March 17, 2016 - Warren Held

Check RSA modulus length & telnet access on Cisco devices

If you’re following security best practices, you should be using SSH with an RSA modulus length of at least 2048 bits and have telnet disabled on your devices. There isn’t a command in Cisco IOS that reports the RSA modulus length directly, other than running sh crypto key mypubkey rsa and then working out the modulus length by hand from the key data. With Python and paramiko we can check the modulus length easily, and we can also quickly check whether the device is accepting telnet connections. If you are working with a large list of devices like I am, and you’re using Solarwinds to manage your devices, the orionsdk Python module lets us import the list of Cisco devices with very little effort.

Change the npm_server variable to the address of your Solarwinds server. The script will prompt you for your Solarwinds credentials when it is run. It will loop through every Solarwinds node with Vendor ‘Cisco’ and attempt to establish an SSHv2 session and a telnet session. It never actually authenticates with the devices; it only establishes the initial connection. The script will save the output in a .csv file in the same folder as the script. If it is unable to connect to a device, or if it encounters an error, it will save the error message in the Comments column of the csv file and continue on to the next device. You will need to install the paramiko, orionsdk, and requests modules. The rest of the modules should come with Python. This was written on Python 3.5.1. I am also not a programmer and this is my first “real” Python program, so there are probably better ways some of this could be written.

Example output:

Device                 IP          RSA Modulus Length  Comments
lorem_ipsum_rt1        10.10.10.1  1024                Accepts Telnet
lorem_ipsum_rt2        10.10.10.2  2048
lorem_ipsum_lorem_rt1  10.10.50.1                      Accepts Telnet
lorem_ipsum_ipsum_rt2  10.11.50.4                      timed out

If there is nothing in RSA Modulus Length then SSH isn’t enabled. If SSH is enabled but paramiko encountered an error, the error message should appear under Comments. If Accepts Telnet doesn’t appear under Comments and there is no error message, then telnet isn’t enabled. If telnetlib encountered an error while attempting to telnet to the device, that error will also be in the Comments column.
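The post’s own script is not reproduced on this page, so the following is an added example written from the description above (it is not the author’s code). It does what the post describes: completes an SSHv2 key exchange without authenticating and measures the host key’s RSA modulus, checks whether the telnet port answers, and writes one CSV row per device with errors in the Comments column. Two things go slightly beyond the post: the modulus length is computed by parsing the raw ssh-rsa key blob (the manual calculation the post mentions, and what paramiko’s get_bits() does internally), and keys shorter than 2048 bits get their own comment. The telnet check uses a plain socket rather than telnetlib, which was removed from the standard library in Python 3.13. The Solarwinds query assumes the orionsdk SwisClient and the Orion.Nodes Caption/IPAddress/Vendor columns; the npm_server value is a placeholder. Only the parsing and reporting functions run offline; the probes need a real device.

```python
"""Added example (not the post's script): audit Cisco devices for SSH RSA
modulus length and open telnet, writing the results to a CSV."""
import csv
import getpass
import socket
import struct

try:
    import paramiko          # third-party; needed only for the live SSH probe
except ImportError:
    paramiko = None

MIN_RSA_BITS = 2048          # the post's recommended minimum modulus length
FIELDS = ["Device", "IP", "RSA Modulus Length", "Comments"]

def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length + bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def rsa_modulus_bits(blob):
    """Bit length of the modulus in an 'ssh-rsa' public-key blob
    (RFC 4253: string 'ssh-rsa', mpint e, mpint n).  This is the manual
    calculation the post refers to; paramiko's PKey.get_bits() does the same."""
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    _e, off = _read_string(blob, off)
    n_bytes, _ = _read_string(blob, off)
    # an mpint may carry a leading 0x00 sign byte; int.from_bytes ignores it
    return int.from_bytes(n_bytes, "big").bit_length()

def build_ssh_rsa_blob(e, n):
    """Encode an ssh-rsa blob; used only to construct offline sample input."""
    def mpint(value):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:            # mpints are signed: pad to keep positive
            raw = b"\x00" + raw
        return struct.pack(">I", len(raw)) + raw
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)

def ssh_host_key_bits(host, port=22, timeout=5):
    """Open an SSHv2 transport, finish key exchange without authenticating,
    and return the RSA modulus length of the host key the device presents."""
    if paramiko is None:
        raise RuntimeError("paramiko is not installed")
    sock = socket.create_connection((host, port), timeout=timeout)
    transport = paramiko.Transport(sock)
    try:
        transport.start_client(timeout=timeout)
        key = transport.get_remote_server_key()
        if key.get_name() != "ssh-rsa":
            raise ValueError("host key is %s, not RSA" % key.get_name())
        return rsa_modulus_bits(key.asbytes())
    finally:
        transport.close()

def accepts_telnet(host, port=23, timeout=5):
    """True if the device accepts a TCP connection on the telnet port.
    A plain socket stands in for the post's telnetlib (removed in Python 3.13)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return False             # port closed: telnet not enabled

def check_device(name, ip, ssh_probe=ssh_host_key_bits, telnet_probe=accepts_telnet):
    """Probe one device and return a CSV row.  The probes are parameters so
    the reporting logic can be exercised with stand-ins and no network."""
    row = {"Device": name, "IP": ip, "RSA Modulus Length": "", "Comments": []}
    try:
        row["RSA Modulus Length"] = ssh_probe(ip)
    except ConnectionRefusedError:
        pass                     # port 22 closed: SSH not enabled, leave blank
    except Exception as exc:     # SSH is up but the handshake failed: say why
        row["Comments"].append(str(exc) or type(exc).__name__)
    try:
        if telnet_probe(ip):
            row["Comments"].append("Accepts Telnet")
    except Exception as exc:
        row["Comments"].append("telnet: %s" % (str(exc) or type(exc).__name__))
    bits = row["RSA Modulus Length"]
    if bits and bits < MIN_RSA_BITS:   # flag weak keys, not just absent SSH
        row["Comments"].append("RSA modulus below %d" % MIN_RSA_BITS)
    row["Comments"] = "; ".join(row["Comments"])
    return row

def cisco_nodes_from_solarwinds(npm_server, username, password):
    """Pull (Caption, IPAddress) for every Orion node with Vendor 'Cisco'."""
    from orionsdk import SwisClient      # third-party; assumed installed
    swis = SwisClient(npm_server, username, password)
    result = swis.query("SELECT Caption, IPAddress FROM Orion.Nodes "
                        "WHERE Vendor = 'Cisco'")
    return [(n["Caption"], n["IPAddress"]) for n in result["results"]]

def write_csv(rows, path):
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)

if __name__ == "__main__":
    npm_server = "solarwinds.example.invalid"   # placeholder: your NPM server
    user = input("Solarwinds username: ")
    nodes = cisco_nodes_from_solarwinds(npm_server, user, getpass.getpass())
    write_csv([check_device(n, ip) for n, ip in nodes], "rsa_telnet_audit.csv")
```

A connection refused on port 22 is treated as “SSH not enabled” and leaves the modulus column blank with no comment, a timeout or handshake failure lands in Comments as the post describes, and because check_device takes its probes as parameters, the row logic can be verified against the sample output above without touching a device.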
