Random configuration analysis
By stretch | Wednesday, August 26, 2009 at 4:16 a.m. UTC
Something funny happened recently. In the course of routine server maintenance, I discovered a bug with the nipper web front-end I had written for convenient configuration file auditing. When a text file is uploaded, it is temporarily written to disk so that the nipper executable can generate a pretty report. Ideally, the uploaded file is deleted even before the report is sent back to the requester. The line of code responsible for this action, however, has been silently failing to delete these files for the last year or so. As a result, I find myself with 2,184 random device configuration files submitted from all over the world.
If you've uploaded any sensitive or unsanitized configs to the parser (shame on you) you needn't worry; the configs are as good as deleted. However, I thought it might be interesting to do a half-assed (anonymous) analysis of what's been uploaded.
First, some statistics:
$ ls | wc -l 2184 $ du -sh . 71M . $ ls -l | head -n 2 total 72008 -rw-r--r-- 1 stretch users 78281 Sep 14 2008 plnipper_20080914145016_PCykyD6m
That's 2,184 raw files (not necessarily valid configs) totaling 71 MB, the earliest of which is from 14 September 2008. After doing a spot-pruning of junk files (including tiny config bits, random terminal scripts, a copy of the cheat sheets zip archive someone was helpful enough to upload for safe keeping, and this), we're down to 2,147 files (65 MB).
So, what interesting numbers can we come up with?
Device types and versions:
$ grep -ire "^version 12.4" . | wc -l 538 $ grep -ire "^version 12.3" . | wc -l 174 $ grep -ire "^version 12.2" . | wc -l 551 $ grep -ire "^version 12.1" . | wc -l 134 $ grep -ire "^version 12.0" . | wc -l 48 $ grep -ire "^version 11" . | wc -l 8 $ grep -ire "#version" . | wc -l 9 $ grep -ire "^PIX Version" . | wc -l 90 $ grep -ire "ASA version" . | wc -l 98
Plain text passwords:
$ grep -ire " password 0 " . | wc -l 178 $ grep -ire "^enable secret [^5]" . | wc -l 58
That's not too bad, but it indicates that the password-encryption service is disabled far more often than I would have thought.
$ grep -ire "^no service password-encryption$" . | wc -l 96
How about obfuscated (yet trivially reversed) passwords?
$ grep -ire " password 7 " . | wc -l 4099
Ouch. Of course some of these passwords have been prudently removed by a responsible human before the config was uploaded, but from reviewing the matched lines in full (versus just the count) I can verify that it is a very small minority.
Hoping these are lab devices:
$ grep -ire " password 0 cisco[0-9]*" . | wc -l 37 $ grep -ire "^enable secret cisco[0-9]*" . | wc -l 8
Legacy passwords only:
$ grep -ire "^no aaa new-model" . | wc -l 503
Well-known SNMP communities:
$ grep -ire "^snmp-server community public " . | wc -l 138 $ grep -ire "^snmp-server community private " . | wc -l 39 $ grep -ire "^snmp-server community public RO$" . | wc -l 27 $ grep -ire "^snmp-server community private RW$" . | wc -l 3
IPv6 (I was really hoping these would be higher):
$ grep -ire "^ipv6 unicast-routing" . | wc -l 22 $ grep -ire " ipv6 address " . | wc -l 138
$ grep -ire "^router rip" . | wc -l 123 $ grep -ire "^router eigrp" . | wc -l 312 $ grep -ire "^router ospf" . | wc -l 401 $ grep -ire "^router isis" . | wc -l 22 $ grep -ire "^router bgp" . | wc -l 202
Telnet and SSH:
$ grep -ire "transport input telnet" . | wc -l 590 $ grep -ire "transport input ssh" . | wc -l 611 $ grep -ire "transport input all" . | wc -l 133
And finally, by far the most shockingly low count:
$ grep -ire "fuck" . | wc -l 1
If anyone has any other suggestions for interesting numbers before I delete archive, be sure to mention them in a comment.
Posted in Random
August 26, 2009 at 4:55 a.m. UTC
You should check to see which 12.2 configs are from routers and which are from switches. I'd like to see how many routers are running an outdated 12.2, without the current 12.2 switch IOS changing the results.
August 26, 2009 at 6:40 a.m. UTC
some interesting lines:
"tacacs-server" vs "radius-server"
"^access-list" vs "^ip access-list"
"no service password-recovery"
thus we will see how wide features from 12.4 are adopted:
August 26, 2009 at 7:21 a.m. UTC
$ grep -ire "fuck" . | wc -l 1
August 26, 2009 at 12:50 p.m. UTC
grep -ire "fuck" . | wc -l
grep -irec "fuck" .
August 26, 2009 at 2:22 p.m. UTC
Great use of an accidental archive of data.
Rather than out and out deleting it, why don't you archive the data in something like an offline password protected zip (or the likes) so that you could go back and run more queries later? Just a thought.
Grant. . . .
P.S. Keep up the great blog.
August 26, 2009 at 3:05 p.m. UTC
@Paul: You can't put c after the e (unless you're grepping for c).
grep -irce "fuck"
or the mnemonic
grep -rice "fuck"
August 26, 2009 at 3:46 p.m. UTC
can you check this command "mac-address-table unicast-flood limit 3 vlan 100 filter 5" i have doubt about the "filter" keyword,can you give an expanation? thank you
August 26, 2009 at 5:48 p.m. UTC
Ouch, some of those statistics are sad.
You may consider adding an option to the script, allowing the submiter to have the config included in anonymous statistics similar to what you already collected. You could then keep a running tally with a stats page. Might be kind of interesting if enough people would agree to that.
August 28, 2009 at 8:18 p.m. UTC
Well, there's an article idea for you.. how to not configure.
Not that I need it or anything.. ahem. :)
August 29, 2009 at 7:20 p.m. UTC
The following would be intresting too:
^ip http server ^ip http secure-server ^ access-class (invert grep) ^no cdp run ^ip dns server ^ip sla responder|^rtr responder ^service internal ^ip ssh version 2
September 27, 2009 at 7:56 a.m. UTC
That's very interesting... Rather than delete the archive, I would suggest running the files through a filter, to, you know... filter out passwords& keys & anonymize any public IPs.
Some more interesting things to look for may occur later.
eg. How many of those bgp device configs had a maxas-limit spec'ed out?
How many use TTL-based security, peer md5 auth.. authentication with their ospf?
How many of those devices use proxy arp? How many have logging left disabled, or enabled to, say a syslog server?
And there's some interesting trending you could do also, maybe...
E.g. Has there been any change over time, in the versions being used, or telnet/ssh protocol?
Were just as many configs (proportionally) at the beginning of the year still using telnet towards the end of 2009? Or was there a trend towards more SSH use?
I would hope that there would be a trend away from use of the earlier versions, but it's tough to tell, unless you can make a scatterplot, based on version numbers and times that configs using those version numbers got entered.
That is, if you still have timestamps for the files