Forum Discussion
soh13_111731
Nimbostratus
Dec 17, 2007
GTM Backups to external server
I am new to this forum so please be gentle. I was wondering if anyone has a script that I could use/modify that would allow me to pull the ucs files off of the GTM servers and store on our external ut...
hoolio
Cirrostratus
Dec 18, 2007
Hi,
Attached is the UCS backup and export script I was testing. It has some added functionality you wouldn't need on a GTM, but it should work as it is.
It runs on the BIG-IP and creates a UCS archive in the /var/local/ucs directory with the format: HOSTNAME_VERSION_DATE.ucs. It was written for a customer who was using ASM on some of their units. So it checks to see if another script which exports the ASM security policies to a separate tar archive is present on the unit. If it is, the policy export script is run. If it isn't present, then the UCS backup script just creates a UCS archive and attempts to SCP it to a remote server.
Here are the configuration requirements:
```perl
#!/usr/bin/perl
#
# BIG-IP configuration save and export
# v1.0.5 - 06 Aug 2007
#
# Objectives:
#   - Create a configuration backup of the BIG-IP to a UCS file
#   - Create a backup of the active ASM security policies if the unit has ASM enabled
#   - Copy the backup files to a remote host via SCP
#
# Tested on BIG-IP and BIG-IP ASM versions: 9.2.4, 9.4.1
#
# Configuration requirements:
#
# 1. SSH public key authentication must be configured so that the SCP user (defined by SCP_USER in this script)
#    can SSH/SCP from this BIG-IP to a remote SSHD server without password prompts.
#
#    By default, this script uses the existing root SSH private/public key pair from /var/ssh/root/
#    "identity" (private key) and "identity.pub" (public).
#
#    To configure password-less authentication, append the client "identity.pub" key from the BIG-IP
#    to the authorized_keys file in the SCP server's SCP user home directory
#       ~/.ssh/authorized_keys
#
#    You could also generate your own key using the following steps:
#
#    a. On the BIG-IP, generate a new public and private key pair:
#          ssh-keygen -t rsa -b 2048 -C `hostname` -f ~/.ssh/`hostname`
#       (Do not enter a passphrase)
#
#    b. On the BIG-IP, change the permissions on the keys to root read/write access only:
#          chmod 600 ~/.ssh/`hostname`*
#
#    c. Copy the ~/.ssh/`hostname`.pub public key from the BIG-IP to the SCP server and
#       append the key to the ~/.ssh/authorized_keys file:
#          cat ~/.ssh/`hostname`.pub | ssh SCP_SERVER 'cat >> ~/.ssh/authorized_keys'
#
#    d. Verify public key authorization is configured so that you aren't prompted for a password:
#          ssh -i /path/to/ssh.key SCP_USERNAME@SCP_HOST
#
# 2. For units with ASM licensed, a copy of the all_policy_export.pl script should be saved
#    and configured in this script as:
#       ALL_POLICY_EXPORT_SCRIPT => '/path/to/all_policy_export.pl'
#
# Aaron Hooley - (hooley at gmail dot com)
```
The ASM policy export script is in the codeshare (Click here).
I tested this quite a bit, but I'm no Perl expert. Let me know if you try it and run into any issues or have suggestions.
Thanks,
Aaron
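The key prerequisites and the SCP step from the script header above, as an added shell example that is not part of Aaron's script or the original post: it refuses to use a private key that is not owner-only, uses BatchMode so SSH fails instead of prompting, and compares archive sizes after the copy. The key path, user@host, remote directory and the date format in the sample name are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not the original Perl script. Key path, user@host and
# remote directory are placeholders supplied by the caller (assumptions).

# Archive name in the HOSTNAME_VERSION_DATE.ucs format described in the post.
ucs_name() {    # $1=hostname  $2=version  $3=date
    printf '%s_%s_%s.ucs\n' "$1" "$2" "$3"
}

# Step b: the passphrase-less private key must be readable by its owner only.
key_is_private() {    # $1=private key path
    [ -f "$1" ] || { echo "missing key: $1" >&2; return 1; }
    mode=$(stat -c '%a' "$1") || return 1    # GNU stat (assumption)
    case $mode in
        600|400) return 0 ;;
        *) echo "key $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Step d without a prompt: BatchMode makes ssh fail instead of asking
# for a password when public key authentication is not set up.
can_login() {    # $1=key  $2=user@host
    ssh -i "$1" -o BatchMode=yes -o ConnectTimeout=10 "$2" true
}

# Copy one archive and confirm the remote copy has the same size.
push_ucs() {    # $1=key  $2=user@host  $3=local archive  $4=remote dir
    key_is_private "$1" || return 1
    [ -s "$3" ] || { echo "empty or missing archive: $3" >&2; return 1; }
    can_login "$1" "$2" || { echo "key login to $2 failed" >&2; return 1; }
    scp -q -i "$1" -o BatchMode=yes "$3" "$2:$4/" || return 1
    local_size=$(wc -c < "$3")
    remote_size=$(ssh -i "$1" -o BatchMode=yes "$2" \
        "wc -c < '$4/$(basename "$3")'") || return 1
    [ "$local_size" -eq "$remote_size" ] || {
        echo "size mismatch: local $local_size, remote $remote_size" >&2
        return 1
    }
}

# Example call (constructed values):
#   push_ucs ~/.ssh/"$(hostname)" SCP_USERNAME@SCP_HOST \
#       "/var/local/ucs/$(ucs_name "$(hostname)" 9.4.1 20070806)" /backups
```

Because the key has no passphrase, anyone who can read the file can log in as the SCP user, so the mode check runs before every transfer.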