Big problem with Netwatch, Mikrotik loop restart

Hi, I have a big problem: I have no backup (only the before-reset backup, but with the last config)… I thought that I had an .rsc backup, but no… I don't have any backup…

I created two Netwatch rules to restart the MikroTik if two IPs are not reachable… but I configured them badly… now the MikroTik powers on and restarts because it has no time to establish the tunnel (the tunnel that carries the IPs that Netwatch monitors before restarting)…

Is there any way to remove this rule? Any safe start or something, to disable the Netwatch rules?

Thanks!!

Well, if you have another device on which you can set the two IP addresses and connect it to your MikroTik so it can reach them (I don't know your routing), you can perhaps get it done.
I'm thinking of something like a second router as your simulated default ISP and fake hosts.
If this doesn’t work for you, reset and reconfigure is the only other option I know.

Hi, yes, I did it… but… it seems like Netwatch does its job before the other device provides the IPs…

On ether1 I have a DHCP client… I connected a device with the two IPs configured… 192.168.2.1 and 192.168.3.1, but no success…

I think Netwatch does its job before the MikroTik can detect that the interface is up…

Another solution?

Thanks!!

Add the IP addresses Netwatch is using to your PC (or something else), so they ping back to Netwatch?

Hi, I tried adding them on another MikroTik's ethernet port (with these IPs configured) and connecting it to an interface of this MikroTik, but no success… I think it could be difficult to recover…

Thinking… and thinking… and thinking… I forgot that I repair firmware on Ubiquiti and sometimes on MikroTik devices… what did I do? I opened the .backup file (encrypted) to check whether the commands in the “at down” box show in plain text and… BINGO!!

Open the file with the HxD hex editor and search for any word from the “at down” box… in my case, “reboot”, and BINGO AGAIN!! You can see the command in the “at down” box, which is “/system reboot”.

How to “try” to solve it… we overwrite these two commands with dots and save the file…

Then upload it to the MikroTik (the same MikroTik, because it is a .backup file) and restore it… and BINGO!! The MikroTik is working, and in the “at down” boxes we have the dots… now delete the Netwatch rules, and all is fine…

Hope this could be useful to any user who makes a mistake like mine xDD

Best regards!!
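The HxD steps above (search the .backup for a word from the down-script, overwrite the command with the same number of dots, save) can be scripted. The following is an added example written for this page, not code from the thread or from MikroTik. It assumes what the post reports: that on an unencrypted .backup the Netwatch down-script text is stored as plain ASCII. The file format itself is undocumented, so the safe move is the one the post makes by hand, a same-length overwrite that keeps the file size and every other byte offset unchanged. The sample bytes at the bottom are constructed for the demo and are not a real backup.

```python
"""Locate plaintext RouterOS script fragments in an UNENCRYPTED .backup and
neutralize a chosen command in place, byte-for-byte (same length, dots).

Added example for this thread, not MikroTik code. Assumption: the down-script
text is stored as plain ASCII in a backup saved without a password.
"""
from __future__ import annotations

import re
from pathlib import Path


def find_plaintext_strings(blob: bytes, min_len: int = 4) -> list[tuple[int, bytes]]:
    """(offset, text) for every printable-ASCII run of at least min_len bytes,
    the same view that `strings -t d file.backup` gives on Linux/Mac."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(blob)]


def grep_backup(blob: bytes, needle: bytes) -> list[tuple[int, bytes]]:
    """Only the plaintext runs containing needle (e.g. b"reboot"), so you can
    confirm what the down-script really says before touching anything."""
    return [(off, s) for off, s in find_plaintext_strings(blob) if needle in s]


def neutralize_command(blob: bytes, command: bytes, filler: int = 0x2E) -> tuple[bytes, int]:
    """Overwrite every occurrence of command with filler bytes ('.' by default).

    The replacement is exactly as long as the command, so len(result) == len(blob)
    and no other field moves. Returns (patched_blob, number_of_occurrences).
    """
    if not command:
        raise ValueError("command must not be empty")
    count = blob.count(command)
    patched = blob.replace(command, bytes([filler]) * len(command))
    return patched, count


def patch_backup_file(src: Path, dst: Path, command: bytes) -> int:
    """Read src, neutralize command, write dst. Never edits src in place, so the
    original stays available if the restore does not go as hoped."""
    patched, count = neutralize_command(src.read_bytes(), command)
    dst.write_bytes(patched)
    return count


# Constructed sample, NOT a real .backup: binary filler around the kind of
# Netwatch down-script text the thread found in plain text.
SAMPLE_BACKUP = (
    b"\x00\x01\x02\xff\xfe" + b"netwatch" + b"\x00\x00"
    + b"/system reboot" + b"\x00\x07" + b"192.168.2.1" + b"\x00"
    + b"/system reboot" + b"\x00\x09" + b"192.168.3.1" + b"\x00\xaa\xbb"
)

if __name__ == "__main__":
    # Step 1: look before you patch (offset in hex, like a hex editor shows it).
    for off, s in grep_backup(SAMPLE_BACKUP, b"reboot"):
        print(f"{off:08x}  {s.decode('ascii')}")
    # Step 2: same-length overwrite, then verify the size did not change.
    patched, n = neutralize_command(SAMPLE_BACKUP, b"/system reboot")
    print(f"neutralized {n} occurrence(s); size unchanged: {len(patched) == len(SAMPLE_BACKUP)}")
    # Real use: patch_backup_file(Path("router.backup"), Path("router-fixed.backup"), b"/system reboot")
```

As the post notes, a .backup restores only on the device it came from, so the patched file goes back to the same router; and once it boots, delete the Netwatch rules properly rather than leaving the dotted-out scripts in place.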

How are you able to open an encrypted backup file in a hex editor, search for and change specific values, save it and use it?
Is there no real encryption, or were you able to decrypt and re-encrypt the file?

I think some custom commands, like the ones you put in “on up” and “on down”, comments and some other things are not encrypted… they are in plain text… while the configuration such as IP addresses, IP routes, passwords, all of this is encrypted…

You can see that I saved my ass with this trick…

Regards!!

Wow, you're totally right. If you open an “AES-encrypted backup” in a hex editor like VSCode, I can totally search for stuff in /system/scripts and see all the RouterOS script code. Plain as day, once the ASCII char codes are decoded. I initially assumed that somehow you had an unencrypted backup file, which isn't the default, NOT an encrypted one, where I would have thought your nifty trick wouldn't work…

This may be really helpful to @donsergiobut, but to anyone who wants to store sensitive data in a script, this is a major problem. I guess I just assumed they encrypted the entire backup, not just a subset of the fields in the config. I suspect this behavior would surprise most people. I don't use Cloud Backup, but now I'm left wondering if it leaves some stuff in plain text when going to their cloud backup service.

Oh this is subtle. Poked around more here.

Apparently the CLI and WinBox allow you to create a backup with the “aes” or “rc4” encryption set, but the backup won't be encrypted unless a password is set. Without a password= being set, it ignores the encryption= part. So even if “Don't Encrypt” is UNCHECKED (which should mean “Should Encrypt”), WinBox/CLI gives NO warning or error that you're about to create an unencrypted backup, even though an encryption type is set!

Now the help does in fact note this, in its description of the password field. While I imagine encryption does need some keying material (e.g. the password), neither WinBox nor the CLI should let you set “encryption=” if it's not actually going to encrypt it. That's just plain confusing for something as important as this.

So that's likely why the OP thought he was using an “encrypted backup”: it wasn't really encrypted.

See https://help.mikrotik.com/docs/display/ROS/Backup under the “Password” field:
Password for the encrypted backup file. Note that since RouterOS v6.43 without a provided password the backup file is unencrypted.
This is true in both v6 and v7. But while the help has plenty of warning, the doc writer thought this should be relegated to a footnote.

If you do set a password, then the scripts etc. are in fact encrypted, it seems. “Cloud Backup” does force a password to be set. It's only in plain “Backup” where it only APPEARS like you're creating an encrypted backup.

Anyway, if you want to reboot the device when a host is unreachable, use the watchdog function:

https://wiki.mikrotik.com/wiki/Manual:System/Watchdog


watch-address (IP; Default: none)
The system will reboot, in case 6 sequential pings to the given IP address will fail. If set to none this feature is disabled. By default router will reboot every 6 minutes if watch-address is set and not reachable.

Hi, when you reset the device (for example with the reset button) and the device creates an “auto-backup-before-reset”, this backup is not encrypted with a password… you can take this backup and see confidential data…

I want to tell you a story… years ago… I bought second-hand MikroTik devices that came… with or without config… I got the full plain text of a .backup file… I won't show how I did it… but it's so simple… it's so simple to get a plain-text backup from a .backup file… with WinBox only… I got a lot of configuration files and passwords from providers thanks to this “bug”… But I only used this “bug” to see and learn about other providers' configurations…

Regards!!

That's the main trouble: when you reset the device, it creates a .backup with no password… and (as you saw) the file is not fully encrypted… with sensitive information… maybe tomorrow I'll check what sensitive information we can find in a .backup file with no password… maybe email passwords?… tomorrow I'll do some checks…

Hi!! This means that if… the IP is not reachable 6 times (in my case, the MK reboots 6 times, and the 7th time it doesn't reboot and stays online)… the RB won't reboot anymore (until power-off or reboot?) and it can be accessed?

I have the old backup with the Netwatch “issue”… tomorrow I will check after six reboots whether it is still rebooting or stays up for accessing ROS…

Thanks !!

Yeah, with physical access, all bets are off. I just think that this really should be an error:

/system backup save encryption=aes-sha256

since it works EXACTLY the same as this command:

/system backup save dont-encrypt=yes

Totally get why you'd need a password for it, but NOT having one should be an error. Anyway, the Linux/Mac command “strings” will pretty readily show the difference:

> strings v6isaec-nopwd.backup | head -10 
rosmode
wireless
schedulerH
admin
:delay 60s
/system script run notify-startup
:delay 15s
/system script run do-backup
:delay 15s 
/system script run do-speedtest

With “password=”, you do get an encrypted file it seems:

> strings v6isaec-pwd.backup | head -10 
V%8'F|
/B2>-
pOb)
+;L;
Mr`?U
5D[3
@X,B
n%Ue
Hl*;L
$r(e
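The two `strings | head` listings above are a visual test: readable script lines mean no encryption, short junk runs mean ciphertext. Here is the same test as a small Python check, added for this page and not from the thread or from MikroTik, so it can be run over a directory of backups (or the auto-backup-before-reset files mentioned earlier) without eyeballing each one. The heuristic is mine: ciphertext from a real cipher is statistically close to uniformly random bytes, so its Shannon entropy sits near 8 bits per byte and it almost never contains a long run of printable ASCII, whereas a backup saved without a password carries text such as "/system script run do-backup". The thresholds and the two sample byte strings are constructed for the demo.

```python
"""Is this RouterOS .backup actually encrypted? Byte-statistics version of the
`strings | head` check from the thread.

Added example for this page, not MikroTik code. Heuristic (mine): ciphertext
looks like uniform random bytes (entropy near 8 bits/byte, no long printable
runs); a no-password backup contains readable script/comment text.
"""
from __future__ import annotations

import math
import random
import re
from collections import Counter
from pathlib import Path

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling, reached by uniform random data."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum((c / n) * math.log2(c / n) for c in Counter(blob).values())


def longest_printable_run(blob: bytes) -> int:
    """Length of the longest printable-ASCII run, i.e. the longest line `strings` would print."""
    return max((len(m.group()) for m in PRINTABLE_RUN.finditer(blob)), default=0)


def looks_encrypted(blob: bytes, entropy_min: float = 7.5, run_max: int = 16) -> bool:
    """True when the bytes behave like ciphertext.

    Only 95 of 256 byte values are printable, so uniform random data of a few KB
    essentially never yields a printable run beyond a dozen bytes; a single
    readable RouterOS command is already longer than run_max.
    """
    return shannon_entropy(blob) >= entropy_min and longest_printable_run(blob) <= run_max


def classify_backup(path: Path) -> str:
    """Human-readable verdict for one file, for a loop over *.backup."""
    blob = path.read_bytes()
    return "encrypted" if looks_encrypted(blob) else "PLAINTEXT (scripts/comments readable)"


# Constructed samples, NOT real backup files.
_PLAIN_RECORD = (b"\x00\x02rosmode\x00wireless\x00scheduler\x00admin\x00"
                 b":delay 60s\n/system script run notify-startup\n")
PLAIN_SAMPLE = _PLAIN_RECORD * 20                      # stands in for a no-password backup
_rng = random.Random(20240101)
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext

if __name__ == "__main__":
    for name, blob in (("no password", PLAIN_SAMPLE), ("password set", RANDOM_SAMPLE)):
        print(f"{name:12s} entropy={shannon_entropy(blob):.2f} bits/byte "
              f"longest_run={longest_printable_run(blob):3d} encrypted={looks_encrypted(blob)}")
    # Real use:
    # for p in Path(".").glob("*.backup"):
    #     print(p.name, classify_backup(p))
```

Treat a "PLAINTEXT" verdict the way the thread does: assume every script, comment and down-script in that file is readable by whoever holds it, and re-save the backup with a password before it leaves the router.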

Netwatch will reboot the device immediately after a single ping timeout.
Watchdog will reboot the device after 6 minutes, which should be enough time to setup a connection and fix the configuration.
(Watchdog will keep rebooting the device every time 6 consecutive pings timeout in a 6 minute time period)

Note that Netwatch and watchdog are independent of each other.
Using netwatch to reboot the device (without further scripting) is a configuration error, not a MikroTik issue.

Oh sorry!! I mixed up watchdog and Netwatch… I never used watchdog… I'll do some tests, maybe that is what I need. Thanks!!

So curious, I had never seen the strings command… I'll install it and do some tests with the dumps of the devices that I have… I want to try it out… :smiley: