[rancid] Securing RANCID installation

Daniel Schmidt daniel.schmidt at wyo.gov
Wed Dec 17 22:22:05 UTC 2014


I wrote an article on tacacs.org on securing rancid.  However, tacacs.org
appears to be gone.  Pretty easy to lock down with do_auth.  As for local
passwords, if tacacs is properly configured, they are useless.


On Tue, Dec 16, 2014 at 1:30 PM, Daniel Anderson <dan.w.anderson at gmail.com>
wrote:
>
> I would also recommend configuring/using a dedicated network
> (TACACS/RADIUS) account that only has permissions to run the commands that
> RANCID uses so that if someone does get the .cloginrc file somehow that
> it's harder for them to make config changes on the devices.
>
> --
> Dan
>
> > On Dec 16, 2014, at 2:55 PM, Alan McKinnon <alan.mckinnon at gmail.com>
> wrote:
> >
> >> On 16/12/2014 16:43, Jason Humes wrote:
> >> Hi
> >> Are there any tips or best practices for securing a RANCID
> installation...the clogin files, the backed up configs, etc.
> >>
> >> Thanks for any advice! :)
> >
> >
> > Others have explained well how to secure the data rancid produces to
> > avoid information leakage.
> >
> > I would add that protecting .cloginrc is very very important as it
> > contains login and enable passwords for the admin account on all your
> > network devices.
> >
> > Make sure that only authorized sysadmins have login access to the rancid
> > host, and that the rancid user's home directory is set with very
> > restricted permissions (assuming a user called rancid):
> >
> > chown -R rancid ~rancid
> > chmod -R go-rwx ~rancid
> >
> >
> > Considering what can happen if .cloginrc leaks, it's a good idea to run
> > rancid on a dedicated single-purpose host. Rancid is very light on
> > resources; a basic VM with 1 cpu and 512M RAM does the job admirably.
> >
> >
> >
> > --
> > Alan McKinnon
> > alan.mckinnon at gmail.com
> >
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>


E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
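A small audit script for the file permissions Alan recommends above (rancid home owned by the rancid user, no group/other access), added here as an example and not part of the thread. It only reports; the directory path and user name are assumed parameters, and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a rancid home directory for the
# permissions described above (everything owned by the rancid user, nothing
# readable/writable/executable by group or other). It only reports; the
# directory path and user name are parameters, not values from the thread.

# list_rancid_perm_issues DIR USER
# Prints one line per entry under DIR that is not owned by USER or that grants
# any group/other permission. Prints nothing when DIR is clean.
list_rancid_perm_issues() {
    dir=$1
    user=$2
    find "$dir" -print | while IFS= read -r p; do
        [ -L "$p" ] && continue   # symlink modes are always rwxrwxrwx; skip
        # ls -ld is portable across GNU/BSD: "-rw------- 1 rancid rancid 42 ..."
        set -- $(ls -ld "$p")
        mode=$1
        owner=$3
        [ "$owner" = "$user" ] || echo "WRONG OWNER ($owner): $p"
        # Characters 5-10 of the mode string are the group and other bits.
        case $(printf '%s' "$mode" | cut -c5-10) in
            *[rwx]*) echo "GROUP/OTHER ACCESS ($mode): $p" ;;
        esac
    done
}

# check_rancid_perms DIR USER
# Returns 0 when DIR is clean, 1 after printing the offending entries,
# 2 when DIR does not exist. The exit status makes it usable from cron.
check_rancid_perms() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    issues=$(list_rancid_perm_issues "$1" "$2")
    if [ -n "$issues" ]; then
        printf '%s\n' "$issues"
        return 1
    fi
    return 0
}

# Usage (hypothetical script name): ./rancid-perm-check.sh ~rancid rancid
if [ $# -ge 1 ]; then
    check_rancid_perms "$1" "${2:-rancid}"
fi
```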