EdgeRouter - How to Sanitize EdgeRouter Configurations
Overview
Readers will learn how to properly format and sanitize EdgeRouter configurations to remove all personal and sensitive information.
- Applicable to the latest EdgeOS firmware on all EdgeRouter models.
- The latest EdgeOS firmware can be downloaded from the EdgeRouter Downloads page.
Table of Contents
- Downloading the Configuration from the EdgeRouter
- Sanitizing the Configuration
- Posting the Configuration on the Community
- Related Articles
Downloading the Configuration from the EdgeRouter
The first step is to download the backup archive from the EdgeRouter using the Web UI.
1. Navigate to the System tab in the bottom-left of the Web UI to download the backup configuration archive.
System > Configuration Management & Device Maintenance > Back Up Config
2. Download the backup config file by clicking on the Download button.
3. The EdgeRouter will prompt you to save the archive on your computer.
4. Open the edgeos_hostname_yyyymmdd.tar.gz archive using a file archival program such as 7-Zip.
5. Extract the config.boot file from the archive.
Sanitizing the Configuration
Now we can modify the contents of the config.boot file in order to sanitize (obscure) any sensitive information. Some examples are:
- Usernames
- Passwords
- Public IP addresses
- UNMS connection info
- Commit archival location
- Router hostname
- Custom banner message
1. Open the config.boot file using a text editor.
2. Look for any public IP addresses to obscure. Notable configuration areas are the interfaces and firewall sections.
A good way to sanitize IP addresses while maintaining readability is to keep the values unique, or to obscure only part of each address. Instead of replacing every address with x.x.x.x or y.y.y.y, obscure part of the address (x.x.x.154 and y.y.y.29, for example) or replace it completely with an RFC 5737 documentation address. The documentation address ranges are:
- 192.0.2.0 - 192.0.2.255
- 198.51.100.0 - 198.51.100.255
- 203.0.113.0 - 203.0.113.255
The private IP address ranges defined in RFC1918 are:
- 192.168.0.0 - 192.168.255.255
- 172.16.0.0 - 172.31.255.255
- 10.0.0.0 - 10.255.255.255
3. Look for any usernames or passwords to obscure. Notable configuration areas are the vpn and system sections.
4. Save the edited config.boot file.
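The address and secret handling from steps 2 and 3 can be scripted. The following is an added example, not part of the original article or any vendor tooling: it maps each public IPv4 address to its own RFC 5737 documentation address, leaves RFC 1918 addresses untouched, and redacts the values of secret-bearing keys. The key list in SECRET_RE and the sample input are assumptions; usernames, the hostname, UNMS connection info, the commit archival location and the banner still need manual review.

```python
import ipaddress
import re

# Ranges listed on this page: RFC 5737 (replacement pool) and RFC 1918 (kept).
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Assumed list of secret-bearing keys; extend it to match your own config.
SECRET_RE = re.compile(r"^([ \t]*(?:encrypted-password|plaintext-password|"
                       r"pre-shared-secret|password)[ \t]+).*$", re.M)

def _keep(addr):
    # Private, documentation and special-purpose addresses stay readable.
    return (any(addr in n for n in PRIVATE_NETS + DOC_NETS)
            or addr.is_loopback or addr.is_unspecified or addr.is_multicast
            or addr.is_link_local or addr.is_reserved)

def sanitize(text):
    """Return (sanitized text, {real address: documentation address})."""
    present = set(IPV4_RE.findall(text))
    # Never hand out a documentation address the config already uses.
    pool = (str(h) for n in DOC_NETS for h in n.hosts() if str(h) not in present)
    mapping = {}
    def swap(match):
        raw = match.group(1)
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:          # not a valid IPv4 address, leave it alone
            return raw
        if _keep(addr):
            return raw
        if raw not in mapping:      # one real address -> one unique stand-in
            mapping[raw] = next(pool)
        return mapping[raw]
    text = SECRET_RE.sub(r"\g<1>REDACTED", text)
    return IPV4_RE.sub(swap, text), mapping

# Constructed sample lines; 1.1.1.x stands in for a real public range.
SAMPLE = """\
ethernet eth0 {
    address 1.1.1.2/30
    address 192.168.1.1/24
}
gateway-address 1.1.1.1
name-server 1.1.1.1
pre-shared-secret constructed-psk
"""
```

Call sanitize() on the contents of config.boot and review the returned mapping before posting; keep the mapping private, since it links each stand-in back to a real address.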
Posting the Configuration on the Community
1. Select a blank line and click on the icon in the toolbar, converting the line into a code block.
2. Paste the configuration into the code block, and submit.
Convert the line into a code block prior to pasting in the configuration. Reversing the order (pasting the configuration before converting the text to a code block) may affect the line spacing, which causes the output to be misaligned.
Below is an example of a properly formatted configuration:
interfaces {
    ethernet eth0 {
        description WAN
        address 203.0.113.1/30
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description LAN
        address 192.168.1.1/24
        duplex auto
        speed auto
    }
}
...
And an example of a misaligned configuration that has extra line spacing, making it harder to read:
interfaces {
ethernet eth0 {
description WAN
address 203.0.113.1/30
duplex auto
speed auto
}
ethernet eth1 {
description LAN
address 192.168.1.1/24
duplex auto
speed auto
}
}
...
Related Articles
EdgeRouter - Backup and Restore Configuration
EdgeSwitch - How to Sanitize EdgeSwitch Configurations
Intro to Networking - How to Establish a Connection Using SSH