dru145 has asked for the wisdom of the Perl Monks concerning the following question:

Hey Monks,

I am fairly new to Perl, with not very much programming experience. Well, basically here is my situation. We have two firewalls both running Checkpoint Firewall-1. One is the primary in production and the other is on the network, but acting as a hot standby. Right now, if the primary fails, then we have to reconfigure the secondary manually with the primary's IPs and bring it up. I would like to automate this process. Here is what I would like to automate:

1.) Have the secondary firewall periodically ping the primary to see if it is up. Even better have the secondary firewall ssh (since it is a firewall, I don't want to use telnet) to the primary and test to see if the firewall daemon is running.

2.) If the firewall daemon is not running, then have the secondary run a: ifconfig -a down on the primary and run a script on itself that will bring up its interfaces with the IPs of the primary and install the latest rulebase.

I know there are some products that will do this and much more, but right now there is no money in our budget for it, so I figured I would try to write a script to do this automatically.

Can this be done in Perl? Can somebody with a little Perl experience, but a lot of determination, do it? Which modules should I use?

Thanks in advance for any help. If I come up with something that works, I will post it here.

-Dru

Edit 2001-05-30 by mirod: changed the title

Re: Is this possible in Perl?
by petdance (Parson) on May 29, 2001 at 23:29 UTC
    Check the CPAN. There are modules for Telnet and SSH, and you can easily run things with regularity using cron or a Windows-based equivalent.

    xoxo,
    Andy

    %_=split/;/,".;;n;u;e;ot;t;her;c; ".   #   Andy Lester
    'Perl ;@; a;a;j;m;er;y;t;p;n;d;s;o;'.  #   http://petdance.com
    "hack";print map delete$_{$_},split//,q<   andy@petdance.com   >
    
(Ovid) Re: Is this possible in Perl?
by Ovid (Cardinal) on May 30, 2001 at 03:40 UTC

    dru145 wrote:

    Even better have the secondary firewall ssh (since it is a firewall, I don't want to use telnet) to the primary and test to see if the firewall daemon is running.

    This doesn't answer your question, but I would be concerned about even allowing SSH to run on a firewall. Maximum security can be gained by ensuring that a person must be physically present at the firewall to do anything with it. Any time a remote connection is allowed, security is weakened.

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

      Of course you can configure your ruleset, so SSH connections are only allowed from a certain (local) IP, which kinda minimizes the chances once again :)

      As a personal touch: my firewall box is in my basement, I don't like spending time there a lot :)

      Greetz
      Beatnik
      ... Quidquid perl dictum sit, altum viditur.
Re: Is this possible in Perl?
by malloc (Pilgrim) on May 30, 2001 at 00:24 UTC
    Well, part one should be easy with the aforementioned modules, and for part two you would just have to change the relevant files (/etc/hostname.hmeX, /etc/hosts, /etc/netmasks on Solaris; /etc/sysconfig/network, /etc/resolv.conf, /etc/sysconfig/network-scripts/ifcfg-ethX for Linux) and restart the network; this can be done in very few lines using perl -i to edit these files and restart the network.

    #!perl -i
    @ARGV = ("/etc/hosts");
    while(<>){
        s/OLDIP/NEWIP;             # change the ip
        s/OLDHOSTNAME/NEWHOSTNAME; # change the hostname
        print;
    }
    # repeat a while loop like this for all of the network files.
    Hope this helps. -malloc

      You're missing some slashes there.

      s/OLDIP/NEWIP/; s/OLDHOSTNAME/NEWHOSTNAME/;
      mmm, untested perl code...
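The in-place rewrite malloc describes, as an added example that is not his or dru145's code. The IPs, hostnames and file list are constructed placeholders; it assumes only core Perl (the `$^I` variable is what `perl -i` sets), and it escapes the dots in the IP so `192.168.2.3` cannot also rewrite `192.168.2.30` or `10.192.168.2.3`.

```perl
#!/usr/bin/perl
# Added example: swap the primary's address and hostname into the standby's
# network files, keeping a .bak copy of each file and matching exactly.
use strict;
use warnings;

# Constructed sample values; the real ones come from the primary's config.
my $old_ip   = '192.168.2.3';
my $new_ip   = '192.168.2.4';
my $old_name = 'fw-primary';
my $new_name = 'fw-standby';

# Linux layout from the post above; files given on the command line win.
my @files = @ARGV ? @ARGV : ('/etc/hosts', '/etc/sysconfig/network');

# Rewrite one line. \Q...\E makes the dots literal (an unescaped "." matches
# any character), and the lookarounds refuse a match that is really part of
# a longer address such as 192.168.2.30 or 10.192.168.2.3.
sub rewrite_line {
    my ($line) = @_;
    $line =~ s/(?<![\d.])\Q$old_ip\E(?![\d.])/$new_ip/g;
    $line =~ s/\b\Q$old_name\E\b/$new_name/g;
    return $line;
}

for my $file (@files) {
    -e $file or die "$file does not exist\n";
    local $^I   = '.bak';    # same as perl -i.bak: original kept as $file.bak
    local @ARGV = ($file);   # the <> loop reads and rewrites just this file
    while (my $line = <>) {
        print rewrite_line($line);
    }
}
```

Run it once per file set and diff each `.bak` against the rewritten file before restarting the network, so a pattern that matched more than intended is caught while the backup is still there.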

Re: Is this possible in Perl?
by Anonymous Monk on May 29, 2001 at 23:32 UTC
    I don't know this particular product, but I think you will never find the "firewall daemon running" because firewall is a function of the kernel, which will be configured by the daemon.
      It's pretty normal you don't know it, since it's kinda expensive :) Just assume you can check if it's running by checking the process table.

      As a sidenote, Net::SSH::Perl is probably what you need. Net::SSH doesn't have all the gimmicks.

      Greetz
      Beatnik
      ... Quidquid perl dictum sit, altum viditur.
Re: Is this possible in Perl?
by asiufy (Monk) on May 30, 2001 at 02:47 UTC
    Not entirely Perl-related (or -based), but still worth reading though, as it does exactly what you want (and more):

    Linux Virtual Server Project
Re: Monitoring a firewall using ssh (was: Is this possible in Perl?)
by dru145 (Friar) on May 31, 2001 at 01:37 UTC

    I was able to get the SSH module working and I could connect to my other machine and check to see if Firewall daemon was running. The while loop that was in the README example worked correctly, but I would like to throw in an if..else statement, but I can't get it working.

    Also, can somebody explain to me what the READER and WRITER functions do in this module?

    I'm pleased that I got this far without having to post. I'm trying to hold out until I absolutely don't have a clue.

    I appreciate the help.

    -Dru

    #!/usr/bin/perl
    use Net::SSH qw(sshopen2);
    use strict;

    my $user = "jdrury";
    my $host = "192.168.2.3";
    my $cmd  = "ps -ef | grep -v grep |grep fwd";

    sshopen2("$user\@$host", *READER, *WRITER, $cmd) || die "ssh: $!";

    # Example from README
    #
    # while (<READER>) {
    #     chomp();
    #     print "$_\n";
    # }

    if ($cmd) {
        print "FWD is running\n";
    } else {
        print "FWD is not running!!\n";
    }

    close(READER);
    close(WRITER);
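The check dru145 is after, as an added example that is not his script: READER is the filehandle on which the remote command's standard output arrives and WRITER feeds its standard input, so the decision has to be made on what comes back through READER (the post's `if ($cmd)` only tests that the command string is non-empty, which is always true). It keeps the user and host from the post, assumes Net::SSH's `sshopen2` returns the pid of the ssh child as IPC::Open2 does underneath, and uses a `grep "[f]wd"` pattern so grep cannot match its own process.

```perl
#!/usr/bin/perl
# Added example: decide whether fwd runs on the primary from the ssh output,
# and keep the matching separate from the ssh call so it can be tried on a
# captured ps listing without a remote host.
use strict;
use warnings;
use Net::SSH qw(sshopen2);

my $user = 'jdrury';          # from the post above
my $host = '192.168.2.3';
my $cmd  = 'ps -ef | grep "[f]wd"';   # "[f]wd" never matches the grep itself

# Count process-table lines that name the daemon as a whole word.
sub count_fwd_lines {
    my @lines = @_;
    return scalar grep { /\bfwd\b/ } @lines;
}

# Run $command on $target over ssh and return its stdout lines.
# READER receives the remote stdout, WRITER feeds its stdin (unused here).
sub remote_lines {
    my ($target, $command) = @_;
    my $pid = sshopen2($target, *READER, *WRITER, $command)
        or die "ssh to $target failed: $!";
    close WRITER;               # nothing to send; let the remote see EOF
    my @out = <READER>;
    close READER;
    waitpid $pid, 0;            # reap ssh; $? >> 8 is its exit status
    my $status = $? >> 8;
    warn "ssh/ps on $target exited with status $status\n" if $status > 1;
    return @out;
}

my @lines = remote_lines("$user\@$host", $cmd);
if (count_fwd_lines(@lines)) {
    print "FWD is running (", scalar(@lines), " process(es))\n";
} else {
    # No fwd line came back: the daemon is down, or ssh/ps itself failed;
    # the warning above tells those two cases apart before any failover.
    print "FWD is not running!!\n";
}
```

A grep that matches nothing exits 1, so only a status above 1 (ssh could not connect, ps failed) is reported as an error rather than as "not running".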