Using SSH for system backup

From MikroTik Wiki

As an alternative to scripts that email backups to a central location, you can use ssh from a central linux/unix box to run the commands and retrieve the backup files from your Mikrotiks. The benefits of this approach are that the whole exchange is encrypted, and that there is one centralized piece of backup software instead of assorted scripts on assorted Mikrotiks.

Preparing the Mikrotik

The security package must be installed and activated in order to use ssh with your Mikrotiks.

Follow these wiki instructions to set up your ssh public key for easier access to your Mikrotiks.

Use SSH to execute commands (DSA key login)

I have summarized my use of this for completeness of the instructions.

jp@huehuetenango:~> ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/jp/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/jp/.ssh/id_dsa.
Your public key has been saved in /home/jp/.ssh/id_dsa.pub.
The key fingerprint is:
omitted jp@huehuetenango

jp@huehuetenango:~> cp .ssh/id_dsa.pub huekeys

I have now created the keys and put the public one in a file I can send to the Mikrotik.

jp@huehuetenango:~> ftp 10.0.2.1
Connected to 10.0.2.1.
220 oakstreet FTP server (MikroTik 2.9.50) ready
Name (10.0.2.1:jp): admin
331 Password required for admin
Password:
230 User admin logged in
Remote system type is UNIX.
ftp> bin
200 Type set to I
ftp> put huekeys
local: huekeys remote: huekeys
500 'EPSV': command not understood
227 Entering Passive Mode (10,0,2,1,128,6).
150 Opening BINARY mode data connection for '/huekeys'
100% |*************************************|   606       6.28 MB/s    00:00 ETA
226 BINARY transfer complete
606 bytes sent in 00:00 (120.65 KB/s)
ftp> by
221 Closing
jp@huehuetenango:~> telnet 10.0.2.1
Trying 10.0.2.1...
Connected to 10.0.2.1.
Escape character is '^]'.

MikroTik v2.9.50
Login: admin
Password: 

Terminal xterm detected, using multiline input mode
[admin@oakstreet] > user ssh-keys import file=huekeys user=admin 
[admin@oakstreet] > quit
Connection closed by foreign host.
jp@huehuetenango:~>

The key is now installed.

The first time you connect with ssh, it will ask you to confirm the router's host key; after that, ssh logins to the Mikrotik need no password at all.

Executing Commands

Now you can have a normal interactive session on the Mikrotik by the command

ssh admin@10.0.2.1

You can also run commands from the server command line by putting those commands after the normal ssh command. Here we ran two commands, one to export the configuration to the named file, the other to view the files on the Mikrotik.

jp@huehuetenango:~> ssh admin@10.0.2.1 export file=20080304-25oak
jp@huehuetenango:~> ssh admin@10.0.2.1 file print           
 # NAME                   TYPE                  SIZE       CREATION-TIME       
 0 key                    file                  181        aug/04/2006 09:00:21
 1 sys-note.txt           .txt file             133        dec/28/2007 09:11:36
 2 20080304-25oak.rsc     script                17915      mar/04/2008 21:26:38

Getting Files

Though not well documented, the Mikrotik supports sftp using the same ssh key system. This means you can log in for file transfer without typing or storing any passwords.

jp@huehuetenango:~> sftp admin@10.0.2.1:20080304-25oak.rsc
Connecting to 10.0.2.1...
Fetching /20080304-25oak.rsc to 20080304-25oak.rsc
/20080304-25oak.rsc                           100%   17KB  17.5KB/s   00:00    
jp@huehuetenango:~> 

Putting it all together

You can package it in a nasty bash script if you want to automate it.

jp@huehuetenango:~> cat backup10.0.2.1 
#!/bin/bash
set -e                                   # stop if the export or the download fails
name=25oak
bfile=$(date +%Y%m%d)-$name              # e.g. 20080304-25oak
ssh admin@10.0.2.1 export file="$bfile"  # writes $bfile.rsc on the Mikrotik
sftp admin@10.0.2.1:"$bfile.rsc"         # fetches it into the current directory

Run chmod u+x on the script file to make it executable.

Here is the script in action

jp@huehuetenango:~> ./backup10.0.2.1 
Connecting to 10.0.2.1...
Fetching /20080304-25oak.rsc to 20080304-25oak.rsc
/20080304-25oak.rsc                           100%   17KB  17.5KB/s   00:00    
jp@huehuetenango:~> 

As you can see it connected to the Mikrotik, did its work, and retrieved the file it created.

If you had a large number of Mikrotiks, you could put the lines of my bash script in a loop where the name and IP changed, for example by querying a database for a list of names and IP addresses.
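Here is one way to write that loop, as an added example that is not part of the wiki page. It reads a host list file in the constructed format "name ip" (one router per line, '#' comments allowed), exports and fetches each router's configuration into a directory for the day, counts failures, and passes -o BatchMode=yes to ssh and sftp so an unattended run fails cleanly instead of waiting at a password prompt if the key has not been imported on a router. The admin user, the file name pattern and the ssh/sftp invocations are the same as in the script above; the SSH and SFTP variables are an assumed override hook so the script can be exercised without a router.

```shell
#!/bin/bash
# Added example (not from the wiki page): back up a list of Mikrotiks from one
# central box. Assumes the ssh public key has already been imported on every
# router for the 'admin' user as described above, and that the host list file
# (constructed format: "<name> <ip>" per line) is maintained by you.
set -u

# Same naming pattern as the page's script: YYYYMMDD-<name>. The date may be
# given as a second argument so the function is deterministic when tested.
backup_name() {
    printf '%s-%s\n' "${2:-$(date +%Y%m%d)}" "$1"
}

# Print "name ip" pairs from the host list, skipping blank and '#' lines.
parse_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{print $1, $2}'
}

# Export the configuration on one router and fetch the .rsc file into $3.
# ssh/sftp run in BatchMode so a missing key fails instead of hanging.
# SSH and SFTP may be overridden (assumed hook) to test without a router.
backup_router() {
    local name=$1 ip=$2 dest=$3
    local bfile
    bfile=$(backup_name "$name")
    mkdir -p "$dest"
    ${SSH:-ssh} -o BatchMode=yes "admin@$ip" export file="$bfile" || return 1
    # sftp fetches into the current directory, exactly as in the page's
    # example, so change into the destination directory first.
    ( cd "$dest" && ${SFTP:-sftp} -o BatchMode=yes "admin@$ip:$bfile.rsc" ) || return 1
    # A zero-byte file means the export did not really arrive.
    [ -s "$dest/$bfile.rsc" ]
}

# Back up every router in the list; the return value is the failure count,
# so cron (or the caller) sees a non-zero status when any router was missed.
backup_all() {
    local list=$1 dest=$2 failed=0 name ip
    while read -r name ip; do
        [ -n "$name" ] || continue
        if backup_router "$name" "$ip" "$dest"; then
            echo "ok      $name ($ip)"
        else
            echo "FAILED  $name ($ip)" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$(parse_hosts "$list")
EOF
    return "$failed"
}

# Usage: ./backup-all hosts.txt [destination directory]
if [ "${1:-}" ]; then
    backup_all "$1" "${2:-backups/$(date +%Y%m%d)}"
fi
```

Run it from cron with the host list as its argument; because the failure count is the exit status, a single missed router is enough to make cron report the job, and the FAILED lines on stderr say which one.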

See also