We were having problems with default TCP probes on port 22 from our Cisco ACE Load Balancer showing up in our logs as bad SSH connections. I modified a Cisco TCL script for checking SSL so that it sends a greeting to an SSH server and checks that an SSH greeting is returned. It by no means does a complete login, but it does check that the SSH service is alive. Tested on RedHat and Ubuntu. Let me know if this works on other services.
Ubuntu
root@***:/var/log# uname -a
Linux ***2.6.31-19-generic-pae #56-Ubuntu SMP Thu Jan 28 02:29:51 UTC 2010 i686 GNU/Linux
root@***:/var/log# ssh -V
OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
Redhat
[root@*** root]# uname -a
Linux *** 2.4.21-63.ELsmp #1 SMP Wed Oct 28 23:15:46 EDT 2009 i686 i686 i386 GNU/Linux
[root@*** root]# ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
sshProbe.tcl
SSH_PROBE_SCRIPT.tcl
#!name = SSH_PROBE_SCRIPT
########################################################################################
#
# Description :
# Script connects to an SSH server and sends a client greeting to see if it is alive.
#
# ACE version :
# 1.0+
#
# Author :
# Chris Greenough (Chris.Greenough@nau.edu)
#
# Parameters :
# [debugFlag]
# debug - default 0. Do NOT turn on while multiple probes are configured
#
# Example config :
# probe sshProbe script
# script SSH_PROBE [0]
#
########################################################################################
#-------------------------------------------
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
#-------------------------------------------
# Record a probe status message in EXIT_MSG (the text the ACE reports
# for the probe) and echo it to stdout when the debug flag is set.
#   msg - status text to record
# Reads the globals ip/port (target, once known) and debug (0|1).
proc ace_debug { msg } {
    global debug ip port EXIT_MSG
    set EXIT_MSG $msg
    # Once the target is known, prefix the message with script name and
    # target so messages from different probes can be told apart.
    set have_target [ expr { [ info exists ip ] && [ info exists port ] } ]
    if { $have_target } {
        set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
    }
    # Only print when debugging was requested (debug may be unset early on).
    set print_it [ expr { [ info exists debug ] && $debug } ]
    if { $print_it } {
        puts $EXIT_MSG
    }
}
#-------------------------------------------
# main
#-------------------------------------------
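# Probe entry point: read the ACE-supplied target, exchange SSH
# identification strings with it and exit with the probe codes this
# script uses (30001 = success, 30002 = failure).
ace_debug "initializing variable"
set EXIT_MSG "Error config: script SSH_PROBE <debug(0|1)>"
# realIP/realPort are supplied by the ACE for the real server being probed.
set ip $scriptprobe_env(realIP)
set port $scriptprobe_env(realPort)
## if port is 0 , use default port 22
if { $port == 0 } {
    set port 22
}
# Optional first script argument enables stdout debugging (see header).
set debug [ lindex $argv 0 ]
if { $debug == "" } {
    set debug 0
}
# open connection; a refused or unreachable target fails the probe with a
# readable EXIT_MSG instead of an uncaught Tcl error
ace_debug "opening socket"
if { [ catch { socket $ip $port } sock ] } {
    ace_debug "probe fail : cannot connect to $ip:$port ($sock)"
    exit 30002
}
ace_debug "setting fconfigure to binary"
fconfigure $sock -translation binary
# Client identification string (RFC 4253 section 4.2): "SSH-2.0-" plus a
# software version, terminated by CR LF. These are exactly the bytes the
# former hex literal encoded; written as text so the banner is reviewable.
# It mimics a SecureCRT client; a distinctive string naming the load
# balancer would make probe connections easier to recognise in sshd logs.
ace_debug "sending ssh client hand-shake message"
set ssh_hello "SSH-2.0-SecureCRT_6.5.0 (build 335) SecureCRT\r\n"
puts -nonewline $sock $ssh_hello
flush $sock
# Read the server identification string line by line instead of waiting
# for a fixed 100 bytes: a server that only sends its banner would never
# fill 100 bytes and the old read would block until the ACE timeout.
# RFC 4253 allows a server to send other lines before the "SSH-" line, so
# scan a bounded number of lines; a peer that never sends a newline still
# blocks here and is left to the ACE probe timeout.
ace_debug "receiving response"
set ssh_header "SSH"
set res ""
set max_lines 10
for { set i 0 } { $i < $max_lines } { incr i } {
    set lines [ gets $sock ]
    if { [ eof $sock ] && $lines == "" } {
        break
    }
    ace_debug $lines
    # first 3 bytes of the line are what we compare against "SSH"
    set res [ string range $lines 0 2 ]
    if { $res == $ssh_header } {
        break
    }
}
# close connection
ace_debug "closing socket"
close $sock
# A line starting with "SSH" means an SSH service answered; an empty
# reply, EOF or any other protocol fails the probe with exit 30002.
ace_debug $res
if { $res != $ssh_header } {
    ace_debug "probe fail : ssh hand shake failure with $res !"
    exit 30002
}
# Everything went fine. probe exit with success exit_code 30001
ace_debug "probe success"
exit 30001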