Security :: Securing Backups Via Rsync And SSL?

Apr 27, 2011

There are multiple servers to be backed up. Different access rights exist in each server. There are two backup servers with plenty of disk space, one local, and one offsite. The local one feeds to the offsite one. The rsync command is being used to make a replica of backed up data. Deleted data is also being archived. There are two methods that have been considered: One is to have the individual servers run rsync which logs in to the backup server to push data. Two is to have the backup server run rsync which logs in to each individual server to pull data. Because system data is involved and meta information (like owning user) must be stored, root is required to access the data as well as to store it. That means everything runs as root both ends. So method one was quickly dismissed because each server would effectively have rights to access ALL the data on the backup server since it logs into the backup server as root. The security containment here involves different groups using different servers, and they need to be isolated from each other.

But even method two involves some risks that are a concern. This means one machine has access rights to every server. If the backup server were compromised, every machine could be compromised.What I'd like to find is some way to allow backups to be run without either machine granting root access to the other, while still running as root, or something equivalent, that allows accessing all data and storing all metadata. So I was looking at setting up an rsync daemon on each individual server (running as root so it can access what it is specified to access), and running an rsync client on the backup server (as root so it can store metadata). This opens network access issues. Any user on the network can connect to the rsync daemon. So password protection is needed. But this communication is also not encrypted, which exposes the password and the data should the network be sniffed.

So now I'm thinking about a non-root ssh login between machines. The backup server would login to a non-privileged user on each individual server and set up a secure forwarding channel to the rsync daemon. Is this the best that can be done? Is there a way to run rsync via SSL with key verification so it can all be done together? I'd like to have the rsync daemons configured to always talk SSL, and always verify the client's key against a list of authorized keys, and likewise the client verify the server's key against the known public key for that server.

View 14 Replies


ADVERTISEMENT

Security :: Logging In As Root Over Rsync/ssh For Backups?

Sep 30, 2010

I need to login as root, or at least get root privileges, in a cron triggered backup run. The straight way to do this would be the backup server making an ssh connection to the server to be backed up (this way because I want to avoid many servers being backed up in parallel and the backup server itself would be managing this diversity), via the rsync command which would be performing the backup's synchronization step.

I'm looking for alternatives to this in some form. I'd like to disallow direct root login to my ssh port (not 22One idea I have is to have the backup server initiate an ssh login as a non-root user, to either the actual source server, or to a server that can reach the source server ... and set up port forwarding. Over the forwarded port, then initiate the rsync that logs in as root via another port that allows direct root, but cannot be reached from the internet at all (because the border firewall doesn't include this port as allowed in).FYI, these logins will be using ssh keys, not passwords. I do need to keep ownership metadata for files being backed up, so this is why I am using root. Also, rsync is needed to get the incremental updates to keep bandwidth usage lower (otherwise I could just transfer a tarball each day).Anyone have any other ideas or comments, for security issues, based on experience doing things like this (backups, routine data replication, etc)?

View 5 Replies View Related

Ubuntu Security :: Rsync Automated Backups Of Entire File Structure Over Ssh?

May 16, 2011

I am in the process of writing an rsync script to run unattended backups of my entire file system to another system located on my local network using ssh and password-less rsa keys.

I will absolutely will not use password-less keys with the root account and this is the limitation preventing me from accomplishing my goal because root is required by rsync to access the / tree and copy it to another location. I decided that if I compiled the script into a binary that I didn't have a problem with the password being contained within the binary itself but from what I've read there is no way to elevate to root and then back down to user level from within the script/binary.

I can create the script as the user and use chroot to make it owned by root but retain execution permission for the user but it will still cause the ssh login to be under root and therefore require either that I am there to enter my password or the use of password-less keys under the root account which I reiterate I will NOT do. Currently the script is executed by the user on the machine containing the files to be backed up.

View 9 Replies View Related

General :: Rsync Incremental Backups Rather Than Full Backups?

Nov 12, 2009

How do you get Rsync to do incremental backups rather than full backups? At the moment I have a script that will create a backup folder (if it doesnt already exist) then copy the source files into the backup directory with the command

rsync $VERBOSE --exclude=$TARGET/ $EXCLUDE --exclude '/Ls-wtgl1c8/**' -rt --delete $source/ $TARGET/$source/ >> $LOG_FILE

Target is where the files will be backed up to Sources is the dir(s) to be backed up Exclude files is the list of files not to backup
log file is where the output will be saved to. At the moment it only does full backups, but I would only like to do incremental, how would this be achieved? Am I missing out an option in the Rsync that is required.

