Gunni M

New links, new version and additions

2009-09-09T13:52:00.000-07:00

Alright, so it seems inetpro.org is down atm and i'm not even sure they still have my scripts hosted so here are new links, new version and additions to my python network management scripts. I'm now using the excellent pexpect in most of them which you can grab from here:

http://sourceforge.net/projects/pexpect/

rix.is ip filter:

Edit the list from rix.is for an ASA object-group

http://dl.getdropbox.com/u/66544/scripts/edit-rix-ipv4-is.py

Send the edited list to the ASA

http://dl.getdropbox.com/u/66544/scripts/update-ASA.py

Icelandic whitelisting, much fun ;) the script that started the blog, still brilliant :D

Configuration Downloader:

http://dl.getdropbox.com/u/66544/scripts/dl-config.py

In addition to the dl-config.py script you will need a settings file declaring the tftp host (ASA/PIX don't support scp afaik) and some other variables mentioned in the dl-config.py file itself.

You will need a new-line delimited device list flat file (hostnames/ip addresses, passed as arguments to ssh) and optionally a telnet device list.

You should use the following lines in your/etc/ssh/ssh_config file if you often add devices and don't want to manually accept the host_keys for each one before running the script:

Host *

StrictHostKeyChecking no

I use this instead of alternatives such as rancid (i'm the only networking guy at my IT firm anyway so i use this for backups and with dropbox running on the *nix boxes receiving the configurations i get archives and availability.

http://wiki.getdropbox.com/TipsAndTricks/TextBasedLinuxInstall <- Highly recommmended

Device Commander:

http://dl.getdropbox.com/u/66544/scripts/device-commander.py

Requirements are mostly the same as for dl-config.py (settings file, device-list and preferably edit your /etc/ssh/ssh_config file)

This guys awesome, I use it at one site like a poor mans WLAN-Controller :D

just make sure to test the command list out on one device first before you run it against a batch.. and remember "reload in" is your friend! with the inbuilt expect feature of the command sender you can answer questions from commands such as reload in and copy.

Named master/slave scripted domain additions:

http://dl.getdropbox.com/u/66544/scripts/domain%20additions%20-%20removals.7z

This ones the oldest of my scripts and it shows, it's still using TCL expect and i hardly believe it works.. :)

pexpect rocks?

2009-05-16T17:17:00.000-07:00

So i wrote a simple configuration nabbing script a while ago, using expect and python initially, i rewrote it the other day with pexpect, a python native version of expect. very nice, highly recommended.

http://inetpro.org/pastebin/1461/

ofc you'd preferably want to copy your configurations over the internet with scp but the uber secure ASA/PIX platform doesn't support that afaik..

Python+Expect named.conf additions/removals

2009-03-16T12:13:00.000-07:00

So i was getting tired of manually ssh'ing to the trio of name servers my company runs whenever we needed to add a new domain. I set out to script the process and ended up with this:

Both expect scripts take a single argument, the domain to be added, be sure to modify the host part of the spawn ssh lines to fit your needs.

The expect script run on the master for domain additions

http://internetworkpro.org/pastebin/1213/

The Python script run by the expect script on the master:

http://internetworkpro.org/pastebin/1218/

The Python script run by the expect script on the slaves:

http://internetworkpro.org/pastebin/1217/

The expect script run on the master for domain deletions

http://internetworkpro.org/pastebin/1214/

The Python script run by the expect script on all servers:

http://internetworkpro.org/pastebin/1215/

The expect scripts assume you use public key authentication with ssh.

These are some of my first attempts at python scripting and i'm not a seasoned expect/tcl guy either so if these can't be of any help to anyone maybe i'll receive some constructive criticism instead that can help me!

Blocking non-icelandic traffic

2009-02-12T06:41:00.001-08:00

Since IOS 12.4(20)T the object-group network command has been introduced outside of the ASA family.

And since rix.is holds out a list of icelandic subnets i got the idea to open access to various services only to icelanders :)

The idea isn't new but i hope the scripts i created with the help of my dear friend Jón Rúnar will help someone out there.

What we have is very basic stuff, we have a shell script run by cron on a CentOS box that executes wget to grab the list from RIX, a python script to edit the text file so that an ASA/Cisco IOS can use the list, and then an expect script to update the list on the device.

bash script

http://www.internetworkpro.org/pastebin/1066/

here we have two branches depending on your platform:

edit the subnet list from RIX for ASA input

http://www.internetworkpro.org/pastebin/1067/

expect script for ASA

http://www.internetworkpro.org/pastebin/1071/

edit the subnet list from RIX for Cisco IOS input

http://www.internetworkpro.org/pastebin/1069/

expect script for Cisco IOS

http://www.internetworkpro.org/pastebin/1070/

I'll explain the scripts and such better in a later edit :)