Removing Passwords from a Router Configuration File

Problem

You want to remove sensitive information from a router configuration file.

Solution

The following Perl script removes sensitive information like passwords and SNMP community strings from configuration files. The script takes the name of the file containing the router's configuration as its only command-line argument.

Here's some sample output:

Freebsd% strip.pl Router1-confg

version 12.2
service password-encryption
!
hostname Router1
!
aaa new-model
aaa authentication login default local
enable secret 
enable password 
!
username ijbrown password 
username kdooley password 
!
!Lines removed for brevity
!
!
snmp-server community  RO
snmp-server community  RW
!
line con 0
 password 
line aux 0
 password 
line vty 0 4
 password 
 end
Freebsd%

The Perl code follows in Example 3-1.

Example 3-1. strip.pl

#!/usr/local/bin/perl
#
# strip.pl -- a script to remove sensitive information
# from a router configuration file.
#
#
my $configf;
my $config;
undef $/;                      # slurp mode: read the whole file in one go
#
$configf = shift(@ARGV);       # config file name is the only argument
if (open (CNFG, $configf ) ){
 $config = <CNFG>;
 close (CNFG);
 # keep the keyword, drop everything that follows it on the line
 $config =~ s/password .*/password /gi;
 $config =~ s/secret .*/secret /gi;
 $config =~ s/community [^ ]+/community /gi;   # keeps the trailing RO/RW
 print $config;
} else {
 print STDERR "Failed to open config file \"$configf\"\n";
 }

Discussion

This script strips sensitive information from router configuration files. You can safely store or forward the resulting "stripped" configuration files to others, including vendors, partners, or colleagues. Recipe 3.5 shows how trivial the default password-encryption method is, which highlights why stripping a configuration file like this is so important.

This script should require no modifications to work in most environments. Because the script sends its output to the screen, if you want to save a copy of the "stripped" configuration file, you will have to direct the standard output into a file:

Freebsd% strip.pl Router1-confg > /Router1-stripped

This example runs the script and sends the output to a file called Router1-stripped that is located in the directory /. Of course, you can direct the output of the script to any file you wish.

In earlier recipes, we mentioned that the enable secret password is encrypted using a strong method, MD5, which is extremely difficult to crack. However, there are brute-force attacks in which an attacker systematically encrypts likely sequences of letters, numbers, and characters in an attempt to find an encrypted match. Although these types of attacks are time-consuming, there are a number of freely available software packages that offer efficient password-cracking capabilities. In short, it is better to be safe than sorry.

You can easily modify the script to strip other sensitive configuration commands (such as TACACS keys, routing keys, etc.) simply by adding more substitution lines. For instance, to strip TACACS keys, add the following line of code near the other lines that begin with $config =~:

$config =~ s/tacacs-server key .*/tacacs-server key /gi;
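The following Python script is an added example, not the book's strip.pl: it performs the same keyword-based redaction as the Perl script (password, secret, community), adds the TACACS rule suggested above, and, as assumed additions, two "routing key" rules for key-chain key-string lines and OSPF message-digest-key lines. The rules are table-driven so that each new command is one entry, and a final check reports any line that still carries a type 7 ("7 <hex>") or type 5/8/9 ("$N$") password token, which catches commands the rule table does not yet cover. The sample configuration is constructed; the hashes and type 7 strings in it are placeholders. Note that the community rule uses \S+ rather than [^ ]+: in slurp mode the latter also matches newlines, so a community line with nothing after the string would eat the following line.

```python
import re
import sys

# Each rule keeps group 1 (the keyword) and drops the secret that follows it.
# The first three mirror strip.pl; tacacs-server key is the recipe's suggested
# addition; key-string and message-digest-key are assumed additions for
# key-chain and OSPF MD5 keys.
RULES = [
    ("password",           re.compile(r"(password ).*", re.IGNORECASE)),
    ("secret",             re.compile(r"(secret ).*", re.IGNORECASE)),
    ("community",          re.compile(r"(community )\S+", re.IGNORECASE)),
    ("tacacs-server key",  re.compile(r"(tacacs-server key ).*", re.IGNORECASE)),
    ("key-string",         re.compile(r"(key-string ).*", re.IGNORECASE)),
    ("message-digest-key", re.compile(r"(message-digest-key \d+ md5 ).*", re.IGNORECASE)),
]

# Residue of IOS encrypted-password tokens: "7 <hex>" (type 7) or a "$N$" hash
# prefix (types 5, 8, 9). Run against the stripped output to find misses.
LEFTOVER = re.compile(r"\b7 [0-9A-Fa-f]{4,}\b|\$[1589]\$")

# Constructed sample config; secrets are placeholders, not real values.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
!
hostname Router1
!
enable secret 5 $1$FAKE$placeholderhashvalue000
enable password 7 0123456789ABCDEF
!
username ijbrown password 7 0123456789ABCDEF
!
tacacs-server key 7 0123456789ABCDEF
!
key chain RIPKEYS
 key 1
  key-string 7 0123456789ABCDEF
!
interface Ethernet0
 ip ospf message-digest-key 1 md5 7 0123456789ABCDEF
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 password 7 0123456789ABCDEF
end
"""


def strip_config(text: str) -> tuple[str, dict[str, int]]:
    """Redact secrets in an IOS config; return (stripped text, per-rule counts)."""
    counts = {}
    for name, pattern in RULES:
        text, counts[name] = pattern.subn(r"\1", text)
    return text, counts


def leftover_secrets(text: str) -> list[str]:
    """Lines that still look like they carry an IOS encrypted password."""
    return [line for line in text.splitlines() if LEFTOVER.search(line)]


if __name__ == "__main__":
    # Usage mirrors the recipe: strip_config.py Router1-confg > Router1-stripped
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    stripped, counts = strip_config(source)
    sys.stdout.write(stripped)
    for line in leftover_secrets(stripped):
        print(f"WARNING: possible unredacted secret: {line.strip()}", file=sys.stderr)
```

Run with no argument to see the constructed sample stripped; the per-rule counts let you confirm that every secret-bearing command in a real config was hit by some rule, and the warnings on stderr flag any that were not.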


See Also

Recipe 3.2; Recipe 3.3; Recipe 3.5

Cisco IOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596527225
Year: 2004
Pages: 505