0

I have two Linodes in the same data center. I want to copy files from one to the other each night or on demand (for about the next month, until this project is finished). So I'm thinking about using rsync.

My question is how do I set up the two Linode servers to communicate via private IP addresses securely? Both servers are SSH hardened, they use denyhosts and have a fairly restrictive iptables setup.

I know I need to first assign private IP addresses to each server, then configure static networking according to this guide.

What is next? What SSH or iptables settings are needed to allow these two servers to communicate?

What further info do I need to supply in this question? I'm looking for a basic step-by-step guide for how to do this.

MountainX
  • If you can access the hosts through ssh then that's all you need to copy files (use scp). Although I am not sure what _ssh hardened_ means. – drcelus Jun 22 '12 at 06:59
  • This is a very basic discussion of ssh hardening: http://askubuntu.com/questions/2271/how-to-harden-an-ssh-server. I could post my sshd_config (redacted) if needed. I plan to use rsync, not scp, but the same considerations apply. – MountainX Jun 22 '12 at 07:01
  • As mentioned by @drcelus, the only thing now left is to copy/transfer the files using rsync (which internally uses scp by default). Further, you could also configure SSH public key authentication for transferring the files without the SSH daemon prompting for a password. This will also help you to automate the transfer using a cron job. You can see the following guide for the same: [SSH Public Key Authentication](http://www.cyberciti.biz/tips/ssh-public-key-based-authentication-how-to.html) – Swapneel Patnekar Jun 22 '12 at 07:13

3 Answers

2

As you are using Linux you have all the tools you need. Just use rsync over ssh:

```
rsync -avz -e ssh user@remotehost:/remote/dir /this/dir/
```

No need for private IPs etc., as this encrypts your traffic end to end.

user9517
1

As mentioned in a comment by ErikA, one advantage with using private IPs in Linode is that you don't pay for bandwidth on their private network. And the whole point of my question was to ask how to do this with private IPs. So I'm answering my own question with the solution I ended up using.

> What SSH or iptables settings are needed to allow these two servers to communicate?

No changes were needed. Iain was right. The communication is still via the same port, and that port was already open in iptables. Even though this server is "SSH hardened", no changes were needed when using the private IPs instead of the public IPs.

As stated in my original question, I did plan to use rsync -- and that ended up being the final solution. But the use of a custom port and keyfile required quoting the ssh piece of the command as shown here:

```
rsync -av -e "ssh -p 222 -i /home/user/.ssh/id222_rsa" /this/dir/ --delete-excluded --exclude-from=my_exclude_list.txt user@www.example.com:/remote/dir
```

Figuring out the need for quotes and what part was inside the quotes was about the only minor challenge to the whole thing. It ended up being easier than I thought.

MountainX
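
The SSH and iptables settings asked about in the question can be narrowed so that the rsync key and the custom SSH port are usable only from the peer's private address. The script below is an added example, not part of the original posts; the peer address, directory, key text and the rrsync path are constructed assumptions.

```shell
#!/bin/sh
# Print least-privilege settings for the receiving host of an rsync-over-SSH
# job on a private network. Nothing on the system is changed.

# Succeed only for a dotted-quad IPv4 address inside an RFC 1918 range.
is_private_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        192) [ "$2" -eq 168 ] ;;
        *)   return 1 ;;
    esac
}

# authorized_keys line: the key is accepted only from the peer's private
# address and can only run rrsync confined to one directory.
# Assumptions: OpenSSH 7.2+ (for "restrict"), rrsync at /usr/bin/rrsync.
authorized_keys_line() {   # args: peer_ip directory public_key
    is_private_ipv4 "$1" || { echo "not a private address: $1" >&2; return 1; }
    printf 'from="%s",command="/usr/bin/rrsync %s",restrict %s\n' "$1" "$2" "$3"
}

# iptables rule: accept new connections to the SSH port only from the peer.
iptables_rule() {          # args: peer_ip ssh_port
    is_private_ipv4 "$1" || { echo "not a private address: $1" >&2; return 1; }
    printf '%s\n' "-A INPUT -s $1/32 -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Constructed sample values; port 222 is the custom port from the post above.
PEER=192.168.135.20
authorized_keys_line "$PEER" /remote/dir "ssh-rsa AAAA...placeholder user@sender"
iptables_rule "$PEER" 222
```

Both printed lines are meant for the receiving host: the first goes in the receiving user's `~/.ssh/authorized_keys`, the second replaces a broader accept rule for the SSH port. With rrsync forcing the command, the remote path given to rsync is interpreted relative to the confined directory.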
0

Unless Linode can provision you a private VLAN, using internal IPs won't make it any more secure.

Your easiest solution would be to set up a simple OpenVPN tunnel between the two machines, then send your rsync traffic over that. You could even use a weak cipher like arcfour with rsync to speed things up, as the encryption will be handled by the VPN tunnel itself.

There are lots and lots of very simple guides out there for OpenVPN using x509 certificates for auth, and on Linux you can have it set up in minutes.

Here is a simple guide: http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn

Ben Lessani