Cisco IOS Checker (SYNful Knock)

Overview:

This set of scripts downloads the running IOS image file from a Cisco router and generates a SHA hash of the downloaded image to compare against a stored, known-good value. The script logs to syslog on both successful and failed checks and also sends an email alert with more detailed information on the failure or success.

In the environment the script was written for, an NMS detects that a device has rebooted and triggers an HTTP POST to the server that runs the script (to the included PHP wrapper file); the BASH script can of course also be run directly from the CLI. In that setup the IOS checker script is started by the Apache user (or similar), so one may have to disable the storing of sent items for Mutt under the Apache user by adding "set copy=no" to /usr/share/httpd/.muttrc.

Operational in an estate of thousands of IOS, IOS-XE and ASA devices. IOS-XR and NX-OS are not supported. The script has an exceptions list for unsupported firmware versions (for example IOS-XR) and for very old IOS images for which no known-good hash is available; such images can be added to the exceptions list. These images are not checked, and a syslog message and email alert are sent as standard.

The server running the script needs to run a TFTP daemon unless all your devices support SCP. The script will try to log into the device using SSH (falling back to Telnet if SSH doesn't work), get the file name of the running firmware, then pull the file from the device to the server over SCP. If SCP fails it will log in to the CPE again and try to push the file from the CPE over TFTP back to the server.


Files:

  • firmware-checker.sh - The main BASH script, call it as "./firmware-checker.sh 10.0.0.1 'London Router 1'". This script will log into the router and grab the running firmware image name and path. It then orchestrates the downloading of the firmware file via one of the SCP or TFTP expect scripts.
  • firmware-checker.php - A PHP wrapper: if the BASH script is not run locally on the NMS server, an NMS can fire off an HTTP POST to trigger the download, passing the IOS device IP and name/description, which are in turn passed to the BASH script.
  • download-scp.sh - An expect script to download the IOS file using SCP
  • download-tftp.sh - An expect script to download the IOS file using TFTP
  • exceptions.txt - A list of firmware images which are to be skipped, such as those with no known-good SHA checksum


Operations:

The firmware-checker.sh script will try to connect to the device first via SSH, then via Telnet. It will attempt an SCP pull or, failing that, a TFTP push from the device to the TFTP server specified in the script (assumed to be local). There is a timeout value (7200 seconds by default) after which the called TFTP or SCP expect script is killed. This needs to be high enough for very remote devices with poor connections, but not too high, as a device can reboot while the transfer is in progress and leave the transfer hanging indefinitely.
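The following is an added example, not one of the project's own scripts, showing how the two mechanisms described on this page can be implemented in shell: the known-good hash comparison with exceptions-list handling and syslog logging from the Overview, and the watchdog timeout around the transfer step from the Operations section. The known-good list format, the image names, the sample file contents and the choice of SHA-256 are all assumptions made for illustration, and the email alert step is left out.

```shell
#!/bin/sh
# Added example, not one of the project's own scripts: the hash comparison,
# exceptions-list handling and transfer watchdog described in the README,
# implemented as shell functions. File formats, image names and the use of
# SHA-256 are assumptions; the email alert step is omitted.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
KNOWN_GOOD="$WORKDIR/known-good.txt"   # assumed format: "<sha256>  <image name>"
EXCEPTIONS="$WORKDIR/exceptions.txt"   # one image name per line
IMAGE_NAME="c2900-example-15.4.bin"    # constructed name, not a real Cisco image
IMAGE_FILE="$WORKDIR/$IMAGE_NAME"      # stands in for the downloaded image

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Constructed sample data: a fake image, its known-good hash and one exception.
printf 'constructed image contents\n' > "$IMAGE_FILE"
printf '%s  %s\n' "$(sha256_of "$IMAGE_FILE")" "$IMAGE_NAME" > "$KNOWN_GOOD"
printf 'old-image-no-hash.bin\n' > "$EXCEPTIONS"

# Log to syslog via logger when available, otherwise to stderr.
log_event() {
  logger -t firmware-checker -- "$1" 2>/dev/null || printf 'firmware-checker: %s\n' "$1" >&2
}

# Compare a downloaded image against the known-good list.
# Exit status: 0 = hash matches, 1 = MISMATCH (alert), 2 = image is in the
# exceptions list (skipped), 3 = no known-good hash recorded for this image.
check_image() {
  image_name=$1
  image_file=$2
  if grep -qxF -- "$image_name" "$EXCEPTIONS"; then
    log_event "SKIPPED $image_name: listed in exceptions"
    return 2
  fi
  expected=$(awk -v n="$image_name" '$2 == n { print $1 }' "$KNOWN_GOOD")
  if [ -z "$expected" ]; then
    log_event "UNKNOWN $image_name: no known-good hash on record"
    return 3
  fi
  actual=$(sha256_of "$image_file")
  if [ "$actual" = "$expected" ]; then
    log_event "OK $image_name: hash matches known-good value"
    return 0
  fi
  log_event "ALERT $image_name: hash mismatch expected=$expected actual=$actual"
  return 1
}

# Run a command (for example the SCP or TFTP expect script) under a watchdog
# that kills it after $1 seconds, so a device rebooting mid-transfer cannot
# leave the checker hanging. Returns the command's exit status, or 128+15
# when the watchdog had to terminate it.
run_with_timeout() {
  secs=$1
  shift
  "$@" &
  cmd_pid=$!
  ( sleep "$secs"; kill "$cmd_pid" 2>/dev/null ) &
  watchdog_pid=$!
  rc=0
  wait "$cmd_pid" || rc=$?
  kill "$watchdog_pid" 2>/dev/null || true
  return "$rc"
}

# Stand-alone demonstration: check the sample image and report the verdict.
if check_image "$IMAGE_NAME" "$IMAGE_FILE"; then
  echo "verdict: OK (status 0)"
else
  echo "verdict: not OK (status $?)"
fi
```

The exit status of check_image is what a wrapper would branch on: 0 needs no action, 1 is the alert case, and 2 or 3 correspond to the "skipped, notify as standard" path described above. run_with_timeout takes the timeout in seconds as its first argument, so the page's default maps to `run_with_timeout 7200 ./download-scp.sh ...`.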