Authenticating SSH between CentOS & Cisco appliances - python

I am new to scripting, so please forgive this question. Having done extensive research, I am not able to find a suitable solution.
Currently I have a Python script which is required to SSH from CentOS into Cisco (and other) firewall appliances. Once logged in, certain actions are carried out.
Currently, we are storing our username and password in a plaintext file and calling that file when the Python script requires it.
However, if the CentOS server is compromised, the attacker now has access to the plaintext credentials to the firewall and would be able to get the IP address from the Python script.
I have looked at using SSH-Agent as a means of bypassing passwords, however, if the CentOS server is compromised won't the attacker still be able to access the firewall through the Python script?
Really, I am looking for a way to protect the firewall from unauthorized access, should the CentOS server be compromised. I have also considered using obfuscation, but it doesn't seem suitable. I am wondering what options I have here.
Sorry for my bad English.

Related

Python Remote Command line

How do I set up a local server such that whenever someone telnets in to the server at the specified port number, a Python command line is displayed at the specified location on the remote machine, so that I can remotely run my Python modules?
I'm new to Python, so please enlighten me whether this is possible. If so, how?
It is more a question about how to invoke a program when someone connects to a telnet server. The program could be written in any language (including, but not restricted to python). The answer depends on the operating system of the remote server. You also have to differentiate if you want to have this behavior for all users that log in, or only to some users.
WMI might be the answer you want. And here is a good tutorial.

Login to Host system from vm-ware guest system using Python

I have a situation: I want to copy some files from the host system (which is Win7) to the guest system (a VMware image of WinXP). For that I have created a Python script, but my script only copies files and fails whenever the host system's credentials are changed (particularly the password). I'm using the "Remember me" option when the dialog for credentials is prompted.
But I was wondering, is there any particular way to log in to the host system without being prompted for credentials? As I'm running VMware inside the host, which means I have already logged into it, why is a password necessary?
If that won't do, say because of security reasons or anything else, is there any other way to log in from a Python script to the host system?
Also, I want to improve my script a little bit. Currently I'm using my host system's IP address to access those particular folders. Is there any alternative to the IP address, because my machine's IP address also changes randomly at any time (I'm stunned when this happens. I don't know the reason. Please help me to make this constant). Can I use the computer's name instead of the IP?
I want to do everything automatically so don't want to use 'Shared Folder' option.
Any answer or help will be appreciated.
Thanks in advance.

How does python fabric protect ssh credentials?

So I've recently stumbled upon python fabric api and have been really happy with how it can help me with day-to-day sysadmin tasks. I would like to start using it at work but it is a very security-conscious environment. I was wondering how fabric handles the ssh password you provide to it while it runs its tasks? I'm assuming it plonks it in memory somewhere and pulls it out when required to login to the next host in env.hosts? How does it protect this password while in memory?
I can see I'm going to be asked lots of questions along these lines so I'm looking for a nice way to explain to security-minded type of people that fabric is nice and friendly and doesn't pose a risk or at least no more of a risk than anything else we already have :)
I looked briefly through the source #dm03514 referenced and I believe you are correct in that if and when fabric needs to prompt interactively for a password, it will read it into memory and store it for the duration of the fabric python process. The way to address your concern is not with fabric itself but with ensuring your ssh infrastructure is using keys instead of passphrases and ssh agent forwarding where appropriate. Use encrypted ssh keys and ssh-agent to unlock them and fabric will be able to utilize that same mechanism and thus avoid ssh passwords getting involved at all. For sudo passwords, you'll either have to allow passwordless sudo or accept the risk of fabric having the sudo password in memory while it is working.

How do I access a remote filesystem using Python on Windows?

I'm writing a Python script to access all computers on the network, log in to them and read some log files. I don't want to use something as low-level as socket, but I can if I must. I realize that my problem is similar to this question, but not the same.
Are there any modules for accessing external Windows machines?
Has anyone done anything like this before?
I'm specifically looking to log into Windows 7 machines, not unix.
Let's also assume that each computer I want to log into has Remote Desktop installed and enabled. I'm also not worried about network security or encryption because these files are not confidential. Windows machines don't have SSH installed on them by default, do they?
There has to be something on the other side for you to talk to. This limits you to either setting up a "server" on each machine, installing a real server (i.e. sshd), building a "server" yourself and installing it, or using a built in and active feature of the OS.
Based upon this, what kind of system do you want to set up on these machines? What does it need to do? Just read the contents of a prespecified file list? Will that list change?
One solution is to turn on telnet, and use paramiko or twisted to talk across it. This isn't very secure, of course.
Next up, set up a samba share, and access the folder remotely. This is also insecure, though less so than telnet.
You could find an ssh daemon port and run that, if you are so inclined.
Psexec from sysinternals might work.
Use twisted to build a server app with the features you need.
Use ncat to listen on a port and spawn a cmd prompt.
Be aware that most of the solutions for accessing windows remotely are... poor. The best solution is probably to roll your own, but that is hard work and you will probably make mistakes.
Also, Windows 7 is not exactly multi-user friendly. Individual processes can run as separate users, but the OS does not support having multiple users logged in at the same time. Someone is going to be the "user" and everyone else is just a process with a different credential set.
This is more an artificial limitation on M$'s part than anything technical. To see this in action, try to log in with RDP while a user is logged in locally. Fun times.
Per your edit, the easiest thing to do is just set up a samba share on the box.
After this share is set up:
    # Read the log file over the UNC path exposed by the share
    with open(r'\\myCompNameOrIP\C\windows\logs\logfile.txt', 'rb') as logfile:
        loglines = logfile.readlines()
Or you can use the gencat sample found here. Just give it r'\\myCompNameOrIP\C\windows\logs\*.txt' as the search path and watch the magic.
From Ubuntu I use samba:
In Bash:
gvfs-mount smb://them/folder
Here I give name, domain and password
Then in python:
folder = '/home/me/.gvfs/folder on them'
using the os module I read folders and files inside.
I am working in a small business environment.
Why not have each of the computers send the log file to the central computer?

Logging into a server and parsing files on that server with Python

I would like to be able to use a Python script that I wrote to search files to log in to an Ubuntu server that's password protected (for which I have credentials), and search files on that server. Is there a straightforward way to accomplish this?
To log in and run remote terminal commands through Python, you should use either paramiko or pexpect. Pexpect is not touched very much by Noah these days... I'm starting to wonder whether he is abandoning it.
The other way is to sftp the files from the remote server to your local machine... paramiko is useful for that as well.
