EspXQAyamUFIvv5q5lT67GakO6Y6qBMm1+aVth2E8mLu5Mq7Ir+S/Td68XtB9cERg4U3DnwwZhXKs9wAAACAfm0Lv10LQbyKCYdXMCgJlNg5x209Wvf/HpLiqHXpTwEK1fLoyPmKl6dzA2byDGpJNDumuzJM/Ym3li1gfkKz7fjeB9qMCVreXj+x2zvjRRch7fq5plfO2k1fNT6ZCYJxjMnFd1MaN5nIN9kvMA24UHmTT/idVNbw/H/DYrv649g= dmatthews@mylinux.mydomain.com
[dmatthews@mylinux .ssh]$

4. Change Permissions of Authorised Keys file:
chmod 600 ~/.ssh/authorized_keys

ON NETSCREEN (ScreenOS  – ISG/SSG):
Create [USER] user on Netscreen with Read only permissions from web:conf> admin> admins> new
Add [USER] user public key to Netscreen from web:conf> admin> admins> configure-“ssh pka”> add

NOTE: alternatively you can place the public key on a tftp server and import the key and bibnd it to the user via the CLI:

For SSHv1:
exec ssh tftp pka-rsa [ username name ] file-name name_str ip-addr tftp_ip_addr
For SSHv2:
exec ssh tftp pka-dsa [ user-name name ] file-name name_str ip-addr tftp_ip_addr

The username or user-name options are only available to the root admin, so that only the root admin can bind an RSA key to another admin. When you—as the root admin or as a read/write admin—enter the command without a user name, the NetScreen device binds the key to your own admin account; that is, it binds the key to the admin that enters the command.

NOTE: If you receive an “Invalid Key Encoding” message when pasting in via the WebUI  it may be because the key blob is incorrectly entered:

ssh-dss AAAAB3NzaC1kc3MAAACBAO3fxI/yCK0xDVKDU0zkzKA/tJAS4GS1tBaqitog7Joum8sl0ew73t7ydlwTXXmulVtiEt4zSHLS3z9WNvon24QOTy2ceivlZXgITNJa6OTAzZLbGsm8AYObGbScQWi5nkNxQtMAlAlMU1GcRBj4UAR3yZwVBQJxX3SmJJlWgYEXAAAAFQDQB0Fp3SR/lF5ocdXJunErXU7hAwAAAIEAhY4aDkDwmOV3pT8WPY0EDB9d29u2oclvsyyUU2CluiNYHsC8prIN3yboph3CFeOSfXVh9JwhcGkPjmKp8wAfL91oT523EspXQAyamUFIvv5q5lT67GakO6Y6qBMm1+aVth2E8mLu5Mq7Ir+S/Td68XtB9cERg4U3DnwwZhXKs9wAAACAfm0Lv10LQbyKCYdXMCgJlNg5x209Wvf/HpLiqHXpTwEK1fLoyPmKl6dzA2byDGpJNDumuzJM/Ym3li1gfkKz7fjeB9qMCVreXj+x2zvjRRch7fq5plfO2k1fNT6ZCYJxjMnFd1MaN5nIN9kvMA24UHmTT/idVNbw/H/DYrv649g= dmatthews@mylinux.mydomain.com

Only paste in:

AAAAB3NzaC1kc3MAAACBAO3fxI/yCK0xDVKDU0zkzKA/tJAS4GS1tBaqitog7Joum8sl0ew73t7ydlwTXXmulVtiEt4zSHLS3z9WNvon24QOTy2ceivlZXgITNJa6OTAzZLbGsm8AYObGbScQWi5nkNxQtMAlAlMU1GcRBj4UAR3yZwVBQJxX3SmJJlWgYEXAAAAFQDQB0Fp3SR/lF5ocdXJunErXU7hAwAAAIEAhY4aDkDwmOV3pT8WPY0EDB9d29u2oclvsyyUU2CluiNYHsC8prIN3yboph3CFeOSfXVh9JwhcGkPjmKp8wAfL91oT523EspXQAyamUFIvv5q5lT67GakO6Y6qBMm1+aVth2E8mLu5Mq7Ir+S/Td68XtB9cERg4U3DnwwZhXKs9wAAACAfm0Lv10LQbyKCYdXMCgJlNg5x209Wvf/HpLiqHXpTwEK1fLoyPmKl6dzA2byDGpJNDumuzJM/Ym3li1gfkKz7fjeB9qMCVreXj+x2zvjRRch7fq5plfO2k1fNT6ZCYJxjMnFd1MaN5nIN9kvMA24UHmTT/idVNbw/H/DYrv649g=

Validate scp and ssh configuration via the CLI:

Netscreen-> get config | inc “set scp”
set scp enable
Netscreen-> get config | inc “set ssh”
set ssh version v2
set ssh enable
set ssh pka-dsa user-name dmatthews pka-key-id 1823D75D5BCD3B356051

Netscreen-> set ssh ?
enable               enable SSH
host-identity        bind host identity cert
pka-dsa              Bind a PKA DSA key/cert to an admin user
version              active ssh version
Netscreen-> get config | inc pka-dsa
set ssh pka-dsa user-name dmatthews pka-key-id 1823D75D5BCD3B356051
Netscreen->

Netscreen-> get scp
SCP is enabled
SCP is ready

Netscreen-> get ssh
SSH V2 is active
SSH is enabled
SSH is ready for connections
Maximum sessions: 24
Active sessions: 1

Admin      Ip Addr         Vsys       Auth Method  Service
———- ————— ———- ———— ——–
netscreen  129.0.52.74     Root       password     console

Was this article helpful?

Related Articles

Leave A Comment?

You must be logged in to post a comment.