View 9 Replies View Related

Ubuntu :: What Can Use For Backups That Is Faster Then Rsync?

May 9, 2010

I am currently backing up my data but find that it takes way to long to do a rsync, it takes forever to just find the differences and transfer them.Out of 3 separate rsyncs the main one that is slow is my www.skins.be mirror directory which is 41GB and has 392,200 files, sorted into multiple directories. Which grows by around 100 every couple days.I think that something that would be able to track changes by inotify time on directories will speed it up since Picasa sure finds the changes fast when I open it and it is tracking over 26,200 pictures. I just don't know of a backup solution that does that.

View 4 Replies View Related

General :: Rsync Not Doing Incremental Backups?

Jan 21, 2010

I am using rsync to backup dirs on my ubuntu server onto a NAS (which is mounted onto the filesystem), but the problem is that it is constantly doing full backups rather than doing incrementals and I am not really sure why. After doing a bit of expermienting with the script I noticed that if I just backed up a home dir (/home/user) the incremental backups work fine. If however I was to back up a dir like (/home/domain/user) it always does full backups.I have tried various different scripts but still the same end result. The latest script is a variation on the a script found on the samba rsync examples webpage, see below...

#!/bin/bash
# rsyncbu.sh -- backup to nas using rsync
# This script backups files listed in BDIR to the BSERVER. The verbose output along with the date is listed in the LOG_FILE specified
# verbose output

[code]....

View 4 Replies View Related

Server :: Using Rsync For Incremental Backups?

Jan 29, 2010

Can I use rsync for incremental backups of the running linux server?

View 5 Replies View Related

Debian :: Rsync Error In Rsnapshot Backups

Apr 5, 2011

I am backing up my debian server with rsnapshot which actually uses rsync to perform the backup. The backups are located in an external storage of size 1.4T .

[code]....

I tried to understand what this error message means and i founde that error code 12 : 12 Error in rsync protocol data stream I understand that when rsync find that a file on the target was changed , it will send only the block/blocks that contain the changes and in the destination rsync will create new file and not update the old one (new inod...) . I want to know if this error i get is due to full disk or perhaps it is some other factor

View 2 Replies View Related

Software :: Rsync: Backups And Hard Links?

Jul 13, 2011

I am using rsync for incremental backups. I am backing up to a second hard drive on my computer. When I check the individual backup directories (backup.0 through backup.4) with du -hs they each show 12G; when I check the parent directory squeeze it shows 15G. Over 4 backups I have added 3G. I haven't made very much for changes to directories I'm backing up and am using hard links. I have included some info below.

Quote:

Backup script:

#!/bin/bash
mount /mnt/backup
cd /mnt/backup/squeeze/
rm -rf backup.7

[code]....

View 2 Replies View Related

Software :: Rsync Incremental Backups To Be Restored?

Dec 2, 2010

With the --backup and --backup-dir= options on rsync, I can tell it another tree where to put files that are deleted or replaced. I'm hoping it fills out the tree with a replica of the original directory paths (at least for the files put there) or else it's a show stopper. What I'm wanting to find out applies when I'm restoring files. Assuming each time I run rsync (once a day) I make a new directory tree (named by the date) for the backup directory. For each file name/path in the tree, I would start with whatever is in the main tree (the rsync target) and work through the incremental trees going backwards until I reach the date of interest to restore to. If along the way I encounter a file in an incremental, I would replace the previous file at that path with this next one. So by the time I get back to a given date, I should have the version of the file which was present at that date. Do this for each file in the tree and it should be a full restore.

But ... and this is the hard part, it seems. What about files that did not exist at the intended restore date, but do exist (were created) on a date after the intended restore date. What I'd want for a correct restore would be for such files to be absent in the restored tree (just as they were absent in the source tree on that date). How can such a restore be done to correctly exclude these files? Wouldn't rsync have to store some kind of sentinel that indicates that on dates prior, the file did not exist. I suspect someone might suggest I just make a complete hard linked replica tree for each date, and this way absent files will clearly be absent. I can assure you this is completely impractical because I have actually done this before. I ended up with backup filesystems that have so many directories and nodes that it could take over a day, maybe even days, to just do something like "du -s" on it. I'm intending to keep daily changes for at least a couple years, if not more. So that means the 40 million plus files would be multiplied by over 700, making programs like "du -s" have to check over 28 BILLION file names (and that's assuming the number of files does not grow over the next two years).

