[j-nsp] Sanitising m/t series routers?

Christopher Hartley chartley at oar.net
Tue Jul 7 08:42:30 EDT 2009

Depends on how paranoid you are...  this is probably overdoing it.

Start shell (boot in single user if you can by interrupting boot sequence and
typing boot -s at loader> prompt, and using 'recovery' shell...  still possible remotely
if you have terminal server)

# Identify the /config partition:
# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
 . . .
/dev/da0s3e     55M    4.0K     51M     0%    /config
 . . .
# Choose /dev/da0s3e in this case.
# Force unmount the partition:
umount -f /dev/da0s3e
for a in 1 2 3 4 5 6 7 8 9; do
  echo -n "Wipe $a:";
  dd if=/dev/zero of=/dev/da0s3e
done

# Write super block to partition so that it can be remounted
newfs /dev/da0s3e
# #### Clear logs
cd /var/log
for a in *; do (cd $a 2>/dev/null && cd ..) && (echo "Skipping directory: $a") || (rm -f $a; echo ' ' > $a; echo "Cleared $a"); done
for a in */*; do rm -f $a; echo ' ' > $a; done
for a in 0 1 2 3 4 5 6 7 8 9; do
   echo "Wipe $a";
   # Fill the free space on /var with zeros, then release it
   dd if=/dev/zero of=garbage
   rm -f garbage
   sync; sync
done

# Mount and create some required directories
mount /dev/da0s3e
mkdir /config/db
mkdir /config/db/config
mkdir /config/db/commits
# Reboot and let device load default configs.
# While booting, you should see:
   Creating initial configuration...mgd: error: Cannot open configuration file: /config/juniper.conf
   mgd: warning: activating factory configuration
# The device will also need to create new key pairs since we blew them away.

# The root password will now be empty.
# Fix that:
set system root-authentication plaintext-password
commit and-quit
request system halt
# Fin.

Nothing magical... I may have forgotten something.  Oh yeah, this takes a while.


>>> Andrew Cheng <arbcat at gmail.com> 07/07/09 1:53 AM >>>
Hi There

I have to sanitise a large number of routers (ie, remove all configs,
logs.. everything), and
was wondering if there was a magic way of doing it remotely?

There is the tedious way of going through and deleting /var/log, all
configs.. etc etc, but surely
there must be a better way?
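
A check the procedure in this thread does not include, as an added example that is not part of either post: confirm that a zero-fill pass left no data behind before running newfs. It runs against a constructed image file standing in for the /config slice, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: zero-fill a target and verify the result.
# The target is a constructed image file, not a real /dev/da0s3e slice.

# Count the bytes in a file that are not 0x00.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite $1 in place with zeros over its full length, flush, then verify.
# Returns 0 only if no non-zero byte is left, 2 if dd itself failed.
wipe_and_verify() {
    target=$1
    size=$(wc -c < "$target" | tr -d ' ')
    blocks=$(( (size + 511) / 512 ))
    dd if=/dev/zero of="$target" bs=512 count="$blocks" conv=notrunc 2>/dev/null || return 2
    sync
    left=$(nonzero_bytes "$target")
    echo "$target: $left non-zero bytes after wipe"
    [ "$left" -eq 0 ]
}

# Build a constructed 64 KiB image with config-like text 4 KiB into it.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
    printf 'system { root-authentication { encrypted-password "CONSTRUCTED"; } }\n' |
        dd of="$1" bs=512 seek=8 conv=notrunc 2>/dev/null
}

# Demonstration run on a temporary file.
img=$(mktemp)
make_sample_image "$img"
echo "before wipe: $(nonzero_bytes "$img") non-zero bytes"
wipe_and_verify "$img" && echo "verified clean"
rm -f "$img"
```

On a real slice the check belongs between the dd passes and newfs, since newfs writes non-zero filesystem metadata back to the partition.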

