mbkp's Introduction

mbkp

Mikrotik backup script

This script can be used to centralize the backup configurations of Mikrotik devices. Each device has its own configuration file in which it can override the standard options.

Supported versions:

  • 6.X
  • 7.X

Configuration

  1. Read example.cfg

  2. Configure your devices using ssh_config files (see man ssh_config)

Example SSH client configuration (for those who don't want to read the documentation):

# file ~/.ssh/config
host *
  # use just one connection for the script
  ControlMaster          auto
  ControlPath            ~/.ssh/control-%h-%p-%r
  ControlPersist         5m
  # not needed for backups
  ForwardX11             no
  # default key, if needed
  IdentityFile           ~/.ssh/id_rsa
  # not needed, keys are used
  PasswordAuthentication no
  # default port
  Port                   22
  # do not check host keys (new and changed keys are accepted)
  StrictHostKeyChecking  no
  # default backup user
  User                   backupusr

# gw jump
host mikrotik1
  Hostname 1.1.1.1

# ap
host mikrotik-ap1
  Hostname 192.168.88.2
  # use gw as an entrypoint
  ProxyJump mikrotik1
  # override if needed
  IdentityFile ~/.ssh/mykey
  # override if needed
  User xxx

To make ProxyJump work, you need to allow SSH forwarding on the Mikrotik device that acts as the jump host:

> /ip ssh set forwarding-enabled=both
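
An added check, not part of mbkp: the `host *` block above sets `StrictHostKeyChecking no`, so every connection made with that config skips host key verification. The function below lists such settings per Host block so they can be scoped to single hosts or replaced (for example with `accept-new`). The function name, the sample config and the `lab-ap` host are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of mbkp): list ssh_config settings that turn off
# host key verification, together with the Host/Match block they apply to.

audit_ssh_config() {
    # $1: ssh_config file to inspect, or "-" to read standard input.
    # Prints "<block>: <option> <value>" per finding; prints nothing if clean.
    awk '
        BEGIN { block = "(global)" }
        {
            sub(/#.*/, "")      # strip full-line and trailing comments
            gsub(/=/, " ")      # accept both "Key value" and "Key=value"
            if (NF < 2) next
            key = tolower($1); val = tolower($2)

            if (key == "host" || key == "match") {
                # Remember which block the following options belong to.
                block = $2
                for (i = 3; i <= NF; i++) block = block " " $i
                next
            }
            # "no"/"off": new and changed host keys are accepted without prompting.
            if (key == "stricthostkeychecking" && (val == "no" || val == "off"))
                printf "%s: %s %s\n", block, $1, $2
            # Discarding known_hosts means no key is ever remembered or compared.
            if (key == "userknownhostsfile" && val == "/dev/null")
                printf "%s: %s %s\n", block, $1, $2
        }
    ' "$1"
}

# Constructed sample: the first block mirrors the "host *" defaults above;
# "lab-ap" and its options are made up for the demonstration.
SAMPLE_SSH_CONFIG='host *
  ControlMaster          auto # use just one connection for script
  StrictHostKeyChecking  no # dont check hostkey
  User                   backupusr # default backup user
host mikrotik1
  Hostname 1.1.1.1
host lab-ap
  StrictHostKeyChecking=accept-new
  UserKnownHostsFile /dev/null'

printf '%s\n' "$SAMPLE_SSH_CONFIG" | audit_ssh_config -
```

A finding under `*` applies to every host the backup user connects to, including connections made through the ProxyJump gateway.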

Scheduling

Here is an example crontab:

# VARS:
MCFG="/etc/mikrotik_backup"
MBKP="/usr/local/bin/mbkp"
MLOG="/var/log/mikrotik_backup/log"
# TASKS:
00 03 * * *     "$MBKP" "$MCFG/somehost.cfg" >>"$MLOG" 2>&1             # Comment

Recommended paths:

  • /etc/mikrotik_backup: directory where the configuration files are located
  • /usr/local/bin/mbkp: executable bash script with default variables
  • /var/log/mikrotik_backup/log: logfile to trace script execution results

This script makes two backups: a binary backup and an export. The binary backup is protected with a password; a default password is included in the executable script and can be overridden in a custom config file. The export is also password-protected, but via openssl: the script exports the config over ssh to a temporary file as plain text, then encrypts that file and moves it to the destination. The encrypted export can easily be decrypted with the openssl command:

# decrypt the file
openssl des3 -d -salt -in encryptedfile.txt -out normalfile.txt

mbkp's People

Contributors

dbhd, tenhishadow

mbkp's Issues

Refine Backup Logs with Additional Device Details for Enhanced Troubleshooting

Description:
The existing backup script, while effective in logging basic information such as device name and backup status, requires enhancements to better support troubleshooting and device tracking. By incorporating additional device-specific details into the CSV logs, we can significantly improve our ability to identify and resolve issues related to SSH configuration errors and potential mismatches in device backups.

Enhancements Requested:

  • Device Version: Include the software version of the device to help correlate backup issues with specific software environments.
  • Serial Number: Capture the device's serial number to uniquely identify devices and prevent backup mismatches.
  • Hardware Version: Log the hardware version for insights into hardware-related backup issues.

Purpose:
These enhancements aim to enable precise detection of problems in SSH configurations or instances where the wrong device is being backed up due to incorrect host configuration. Additionally, logging these details provides further information about the backed-up device, aiding in comprehensive troubleshooting and analysis.

Permission denied (password).

I try to set up your backup script from a Synology server, but it has errors.

In mbkp.sh I changed ST_ROOT="/volume3/Documents/server/mikrotik/backup"
In example.cfg I changed

TGT_HOSTNAME="router.spb.lan"
ST_ROOT="/volume3/Documents/server/mikrotik/backup"

Then I created a DSA key and imported it into the Mikrotik

root@Server:~# ssh-keygen -t dsa
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.

scp id_dsa.pub [email protected]:/

[admin@MikroTik router] > user ssh-keys import

Then in winbox, if I go to System > Users, on the SSH Keys tab I can see the imported certificate data

User = admin
Key owner = root@Server

Then I set up the root/.ssh/config file

Host router.spb
  Hostname router.spb.lan
  Port 22
  User admin
  IdentityFile ~/.ssh/id_dsa

The task is done like that:
[screenshot]

I try to run the script and get this report

Task Scheduler has completed a scheduled task.

Task: Mikrotik backup
Start time: Sat, 21 Nov 2020 21:27:39 GMT
Stop time: Sat, 21 Nov 2020 21:27:40 GMT
Current status: 1 (Interrupted)
Standard output/error:
Permission denied, please try again.
Permission denied, please try again.
Permission denied (password).
Permission denied, please try again.
Permission denied, please try again.
Permission denied (password).
ERR: cannot establish ssh-connection

From Server

On my server I can see the ./router.spb.lan and ./router.spb.lan/archive directories created, but empty, and a log and a readme file.
In the log file I can see the following

#######
# logfile for /volume3/Documents/server/mikrotik/mbkp.sh
# The format is:
#       DATE;STATE;FILENAME
# author: tenhi([email protected])
#######
   ###
    #
 
20201121_2126;fail;router.spb.lan_20201121_2126.backup
20201121_2126;fail;router.spb.lan_20201121_2126.export.des3
20201121_2127;fail;router.spb.lan_20201121_2127.backup
20201121_2127;fail;router.spb.lan_20201121_2127.export.des3

Then I go to the server command line to check the ssh connection from the server to the router

root@Server:~# ssh router.spb
[email protected]'s password:

I suppose that the problem is that the Mikrotik is still asking for a password, but it is not clear to me why.
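
The log excerpt in the report above follows the script's `DATE;STATE;FILENAME` format. As an added example (not part of mbkp or of the report), the function below reads such a log and lists each host and backup type whose latest record is `fail`. The function name, the sample lines and the `ok` state are assumptions.

```shell
#!/bin/sh
# Added example (not part of mbkp): report every backup artifact whose most
# recent log record has STATE "fail".

failed_backups() {
    # $1: log file in DATE;STATE;FILENAME format, or "-" for standard input.
    # Prints "<host> <kind> <date>" per failing artifact, sorted.
    awk -F';' '
        /^[ \t]*(#|$)/ { next }          # header banner and blank lines
        NF != 3        { next }          # anything that is not a record
        {
            date = $1; state = $2; file = $3
            # FILENAME is <host>_<DATE>.<kind>; split it around "_<DATE>."
            tag = "_" date "."
            pos = index(file, tag)
            if (pos == 0) next
            host = substr(file, 1, pos - 1)
            kind = substr(file, pos + length(tag))
            id = host " " kind
            # Keep only the newest record per host and kind; DATE is
            # YYYYMMDD_HHMM, so string comparison orders it correctly.
            if (!(id in seen) || date >= seen[id]) {
                seen[id] = date
                last[id] = state
            }
        }
        END {
            for (id in last)
                if (last[id] == "fail") print id, seen[id]
        }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample log. The page shows only the "fail" state; "ok" is a
# placeholder for whatever the script writes on success.
SAMPLE_LOG='# DATE;STATE;FILENAME
   ###
20201121_2126;fail;router.spb.lan_20201121_2126.backup
20201121_2126;fail;router.spb.lan_20201121_2126.export.des3
20201122_0300;ok;router.spb.lan_20201122_0300.backup
20201122_0300;fail;router.spb.lan_20201122_0300.export.des3
20201122_0300;fail;ap1.example_20201122_0300.backup
20201122_0300;ok;gw1.example_20201122_0300.export.des3'

printf '%s\n' "$SAMPLE_LOG" | failed_backups -
```

Run against the real logfile after the cron job, non-empty output is a signal to alert on, since a device whose export keeps failing has no current encrypted copy of its configuration.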

rosv7 export changes

export changed in rosv7

  1. get version major:
  2. depends on <=6 - just export, >6:
     export show-sensitive terse
  3. add terse as default

Feature Request: Implement Tagging System for Backups with Configurable Option

an enhancement for the project that I believe could significantly improve the manageability and organization of backups. It would be beneficial to introduce a tagging system for backups, allowing users to assign custom names or identifiers to their backups. This feature could serve as a way to easily distinguish and manage backups over time.

The idea is to implement this functionality as an additional option in the configuration settings, where users can specify a tag for each backup operation. By default, this feature could be disabled (i.e., no tag is assigned), ensuring backward compatibility and not imposing any changes on users who may not need this functionality.

The end implementation could be as straightforward as creating a symbolic link (symlink) on the file system that points to the actual backup file. This symlink would be named after the tag, providing a user-friendly way to access and identify backups based on their designated tags.

Implementing such a feature could enhance the user experience by providing more flexibility in organizing and retrieving backups, especially in environments where backups are frequent and need to be categorized or identified quickly.
