Advice Needed for Secure Backup Script Setup

Asked By TechyNinja47 On

I'm in the process of setting up an offsite server to rsync my file server for backup, intending to use a Samba share to keep it read-only for emergencies. However, I realize my current method is not secure since I'm logging in as root to perform the rsync, which allows SSH access as root. I want to fix this but I'm unsure of the best approach. I've considered a few options:

1. Modify the authorized_keys for root to restrict SSH commands, but this feels risky and potentially problematic in the future.
2. Create a dedicated user, `backupuser`, with restricted SSH access and add this user to all groups used in my Samba share, yet this could be cumbersome if new groups arise.
3. Use `backupuser` with SSH restrictions but modify permissions on files instead of group membership, which also feels unclean.

The server involved is a Samba share. My instinct leans towards option 2, but I would love to hear how others handle similar setups.

3 Answers

Answered By DataDude202 On

If you’re worried about security, using SSH with a forced command for root may work for you. But that doesn't completely change the security level if someone manages to access your backup server. Honestly, if you can console into the server, SSH configuration matters less.

And just a thought—why not check out 'Dirvish'? It’s a solid backup tool that can help streamline your setup without reinventing the wheel.

Answered By FileMaster21 On

I like your approach of pulling files for backups; it adds a layer of security since the backup server won’t be affected by any issues on the main server. Just ensure that your backup works well and test the restore function regularly to avoid surprises. Also, managing the authorized_keys for root is helpful for grabbing file permissions, so I would keep some SSH restrictions in place but still manage your backups carefully.

Answered By BackupBuddy99 On

You should definitely SSH as a non-root user—using root for regular tasks is risky. Either go for option 2 with group ownership or option 3 with ACLs, whichever suits your backup needs better. Personally, I'd lean towards ACLs, but make sure you're comfortable with whatever choice you make.

By the way, have you considered using 'rsnapshot' for your backups? It might be a good alternative for versioned backups. Whatever you choose, sticking to tested solutions can save a lot of headache later on.
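
The restricted SSH access from options 2 and 3, combined with the forced command mentioned in the first answer, as an added example that is not part of the thread: a gate script for a dedicated `backupuser` key that permits only a read-only rsync pull. The script path, the `/srv/share` root and the key in the comment are assumptions, and `backupuser` still needs read access to the files through groups or ACLs.

```shell
#!/bin/sh
# Added example: forced-command gate for a pull-only rsync backup key.
# Assumed authorized_keys entry for backupuser (script path, key and
# comment are placeholders):
#   command="/usr/local/bin/backup-gate",restrict ssh-ed25519 AAAA...PLACEHOLDER offsite-backup
# sshd runs this script for every login with that key and puts the command
# the client asked for in SSH_ORIGINAL_COMMAND.
LC_ALL=C
ALLOWED_ROOT="/srv/share"   # assumption: the tree being backed up

# Return 0 only for "rsync --server --sender <short opts> . <paths>" where
# every path is under ALLOWED_ROOT. --sender means the server only sends.
backup_cmd_allowed() {
    cmd=$1
    case $cmd in                       # character allow-list: no shell
        *[!A-Za-z0-9\ ./_-]*) return 1 ;;  # metacharacters, quotes or newlines
    esac
    case $cmd in
        "rsync --server --sender -"*" . "*) ;;
        *) return 1 ;;
    esac
    rest=${cmd#"rsync --server --sender "}
    opts=${rest%%" . "*}               # option words before the lone "."
    paths=${rest#*" . "}               # source paths after it
    case $opts in                      # one short-option cluster only; long
        --*|*" "*) return 1 ;;         # options (--remove-source-files) refused
    esac
    n=0
    for p in $paths; do                # safe to split: no glob characters remain
        case $p in
            *..*) return 1 ;;          # conservative: refuse any ".."
            "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) n=$((n + 1)) ;;
            *) return 1 ;;
        esac
    done
    [ "$n" -gt 0 ]                     # at least one accepted path
}

# Enforce only when sshd supplied a command; a bare login gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if backup_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "backup-gate: command rejected" >&2
    exit 1
fi
```

rsync also distributes a maintained script, `rrsync`, that fills the same role as this gate.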
