Entering enable mode using JSch
Does anybody have any example code on how to enter enable mode when using JSch? I already have the script working for 95% of my devices, so i don’t want to have to switch to expect. The channel mode is currently exec, which i think is the issue. It’s trying to execute `enable\n${enable_pass}\n${cmd}` all at once and the device is choking on it. Would rather not have to switch to shell mode, but if there’s no way to do it without shell mode, i guess i’ll have to take a stab at it.Solved190Views13likes3CommentsRunning a Perl script on an AIX box over SSH?
Hi, We have an old monitoring system that we’re trying to decommission and move everything into LM. The current system connects to an AIX server using an SSH Key, and then runs a perl script that’s located in a particular folder. It then takes the output from that script and determines if there’s an alert condition to tell someone about. I need to move this same functionality into LM. I’m assuming the SSH access part shouldn’t be a big deal. I can either manually setup a username/password or I found into on putting a key in LM somewhere and using that. Once LM can connect to the server, can it launch a script file that’s located on the server? I’m not sure if I need to recreate the script inside of LM, or if it can just tell the server to execute the script it already has. If the script runs remotely, can LM then parse the returned data to determine if something is an error or not? If anyone has any tutorials or anything on how I can start working on this, let me know. I don’t know anything about scripting and LM and so far, don’t really know where to start. Thanks!Solved95Views15likes1Commentmodernize WebSSH client
One of our customers could not connect via the WebSSH client to a newly setup switch using modern SSH algorithms. I personally only rarely use that feature, but I tested it and traced the issue to: %SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 server ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 I added diffie-hellman-group14-sha1 to the switch KEX list, but would prefer to keep only modern algorithms active. Any chance we can get that client updated to negotiate newer algorithms? Security teams are more and more tight on what is allowed to operate within enterprise networks (for good reason). Thanks, Mark34Views4likes0CommentsSSH key for remote session in LogicMonitor
Info: Groovy script is the basefor the environment and certainly the target/end device must be a linux-based, be it a distro of Linux server/desktop or an appliance with linux-kernel firmware (err...it's basically almost every device then: firewalls, switches, IDS/IPS, LB, Apple devices, Android devices, etc....it seems all gadgets on the planet using linuxkernel) It is a request someyears ago (seems so long though, which actually is +2 years) by a LogicMonitor's Customer: /topic/524-ssh-key-based-auth-for-groovy-scripts-datasources/ Obviously, this is not an official datasourcecrafted by the amazing Monitoring Engineering team of LogicMonitor, but patting my own back, it suffices to say that it serves the purpose fora better security connecting remotely which has been a common best-practice by anyone whoenjoystext-basedcommand line remote session. SSH Key is used over the option of sending password due to the apparent reason of information security, although one might argue that the ssh password will be only between a LogicMonitor collector and the endpoint, within a supposed-to-be internal network. Yet asecurity best practice may dictate such usage regardless of the network. Before progressing further, however, there is a catch in using ssh key, which is the necessity for a deployment of public key to each target device. Simply put, every time SSH Keys are used for remote session between two devices, there will be private key and public key used for authentication process, hence no password needed. These keys are to be put in the devices, private key in the source device where the remote session is originated and public key in the endpoint. Private key is not for a share whilst public key is for any device that the source will need to connect, should the ssh key be used. The only hassle, even if it is considered to be one, is to load that public key on each target device (if there are many). From the security standpoint, that is totally not an issue and rather a compulsory instead. (As a comparison, by using ssh user and password, the process would be similar too, that is to create user and password in each target device). This practice is really not an ancient stuff and almost every cloud provider,AWS being the one, has that feature recommended (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html). In LogicMonitor case where I did the test, it is between a collector server/deviceand a monitored device (both happen to be Ubuntu 16 although Windows can be used for the collectoras well and on the other hand, definitely it can not be used for Windows target device, for the obviousreason). For my simple