Secure, Automated Network Device Backups

You probably have at least a few business-class switches and routers silently do their job, year after year. Network devices can be so reliable that we configure them once, and then forget that they exist. However, forgetting them is a really bad idea, since they require regular OS or firmware updates to patch vulnerabilities, and at some point, they will become unreliable and fail. If your device fails, do you have the configuration available to apply to its replacement? Are you sure the configuration that’s in your archive or documentation is up to date? This post deals with automating backups from Netgear switches and Ubiquiti EdgeRouters (and possibly switches, if they run EdgeOS). Please check out the accompanying repo at https://github.com/craigafinch/network-backup-scripts

SFTP Server

The prerequisite for backups is a functioning SFTP server. If you have a Linux server, an SFTP server comes with openSSH. Securing SFTP is beyond the scope of this article; here are the minimum necessary security requirements:

  1. Set up a chroot jail that forbids the backup user from accessing anything other than the backup directory. The backup user should NOT be able to access their own home directory.
  2. Disable SSH access for the backup user

In my configuration, the SFTP server runs a cron job that automatically creates a daily backup directory, so that the backup scripts don’t have to create directories. The SFTP user should have both a password (to connect from the Netgear switches) and an SSH key with no passphrase (to connect from EdgeRouters). I recognize that these are not the most secure methods for SSH authentication, which is why it’s so important to secure the SFTP server. For additional security, use a different backup user account (with different credentials) for each network device.

Netgear Switches

Netgear’s switch product line is pretty confusing, so I’m not sure exactly which models are compatible with this script. I know it works with the M4200 and M4300, but should work with other “fully managed” layer 3 Netgear switches. Please leave a comment below with your experience! A cron job on the SFTP server runs the script, which uses the expect application to simulated an interactive SSH session with the Netgear switch. The interactive session connects to the switch, initiates an SFTP backup from the switch to the server (with a username and password), and closes the connection when done.

Ubiquiti EdgeRouter Backup

Ubiquiti EdgeOS is based on Debian Linux, so it supports scheduling backup tasks from the router. Unfortunately, the task scheduler config is not officially documented anywhere that I can find! VyOS implements a similar task scheduler, but with a slight different syntax. When triggered by the task scheduler on the router, the script (running on the router) connects to the SFTP server via an SSH key (with no passphrase) and uploads the file config.boot.

EdgeRouter References

  1. https://help.ubnt.com/hc/en-us/articles/360002535514-EdgeRouter-Backup-and-Restore-Configuration
  2. Making SFTP work like SCP

Related Articles

  1. Daily backup via FTP
  2. Backup via SFTP using CURL as a client

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.