Community discussions

MUM Europe 2020
 
satish143
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Jan 22, 2016 9:54 pm

mikrotik scp/sftp client to transfer file between MT

Wed Apr 06, 2016 12:54 am

I am trying to sync firewall rules between two VRRP mikrotik and setup SSH key between them. is there any scp/sftp client available in RouterOS so i can transfer file between two mikrotik? I don't want to use ftp or third party server to transfer file between two MT.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: mikrotik scp/sftp client to transfer file between MT

Wed Apr 06, 2016 2:41 am

I am trying to sync firewall rules between two VRRP mikrotik and setup SSH key between them. is there any scp/sftp client available in RouterOS so i can transfer file between two mikrotik? I don't want to use ftp or third party server to transfer file between two MT.
forget ssh and use directly the ftp server service inside mikrotik:

(RouterOS 6.3x.x)

for upload one file to anonther RB (with ftp service confugured):
/tool fetch mode=ftp upload=yes address=00.11.22.33 port=21 user="user" password="pax" src-path="/localfolder/localfile.rsc" dst-path="/remotefolder/remotefile.rsc" keep-result=yes;
for download one file from anonther RB (with ftp service confugured):
/tool fetch mode=ftp upload=no address=00.11.232.33 port=21 user="user" password="pax" src-path="/remotefolder/remotefile.rsc" dst-path="/localfolder/localfile.rsc" keep-result=yes;
I'm Italian, not English. Sorry for my imperfect grammar.
 
satish143
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Jan 22, 2016 9:54 pm

Re: mikrotik scp/sftp client to transfer file between MT

Wed Apr 06, 2016 4:36 am

I am trying to sync firewall rules between two VRRP mikrotik and setup SSH key between them. is there any scp/sftp client available in RouterOS so i can transfer file between two mikrotik? I don't want to use ftp or third party server to transfer file between two MT.
forget ssh and use directly the ftp server service inside mikrotik:

(RouterOS 6.3x.x)

for upload one file to anonther RB (with ftp service confugured):
/tool fetch mode=ftp upload=yes address=00.11.22.33 port=21 user="user" password="pax" src-path="/localfolder/localfile.rsc" dst-path="/remotefolder/remotefile.rsc" keep-result=yes;
for download one file from anonther RB (with ftp service confugured):
/tool fetch mode=ftp upload=no address=00.11.232.33 port=21 user="user" password="pax" src-path="/remotefolder/remotefile.rsc" dst-path="/localfolder/localfile.rsc" keep-result=yes;
I mentioned there, I don't want to do ftp because it's not secure on wire. If RouterOS can run SSH server don't you think it should support scp client atleast?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: mikrotik scp/sftp client to transfer file between MT

Wed Apr 06, 2016 4:39 am

But ftp is the most fast and secure protocol you can use without waiting any implementation.

Simply firewall rules and/or change the default 21 port to any make impossible to hack on easy way or brute force the ftp...
I'm Italian, not English. Sorry for my imperfect grammar.
 
User avatar
eworm
Member
Member
Posts: 445
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: mikrotik scp/sftp client to transfer file between MT

Sat Jan 20, 2018 12:22 am

But ftp is the most fast and secure protocol you can use without waiting any implementation.

Simply firewall rules and/or change the default 21 port to any make impossible to hack on easy way or brute force the ftp...
The point is not hacking or brute force attack... If your two devices communicate with each other a third party can read your unencrypted credentials from wire.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
tippenring
Member Candidate
Member Candidate
Posts: 182
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: mikrotik scp/sftp client to transfer file between MT

Sat Jan 20, 2018 1:05 am

But ftp is the most fast and secure protocol you can use without waiting any implementation.
ost fast and secure protocol you can use without waiting any implementation.

