Send command via ssh script
Does someone know how to run an SSH command script against the device? I need to execute that script if an interface goes down or something like that; the trigger is a monitoring software.
Tks!
9 REPLIES
I would use expect personally.
It's simple to script and can easily be used for triggers and incorporated into anything like Nagios or syslog-ng.
#!/usr/bin/expect
# Give the device up to 60 seconds to answer each expect
set timeout 60
spawn ssh ken@1.1.1.1
expect "Password: "
send "mystrongpassword\r"
# Wait for the device prompt, then send the command and wait for the prompt again
expect "MASW1"
send "\r"
expect "MASW1"
send "copy running startup\r"
expect "MASW"
You can call the script locally if you have a Cisco router or Juniper SRX (too bad Fortinet doesn't have a shell or TCL scripting :)
PCNSE
NSE
StrongSwan
"too bad fortinet doesn't have a shell or tcl scripting :)"

I can tell you that one is never happening directly on the box, as it represents a real and present risk to security on a hardened security device. Before working with Fortinet gear (and following that, the company itself), I worked for several years with Cisco ASA and CheckPoint. And part of me loved that I could go into expert mode on CheckPoint and run whatever scripts I wanted and have root-level access to the OS, such as it is. But the truth is that by removing that access from FortiGate and relegating it to debug versions, it makes the device much more stable and secure.

To add some substantive content to this discussion, there are many tools out there to automate SSH sessions. You can also do this with FortiManager based on a schedule, or using the API if triggered by an external monitoring system. If using FMGR you can use CLI scripts or TCL scripting and either add to the config DB for the next policy push, or have it go directly to the device CLI.

One last thing: you mentioned running a script if a port fails. If you mean a WAN port, the "virtual-wan-link" functionality in FortiOS will likely do what you want, which is to health-check a WAN link and automatically fail over if needed.

Cheers!
--
Sean Toomey, CISSP FCNSP
Consulting Security Engineer (CSE)
FORTINET— High Performance Network Security
I use plink and it works well for me. Tks for your answer!
Yes, plink is the Windows equivalent of expect.

PCNSE
NSE
StrongSwan
You can inject a text file into SSH using cron, like so.
Example, on a *nix type system:
ssh xxx.xxx.xxx.xxx -p 22 < ~/scripts/script1.txt
script1.txt
diag user device clear
exec wireless-controller reset-wtp all
y
"I can tell you that one is never happening directly on the box as it represents a real and present risk to security on a hardened security device."

Strange that Juniper doesn't see that as a risk. Care to enlighten us what risks are involved? Or how much more it is than WebGUI access? Before you answer, most Juniper devices offer access via a limited shell. Other manufacturers also have shell access in their network gear: F5, Cisco (IOS-XR/IOS-XE), Force10, Radware, A10 Networks, etc.
PCNSE
NSE
StrongSwan
It was an executive decision, the way I heard it.
There are just some things that are inherently risky. SNMP write is inherently risky, but more than a few firewalls let you use it. We don't.
Exposing a shell, access to the underlying filesystem structure, or the ability to store and run scripts on a firewall is convenient, but opens the door to abuse and exploitation. We choose to err on the side of caution. Some of our competitors do not. We'd rather have a box that isn't pwned. :)
Cheers!
--
Sean Toomey, CISSP FCNSP
Consulting Security Engineer (CSE)
FORTINET— High Performance Network Security
DLP # show sys int
config system interface
...........
edit "port4"
set vdom "root"
set mode dhcp
set type physical
set snmp-index 4
next
...........
mylittlepony $ ssh admin@172.16.233.100 << EOF
> config sys int
> edit port4
> set mode static
> set ip 1.1.1.1/24
> next
> end
> exit
>
> Pseudo-terminal will not be allocated because stdin is not a terminal.
DLP #
DLP (interface) #
DLP (port4) #
DLP (port4) #
DLP (port4) #
DLP (interface) #
DLP # mylittlepony $
mylittlepony $ ssh admin@172.16.233.100
DLP # show sys int
config system interface
...........
edit "port4"
set vdom "root"
set ip 1.1.1.1 255.255.255.0
set type physical
set snmp-index 4
next
...........
From here it's only a matter of putting your commands into a script and executing it.
If you're doing a lot of configuration you can also use batch mode:
NMS:
NMS:ssh -p 1033 admin@10.10.80.1 < file
Pseudo-terminal will not be allocated because stdin is not a terminal.
admin@10.10.80.1's password:
SOC60D # SOC60D #
SOC60D (interface) #
SOC60D (internal1) #
SOC60D (internal1) #
SOC60D (interface) #
SOC60D (internal2) #
SOC60D (internal2) #
SOC60D (interface) #
SOC60D # SOC60D # SOC60D #
Exit and run batch commands...
NMS:
cat file
execute batch start
config sys int
edit internal1
set alias internal1-interface
next
edit internal2
set alias internal2-interface
next
end
execute batch end
Just wrap the commands in your script file with execute batch start and execute batch end.
PCNSE
NSE
StrongSwan
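Putting the stdin-redirect and batch-mode suggestions from the two posts above together, here is an added shell script (not from the thread, nor Fortinet's own tooling) that a monitoring tool can call as an event handler. It assumes a hypothetical key file, a pinned known_hosts file and the host/user variables shown at the top, and reuses only the interface/alias commands already shown in the thread; key-based BatchMode auth replaces the password embedded in the expect example.

```shell
#!/bin/sh
# Added example, not from the thread: push a FortiOS CLI batch over SSH from
# a monitoring trigger, using key auth instead of an embedded password.
# Hypothetical assumptions: the 'admin' key is in FGT_KEY and the firewall's
# host key is pinned in FGT_KNOWN_HOSTS. Commands are the thread's own.
set -eu
FGT_HOST="${FGT_HOST:-10.10.80.1}"
FGT_PORT="${FGT_PORT:-22}"
FGT_USER="${FGT_USER:-admin}"
FGT_KEY="${FGT_KEY:-$HOME/.ssh/fgt_automation}"
FGT_KNOWN_HOSTS="${FGT_KNOWN_HOSTS:-$HOME/.ssh/fgt_known_hosts}"
SSH_BIN="${SSH_BIN:-ssh}"   # overridable for dry runs

# Write iface=alias pairs as a FortiOS command file wrapped in
# 'execute batch start' / 'execute batch end'; prints the line count.
build_batch_file() {
    out="$1"; shift
    {
        echo "execute batch start"
        echo "config system interface"
        for pair in "$@"; do
            echo "edit ${pair%%=*}"
            echo "set alias ${pair#*=}"
            echo "next"
        done
        echo "end"
        echo "execute batch end"
        echo "exit"
    } > "$out"
    wc -l < "$out" | tr -d ' '
}

# Feed the file on stdin. BatchMode=yes refuses any password prompt (so a
# broken key fails loudly instead of hanging), and the pinned known_hosts
# stops a silent connection to the wrong box if DNS or routing is tampered with.
fgt_run_batch() {
    "$SSH_BIN" -p "$FGT_PORT" -i "$FGT_KEY" -o BatchMode=yes \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$FGT_KNOWN_HOSTS" \
        -o ConnectTimeout=15 "$FGT_USER@$FGT_HOST" < "$1"
}

# Monitoring hook (Nagios-style STATE STATETYPE args): act only on HARD CRITICAL.
fgt_on_alert() {
    [ "$1" = "CRITICAL" ] && [ "$2" = "HARD" ] || return 0
    tmp=$(mktemp)
    build_batch_file "$tmp" internal1=internal1-interface >/dev/null
    fgt_run_batch "$tmp"
    rm -f "$tmp"
}
```

Call it as `fgt_on_alert "$SERVICESTATE$" "$SERVICESTATETYPE$"` from the monitoring system's event handler, and keep the automation key restricted to an admin profile that can only touch what the remediation needs.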
