
Need feedback: borgbackup server setup

Motion3549 Member
edited May 2025 in Help

Hi,

I am setting up a BorgBackup server using a storage VPS from HostHatch for the first time, primarily following the Gemini. So far, the setup is functioning as expected. I would appreciate any advice, especially regarding security best practices, to further secure the server and address any potential vulnerabilities I may have overlooked. Thank you.

Setup

1. Identify and Partition the New Disk

First, you need to identify the unpartitioned disk.

  1. List block devices:

    sudo lsblk -f
    

    Look for a disk that doesn't have any partitions listed under it or has unallocated space. It will likely be named something like /dev/sdb, /dev/vdb, etc. Let's assume it's /dev/vdb for this guide. Be absolutely sure you've identified the correct disk.

  2. Partition the disk using fdisk:

    sudo su
    fdisk /dev/vdb

    Inside fdisk:

  • n - Create a new partition.
  • p - Choose primary partition.
  • 1 - Partition number.
  • Press Enter twice to accept default first and last sectors (uses the whole disk).
  • w - Write changes to disk and exit.

  3. Verify the new partition:

    lsblk -f

    You should now see a new partition like /dev/vdb1.


2. Format the New Partition

Now, format the newly created partition with a suitable filesystem like ext4.

sudo su
mkfs.ext4 -L YOURLABEL /dev/vdb1

3. Create a Mount Point and Mount the Partition

  1. Create a directory to mount the partition: This will be the root of your Borg backup storage.

    sudo su
    mkdir /mnt/borg-storage
    
  2. Mount the partition:

    sudo mount /dev/vdb1 /mnt/borg-storage
    
  3. Make the mount permanent (fstab):

  • First, get the UUID of the new partition:

    sudo blkid /dev/vdb1

    Copy the UUID value (e.g., UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").

  • Open /etc/fstab.

  • Add a line like this at the end, replacing YOUR_UUID_HERE with the actual UUID you copied and /mnt/borg-storage with your chosen mount point:

    UUID=YOUR_UUID_HERE /mnt/borg-storage ext4 defaults 0 2

    or you can use LABEL:

    LABEL=YOURLABEL /mnt/borg-storage ext4 defaults 0 2

  • Save and close the file.

  • Verify it's mounted:

    df -h /mnt/borg-storage
    

4. Install BorgBackup

Install BorgBackup on the server:


5. Create User Accounts and Home Directories for Borg

You'll create dedicated user accounts (you can add more users later). These users will only have access to their specific Borg repositories.

  1. Create a group for Borg users (optional, but good practice):

    sudo groupadd borgusers
    
  2. Create users and their dedicated Borg repository directories: Repeat for each user (user1, user2, ..., user5).

    # For user1
    sudo useradd -m -d /mnt/borg-storage/user1 -s /bin/bash -g borgusers user1
    sudo chown -R user1:borgusers /mnt/borg-storage/user1
    sudo chmod -R 700 /mnt/borg-storage/user1
    
    # ... and so on for other users
    
  • -m: Create home directory.
  • -d /mnt/borg-storage/userX: Sets their home directory to be within your backup storage. This is where their Borg repo will live.
  • -s /bin/bash: You can set this to /usr/sbin/nologin or a restricted shell later if you want to prevent interactive logins, but for Borg, they need to execute the borg serve command. We'll restrict commands via authorized_keys.
  • -g borgusers: Adds the user to the borgusers group.

6. Configure SSH and authorized_keys for Restricted Borg Access

This is crucial for security. Each user will provide their public SSH key. You'll add it to their respective ~/.ssh/authorized_keys file on the server with a command restriction, allowing only Borg operations.

  1. For each user (e.g., user1):

  • Ensure the .ssh directory exists and has correct permissions (do this as the user, or as root then chown).

    # As root, preparing for user1
    sudo mkdir -p /mnt/borg-storage/user1/.ssh
    sudo touch /mnt/borg-storage/user1/.ssh/authorized_keys
    sudo chown -R user1:borgusers /mnt/borg-storage/user1/.ssh
    sudo chmod 700 /mnt/borg-storage/user1/.ssh
    sudo chmod 600 /mnt/borg-storage/user1/.ssh/authorized_keys

  • Get the public SSH key from user1 (e.g., id_rsa.pub or id_ed25519.pub from their client machine).

  • Edit user1's authorized_keys file:

    sudo nano /mnt/borg-storage/user1/.ssh/authorized_keys

  • Add the public key, prepended with the command restriction. The path to the repository should be the absolute path on the server that this user is allowed to access. For Ed25519 keys:

    command="cd /mnt/borg-storage/user1; borg serve --storage-quota 20G --restrict-to-path /mnt/borg-storage/user1",restrict ssh-ed25519 AAA... user1@clientmachine

    Explanation:

    • command="borg serve --restrict-to-path /mnt/borg-storage/user1": This forces any SSH connection using this key to only execute the borg serve command and only allows it to operate on the specified path.
    • restrict: Adds further restrictions (disables port forwarding, X11 forwarding, etc.).
    • ssh-ed25519 AAA...: This is the actual public key content.

7. Initialize Repositories (Client-Side)

Each user will need to initialize their Borg repository from their client machine once.

On user1's client machine:

# Replace server_ip_or_hostname with your server's address
export BORG_REPO='ssh://user1@server_ip_or_hostname/./REPOSITORY_NAME'
# Recommended: Use repokey encryption for security
borg init --encryption=repokey-blake2
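The command restriction in step 6 is the part of this setup most worth re-checking after the fact, because a single unrestricted key line in a user's authorized_keys gives that user a normal shell on the backup host. Below is an added shell example, not part of the original post and not BorgBackup's own tooling, that generates the restricted authorized_keys line for a user and audits an existing .ssh directory for the properties step 6 depends on: .ssh mode 700, authorized_keys mode 600 and owned by the user, and every key line forcing `borg serve --restrict-to-path` on exactly that user's directory with the `restrict` option present. The function names are my own, `stat -c` is assumed to be the GNU or busybox form, and paths are taken as arguments instead of hard-coding /mnt/borg-storage so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post or from BorgBackup:
# generate and audit the restricted authorized_keys entries of step 6.
# Assumptions: function names are my own; "stat -c" is GNU/busybox
# syntax; directories are passed as arguments rather than hard-coding
# /mnt/borg-storage so the script can run against a scratch directory.

# Print the authorized_keys line for one user: a forced "borg serve"
# confined to REPO_DIR with a storage quota, plus the "restrict" option.
# Usage: borg_key_line /mnt/borg-storage/user1 20G "ssh-ed25519 AAA... user1@client"
borg_key_line() {
    repo_dir=$1; quota=$2; pubkey=$3
    printf 'command="cd %s; borg serve --storage-quota %s --restrict-to-path %s",restrict %s\n' \
        "$repo_dir" "$quota" "$repo_dir" "$pubkey"
}

# Check one authorized_keys line against REPO_DIR. Returns 0 when the
# line forces "borg serve", restricts it to exactly REPO_DIR and carries
# the "restrict" option; blank lines and comments also pass. Returns 1
# and prints the reason to stderr otherwise.
check_key_line() {
    repo_dir=$1; line=$2
    case $line in
        ''|'#'*) return 0 ;;
    esac
    case $line in
        *'command="'*'borg serve'*) ;;
        *) echo "no forced borg serve command: $line" >&2; return 1 ;;
    esac
    # Exact match on the path: a prefix match would let user1 pass with user10.
    path=$(printf '%s\n' "$line" | sed -n 's/.*--restrict-to-path \([^ "]*\).*/\1/p')
    if [ "$path" != "$repo_dir" ]; then
        echo "restrict-to-path is '$path', expected '$repo_dir': $line" >&2
        return 1
    fi
    # "restrict" must appear as an option, i.e. comma-separated before the key type.
    case ",$line" in
        *',restrict '*|*',restrict,'*) ;;
        *) echo "missing the restrict option: $line" >&2; return 1 ;;
    esac
    return 0
}

# Audit REPO_DIR/.ssh for the user with numeric uid OWNER_UID: directory
# mode 700, authorized_keys mode 600 and owned by that uid, and every key
# line passing check_key_line. Prints the number of findings on stdout;
# details go to stderr.
audit_borg_user() {
    repo_dir=$1; owner_uid=$2; findings=0
    ssh_dir=$repo_dir/.ssh
    keyfile=$ssh_dir/authorized_keys
    [ "$(stat -c %a "$ssh_dir" 2>/dev/null)" = 700 ] \
        || { echo "$ssh_dir: mode is not 700" >&2; findings=$((findings + 1)); }
    [ "$(stat -c %a "$keyfile" 2>/dev/null)" = 600 ] \
        || { echo "$keyfile: mode is not 600" >&2; findings=$((findings + 1)); }
    [ "$(stat -c %u "$keyfile" 2>/dev/null)" = "$owner_uid" ] \
        || { echo "$keyfile: not owned by uid $owner_uid" >&2; findings=$((findings + 1)); }
    if [ -r "$keyfile" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            check_key_line "$repo_dir" "$line" || findings=$((findings + 1))
        done < "$keyfile"
    fi
    echo "$findings"
}

# Stand-alone run on the server (as root):
#   sh borg-key-audit.sh /mnt/borg-storage/user1 "$(id -u user1)"
if [ "$#" -eq 2 ]; then
    n=$(audit_borg_user "$1" "$2")
    echo "findings for $1: $n"
    [ "$n" -eq 0 ]
fi
```

Run it once per Borg user after editing authorized_keys, or from cron, and treat any non-zero count as a misconfiguration. The path comparison is deliberately exact rather than a prefix match, and the `restrict` check looks for the option in comma-separated position so that `--restrict-to-path` inside the quoted command does not count as the option itself.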

Comments

  • there's extensive documentation around borg and borgmatic. I'd suggest reading that instead of asking AI tools and hoping for the rest to come from people on here. it's worthwhile to have an understanding

  • @unsafetypin said:
    there's extensive documentation around borg and borgmatic. I'd suggest reading that instead of asking AI tools and hoping for the rest to come from people on here. it's worthwhile to have an understanding

    I do understand the risks; AI isn't the sole resource for the setup. As of now the setup is working as expected.