View 2 Replies View Related

Ubuntu :: Rsync For Initial Backup Then Maintenance Backups?

May 9, 2011

So I am using rsync (3.0.7 on MAC OSX) to backup one hard drive to a folder on another one. The is USB drive to USB drive and I have done the initial backup from one drive to a new formatted other drive with the following command:

Code:
rsync -avX --progress /Volumes/Source /Volumes/Destination
This all appears to be going smoothly as I type. I am going to write a script to do subsequent backups in the

[code]....

View 2 Replies View Related

Networking :: Malformed Rsync Command (backups) On ReadyNAS

Oct 6, 2010

I'm trying to set up rsync backups on my ReadyNAS and I'm getting the following error: ERROR: The remote path must start with a module name not a / This error is accompanied by the following information:

[Code]...

View 1 Replies View Related

Ubuntu :: Rsync And Full-disk Backups - Failure Takes Too Long

Mar 20, 2010

I've been using dump/restore for backups, for quite some time. It's worked fine, but the process of recovering from a HD failure takes too long. What with eSATA and external drive docks, what I'd really like is to use rsync to maintain a current clone of my entire system drive. That is, start with a full disk clone, and then use rsync to keep it current.

I've seen plenty of instructions on how to do this with a directory tree, but I've seen none for doing it with a copy of the entire disk. If, for example, I copy /etc/fdisk, then the copied disk would have entries with the same UUIDs as the original disk. Which would mean that if the clone disk were to be bootable, its partitions would need the same UUIDs as the original disk. Which they would be, if the cloned disk started as a full-disk clone, I think. Am I wrong? But that means that when the clone disk was active, I'd have partitions with duplicated UUIDs. Is this going to cause problems? When I boot, will I get the correct partitions loaded?

View 4 Replies View Related

Fedora Security :: Securing Security Lab

Jun 29, 2010

I ran the LiveCD of Fedora SecurityLab and noticed these ports open, 111,631, 34526.How can I close them and what runs behind them. I know 111 is rpcbind, 631 ipp and 34526 is unknown.

View 4 Replies View Related

Fedora Security :: Securing PHP And PostgreSQL

Nov 19, 2009

I'm still new to PHP and SQL, but all the tutorials I've found connect to the database like this:

PHP Code:

Right now I'm just doing local network tests before exposing everything to the Internet.

Wouldn't leaving the password in there as plain text be a huge security issue? I tried downloading the php file off the server, and it just comes down blank. So does PHP already have a security feature that doesn't allow anyone to just nab PHP files off the server?

And for Postgre, I have pg_hba.conf set up to "trust" it's own IP address:

Code:

Would I need to use something like Kerberos, PAM, or ident authentication? Right now the only plan is to use it as login system for a website. The clients themselves won't be accessing the DB itself, because all the DB access will be through PHP.

View 4 Replies View Related

Fedora Security :: Securing An FTP Server ?

Mar 11, 2010

I am creating an FTP server using VSFTP. It will be in the wild, initially at least only functioning as an FTP server. I have the iptables config from the previous box I set up 3-4 years ago. I have also got private/public key authentication running with SSH to eliminate brute force attacks.

Here is where is my specific question. On the old server I set up something that allowed my clients to log in using accounts that were not system accounts but would translate to a single system account that was limited to FTP. I remember setting up a passwd account that had username / password pairs that FTP used for authentication.

What app is this? Is it just part of VSFTP or maybe SELInux? I really want to utilize this.

View 2 Replies View Related

Security :: Securing My Postgresql Database ?

Jan 5, 2010

I run Slackware 13.0 and I have an apache server 2.2.13 with a postgresql 8.4.1 database attached to it via php 5.3.0. Both the apache server and the postgresql database are on the same machine.

I have the apache server port 80 exposed to the WAN. It is not a fqdm, it's just a simple IP address. On my index page, a user can login with a user/password that encrypts to md5 via postgresql and takes them into the database.

Here is the vulnerability. Can't a hacker just scan port 80 and find my ip address running apache. Go to my index page, see that I accept user/password for authentication into my postgresql database. Then they could setup a script to simply inject html GET requests of random users and passwords and use those values on the php page(the one where the action link is pointing to in the form tag) that contains user login/password in php to login to my postgresql database. There's nothing stopping that. It would be a simple dictionary attack.