Simply firewall rules and/or change the default 21 port to any make impossible to hack on easy way or brute force the ftp...
The point is not hacking or brute force attack... If your two devices communicate with each other a third party can read your unencrypted credentials from wire.
It is true that FTP is not secure. Credentials and the data are passed in cleartext. However, if you're using VRRP, I would expect your routers and the cables between them to be relatively secure. If the routers and cables are secure, then capturing the traffic between these two devices seems quite unlikely. If the cables pass through unsecured areas or devices, then I share your concern. If your routers are insecure, you have bigger problems than FTP.
 
sindy
Forum Guru
Forum Guru
Posts: 4218
Joined: Mon Dec 04, 2017 9:19 pm

Re: mikrotik scp/sftp client to transfer file between MT

Sat Jan 20, 2018 3:16 am

Currently you have only two basic options how to securely transfer files between two Mikrotiks:
  • activate https management interface at both Mikrotiks in question and use file download/upload of the WebFig interface which is secured by https
  • create a secure tunnel between the Mikrotiks (IPsec, SSTP) and use ftp over that tunnel
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
petterg
Member Candidate
Member Candidate
Posts: 198
Joined: Wed Sep 16, 2009 2:55 pm

Re: mikrotik scp/sftp client to transfer file between MT

Sun Aug 12, 2018 12:59 am

Where do you store a file in router os to make it available to download via https (webfig)?
 
saenito
just joined
Posts: 21
Joined: Wed Aug 22, 2018 3:37 am

Re: mikrotik scp/sftp client to transfer file between MT

Tue Feb 05, 2019 7:19 am

I dont know how to implement it in mikrotik but knowing a bit of ipsec i think you can establish some ipsec rules to "encript" your ftp ports (for example tcp 21, i dont remember if password data goes trough that one) between your routers

Also you can paste your firewall rules from a third equipment like a server on both routers. Just an idea how would i do it
 
User avatar
eworm
Member
Member
Posts: 445
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: mikrotik scp/sftp client to transfer file between MT

Mon Apr 08, 2019 1:09 pm

Starting with version 6.45beta22 the changelog lists:
*) fetch - added SFTP support;
Not sure how it works, though. Looks like mode=sftp is not (yet?) valid.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5960
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: mikrotik scp/sftp client to transfer file between MT

Mon Apr 08, 2019 1:17 pm

mode option is deprecated, left for compatibility with older scripts.
Use url=sftp://
 
User avatar
eworm
Member
Member
Posts: 445
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: mikrotik scp/sftp client to transfer file between MT

Tue Apr 09, 2019 6:47 pm

I gave it a try, but did not succeed. The server is running openssh 7.9p1, the account is locked to sftp only with openssh's internal sftp implementation.
[admin@Mikrotik] > /system ssh user=mikrotik-upload sftp-host
Password: 
This service allows sftp connections only.

Welcome back!
[admin@Mikrotik] > /tool fetch url=sftp://sftp-host/upload/test.txt user=mikrotik-upload password=xxxx
  status: failed
  
failure: closing connection: <> 10.0.0.10:22 (16) (6)
[admin@Mikrotik] > /tool fetch upload=yes url=sftp://sftp-host/ user=mikrotik-upload password=xxxx src-path=export.rsc dst-path=upload/export.rsc                      
  status: failed
  
failure: closing connection: <> 10.0.0.10:22 (17) (6)
Neither download nor upload works. Tried from a linux box, on server side everything works as expected. The directory "upload" exists and is writable.

Anybody having more success? What topics to enable for useful debug output?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
tucsy
just joined
Posts: 6
Joined: Sat Mar 31, 2018 8:15 pm

Re: mikrotik scp/sftp client to transfer file between MT

Mon Jul 01, 2019 9:59 pm

Hello eworm,

I had a similar problem: I couldn't upload the exported config file to my server via SFTP.
Finally, I found a syntax error.

Try this for upload:
/tool fetch upload=yes url=sftp://sftp-host/upload/export.rsc user=mikrotik-upload password=xxxx src-path=export.rsc
So not use dst-path, just add destination to the URL.

I hope it will help.

Regards,
Imre
 
User avatar
eworm
Member
Member
Posts: 445
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: mikrotik scp/sftp client to transfer file between MT

Thu Jul 25, 2019 10:37 pm

Finally found the cause for my issue with help of support. Looks like the sftp client in RouterOS fails if too many authentication methods are supported by the server. On my SSH server I added this block in /etc/ssh/sshd_config:
Match User mikrotik-upload
    AuthenticationMethods password
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts

Who is online

Users browsing this forum: ammaree, Google [Bot], Zacharias and 38 guests