
SFTP Server with OpenSSH - installation / configuration


There are only a handful of Cisco recommended SFTP servers for UC application backups. One of them is OpenSSH. This document explains how to install an SSH server based on OpenSSH. The proxy / relay function is optional.

Solution Description

The server is a proxy / relay for backups from Cisco Unified Communications Appliances (Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Contact Center Express, etc.).

The UC appliance backups are received daily.

A script runs at 9pm each day to copy the backup files to a Windows file server after removing old backup files to preserve space.

The operating system for the backup server is Debian 7 (Wheezy) 32-Bit (due to lower hardware requirements).

This guide assumes the server is installed on a virtual machine inside VMware ESXi.

Assumptions

Backup to SFTP Server:

Device | Backup time | Backup Destination
-------|-------------|-------------------
CUCM   | 18:30       | SFTP (10.10.10.50)
CUC    | 20:00       | SFTP (10.10.10.50)

Copy on Windows file server:

Device | Backup Destination
-------|---------------------
CUCM   | \\fs1\UC\Backup\cucm
CUC    | \\fs1\UC\Backup\cuc

Installation

Virtual machine setup:

Setting  | Value
---------|-----------------------------
VM Name  | SFTP-Server
Guest OS | Debian GNU/Linux 6 (32-Bit)
Memory   | 512 MB
Network  | VM Network / E1000
Storage  | 40 GB

All settings not mentioned were left at default.

Operating system installation:

ISO image: debian-7.8.0-i386-netinst.iso

Setting                        | Value
-------------------------------|----------------------------------------
Language / Location / Keyboard | English / Canada / American English
Host name                      | SFTP-Server
Domain name                    | domain.int
Software selection             | SSH server / Standard system utilities

All settings / values not mentioned were left at default.

For usernames and passwords see appendix.

Configuration

Below are the required CLI inputs.

Network settings:

First the IP address, subnet mask and gateway are configured. Then the name servers are added and the server is rebooted.

nano /etc/network/interfaces

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
  address 10.10.10.50
  netmask 255.255.255.0
  gateway 10.10.10.254

nano /etc/resolv.conf

domain domain.int
search domain.int
nameserver 10.10.10.1
nameserver 8.8.8.8
nameserver 8.8.4.4

shutdown -r now

Now you can log in through SSH (e.g. PuTTY) using the IP address 10.10.10.50.

User configuration

User accounts for the SFTP connections are created.

adduser cucm

Enter new UNIX password:
Retype new UNIX password:
Full Name []: CUCM Backup
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y

adduser cuc

Enter new UNIX password:
Retype new UNIX password:
Full Name []: CUC Backup
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y

Installation of additional software

First the list of available software packages is updated.

apt-get update

Now the CIFS/SMB client utilities (used to mount Windows file shares) are installed.

apt-get install cifs-utils

Establish Windows file server connection

First a new directory is created which will be used to mount the Windows file share.

mkdir /mnt/fs1

A separate file contains the username and password for the file server access.

nano /root/.smbcredentials

username=Username
password=Password
domain=Domain

The file "/etc/fstab" contains all mount points that are mounted during startup. The Windows file share is added and the credentials file is referenced.

nano /etc/fstab

//fs1/UC /mnt/fs1 cifs sec=ntlm,credentials=/root/.smbcredentials 0 0
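The credentials file above holds a domain password in clear text, so it must never be readable by anyone but root. The following is an added example (not part of the original document) that writes the file with owner-only permissions and checks them before the share is mounted; the function names write_smb_credentials and check_credentials_mode are assumptions for illustration, the path and key names are those used in the document.

```shell
#!/bin/bash
# Added example: create /root/.smbcredentials with owner-only permissions and
# verify it before it is referenced from /etc/fstab. Function names are
# assumptions for illustration; the file format matches the document.
set -u

# Write username/password/domain for the CIFS mount to $1, readable by the
# owner only. The file is created under umask 077 and then chmod 600, so the
# domain password is not world-readable even for a moment.
write_smb_credentials() {
    file="$1"; user="$2"; pass="$3"; domain="$4"
    ( umask 077 && printf 'username=%s\npassword=%s\ndomain=%s\n' \
        "$user" "$pass" "$domain" > "$file" ) || return 1
    chmod 600 "$file"
}

# Return 0 only if $1 exists, is a regular file and has no group/other bits.
# (GNU stat, as on Debian.)
check_credentials_mode() {
    [ -f "$1" ] || { echo "$1 is missing" >&2; return 1; }
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Typical use on the SFTP server (values are the document's placeholders):
#   write_smb_credentials /root/.smbcredentials Username Password Domain
#   check_credentials_mode /root/.smbcredentials && mount -a
```

Running the check before `mount -a` means a credentials file that was later loosened (for example by a careless `chmod`) is noticed at the next boot or maintenance run rather than staying exposed.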

Create backup script

The backup script is similar to a batch file and is called by the scheduler "cron".

nano /root/cp-backups.sh

#!/bin/sh
# shell script to copy Backups to Windows Server
#
# Remove old Backup files on Windows Server before copy
echo "removing old Backup files..."
rm /mnt/fs1/Backup/cucm/*
echo "starting copy of cucm..."
cp -r -v /home/cucm/* -t /mnt/fs1/Backup/cucm
# Remove old Backup files on Windows Server before copy
echo "removing old Backup files..."
rm /mnt/fs1/Backup/cuc/*
echo "starting copy of cuc..."
cp -r -v /home/cuc/* -t /mnt/fs1/Backup/cuc
#
echo "Done"
exit 0


After creating the script it needs to be made executable.

chmod +x /root/cp-backups.sh
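The script above deletes the previous copies before it copies anything, so a night on which the appliance produced no backup, or on which the CIFS share failed to mount, leaves nothing on the file server. The following is an added example, not the document's own cp-backups.sh, showing the same copy job with those two failure modes handled; the function names (require_mount, sync_backup, main) and the CP_BACKUPS_RUN switch are assumptions for illustration, the paths are the document's.

```shell
#!/bin/bash
# Added example, not the document's own script: the nightly copy job with the
# checks an unattended script needs. Function names and CP_BACKUPS_RUN are
# assumptions for illustration; the paths are those used in the document.
set -u

# /mnt/fs1 is a CIFS mount from fstab. If the mount failed at boot, rm and cp
# would silently act on the empty local /mnt/fs1 directory and the nightly
# copy would look successful while nothing reached the file server.
require_mount() {
    mountpoint -q "$1" || { echo "$1 is not mounted, aborting" >&2; return 1; }
}

# Replace the previous copies in $2 with the current files from $1.
# Old copies are only deleted once the source is known to contain files, so a
# missing or empty backup never wipes the last good copy on the file server.
# Return: 0 copied, 1 bad path, 2 nothing to copy (previous copies kept).
sync_backup() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "source $src missing" >&2; return 1; }
    [ -d "$dst" ] || { echo "destination $dst missing" >&2; return 1; }
    if [ -z "$(ls -A "$src")" ]; then
        echo "no backup files in $src, keeping previous copies" >&2
        return 2
    fi
    echo "removing old Backup files in $dst..."
    find "$dst" -mindepth 1 -maxdepth 1 -type f -delete
    echo "starting copy of $src..."
    cp -r -v "$src"/. "$dst"/
}

main() {
    require_mount /mnt/fs1 || return 1
    rc=0
    sync_backup /home/cucm /mnt/fs1/Backup/cucm || rc=1
    sync_backup /home/cuc  /mnt/fs1/Backup/cuc  || rc=1
    echo "Done (status $rc) at $(date)"
    return "$rc"
}

# Run the job only when explicitly asked, e.g. from cron:
#   0 21 * * * CP_BACKUPS_RUN=1 /root/cp-backups.sh >> /var/log/cp-backups.log 2>&1
if [ "${CP_BACKUPS_RUN:-0}" = 1 ]; then
    main
    exit $?
fi
```

Because main returns non-zero whenever a copy was skipped, cron's mail (or whatever watches the exit status) flags a missed night instead of the silent success the unconditional rm/cp sequence would report. Appending to the log with `>>` keeps a history rather than overwriting it each evening.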

Create cron job

The scheduler is configured to run the script regularly.

crontab -e

0 21 * * * /root/cp-backups.sh > /var/log/cp-backups.log 2>&1

(The redirections must be in this order: "2>&1" after the file redirection sends both standard output and errors to the log file; written the other way round, errors would not reach the log.)


The first five parameters define the time as follows:

  • minute (from 0 to 59)
  • hour (from 0 to 23)
  • day of the month (from 1 to 31)
  • month (from 1 to 12)
  • day of the week (from 0 to 6) (0=Sunday)

An asterisk means "always" (i.e. every day of the month, every month, every day of the week).

The script output will be written to the log file "/var/log/cp-backups.log".

After a reboot of the server it is ready to go (the network drive will be mounted).

shutdown -r now

Appendix

Usernames and Passwords:

Username     | Password | Used for
-------------|----------|-----------------------------------------------
root         | P@ssw0rd | Administrator of SFTP Server
cucm         | cisco    | SFTP backup user for CUCM
cuc          | cisco    | SFTP backup user for CUC
backup-cisco | cisco    | Domain user with access to Windows file share

Directories:

Directory  | Purpose
-----------|---------------------------------------------------------------
/home/cucm | Backup directory for CUCM
/home/cuc  | Backup directory for CUC
/root      | Home directory of root user (e.g. for ".smbcredentials" file)
/var/log   | Default log directory

Configuration of Cisco Unified Communications appliances for DRS

The SFTP server is configured under Disaster Recovery System.

Please note that the "Path Name" field must be "./". Then enter the appropriate username / password for the SFTP user (e.g. "cucm" or "cuc").

Afterwards backups can be scheduled by clicking on "Scheduler".

Comments

Also be aware that with today's Debian distribution you will have to modify the SSHD configuration file in order to re-enable old ciphers and algorithms, because the Cisco SSH stack is still using old ones. If you don't do it you won't be able to pass the SFTP backup server validation in CUCM/CUC.

Here is the trick:

nano /etc/ssh/sshd_config

Add the following lines:

#Secure Ciphers and MAC
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Thank you, this is good to know going forward. The last version I used was Debian 7.8 and it worked without those modifications.


This was exactly what I was looking for. Thank you!
