4

Here's the skinny: I have a Linode VPS that I want to backup to my local laptop via rsync. I have just generated ssh keys for the communication and left a blank passphrase for the private key so I can rsync via cron without worrying about passwords.

For extra security I also denied root ssh logins. Ideally I'd like to backup everything from / down but this is simply not possible using a regular user unless I give a specific user rwx access to everything.

What's the best way to backup an entire file system via rsync without allowing root logins?

user970638
  • 283
  • 1
  • 2
  • 10
  • This is not really related to the question, but rsnapshot is a great frontend to ssh+rsync backup. –  Jan 10 '13 at 10:13
  • Could you update the question and provide more information? For example, I guess you are crossing public networks for you backups as the vps is likely to be remote. –  Jan 10 '13 at 11:03

3 Answers3

1

Use the root account : Only uid 0 can read the whole filesystems.

Now, as you want to improve security, here's what you can do :

  • Disallow root to login with password via ssh (PermitRootLogin without-password in sshd config).
  • Use key authentication for backups.

According to man 5 sshd_config :


"     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be ``yes'', ``without-password'', ``forced-commands-only'',
             or ``no''.  The default is ``yes''.

             If this option is set to ``without-password'', password
             authentication is disabled for root.

             If this option is set to ``forced-commands-only'', root login
             with public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
             remote backups even if root login is normally not allowed).  All
             other authentication methods are disabled for root.

             If this option is set to ``no'', root is not allowed to log in."

Never tried the "forced-commands-only" parameter but it looks interesting.

  • You can use `PermitRootLogin forced-commands-only` with the `rrsync` perl script (included with rsync). See http://derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot/ (scroll down to where the sshd_config setup is) – unhammer Jan 17 '13 at 11:18
1

You can run rsync in daemon mode on the remote server and backup whatever partition/folder you want by using the following command on the client side:

rsync -au rsync://user@your.server.ip.addr:/folder /path/to/dest

However, you need the following:

  1. Run rsync in daemon mode on the remote server.
  2. You need to have the port 873 opened between you and the remote server.
  3. You need to define the module [folder] on the remote server in /etc/rsyncd.conf.

To handle the security/encryption part, you can setup some tunnel or VPN. For example, you can setup tunnel SSH using the following command:

sudo ssh -L 873:your.server.ip.addr:873 user@your.server.ip.addr

Once the tunnel is established, you can use rsync locally and the connection will be forwarded to the remote server via the tunnel.

rsync -au rsync://user@localhost:/folder /path/to/dest

In this case, you don't need to have port 873 opened to the public as the connection is tunnelled via SSH on port 22.

Khaled
  • 36,533
  • 8
  • 72
  • 99
  • 1
    Does it provide encryption? Are files transmitted in plain text during backups? –  Jan 10 '13 at 10:01
  • This would be a great solution of I wasn't worried about my location. Since I would be backing up from different networks I wouldn't have a stable address. And yeah, the whole encryption thing too. – user970638 Jan 10 '13 at 10:03
  • So, you need to setup some other encryption layer. – Khaled Jan 10 '13 at 10:20
  • 1
    @user970638: To handle the encryption part, you can setup SSH tunnel. See my answer. – Khaled Jan 10 '13 at 10:31
0

How about putting the user in root group?

I believe root group will be able to read other files, similar to root.

Sharuzzaman Ahmat Raslan
  • 420
  • 1
  • 5
  • 15
  • 1
    No : Every file with 0600 permissions wont be read thus won't be backuped. For example : /root/.ssh//id_rsa.pub –  Jan 10 '13 at 09:59