At my place of employment, we have a WAN connecting several remote
locations. These remote locations have Cisco routers connected via ISDN,
or in some instances, Centrex data circuits, to provide Internet and WAN
connectivity. Cisco router products allow using TFTP (Trivial File
Transfer Protocol) on a network server to read and write
configuration files. Whenever a router configuration is changed, it is
important to save the configuration file on the Linux server so that a
backup is maintained.

Please note that Red Hat disables the TFTP service by default,
because it can be a real security hole if not configured properly: the
TFTP daemon allows anyone who can reach it to read and write files without
performing any authentication, so the only controls you have are which
hosts can reach the daemon and which directory it may touch. The way I
personally set things up is to create a ``/tftpboot/'' directory, owned
by root, and then modify the existing configuration line in the
``/etc/inetd.conf'' file to specify the file location:

tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /tftpboot

(The first field is the service name exactly as it appears in
``/etc/services'', which is ``tftp''; inetd will not start the daemon if
the name does not match.)
Note: Adding the ``/tftpboot'' path at the end of
the above line specifically indicates where the TFTP daemon is allowed to
access files. Although you can actually leave this part out and allow
TFTP to access files anywhere on your system, as TFTP is considered
somewhat of a security risk, this would be a very bad
idea: without the restriction, any host that can send a packet to UDP
port 69 can fetch any world-readable file on the server (``/etc/passwd'',
for instance) and overwrite any world-writable one.
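The inetd line above starts the daemon through ``tcpd'', so the TCP wrappers access files can also limit which hosts may reach it at all, which the directory argument cannot do. The following pair of entries is an added example, not part of the original page: a deny-everything ``/etc/hosts.deny'' beside a ``/etc/hosts.allow'' that admits only the routers. The router addresses shown are assumed placeholders; substitute the WAN address each router sources its TFTP requests from.

```text
# /etc/hosts.deny -- refuse the TFTP daemon to everyone not listed in hosts.allow
in.tftpd: ALL

# /etc/hosts.allow -- only the routers may start a TFTP session
# (123.12.41.1 and 123.12.41.2 are assumed placeholder router addresses)
in.tftpd: 123.12.41.1, 123.12.41.2
```

``tcpd'' is consulted when inetd hands it the request that starts ``in.tftpd'', so keep the ``/tftpboot'' restriction on the inetd line as well; the two controls answer different questions (who may talk to the daemon, and what it may touch once started).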
Once you have enabled the TFTP service, don't forget to restart the INETD
daemon (or send it a HUP signal) so that it recognizes whatever changes you
have made to the inetd.conf file.

Creating a backup of a router configuration file involves a 3-step
process: setting permissions on an existing file (or creating a new one)
to allow writes, writing the backup file, and then resetting permissions
to restrict access to the file. The daemon will only write to a file that
already exists and is world-writable, which is why the first ``chmod'' in
the session below fails and the file has to be created with ``touch''
first. Keep that window short: while the file is world-writable and
world-readable, anyone who can reach the TFTP port can overwrite it or
read the saved configuration, which may contain the router's passwords
and SNMP community strings, and the telnet session itself, enable
password included, travels in the clear. (Later IOS releases replace
``write network'' with ``copy running-config tftp:''; the server side is
the same.) An example router backup session follows:

mail:~# cd /tftpboot
mail:/tftpboot# chmod a+w xyzrouter-confg
chmod: xyzrouter-confg: No such file or directory
mail:/tftpboot# touch xyzrouter-confg
mail:/tftpboot# chmod a+w xyzrouter-confg
mail:/tftpboot# telnet xyzrouter
Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# write network
Remote host []? 123.12.41.41
Name of configuration file to write [xyzrouter-confg]?
Write file xyzrouter-confg on host 123.12.41.41? [confirm]
Building configuration...
Writing xyzrouter-confg !! [OK]
xyzrouter# exit
Connection closed by foreign host.
mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg
mail:/tftpboot# exit
In case of router failure (caused, for example, by a power surge
during a lightning storm), these backup files can be helpful to reload the
router configuration. Again, restoring from a configuration file involves
a 3-step process: setting permissions on the existing file to allow reads,
loading the file, and then resetting permissions to restrict access to the
file. Note that ``config network'' merges the file into the running
configuration, and the final ``write'' saves that running configuration
to NVRAM so it survives the next reload. (On later IOS releases the
equivalent is ``copy tftp: running-config''.) An example router
restoration session follows.

mail:~# cd /tftpboot
mail:/tftpboot# chmod a+r xyzrouter-confg
mail:/tftpboot# telnet xyzrouter
Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# config network
Host or network configuration file [host]?
Address of remote host [255.255.255.255]? 123.12.41.41
Name of configuration file [xyzrouter-confg]?
Configure using xyzrouter-confg from 123.12.41.41? [confirm]
Loading xyzrouter-confg from 123.12.41.41 (via BRI0): !
[OK - 1265/32723 bytes]
xyzrouter# write
xyzrouter# exit
Connection closed by foreign host.
mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg
mail:/tftpboot# exit
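Both the backup and the restore sessions above are the same three moves around one file: open it up, let the router transfer, lock it down again. The shell helpers below are an added example, not part of the original page, that make those moves explicit, keep a dated copy of each backup, and check the result of a ``write network'' before it is trusted (an interrupted transfer leaves a truncated file under the same name). They assume a netkit-style ``in.tftpd'' that only writes to an existing, world-writable file (as the failed ``chmod'' in the backup session shows), and read the directory from a TFTP_DIR variable that defaults to the ``/tftpboot'' used above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers around the
# open/transfer/lock sequence used with in.tftpd and "write network".
# Assumption: netkit-style tftpd (writes only to an existing 0666 file,
# reads only world-readable files). TFTP_DIR defaults to the page's
# /tftpboot and can be overridden for testing.

TFTP_DIR="${TFTP_DIR:-/tftpboot}"

# Backup, step 1: make sure the target exists and open it for writes.
# Explicit 0666 rather than "a+w" so the result does not depend on umask.
tftp_open_for_write() {
    f="$TFTP_DIR/$1"
    [ -e "$f" ] || : > "$f" || return 1
    chmod 0666 "$f"
}

# Restore, step 1: expose the file read-only (tftpd needs o+r to serve it).
tftp_open_for_read() {
    chmod 0444 "$TFTP_DIR/$1"
}

# Step 3 of either procedure: close the window again. 0400 is what the
# page's "chmod a-wr,u+r" yields on a root-owned file.
tftp_lock() {
    chmod 0400 "$TFTP_DIR/$1"
}

# Check that the router actually delivered a complete config: the file is
# non-empty and its last non-blank line is IOS's terminating "end".
# CRs are stripped in case the transfer left netascii line endings.
tftp_verify_config() {
    f="$TFTP_DIR/$1"
    [ -s "$f" ] || { echo "$1: empty file (transfer failed?)" >&2; return 1; }
    last=$(grep -v '^[[:space:]]*$' "$f" | tr -d '\r' | tail -n 1)
    [ "$last" = "end" ] || { echo "$1: truncated, last line is '$last'" >&2; return 1; }
    return 0
}

# Keep a dated, locked copy so overwriting the backup is not destructive.
# Prints the path of the copy.
tftp_archive() {
    f="$TFTP_DIR/$1"
    stamp=$(date +%Y%m%d-%H%M%S)
    cp -p "$f" "$f.$stamp" && chmod 0400 "$f.$stamp" && echo "$f.$stamp"
}

# Permission string of a file, e.g. "-rw-rw-rw-", for checking the window.
tftp_mode() {
    ls -ld "$TFTP_DIR/$1" | cut -c1-10
}

# Typical backup:
#   tftp_open_for_write xyzrouter-confg
#   (on the router: write network)
#   tftp_verify_config xyzrouter-confg && tftp_archive xyzrouter-confg
#   tftp_lock xyzrouter-confg
# Typical restore:
#   tftp_open_for_read xyzrouter-confg
#   (on the router: config network, then write)
#   tftp_lock xyzrouter-confg
```

Because ``chmod 0666'' also lets any local user on the server alter the file, not only TFTP clients, the verification step matters as much as the lock: a config that does not end in ``end'' should never be the one you later feed to ``config network''.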