USG40 config backup or password reset

GPane Posts: 7
edited April 2021 in Security

Hello,

Our IT Technician, my old friend, has passed away. He was the one and only person who knew all the system passwords, server included. I have found a paper with all the passwords; the one that is missing is the firewall's, a USG40 from Zyxel.


I absolutely need to access the firewall. I don't care if I need to buy another USG40, in case, but I need to access that "old" config and see what is inside. I have no idea how many things are configured, so it is absolutely necessary for me to access it.

Is it possible to reset the password without losing the config? I have found this guide

But I don't know if I can apply it, or if it is secure; I can't lose the actual configuration. Please help me

Thanks

Accepted Solution

  • GPane
    GPane Posts: 7
    Answer ✓

    It was the damn original cable! With that it works. I have restored the original config and I have changed the password. Thanks guys!!!


All Replies

  • warwickt
    warwickt Posts: 111  Ally Member

    Hi GPane, FWIW, if you DID RESET the USG110 (assuming it's at a recent Firmware), it will MAINTAIN all the BACKUP or COPIED configurations that your ex-colleague MIGHT have saved.

    However, if NONE (no backup.conf's) were saved, the one and only will be written over and that is undesirable for you.

    One assumes you wouldn't know what your colleague has done unless there's documentation that they have performed various internal backups / copies of the configurations.


    The procedure that you have included from Zyxel_Stanley looks good!


    You simply need to have the RS-232/serial cable (DB25?-USB2?) from the USG110 to a host with a serial application running on it. Those cables are usually shipped with the USG appliance.

    FWIW, we have some of these Serial Cables permanently attached to service hosts in the rack unit in case the routers have an issue and SSH | HTTPS don't work.

    TIP: as soon as you access your USG110 with user/password, use the console commands to make a COPY of the startup.conf. It's really easy.

    Router> # Step 1 - list what's there in the /conf directory
    Router> dir /conf/
    File Name                                 Size    Modified Time
    ===============================================================================
    lastgood.conf                             110117  2020-03-30 05:04:07
    startup-config.conf                       110031  2020-04-01 21:58:37
    system-default.conf                       71587   2020-03-30 05:01:24
    usg40lab2_2020-03-12.conf                 109348  2020-03-12 15:13:15
    usg40lab2_2020-03-24-001.conf             111011  2020-03-24 14:21:42
    usg40lab2_ike2_ike1_ok_2020-03-25.conf    111317  2020-03-25 14:33:02
    usg40lab2_ike2_ike1_002_2020-03-25.conf   110330  2020-03-25 17:02:59
    usg40lab2_ike2_ike1_003_2020-03-25.conf   110330  2020-03-25 17:24:21
    autobackup-4.33.conf                      104377  2019-10-26 13:24:03
    msf_usg40lab2_2019-dec-03.conf            105775  2019-12-03 13:50:56
    usg40lab2_2019-dec-07.conf                105379  2019-12-07 19:11:10
    usg40lab2_2019-dec-17.conf                106076  2019-12-17 20:02:47
    autobackup-4.35.conf                      108963  2020-03-10 13:14:19
    435AALA2-2020-03-08-11-52-09.conf         108963  2020-03-08 11:52:09
    usg40lab2_2020-03-10.conf                 108963  2020-03-10 15:26:08
    Router> #####__>
    Router> # Step 2 - copy the startup config to a new backup file in /conf
    Router> copy /conf/startup-config.conf /conf/usg40_lab2_2020_04-01.conf
    Router>
    

    HTH

    Warwick

    Hong Kong
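
The check behind the TIP in the post above, as an added example that is not part of the original post: a Python parser for a captured `dir /conf/` listing that reports whether any operator-made copy is at least as new as startup-config.conf. The `MANAGED` name set, the `autobackup-` prefix rule and the timestamp comparison are assumptions drawn from this thread, not Zyxel documentation; `BEFORE` is an excerpt of the listing quoted in the post.

```python
import re
from datetime import datetime

# Assumption (from this thread): files the appliance manages itself.
MANAGED = {"startup-config.conf", "lastgood.conf", "system-default.conf",
           "startup-config-back.conf"}
ROW = re.compile(r"^\s*(\S+\.conf)\s+(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")

# Excerpt of the console capture in the post, taken before the Step 2 copy.
BEFORE = """\
Router> dir /conf/
File Name                                 Size    Modified Time
===============================================================================
lastgood.conf                             110117  2020-03-30 05:04:07
startup-config.conf                       110031  2020-04-01 21:58:37
system-default.conf                       71587   2020-03-30 05:01:24
usg40lab2_ike2_ike1_ok_2020-03-25.conf    111317  2020-03-25 14:33:02
usg40lab2_ike2_ike1_003_2020-03-25.conf   110330  2020-03-25 17:24:21
autobackup-4.35.conf                      108963  2020-03-10 13:14:19
"""

def parse_listing(text):
    """Return {name: (size, mtime)}; prompts, headers and rulers are skipped."""
    files = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mtime = datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S")
            files[m.group(1)] = (int(m.group(2)), mtime)
    return files

def audit(text):
    """Report operator-made copies and whether the newest one covers the
    current startup-config.conf (copy timestamp >= startup-config timestamp)."""
    files = parse_listing(text)
    running = files.get("startup-config.conf")
    copies = {n: v for n, v in files.items()
              if n not in MANAGED and not n.startswith("autobackup-")}
    newest = max(copies, key=lambda n: copies[n][1], default=None)
    current = bool(running and newest and copies[newest][1] >= running[1])
    lag = running[1] - copies[newest][1] if running and newest else None
    return {"copies": sorted(copies), "newest_copy": newest,
            "copy_is_current": current, "lag": lag}

if __name__ == "__main__":
    print(audit(BEFORE))
```

On the excerpt, the newest operator copy lags startup-config.conf by about a week, which is the gap the `copy` command in Step 2 closes.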

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee

    @GPane

    Firstly, please accept our deepest sympathies; we hope everything will get better during this period.


    Enter debug mode and type "atkz -b", then use "atgo" to boot the device. After the device reboots, you can get the old configuration. The name of the configuration will be "startup-config-back.conf".

    For the next step, just follow the guide you found for resetting the password.

  • GPane
    GPane Posts: 7
    edited April 2020

    Hi,

    Thanks for the help

    warwickt,

    I don't know if there are "backup.conf" files; how can I check whether the file exists before the reset? You wrote "as soon as you access your USG110 with user/password"; I don't have it, and if I reset, is there a chance I'll lose everything?

    I don't know if the firmware is recent.

    Zyxel_Charlie

    I don't want to lose the configuration file... is there any risk in doing "atkz -b" and "atgo"?

    Thanks guys, thanks for all the support

  • warwickt
    warwickt Posts: 111  Ally Member

    Hi GPane, as Zyxel_Charlie pointed out, and as in Zyxel_Stanley's original document you posted, the idea is that you need to:

    1. Access the USG110 using its SERIAL PORT with a host (laptop etc) that has a Serial xmit/rcv for RS232(??) on it .. a "console" as you might
    2. follow the procedure outlined in the aforementioned doc to change the root/admin password using the interface in 1.
    3. then log in on the Console with the user/password from 2.
    4. issue a dir /conf command and review the configuration files
    5. use a copy /conf/startup-config.conf /conf/usg110_2020_04-02.conf to backup the current good startup.conf locally
    6. Optionally - reset the USG .. maybe not need to ...if you do... else go to 7.
      1. the file /conf/usg110_2020_04-02.conf will still be there
      2. connect to a host and temporarily set up your host NIC on the 192.168.1.1/24 and then access as
      3. https://192.168.1.1 admin / 1234 refer to the default in Users Guide.
      4. you can enter a new password for the default admin user account
      5. download the /conf/usg110_2020_04-02.conf locally (a host) and use it as a reference.
        1. the .conf file is 100% composed of ZYOS commands.. so you can certainly access the original working configuration and of course others that your colleague may have provided.
      6. DON'T APPLY the /conf/usg110_2020_04-02.conf file, because it will restart and you will have the old password in, and you'll be back at the beginning once again.
    7. Log in and administer the USG110 at your leisure
    8. make a new instance of the startup.conf file (as mentioned above), and save it, as this now contains the current authentication for your admin account (password).


    Others on this forum will also have good ideas for you.


    Tips: for convenience
    • once you're up and away, configure ssh (optionally on another port other than 22 if you like) and
      • DON'T expose this service to the WANs
    • set up another account with administrator ability that you use all the time
    • use some obnoxious string password for the default admin account
      • it seems the default admin can't be deleted or disabled.
    • habitually when you change configuration, create another instance of the startup.conf file and download it and maintain for reference to others.
      • use the File Management UI or the cli for this.


    HTH

    warwick

    Hong Kong

  • GPane
    GPane Posts: 7
    edited April 2020

    Can't connect using the cable!

    I have set the specifications from the manual:

    115200, 8, None, 1, None

    But I see only a black screen, not the login window!

    Please help...


    EDIT: I have set the same specifications for the COM port inside the driver...

    EDIT: I have also tried to reboot, nothing...

  • warwickt
    warwickt Posts: 111  Ally Member

    Hi GPane .. hmmm ... maybe Zyxel can assist.


    FWIW we use the defaults, which are as you use: 115200, 8, none, 1, none in the client.


    Welcome to USG60
    Username: freebsdmaster
    Password: 
    Router> show console
    console speed: 115200
    Router> 
    

    Are there any garbled chars on the host RS232 end?

    Maybe the cable is faulty...

    I'd be curious to know. Please post if you have some update.

    warwick

    Hong Kong

  • GPane
    GPane Posts: 7

    I don't have the original cable…

    I have tried 3 different RS232 --> USB and 2 different RS232 --> LAN, nothing, always a black screen. Maybe I can get it from another friend of mine, Monday

    I hope it is the cable… I need that config

    P.S. Isn't there any documentation about the cable? Color scheme? Or a place to buy?

  • Jeremylin
    Jeremylin Posts: 166  Master Member

    Have you installed the driver for your RS232?

    For my RS232 console cable, I need to install its specific driver first before the next step.

  • GPane
    GPane Posts: 7

    Yes, I have installed it. I see COM 3, I set the speed on both sides (Teraterm and Windows) but nothing. Today I'll try with the original cable; I hope it will work...

  • warwickt
    warwickt Posts: 111  Ally Member

    Hi GPane, regarding the RS232 coms cable to USB, any generic one should work.

    Try this search for a picture:

    https://www.google.com/search?q=image+rs232++to+usb&tbm=isch&ved=2ahUKEwj7wbbLtdPoAhXpGKYKHS9jDS8Q2-cCegQIABAA&oq=image+rs232++to+usb&gs_lcp=CgNpbWcQA1ClsARY_sMEYM3YBGgBcAB4AIABmwGIAZYCkgEDMC4ymAEAoAEBqgELZ3dzLXdpei1pbWc&sclient=img&ei=K-2KXruAIemxmAWvxrX4Ag&bih=1308&biw=1309&client=safari

    The only GRIPE is that you may have to cut off the shoulder screws to get it anchored securely in the CONSOLE port of the ZYXEL appliance. (get your hacksaw out and flat file too!) .. lol!

    Software:

    FWIW, in the example above, for software on macOS we used an application called "Serial" from https://www.decisivetactics.com

    It's not bad.


    BTW, if all your setup is good, alert Zyxel Support, as these blokes have a lot of tricks to get these boxes accessible.

    HTH

    Warwick

    Hong Kong
