Rsync Daemon help

Scenario:

I've got 1x backup box and 2x mail servers that need to backup to it.

So would you:

  • Set up an rsync daemon on the backup box and then have the mail servers connect to it and push their data, via a predefined user / password / share specified in /etc/rsyncd.conf on the backup box.

OR

  • Set up an rsync daemon on each of the mail servers and allow the backup box to connect and pull the data.

Which would you pick and WHY?

Thanks!

Comments

  • It really depends on your setup, but really either will work.

    If your backup server is going to hold encrypted backups, I suggest having the mail servers push the backups to it. This way the backup server only holds a public key allowing them to connect to it, which increases your security and removes a vector of attack back into your mail server(s).

    You could also pull the backups to your backup server, but that really comes with no benefits other than doing backups. It also has a route via your key to access the mail servers, and could cause damage. The advantage here is that if someone was really malicious and deleted your files, they couldn't delete your backups.

    You take your pick, really no wrong answer.

  • Something you need to be aware of is that the rsync protocol is unencrypted; all hops between server A and B will be able to eavesdrop on the data being transmitted. Not that big of a deal if the two servers are on the same segment but it's almost always better to use rsync+ssh which works just as well and you don't need to deal with setting up the rsync daemon.

    rsync -avzP -e ssh user@serverA:/var/mail /var/backup/serverA

    Push and pull really comes down to personal preference and, personally, I'd have to say I prefer pulling, simply for the reason that all of the backup scripts are on one machine, in one place and I won't have to replicate scripts, login details, ssh keys, etc to all of the involved nodes if something should change.

  • @vmp32k - You make a good point re having all the scripts in one place. SSH vs daemon probably comes down to overhead. You'll probably only see 200-300 Mbps on a gigabit link with SSH, whereas it's probably closer to 800 Mbps via rsync daemon. So I guess it comes down to speed vs security.

  • definitely going with @Mun - push your backups, security matters.
    and for the same reason, push it via ssh as @vmp32k says...

  • I prefer the pull model. By having the backup server use rsync+SSH to connect to mail servers, there is no additional configuration necessary on mail servers. This approach makes the setup very flexible and easy to maintain, in my opinion.

  • Ikoula, Member, Host Rep

    Hello,

    Hard to choose; in addition to what has been said before, if your backup server is supposed to hold more backups in the future (from more servers) you might want to set up everything on the backup server to save time.

  • dg51 said: I prefer the pull model. By having the backup server use rsync+SSH to connect to mail servers, there is no additional configuration necessary on mail servers

    You have to set up some access method like keys or such on the mail server though.
    If your backup server does pull from more than one box this may become risky, as if this backup box becomes compromised it will allow access to all other servers it pulls from.

  • jeromeza, Member
    edited February 2016

    For all those promoting RSYNC and SSH.

    How do you do the following?

    • How do you lock down the SSH user? I'm assuming a key without a passphrase?

    • How do you lock down the SSH user to only be able to use the RSYNC process and NOTHING else?

    • How do you lock the user to a certain directory and NOTHING ELSE? e.g. I don't want the user to be able to RSYNC out sensitive files, like the shadow or sudoers file, etc

    ALSO - Does anyone else get blocked by Cloudflare when trying to enter /pathto/shadow file?

  • @jeromez rssh + chroot

  • jeromeza said: How do you lock down the SSH user? I'm assuming a key without a passphrase?

    Not necessarily, I would prefer to keep the private key in PKCS8 format, encrypted using PBKDF2 and a strong cipher algorithm with at least 512K iterations. There are stronger methods but this seems to have good compatibility with OpenSSL. Run OpenSSH agent and have rsync use it. This way, stealing your private key is not a trivial task.

    How do you lock down the SSH user to only be able to use the RSYNC process and NOTHING else?

    You can force the command to be run on login, in .ssh/authorized_keys file, look for command= in sshd man page. I am not sure what command rsync uses, so this may or may not work.

    just my 2 cents.

  • Falzo said: you have to set up some access method like keys or such on the mail server though. if your backup-server does pull from more than one box this may become risky as if this backup box becomes compromised it will allow access to all other servers it pulls from.

    Absolutely. I would isolate the backup box into a private network, so as to minimize the risk. But, the risk always exists.

  • Falzo, Member
    edited March 2016

    dg51 said: You can force the command to be run on login, in .ssh/authorized_keys file, look for command= in sshd man page. I am not sure what command rsync uses, so this may or may not work.

    +1 for this, good read: http://positon.org/rsync-command-restriction-over-ssh
    (edit, even better: https://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/)

    in addition you may want to restrict the connecting IP via from="1.2.3.4" or make use of AllowUsers user@IP in your ssh-config....

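  • Added example (not posted by anyone in this thread) tying together jeromeza's three questions, dg51's pointer to command= in authorized_keys, and Falzo's from= restriction: a forced-command wrapper that turns an SSH key into an "rsync, one direction, one directory, nothing else" credential. It goes beyond the pull-only case the thread discusses by also handling a push-only key on the backup box (the OP's first option, done over SSH instead of the plaintext daemon). The install path /usr/local/bin/rsync-only, the rsync binary path /usr/bin/rsync, the 203.0.113.10 source address and the argument layout (mode, then directory) are all assumptions for the example; the directory check confines paths by prefix, it is not a chroot, so the rssh + chroot suggestion above remains the stronger option if the account can run anything else.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper that turns an SSH key into an
# "rsync to/from one directory, nothing else" credential.
# Added example for this thread, not code posted by any participant.
#
# Install on the host the key logs in to, then pin it in that account's
# ~/.ssh/authorized_keys (address, key and install path are placeholders):
#
#   command="/usr/local/bin/rsync-only pull /var/mail",from="203.0.113.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backup@backupbox
#
# Mode "pull": the key may only SEND files out of the directory (mail server side).
# Mode "push": the key may only RECEIVE files into the directory (backup box side).
# sshd ignores the client's requested command, runs this script instead, and
# hands the original request over in SSH_ORIGINAL_COMMAND; rsync is only
# exec'd if that request passes check_rsync_cmd.

MODE=${1:-pull}               # assumption: first argument picks the mode
ALLOWED_ROOT=${2:-/var/mail}  # assumption: second argument is the only directory in play

# check_rsync_cmd MODE "COMMAND STRING" -> 0 if the request is an rsync server
# invocation of the right direction confined to ALLOWED_ROOT, 1 otherwise.
check_rsync_cmd() {
    mode=$1
    # shellcheck disable=SC2086  -- word splitting is intended: rsync sends
    # "rsync --server [--sender] <opts> . <path>"; paths with spaces fail closed.
    set -- $2
    [ "$1" = "rsync" ] && [ "$2" = "--server" ] || return 1
    shift 2
    case $mode in
        pull) [ "$1" = "--sender" ] || return 1; shift ;;   # remote end must be the sender
        push) [ "$1" != "--sender" ] || return 1 ;;          # remote end must be the receiver
        *) return 1 ;;
    esac
    # Options precede a lone "." that rsync always inserts before the path(s).
    while [ $# -gt 0 ] && [ "$1" != "." ]; do
        case $1 in
            # options that read or write files outside the transfer are never acceptable
            --files-from=*|--log-file=*|--remove-source-files|--rsync-path=*) return 1 ;;
            # short-option clusters such as -vlogDtprze.iLsfxC: letters and dots only
            -[!-]*) printf '%s' "$1" | grep -Eq '^-[A-Za-z.]+$' || return 1 ;;
            # the few long options a backup job is expected to use
            --partial|--delete|--numeric-ids|--inplace|--compress-level=*) ;;
            *) return 1 ;;
        esac
        shift
    done
    [ "$1" = "." ] || return 1
    shift
    [ $# -ge 1 ] || return 1
    for p in "$@"; do
        case $p in
            *..*) return 1 ;;                          # no climbing out; odd names fail closed
            "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) ;;      # the directory itself or anything below it
            *) return 1 ;;                             # rejects /var/mailbox, /etc/shadow, ...
        esac
    done
    return 0
}

# Invoked by sshd: enforce the check, then run the real rsync with the
# validated arguments. Does nothing when sourced or run without a request.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$MODE" "$SSH_ORIGINAL_COMMAND"; then
        # shellcheck disable=SC2086
        set -- $SSH_ORIGINAL_COMMAND
        shift                         # drop the leading "rsync" word
        exec /usr/bin/rsync "$@"      # assumption: rsync binary path on this host
    fi
    printf 'rsync-only: rejected: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

    With the pull key, the backup box can run its usual `rsync -avz -e ssh backup@mailA:/var/mail/ /var/backup/mailA/`, but a compromised backup box that tries `ssh backup@mailA cat /etc/shadow`, or an rsync request for `/etc/shadow`, `/var/mail/../../etc/shadow`, `--files-from=:/etc/shadow`, or a write into the mail server (no `--sender`) is refused and logged to the SSH session's stderr. The push variant on the backup box gives the mail servers a key that can only write under their own backup directory, which is the trust direction Mun argues for above.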
  • elgs, Member

    I don't think rsync has a daemon. It could work with crontab.

  • @elgs said:
    I don't think rsync has a daemon. It could work with crontab.

    Rsync daemon - look it up...
