Friday, September 14, 2007

Running network device backups with RANCID on FreeBSD

A useful utility for backing up network device configurations that I recently stumbled upon is RANCID (Really Awesome New Cisco confIg Differ), which automates the backups. It also keeps a history of the changes made to each device's configuration in either CVS or SVN, and every change can be mailed automatically to a mailing list.

Here's how I installed and configured it on a FreeBSD box:

[root@box]# portinstall rancid
[root@box]# nano /usr/local/etc/rancid/rancid.conf


Example config:
-------------

TERM=network;export TERM
umask 027
TMPDIR=/tmp; export TMPDIR
BASEDIR=/backup/network; export BASEDIR
PATH=/usr/local/libexec/rancid/:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/bin; export PATH
CVSROOT=$BASEDIR/CVS; export CVSROOT
LOGDIR=$BASEDIR/logs; export LOGDIR
OLDTIME=4; export OLDTIME
LIST_OF_GROUPS="mydevices"; export LIST_OF_GROUPS

-------------
[root@box]# mkdir -p /backup/network
[root@box]# chown rancid:rancid /backup/network
[root@box]# su - rancid
[rancid@box]$ /usr/local/bin/rancid-cvs
[rancid@box]$ nano /backup/network/mydevices/router.db
#router:type:state:comment
switch01.mydomain.com:cisco:up
switch02.mydomain.com:cisco:up
switch03.mydomain.com:cisco:up
switch04.mydomain.com:hp:down:out of service
--------------
[rancid@box]$ nano /home/rancid/.cloginrc
add method * telnet ssh
add noenable switch05.mydomain.com
add password switch01.mydomain.com kFO3i2bJ60 w3oybRioS2
add password switch02.mydomain.com kFO3i2bJ60 w3oybRioS2
add password switch03.mydomain.com kFO3i2bJ60 w3oybRioS2
add password switch04.mydomain.com kFO3i2bJ60 w3oybRioS2
add password switch05.mydomain.com kFO3i2bJ60 w3oybRioS2
# entries are matched in order and the first match wins, so the host-specific user must come before the wildcard
add user switch05.mydomain.com admin
add user *.mydomain.com alien

[root@box]# chmod 600 /home/rancid/.cloginrc

-------------
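Two mistakes in these files are easy to make and only show up as failed logins later: a device marked up in router.db that no "add password" entry covers, and a host-specific .cloginrc line placed after a wildcard that already matches it, which clogin never reaches because it uses the first matching entry. The checker below is a small Python script added for this post (not part of RANCID); the router.db and .cloginrc it embeds are constructed samples, and it handles the rancid 2.x colon-separated router.db format shown above.

```python
import fnmatch

# Constructed sample files for this example (not the post's own files).
ROUTER_DB = """\
#router:type:state:comment
switch01.mydomain.com:cisco:up
switch04.mydomain.com:hp:down:out of service
switch05.mydomain.com:cisco:up
"""
CLOGINRC = """\
add method * telnet ssh
add password switch01.mydomain.com kFO3i2bJ60 w3oybRioS2
add user *.mydomain.com alien
add user switch05.mydomain.com admin
"""

def parse_router_db(text):
    """Return {hostname: state} for the non-comment lines of a rancid 2.x router.db."""
    devices = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= 3:
                devices[fields[0]] = fields[2]
    return devices

def parse_cloginrc(text):
    """Return (directive, host_pattern) pairs in file order; clogin uses the first match."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "add":
            rules.append((parts[1], parts[2]))
    return rules

def audit(router_db_text, cloginrc_text):
    """Report 'up' devices with no matching password rule and rules shadowed by an earlier match."""
    findings = []
    rules = parse_cloginrc(cloginrc_text)
    password_patterns = [p for d, p in rules if d == "password"]
    for host, state in parse_router_db(router_db_text).items():
        if state == "up" and not any(fnmatch.fnmatch(host, p) for p in password_patterns):
            findings.append(f"{host}: state 'up' but no 'add password' entry matches")
    # first-match semantics: a later rule that an earlier pattern already covers never fires
    for i, (directive, pattern) in enumerate(rules):
        for earlier, earlier_pattern in rules[:i]:
            if earlier == directive and fnmatch.fnmatch(pattern, earlier_pattern):
                findings.append(f"'add {directive} {pattern}' is shadowed by earlier '{earlier_pattern}'")
    return findings
```

Run it as the rancid user against the real files by reading /backup/network/mydevices/router.db and /home/rancid/.cloginrc into the two arguments of audit(); an empty result means every live device has credentials and no entry is dead.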
To check that a device login works before scheduling and running backups:
[rancid@box]$ /usr/local/libexec/rancid/clogin switch01.mydomain.com
switch01.mydomain.com
spawn telnet switch01.mydomain.com
Trying 192.168.10.53...
Connected to switch01.mydomain.com.
Escape character is '^]'.


User Access Verification

Username: Kerberos: No default realm defined for Kerberos!
remsys
Password:

switch01>enable
Password:
switch01#

---------------
That's it: rancid has logged in to switch01.mydomain.com and left you at the switch's console.

To start backups manually run:
[rancid@box]$ /usr/local/bin/rancid-run

Also, add this to rancid's cron:
[rancid@box]$ crontab -e
#run backups
1 */3 * * * /usr/local/bin/rancid-run
#clean up old logs
50 23 * * * /usr/bin/find /backup/network/logs -type f -mtime +14 -exec rm {} \;

You can find your network devices' backups in /backup/network/mydevices/configs.

Friday, September 7, 2007

Using mod_evasive for DoS attack prevention

A quick way to mitigate DoS attacks against an Apache 2 web server is mod_evasive.
Installing mod_evasive on an Apache 2 web server:
# mkdir -p /root/tmp
# cd /root/tmp
# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
# tar zxvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# apxs -cia mod_evasive20.c


then, in /etc/httpd/conf/httpd.conf add the following lines and restart apache:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 20
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>


Remember to tune the DOS* directives to suit your traffic: DOSPageCount is the number of requests for the same page allowed per DOSPageInterval seconds, DOSSiteCount is the number of requests to any object on the site allowed per DOSSiteInterval seconds, and a client that exceeds either limit is answered with 403 for DOSBlockingPeriod seconds.

Sunday, September 2, 2007

first post

Yep, this is the first post on this blog, welcome to all of you :)

On these pages you will be able to read my posts on my systems administrator position and also some news/notes from the IT world.

I hope real soon I will manage to find some spare time and publish a few notes on subjects that I am interested in.

Also I'd be glad to hear any feedback / comments from you!

Thanks, and see you soon.