Tcl Script to Probe SSH Connections for Cisco ACE Router
We were having problems with default TCP probes on port 22 from our Cisco ACE Load Balancer showing up in our logs as bad SSH connections. I modified a Cisco TCL script for checking SSL to send a greeting to an SSH server and check that an SSH greeting is returned. It by no means does a complete login — there is no key exchange, host-key verification or authentication — but it does check to make sure the SSH service is alive and speaking the protocol. Because the probe still disconnects before key exchange, sshd may (depending on its LogLevel) still record a "connection closed" line for each probe; the difference is that the connection is now a well-formed SSH exchange rather than an empty TCP connect. Tested on RedHat and Ubuntu. Let me know if this works on other services.
Ubuntu
root@***:/var/log# uname -a Linux *** 2.6.31-19-generic-pae #56-Ubuntu SMP Thu Jan 28 02:29:51 UTC 2010 i686 GNU/Linux root@***:/var/log# ssh -V OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
Redhat
[root@*** root]# uname -a Linux *** 2.4.21-63.ELsmp #1 SMP Wed Oct 28 23:15:46 EDT 2009 i686 i686 i386 GNU/Linux [root@*** root]# ssh -V OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
sshProbe.tcl
SSH_PROBE_SCRIPT.tcl
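#!name = SSH_PROBE_SCRIPT
########################################################################################
#
# Description :
#   Connects to an SSH server, sends a client identification string and checks
#   that the server answers with an SSH identification line of its own.
#   This only proves that the SSH service accepts connections and speaks the
#   protocol; no key exchange, host-key verification or authentication is done.
#
# ACE version :
#   1.0+
#
# Author :
#   Chris Greenough (Chris.Greenough@nau.edu)
#
# Parameters :
#   [debugFlag]
#   debug - default 0. Do NOT turn on while multiple probes are configured
#
# Example config :
#   probe sshProbe script
#     script SSH_PROBE [0]
#
# Exit codes :
#   30001 - success: the server sent an "SSH-" identification line
#   30002 - failure: connect failed, or no valid identification line received
#
########################################################################################

#-------------------------------------------
# debug procedure
# Stores msg in the EXIT_MSG environment variable to help debugging, prefixed
# with the script name and the real server's ip:port once those are known,
# and also prints it when the debug flag is on.
#-------------------------------------------
proc ace_debug { msg } {
    global debug ip port EXIT_MSG
    set EXIT_MSG $msg
    if { [ info exists ip ] && [ info exists port ] } {
        set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
    }
    if { [ info exists debug ] && $debug } {
        puts $EXIT_MSG
    }
}

#-------------------------------------------
# main
#-------------------------------------------
ace_debug "initializing variables"
set EXIT_MSG "Error config: script SSH_PROBE <debug(0|1)>"
set ip   $scriptprobe_env(realIP)
set port $scriptprobe_env(realPort)

## if port is 0 , use default port 22
if { $port == 0 } {
    set port 22
}

set debug [ lindex $argv 0 ]
if { $debug == "" } {
    set debug 0
}

# Client identification string (RFC 4253 section 4.2):
#   "SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes.
# Kept as plain text (the original embedded the same bytes as a hex blob) so
# that what the probe sends on the wire is obvious.  NOTE(review): it currently
# announces itself as SecureCRT, so probe connections cannot be told apart from
# a real client in sshd logs; a recognisable value such as
# "SSH-2.0-ACE_sshProbe\r\n" makes log triage easier.
set ssh_hello "SSH-2.0-SecureCRT_6.5.0 (build 335) SecureCRT\r\n"

# open connection ; a connect error is reported as a probe failure instead of
# leaving an uncaught Tcl error
ace_debug "opening socket"
if { [ catch { socket $ip $port } sock ] } {
    ace_debug "probe fail : cannot connect to $ip:$port ($sock)"
    exit 30002
}

# binary translation: no newline conversion, bytes written/read as-is
ace_debug "setting fconfigure to binary"
fconfigure $sock -translation binary

ace_debug "sending ssh client hand-shake message"
puts -nonewline $sock $ssh_hello
flush $sock

# Read the server's identification line.  RFC 4253 section 4.2 allows the
# server to send other lines (not starting with "SSH-") before it, so a
# bounded number of such lines is skipped.  A line-based read replaces the
# original "read $sock 100": on a blocking channel, read waits for 100 bytes
# or EOF, so a server that only sends its ~40-byte identification line and
# then waits for the client would presumably stall the probe until the ACE
# probe timeout.  gets returns -1 at EOF on a blocking channel.
ace_debug "receiving response"
set ssh_header "SSH-"
set max_lines  20
set server_id  ""
for { set i 0 } { $i < $max_lines } { incr i } {
    if { [ gets $sock line ] < 0 } {
        break
    }
    # binary translation leaves the CR of the CR LF terminator in place
    set line [ string trimright $line "\r" ]
    ace_debug $line
    if { [ string equal [ string range $line 0 3 ] $ssh_header ] } {
        set server_id $line
        break
    }
}

# close connection ; we stop before key exchange, so sshd may still log the
# disconnect depending on its LogLevel
ace_debug "closing socket"
close $sock

# If the server never sent an SSH identification line, fail the probe with
# exit 30002.  If it did, the service is alive and talking SSH.
if { $server_id == "" } {
    ace_debug "probe fail : no SSH identification line received"
    exit 30002
}

# Everything went fine. probe exit with success exit_code 30001
ace_debug "probe success : server identified as $server_id"
exit 30001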