I checked out postgresql documentation and it suggested using ldap, kerberos, or md5 and not trust. I'm using md5 already. I currently use fail2ban for proftpd and sshd and it works great. After 6 failed user/pass attempts on either of these services, the IP gets banned via iptables for 24 hours. I love it. I was wondering if I could use that. Of course postgresql port is not exposed to the WAN which is a good thing. I know that when I put in a wrong user/pass from my index page, I get sent to a default postgresql pg_connect warning page. Perhaps I can increase the verbosity of postgresql's logger, find the phrase that it spits out when there's been a bad login and create a filter using that.

I understand that the way it is currently setup, my server is pretty secure, but where there's a will there's a way. I just feel that my postgresql database is unprotected even tho the postgresql port is not exposed to the WAN. They could just bruteforce from the apache server.

View 12 Replies View Related

Security :: Securing Port80 From Upload ?

Nov 19, 2010

I am using a linux fedora 12.0 with L7 filter and proxy as the main firewall for my system composed of some several hundred pcs. The port 80 is open for certain mac addresses these computers, that is to say that , only a few of these computers have access to internet and others have been denied. However, they have access to two specific websites on internet .

I would like to know that if there is a virus attack through these websites in form of executable adwares or malwares, can this linux firewall detect any information that might be directed out of those computers to the attacking source? In other words, is there s tuning in L7 filter or any other filter that can detect transfer of files or some bites through port 80 unrelated to normal http requests?

View 1 Replies View Related

Security :: Securing A Linux Centos VPS

Feb 7, 2011

I was looking for some help getting a good list of IP tables and other security measures on my new Linux Centos VPS.. I have some files I wan't no one other than myself to have access to.. I will be running some gameservers on it on ports 7777 and 7778 though and I want to have VSFTPD running for fast file transfers.

View 1 Replies View Related

Security :: Securing Machine Before Opening Up SSH Login?

May 12, 2010

I'm currently using Slackware 13.0 and have my machine behind a Linksys DD-WRT router. I believe the DD-WRT software has all ports blocked by default so opening up my machine for SSH login would only leave my system vulnerable at that port. To give an extra layer of security for that opened port, I've created the following script that would be invoked as the users' shell.

#!/bin/sh
#if SSH_CLIENT defined run nail with $SSH_CLIENT as an argument
if [[ -n ${SSH_CLIENT} ]]; then

[code]....

View 10 Replies View Related

Security :: Securing System For Email Abuse

Jun 25, 2010

I have a mail server that accepts to relay from system in the trusted network. One of the systems in the trusted network is a webserver. On the webserver there are several scripts that send email.Let's focus on the PHP scripts. These use the mail() function for that.I am looking for means to reduce the potential abuse of the mail server when one of the PHP scripts is hacked.For the situation that the code is modified by a hacker or a new script is installed I would like to take this approach:

1) scan the system for scripts using the mail() function
2) generate a checksum list from these scripts
3) intercept email (being sent to sendmail) from these scripts
4) check if they match the checksum list

In theory (I will still have to implement it) this would take care of the situation in which new/modified scripts try to send email.

However, there is also the option of an exploit of some script. Are there any ideas on means to prevent email abuse for this situation (other that: make sure scripts cannot be exploited )?

View 2 Replies View Related

Security :: Tools For Securing Mail Server?

May 21, 2011

iam working on mail server in redhat centos. i want to know how to secure my mail server for heavy loading , any monitoring tools in GUI or console , is any essential tool which is used in Like MNC for mail server..

i know few command in like top,netstat,etc through google but i willing to know some more

View 8 Replies View Related

Ubuntu Security :: Securing SSH Connection For SFTP Server

Jan 19, 2011

I'm running an SFPT server which my clients logon to using an FTP client. at the moment each client has a user name and password.

Thus far to improve security I've disabled root login but an looking for futrhrt ways to protect it from attack, having researched using google some of the security features suggested prevent the FPT clients from connecting.

Questions:
1- what further things can i do to secure my server that still allows it to be usable for FTP clients?
2- specifically is it possible to use non login pre-share key authentication?

How i set up the server is shown here: [url]

View 3 Replies View Related

Ubuntu Security :: Securing Bare-minimum Checklist?

Jul 10, 2011

That's the title of article at[URL]Did ubuntu do all this already or is it that ubuntu isn't secure out of the box that it is assumed to be?explain if these steps are applicable to ubuntu and why/why not.

View 5 Replies View Related

Fedora Security :: Securing A Server For Deployment In Untrusted Zone?

