MikroTik scp/sftp client to transfer file between MT

I am trying to sync firewall rules between two VRRP MikroTiks and set up an SSH key between them. Is there any scp/sftp client available in RouterOS so I can transfer a file between two MikroTiks? I don’t want to use FTP or a third-party server to transfer files between two MTs.

Forget SSH and use the FTP server service inside MikroTik directly:

(RouterOS 6.3x.x)

To upload one file to another RB (with the FTP service configured):

/tool fetch mode=ftp upload=yes address=00.11.22.33 port=21 user="user" password="pax" src-path="/localfolder/localfile.rsc" dst-path="/remotefolder/remotefile.rsc" keep-result=yes;

To download one file from another RB (with the FTP service configured):

/tool fetch mode=ftp upload=no address=00.11.232.33 port=21 user="user" password="pax" src-path="/remotefolder/remotefile.rsc" dst-path="/localfolder/localfile.rsc" keep-result=yes;

I mentioned there that I don’t want to use FTP because it’s not secure on the wire. If RouterOS can run an SSH server, don’t you think it should support an scp client at least?

But FTP is the fastest and most secure protocol you can use without waiting for any implementation.

Simply using firewall rules and/or changing the default port 21 to any other makes it impossible to hack in an easy way or brute-force the FTP…

The point is not hacking or brute force attack... If your two devices communicate with each other a third party can read your unencrypted credentials from wire.

It is true that FTP is not secure. Credentials and the data are passed in cleartext. However, if you're using VRRP, I would expect your routers and the cables between them to be relatively secure. If the routers and cables are secure, then capturing the traffic between these two devices seems quite unlikely. If the cables pass through unsecured areas or devices, then I share your concern. If your routers are insecure, you have bigger problems than FTP.

Currently you have only two basic options how to securely transfer files between two Mikrotiks:

  • activate https management interface at both Mikrotiks in question and use file download/upload of the WebFig interface which is secured by https
  • create a secure tunnel between the Mikrotiks (IPsec, SSTP) and use ftp over that tunnel

Where do you store a file in RouterOS to make it available to download via https (WebFig)?

I don't know how to implement it in MikroTik, but knowing a bit of IPsec, I think you can establish some IPsec rules to “encrypt” your FTP ports (for example TCP 21; I don't remember if password data goes through that one) between your routers.

Also, you can paste your firewall rules from a third piece of equipment, like a server, on both routers. Just an idea of how I would do it.

Starting with version 6.45beta22 the changelog lists:

*) fetch - added SFTP support;

Not sure how it works, though. Looks like mode=sftp is not (yet?) valid.

mode option is deprecated, left for compatibility with older scripts.
Use url=sftp://

I gave it a try, but did not succeed. The server is running openssh 7.9p1, the account is locked to sftp only with openssh’s internal sftp implementation.

[admin@Mikrotik] > /system ssh user=mikrotik-upload sftp-host
Password: 
This service allows sftp connections only.

Welcome back!
[admin@Mikrotik] > /tool fetch url=sftp://sftp-host/upload/test.txt user=mikrotik-upload password=xxxx
  status: failed
  
failure: closing connection: <> 10.0.0.10:22 (16) (6)
[admin@Mikrotik] > /tool fetch upload=yes url=sftp://sftp-host/ user=mikrotik-upload password=xxxx src-path=export.rsc dst-path=upload/export.rsc                      
  status: failed
  
failure: closing connection: <> 10.0.0.10:22 (17) (6)

Neither download nor upload works. Tried from a linux box, on server side everything works as expected. The directory “upload” exists and is writable.

Anybody having more success? What topics to enable for useful debug output?

Hello eworm,

I had a similar problem: I couldn’t upload the exported config file to my server via SFTP.
Finally, I found a syntax error.

Try this for upload:

/tool fetch upload=yes url=sftp://sftp-host/upload/export.rsc user=mikrotik-upload password=xxxx src-path=export.rsc

So do not use dst-path; just add the destination to the URL.

I hope it will help.

Regards,
Imre

Finally found the cause for my issue with help of support. Looks like the sftp client in RouterOS fails if too many authentication methods are supported by the server. On my SSH server I added this block in /etc/ssh/sshd_config:

Match User mikrotik-upload
    AuthenticationMethods password
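
Added example, not part of the original post: a shell check that the server's effective settings for the upload account match the fix above. It reads the output of `sshd -T -C user=mikrotik-upload` on stdin; the `ForceCommand` and `AllowTcpForwarding` checks and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit what sshd will actually apply
# to the SFTP upload account. On a real server, feed it the output of:
#   sshd -T -C user=mikrotik-upload     (run as root)

# audit_upload_account: reads `sshd -T` style "keyword value" lines on stdin,
# prints one line per check, returns 0 only when every check passes.
audit_upload_account() {
    awk '
    BEGIN { bad = 0 }
    { k = tolower($1); v = $0; sub(/^[^ \t]+[ \t]*/, "", v); val[k] = v }
    function need(key, want, why) {
        if (val[key] == want) { print "ok    " key " " val[key]; return }
        print "FAIL  " key " is \"" val[key] "\", want \"" want "\" (" why ")"
        bad = 1
    }
    END {
        # The fix reported in the thread: offer the RouterOS client one method.
        need("authenticationmethods", "password", "single method for RouterOS fetch")
        # A method named in AuthenticationMethods must itself be enabled.
        need("passwordauthentication", "yes", "listed method must be enabled")
        # Assumed hardening for an upload-only account; adjust the expected
        # value if internal-sftp is configured with extra options.
        need("forcecommand", "internal-sftp", "no shell for this account")
        need("allowtcpforwarding", "no", "no port forwarding for this account")
        exit bad
    }'
}

# Constructed sample: effective settings with the Match block in place.
SAMPLE_GOOD='authenticationmethods password
passwordauthentication yes
forcecommand internal-sftp
allowtcpforwarding no'

# Constructed sample: sshd defaults, i.e. no Match block for the account.
SAMPLE_DEFAULT='authenticationmethods any
passwordauthentication yes
forcecommand none
allowtcpforwarding yes'

printf '%s\n' "$SAMPLE_GOOD" | audit_upload_account || true
printf '%s\n' "$SAMPLE_DEFAULT" | audit_upload_account || true
```

Because the check runs against `sshd -T` output rather than the config file, it also catches a `Match` block that is shadowed or never reached.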

Been dealing with this lately and it does work with pub key authentication, which is superior to password, esp. as password auth is disabled by default in OpenSSH.
You can easily add private keys to the respective account in RouterOS, and there it is.

Has anyone tried to upload a file (Mikrotik router to remote server) using the src-address parameter? I’m using the following command:

/tool fetch upload=yes url="sftp://serverIP/path/file" user=$user password=$password src-path=$file src-address=$ip

But it seems there’s a bug or something because it returns this error (even the error says SFTP supports it):

failure: only http[s]/sftp supports src-address

ROS Version: 6.46.5

Fixed in v6.47.4.

Can you please share your wisdom on how to do that? Many have tried and failed. Debug shows that ROS does not like the publickey method …



Hello, I use

 /tool fetch upload=yes url="sftp://192.168.120.2/backup/test.txt" src-path="test.txt" user=******** password=********

and get this error:

  status: failed

failure: connection timeout

but the file was uploaded!
From Windows I tried WinSCP and it worked OK.
Tested on 6.49.2 and 7.5, Synology DSM 7.1