Send command via ssh script

Author
Mbrassesco
New Member
2014/03/19 06:09:30 (permalink)

Does someone know how to run an SSH command script against the device? I need to execute that script if an interface goes down or something like that; the trigger is a monitoring software.

Tks!
#1
emnoc
Expert Member
RE: Send command via ssh script 2014/03/19 07:23:23 (permalink)
I would use expect personally.

It's simple to script and can easily be used for triggers and incorporated into anything like nagios or syslog-ng

#!/usr/bin/expect
# Give each expect up to 60 seconds before timing out
set timeout 60
spawn ssh ken@1.1.1.1
expect "Password: "
# The password is hard-coded here; a key-based login would avoid storing it in the script
send "mystrongpassword\r"
# "MASW1" is the device's CLI prompt
expect "MASW1"
send "\r"
expect "MASW1"
send "copy running startup\r"
expect "MASW"

You can call the script locally if you had a cisco router or juniper SRX ( too bad fortinet doesn't have a shell or tcl scripting :)


< Message edited by emnoc -- 3/19/2014 7:25:09 AM >

PCNSE 
NSE 
StrongSwan  
#2
Mbrassesco
New Member
RE: Send command via ssh script 2014/03/19 07:56:51 (permalink)
I use plink and it works well for me. Tks for your answer!
#3
emnoc
Expert Member
RE: Send command via ssh script 2014/03/19 09:01:25 (permalink)
Yes, plink is the Windows equivalent of expect.


PCNSE 
NSE 
StrongSwan  
#4
jtfinley
Gold Member
RE: Send command via ssh script 2014/07/08 19:06:54 (permalink)
You can feed a text file into SSH from cron, as below.

Example, on a *nix type system:


ssh xxx.xxx.xxx.xxx -p 22 < ~/scripts/script1.txt

script1.txt

diag user device clear
exec wireless-controller reset-wtp all
y
#5
Sean_Toomey_FTNT
Gold Member
RE: Send command via ssh script 2014/08/05 05:59:08 (permalink)
too bad fortinet doesn't have a shell or tcl scripting :)


I can tell you that one is never happening directly on the box as it represents a real and present risk to security on a hardened security device.

Before working with Fortinet gear (and following, the company itself), I worked for several years with Cisco ASA and CheckPoint. And part of me loved that I could go into expert mode on CheckPoint and run whatever scripts I wanted and have root level access to the OS, such as it is.

But the truth is that by removing that access from FortiGate and relegating them to debug versions, it makes the device much more stable and secure.


To add some substantive content to this discussion, there are many tools out there to automate SSH sessions.

You can also do this with FortiManager based on a schedule, or using API if triggered by an external monitoring system. If using FMGR you can use CLI scripts or TCL scripting and either add to the config DB for next policy push, or have it go directly to the device CLI.

One last thing is you mentioned running a script if a port fails - if you mean a WAN port, the "virtual-wan-link" functionality in FortiOS will likely do what you want it to, which is to healthcheck a WAN link and automatically fail over if needed.

Cheers!
< Message edited by Sean_Toomey_FTNT -- 8/5/2014 9:00:12 AM >

--
Sean Toomey, CISSP FCNSP
Consulting Security Engineer (CSE)
FORTINET— High Performance Network Security
#6
emnoc
Expert Member
RE: Send command via ssh script 2014/08/05 08:35:55 (permalink)
I can tell you that one is never happening directly on the box as it represents a real and present risk to security on a hardened security device.


Strange that Juniper doesn't see that as a risk. Care to enlighten us what risks are involved? Or how much more is it than WebGUI access?

Before you answer, most Juniper devices offer access via a limited shell. Other manufacturers also have shell access in their network gear:

F5
cisco (IOS-XR/ IOS-XE )
Force10
Radware
A10networks
etc...


PCNSE 
NSE 
StrongSwan  
#7
Sean_Toomey_FTNT
Gold Member
RE: Send command via ssh script 2014/08/05 19:18:49 (permalink)
It was an executive decision, the way I heard it.

There are just some things that are inherently risky. SNMP write is inherently risky but more than a few firewalls let you use it. We don't.

Exposing a shell, access to the underlying filesystem structure, or the ability to store and run scripts on a firewall is convenient, but opens the door to abuse and exploitation. We choose to err on the side of caution. Some of our competitors do not. We'd rather have a box that isn't pwned. :)

Cheers!

--
Sean Toomey, CISSP FCNSP
Consulting Security Engineer (CSE)
FORTINET— High Performance Network Security
#8
Istvan Takacs_FTNT
Silver Member
RE: Send command via ssh script 2014/08/10 23:40:00 (permalink)
DLP # show sys int
config system interface
...........
edit "port4"
set vdom "root"
set mode dhcp
set type physical
set snmp-index 4
next
...........

mylittlepony $ ssh admin@172.16.233.100 << EOF
> config sys int
> edit port4
> set mode static
> set ip 1.1.1.1/24
> next
> end
> exit
>
> Pseudo-terminal will not be allocated because stdin is not a terminal.
DLP #
DLP (interface) #
DLP (port4) #
DLP (port4) #
DLP (port4) #
DLP (interface) #
DLP # mylittlepony $

mylittlepony $ ssh admin@172.16.233.100
DLP # show sys int
config system interface
...........
edit "port4"
set vdom "root"
set ip 1.1.1.1 255.255.255.0
set type physical
set snmp-index 4
next
...........

From here it's only a matter of putting your commands into a script and executing it.
< Message edited by Istvan Takacs -- 8/10/2014 11:41:52 PM >
#9
emnoc
Expert Member
RE: Send command via ssh script 2014/08/11 00:28:38 (permalink)
If you're doing a lot of configuration you can also use batch mode:




NMS:
NMS:ssh -p 1033 admin@10.10.80.1 < file
Pseudo-terminal will not be allocated because stdin is not a terminal.
admin@10.10.80.1's password:


SOC60D # SOC60D #
SOC60D (interface) #
SOC60D (internal1) #
SOC60D (internal1) #
SOC60D (interface) #
SOC60D (internal2) #
SOC60D (internal2) #
SOC60D (interface) #
SOC60D # SOC60D # SOC60D #
Exit and run batch commands...
NMS:


cat file
execute batch start

config sys int
edit internal1
set alias internal1-interface
next
edit internal2
set alias internal2-interface
next
end


execute batch end





Just wrap the commands in your script file with an execute batch start and end.
< Message edited by emnoc -- 8/11/2014 12:29:19 AM >

PCNSE 
NSE 
StrongSwan  
#10
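The three "feed a file into ssh" posts above (jtfinley's cron example, Istvan's heredoc session and emnoc's execute batch start/end file) all do the same thing by hand. The script below is an added example written for this thread, not code from any of the posters or from Fortinet: it builds the batch file and pushes it with the ssh options an unattended job should have (public-key login, no password prompt, pinned host key, bounded connect time). The host, the key path ~/.ssh/fortigate_automation, the port, the admin user name and the interface names are assumptions; it assumes the key has been installed on an admin account that accepts public-key login.

```shell
#!/bin/sh
# Added example, not code from the thread: build a FortiOS command file wrapped in
# "execute batch start" / "execute batch end" and push it over ssh from a cron job
# or a monitoring hook. Host, key path, port and interface names are assumptions.

# build_batch_file OUTFILE CMD...
# Writes the batch envelope around the given CLI lines, ending with "exit" so the
# session closes once the device has applied the batch.
build_batch_file() {
    out="$1"
    shift
    {
        echo "execute batch start"
        for line in "$@"; do
            printf '%s\n' "$line"
        done
        echo "execute batch end"
        echo "exit"
    } > "$out"
}

# push_to_device HOST FILE [KEYFILE] [PORT]
# Feeds FILE to the device CLI on stdin, like "ssh host < file" in the thread, with
# options that keep an unattended job from hanging or from trusting an unknown host:
#   -T                          no pseudo-terminal; stdin is the command file
#   BatchMode=yes               never stop at a password prompt; fail instead
#   StrictHostKeyChecking=yes   refuse an unknown or changed host key
#   ConnectTimeout=10           give up quickly if the management path is down
push_to_device() {
    host="$1"
    file="$2"
    keyfile="${3:-$HOME/.ssh/fortigate_automation}"
    port="${4:-22}"
    ssh -T -p "$port" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=10 \
        -i "$keyfile" \
        "admin@$host" < "$file"
}

# Unattended use: the monitoring system or cron sets FGT_HOST (assumed name) and
# runs this script. Nothing is pushed when FGT_HOST is unset.
if [ -n "${FGT_HOST:-}" ]; then
    batch="$(mktemp)"
    build_batch_file "$batch" \
        "config sys int" \
        "edit internal1" \
        "set alias internal1-interface" \
        "next" \
        "end"
    push_to_device "$FGT_HOST" "$batch"
    rc=$?
    # Record the outcome in syslog so a failed push is visible to the monitoring side
    if [ "$rc" -eq 0 ]; then
        logger -t fgt-push "batch applied on $FGT_HOST"
    else
        logger -t fgt-push "batch FAILED on $FGT_HOST (ssh exit $rc)"
    fi
    rm -f "$batch"
fi
```

A cron entry such as `*/5 * * * * FGT_HOST=10.10.80.1 /usr/local/bin/fgt-push.sh` (path and address assumed) runs it on a schedule; a monitoring system can call it the same way from its event handler. Because BatchMode refuses to prompt, a missing or rejected key fails loudly instead of leaving a hung ssh process behind, and StrictHostKeyChecking means a changed device key stops the push rather than sending the configuration to whatever answered.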