Apr 1, 2010

I have to deploy a server to some customers that should not be given access to the server itself. I know that nothing is 100% secure but I've searched without finding a decent answer (maybe I googled for the wrong terms ?)I need some advice about encrypted filesystem. * The server must boot without asking for a passphrase (the server will be in a restricted access area so typing a password could take a while). I can't store the password for luks in an unencrypted file so it seems a loop to me. The only way out I can see is to store the passphrase in the boot binaries (better than nothing...) but this results in more work for me.* possibly the customer should not be able to move the hard disks to another pc, i.e. reading the passphrase from some unique hardware ID. This is risky but I could add a master passphrase to be used in case of hardware replacement

View 3 Replies View Related

General :: Security - Securing A Server When There Is Potential Physical Access?

Jun 9, 2011

We want to set up a Linux server (hosting Git or later SVN repositories) which should have all stored data strongly encrypted, so that if one steals the server the data cannot be read. For example, our notebooks have all important data stored on a "true-crypted" partition.

We plan to access it with SSH private keys and only after successful login should the data be readable. The server would be located in our office, shut down at night and not be connected to the Internet directly, but only accessible in our intranet.

View 1 Replies View Related

Ubuntu Security :: 'Securing' A .pdf File And Changing The Listed Author?

Aug 18, 2010

I had some help via email from someone drafting my CV into the correct table format with open office. It's a .pdf file but now unfortunately lists the author in the document tab of properties as that person.

Is there anyway to change it to my own name, and also how do I 'secure' the document so that it's not easy for people viewing it to copy and paste, I've heard this is why many people now use .pdf for their CVs/rsums?

View 2 Replies View Related

Security :: ISC Praises Momentous Step Forward In Securing The Domain Name System?

Jul 17, 2010

Quote:

ISC joined other key participants of the internet technical community in celebrating the achievement of a significant milestone for the Domain Name System today as the root zone was digitally signed for the first time. This marked the deployment of the DNS Security Extensions (DNSSEC) at the top level of the DNS hierarchy and ushers the way forward for further roll-out of DNSSEC in the top level domains and DNS Service Providers.

View 3 Replies View Related

CentOS 5 :: Scheduled Unattended Backups With Alerts If The Backups Fail

Feb 3, 2011

I've been a DOS/Windows guy for 20 years, and recently became a SW test lab helper. My company uses CentOS for a lot, so I've become familiar with it, but obviously not as comfortable as I am with Windows.

Here's what I have planned:

machine: Core 2 Duo E8400, 8GB DDR2, 60GB SSD OS drive, ATI 4650 video card, other storage is flexible (I have 3 1TB drives and 4 750GB drives around that can be used in this machine.)

uses: HTPC, Network Storage, VMWare server host: SMTP, FTP server, and Web server virtual machines

I've figured out how to do much of this, but I haven't figured out how to do backups in Linux. I've been spoiled with Windows, with the built in backup system so simple to use. I find myself overwhelmed with the array of backup software, and unable to determine which to use. none of them seem to do everything I need them to do, but some come close, I think. I'm hoping someone here can help me out in figuring out which program to use and how to use it.

Here is what I need the backup software to do:
1. scheduled unattended backups, with alerts if the backups fail
2. a weekly full backup with incremental every 12 hours
3. removing the old backups when the new full backup runs, I would prefer to keep 2 weeks of backups, but that's not necessary
4. a GUI would be preferable, since my arthritic fingers don't always do as I want them to do. I typo things a lot, and the label worn off my backspace can attest to that.

View 7 Replies View Related

Security :: Secure And Automated Backups - Add Public Key To Authorized_hosts File On Prod Server?

Mar 13, 2010

I'm trying to find a secure way to backup files on my Prod Server to Backup Server. It must be automated, so I will need to run a command with cron which will login to Prod Server from Backup Server and backup data. 1. Do you think it would be secure enough to do this by creating an passwordless RSA private key on Backup Server and adding it's public key to authorized_hosts file on Prod Server? I can't think of a way to Automate this without having to enter any passwords without passwordless RSA key. Is there another. more secure way? 2. Should I create a special user for backup, which will only have read access to all files in the directory that I am backing up? If so, How can I run a check that this new backup user indeed has read access to ALL files in the folder that I intent to back up? How can I ensure the backup process will not skip files due to some permission problem? 3. I'm thinking of using rsnapshot tool, which uses rsync.

View 10 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved