Terminus's FAQ
Linux on Routerboards
  Question: How can I archive Backups automatically on RouterOS?
  Question: Blacklist IP through phpAPI and terminate active connections

Answers
Question: How can I archive Backups automatically on RouterOS?

Actually - you can't. Well - it doesn't really make sense to keep the backup archives on the RouterBoard hardware. If it breaks - we want to be able to restore the backups - right? So what we need is an external system that we dump the backups onto and that takes care of archiving them.

First of all - we need to create a scheduler entry on RouterOS:

# Save the configuration as daily_backup once a day at 01:01
/system scheduler
add comment="Scheduler backup dump" disabled=no interval=1d name="Backup" on-event="/system backup save name=daily_backup run" start-time=01:01:00

This will take care of the automatic configuration backup. Next - as we don't want everyone to access the routerboard to download the backup-file - we need to add a backup group and user, and set appropriate access rights.

# Group that may only use FTP, and a user restricted to the backup server's address
/user group
add name="ftp" policy=ftp,!local,!telnet,!ssh,!reboot,!read,!write,!policy,!test,!winbox,!password,!web,!sniff
/user
add address=10.X.X.X/32 comment="Backup User - to gain backups of the router config" disabled=no group=ftp name="backup"

Add a password for the user backup. You'll need it later on.
Make sure that the address 10.X.X.X/32 is the IP address of your Linux backup server, so that only the user backup, coming from that IP address, can access the RouterBoard through FTP.

On the server you need curl installed. On an Ubuntu system, for example, issue:

~# sudo aptitude install curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Building tag database... Done
The following NEW packages will be automatically installed:
  libcurl3
The following NEW packages will be installed:
  curl libcurl3
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 357kB of archives. After unpacking 680kB will be used.
Do you want to continue? [Y/n/?] Y
Writing extended state information... Done
Get:1 http://de.archive.ubuntu.com gutsy/main libcurl3 7.16.4-2ubuntu1 [182kB]
Get:2 http://de.archive.ubuntu.com gutsy/main curl 7.16.4-2ubuntu1 [175kB]
Fetched 357kB in 0s (541kB/s)
Selecting previously deselected package libcurl3.
(Reading database ... 141553 files and directories currently installed.)
Unpacking libcurl3 (from .../libcurl3_7.16.4-2ubuntu1_i386.deb) ...
Selecting previously deselected package curl.
Unpacking curl (from .../curl_7.16.4-2ubuntu1_i386.deb) ...
Setting up libcurl3 (7.16.4-2ubuntu1) ...

Setting up curl (7.16.4-2ubuntu1) ...
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
Building tag database... Done

However - as it is insecure to provide scripts with passwords that can be seen inside the script or the process table - we'll use the .netrc file the curl program looks in for passwords. Create a file named .netrc in the home directory of the user who is going to perform the backups.

machine 10.X.X.X login backup password XXXXXXXX

Save the file - and make sure the mode is changed to 600 - e.g.:

~# chmod 600 .netrc
~$ ls -l .netrc 
-rw------- 1 backup backup 48 2008-03-14 16:32 .netrc

You should now be ready for a first test. As we'll be using curl - let's do it with curl.

~$ curl -n ftp://backup@10.X.X.X/daily_backup.backup -o backup.config
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  293k  100  293k    0     0  1013k      0 --:--:-- --:--:-- --:--:-- 1503k

Ok - the curl call works. All we need to do now - is to write a script and add it into the crontab of the local user. For the script - you can use the backuper.sh. This script has the advantage that it has some checks included - and moans in case something is not working right. So - copy that file to /usr/local/bin on your Linux Server, and add the following into the user's Crontab:

20 0 * * * /usr/local/bin/backuper.sh

This will execute the script every day, 20 minutes after midnight, and append the date in reverse order to the name - e.g. 20080317_RB153.backup for March 17th.

Now - it would be quite useless not to include these archived files in the server's own backups as well. But that is out of the scope of this FAQ entry. Check the Stargate's Backup section for one possibility of handling these.

Entered by smurphy on Monday, 17 March 2008 @ 09:39:58  
Linux on Routerboards - Routerboard RBxxxAH, # Hits: 97833
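
A fetch-and-archive script for the steps above, added here as an illustration; it is not the backuper.sh referred to in this entry. The router address, archive directory and minimum size are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not the backuper.sh linked from this FAQ.
# Assumed settings (override via environment):
ROUTER="${ROUTER:-10.0.0.1}"                      # placeholder router address
DEVICE="${DEVICE:-RB153}"                         # name used in the archive file
ARCHIVE_DIR="${ARCHIVE_DIR:-$HOME/router-backups}"
MIN_BYTES="${MIN_BYTES:-1024}"                    # smaller downloads count as failed

# archive_name DEVICE [YYYYMMDD] -> e.g. 20080317_RB153.backup
archive_name() {
    printf '%s_%s.backup\n' "${2:-$(date +%Y%m%d)}" "$1"
}

# netrc_is_private FILE -> 0 only if FILE exists with mode 600 or 400
netrc_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# backup_is_plausible FILE -> 0 if FILE holds at least MIN_BYTES bytes
backup_is_plausible() {
    [ -f "$1" ] && [ "$(wc -c < "$1")" -ge "$MIN_BYTES" ]
}

fetch_backup() {
    if ! netrc_is_private "$HOME/.netrc"; then
        echo "refusing to run: ~/.netrc missing or not mode 600" >&2
        return 1
    fi
    umask 077                      # the archive holds the full router config
    mkdir -p "$ARCHIVE_DIR" || return 1
    tmp=$(mktemp "$ARCHIVE_DIR/.fetch.XXXXXX") || return 1
    # -n reads the password from ~/.netrc; --max-time bounds a hung transfer
    if curl -n -sS --max-time 120 -o "$tmp" \
            "ftp://backup@$ROUTER/daily_backup.backup" &&
       backup_is_plausible "$tmp"; then
        mv "$tmp" "$ARCHIVE_DIR/$(archive_name "$DEVICE")"
    else
        rm -f "$tmp"
        echo "backup of $DEVICE ($ROUTER) failed" >&2
        return 1
    fi
}

# Fetch only when called with --run (e.g. from cron); otherwise just define.
if [ "${1:-}" = "--run" ]; then fetch_backup; fi
```

The download goes to a temporary file first, so a truncated or failed transfer never replaces a dated archive.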
Question: Blacklist IP through phpAPI and terminate active connections

Having a self-defending (passive) web-site, I noticed that executing a script to actually close a firewall takes too long if the attack onto the website is executed through parallel requests.
Even though one can limit the web server and the firewall to allow only a certain number of communication channels in, it is not enough - as firewalls tend to let already opened sessions pass. This part will require the firewall to actively terminate open connections from the offending IP address.
This is exactly what the attached script does. It uses the RouterOS phpAPI to connect to the firewall and directly lock (during the request) the remote IP out and at the same time terminate all open connections that may be coming from that IP.
This script is just an example on how to do it. Everyone can adapt it for himself.

Note: The attached script is just a prototype. On my site it has been integrated into a function and is called on demand.

Results are as follows [IP does not exist in blacklist yet]:

 > Entered IP 10.10.10.246 into blacklist 
   - Removed active connection *8D41 [10.10.10.246:62000 -> 172.168.0.2:80] 
   - Removed active connection *8D4D [10.10.10.246:62001 -> 172.168.0.2:80] 
   - Removed active connection *8D55 [10.10.10.246:3000 -> 172.168.0.2:53] 
   - Removed active connection *8D59 [10.10.10.246:61997 -> 172.168.0.2:80] 
   - Removed active connection *8D5B [10.10.10.246:61999 -> 172.168.0.2:80] 
   - Removed active connection *8D62 [10.10.10.246:61996 -> 172.168.0.2:80] 
   - Removed active connection *8D75 [10.10.10.246:61998 -> 172.168.0.2:80] 


Results are as follows [IP does exist in blacklist]:

 !!! failure: already have such entry in firewall [IP 10.10.10.246]
   - Removed active connection *8C7A [10.10.10.246:61921 -> 172.168.0.2:80] 
   - Removed active connection *8C7B [10.10.10.246:61920 -> 172.168.0.2:80] 
   - Removed active connection *8C7C [10.10.10.246:61919 -> 172.168.0.2:80] 
   - Removed active connection *8C7D [10.10.10.246:61918 -> 172.168.0.2:80] 
   - Removed active connection *8C7E [10.10.10.246:61923 -> 172.168.0.2:80] 
   - Removed active connection *8C7F [10.10.10.246:61922 -> 172.168.0.2:80]

 

Entered by admin on Friday, 22 April 2016 @ 15:47:34  
Linux on Routerboards - Routerboard RBxxxAH, # Hits: 29801

Attach   blacklist_terminate.php  [ 3,487 bytes - application/octet-stream ]
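
The two actions described in this entry (blacklist the address, then drop its tracked connections), expressed as RouterOS CLI commands built by a shell helper. This is an added example, not the attached blacklist_terminate.php, and it uses the CLI instead of the phpAPI; the address-list name blacklist and the strict IPv4 check are assumptions.

```shell
#!/bin/sh
# Added example, not the attached blacklist_terminate.php. It builds the
# RouterOS CLI equivalent of the two steps; the list name is an assumption.
LIST="${LIST:-blacklist}"

# valid_ipv4 ADDR -> 0 only for a canonical dotted quad (no leading zeros).
# The address ends up inside a router command, so anything else is refused.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0|[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;
        esac
    done
}

# blacklist_cmd ADDR -> command adding ADDR to the address list
blacklist_cmd() {
    valid_ipv4 "$1" || return 1
    printf '/ip firewall address-list add list=%s address=%s\n' "$LIST" "$1"
}

# terminate_cmd ADDR -> command removing tracked connections from ADDR.
# src-address is stored as "ip:port"; anchoring with ^ and the trailing ":"
# keeps 10.10.10.24 from also matching 10.10.10.246. Dots stay unescaped:
# against well-formed ip:port values the anchored pattern still matches
# only this one address.
terminate_cmd() {
    valid_ipv4 "$1" || return 1
    printf '/ip firewall connection remove [find src-address~"^%s:"]\n' "$1"
}
```

Both builders return non-zero and print nothing for input that is not a plain IPv4 address, so a caller can refuse to contact the router at all in that case.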
 
© J. Mertin smurphy(-AT-)solsys(-DOT-)org 