test, it is just to monitor a log file size which is asyslog. One thing worth noting is, remote session type of monitoring will certainly consume more resource of collector, as a matter of fact, every datasource using script will do. Besides, using this method, the processing time seems to increase by a little bit, compared with user/password,but I have not done any thorough observations though (not only that I do not intend to, since this is just a test, nor have I the environment huge enough to do a high load-test). Security and processing speed, they do not go in parallel for sure, especially considering the recent havoc by a processor company caused a nightmare for information security worldwide, bypassing security measure for the sake of increasing a speed of data processing. So here is the script which is basically running a command to throw output of a data from a file named 'dusyslog' in the remote device and a datapoint will capture it (datapoint name: size): import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.util.Properties; import com.jcraft.jsch.Channel; import com.jcraft.jsch.ChannelExec; import com.jcraft.jsch.JSch; import com.jcraft.jsch.Session; try{ String command = "cat dusyslog"; String host = hostProps.get("system.hostname"); String user = hostProps.get("ssh.user"); String key = hostProps.get("ssh.key"); JSch jsch = new JSch(); jsch.addIdentity(key); jsch.setConfig("StrictHostKeyChecking", "no"); Session session=jsch.getSession(user, host, 22); session.connect(); Channel channel = session.openChannel("exec"); channel.setCommand(command); channel.setErrStream(System.err); channel.connect(); InputStream input = channel.getInputStream(); channel.connect(); try{ InputStreamReader inputReader = new InputStreamReader(input); BufferedReader bufferedReader = new BufferedReader(inputReader); String line = null; while((line = bufferedReader.readLine()) != null){ println(line); } bufferedReader.close(); inputReader.close(); }catch(IOException err){ err.printStackTrace(); } channel.disconnect(); session.disconnect(); }catch(Exception err){ err.printStackTrace(); } The first thing you can notice is I am using : jsch.addIdentity(key) for adding the key file into the session for authentication. So what is this file? it is the private key file residing in a secureplace in collector server. You need to make sure the file 'dwelleth in the secret place of the most Highand shall abide under the shadow of the Almighty'.I really mean it that the private key should not be exposed to the world. But of course, I make it sound like a very serious security matter :)/emoticons/smile@2x.png 2x" title=":)" width="20">So just to make sure that file is given limited permission for collector service to access is sufficient. Undoubtedly the script is not built by myself from scratch but I have made some modification so it is safe to be copyrighted by me and you have the 'the right to copy' & enhance it if you need to and providing me a treat of coffee would be highly appreciated. Further to that, this part: key = hostProps.get("ssh.key"); as per normal, is defined at the device property and following is the sample from my test: Linux device: /security/key Windows device: C:\\security\\key Note: you can add an additional security to disguise the location of the file too and that folder "security" is not the original folder where the private key resides. This is for paranoid security practitioners. (But as I usually joke with friends in the IT field, the best data security was during WordStar era, before Windows 3.11 came and before tcp/ip was introduced to home users :)/emoticons/smile@2x.png 2x" title=":)" width="20">). Below are some screenshots from the implementation:497Views1like2CommentsHTTPS Remote Access
I'm currently new to LogicMonitor. I think LM has done a pretty good job on their monitoring tool. I love how we could manage our network devices thru SSH remote access from the management console. Without LM, we would have to VPN to our internal network, and then SSH to the network devices from there. One downside about LM is that we couldn't manage network devices thru HTTPS (GUI). Nowadays, new technologies like firewalls are managed by HTTPS/SSH. I would love to have HTTPS remote access right from the management console. It would be much easier and faster to gain access to the GUI interface. I have tested Auvik monitoring software on the HTTPS, it was nice and smooth. This would be one of the nice feature that LM should provide. Thanks, Pao4Views3likes3CommentsIs there a way to have the remote session relay open a putty session
Hello, i was wondering if someone knows if it is possible to have a way for LM to open up a relay using a program such as putty rather than in the browser. I understand that this may not be possible. It is more of a QoL rather than a necessity. Preferably i would like the local users SSH application(putty, etc) and LM Remote session web to be usable. such as a 2nd button or an option to use either one after pressing the Remote Sessions button.1View1like1Comment