most secure "rsync + ssh" setup , possibly for backups
This instructions are for a setup that pushes
data (such as backups) from a localhost to a serverhost,
using rsync in daemon mode, but tunneled inside an SSH
connection, and making sure that if someone hacks into
the localhost, they will not be able to use the backup machinery
to hack into the serverhost.
-
Pros: it is much more secure than other stuff you see in the -net;
it can be used to backup multiple hosts.
-
Cons: rsync does not run as root in the server, so
currently it cannot chroot ; and you cannot retain ownership in backups,
unless you mount the serverhost backup volume
with option user_xattr.
Note, all following commands should be executed as "root" user,
or prepended by the "sudo" command.
Prepare serverhost
In the serverhost, create the script
/usr/local/sbin/rsyncd_wrapper
with the following content
#!/usr/bin/python
import sys, os, subprocess, string
if len(sys.argv) != 3 or sys.argv[1] != '-c' :
print 'NO! ', repr(sys.argv)
sys.exit(1)
a=string.split(sys.argv[2],' ')
if len(a) != 4 or a[0] != 'rsync' or \
a[1] != '--server' or a[2] != '--daemon' or a[3] != '.' :
print 'NO!! ', repr(sys.argv)
sys.exit(1)
a=['/usr/bin/rsync','--config','/home/rsyncd/rsyncd.conf']+a[1:]
subprocess.call(a)
and dont forget
serverhost# chmod +x /usr/local/sbin/rsyncd_wrapper
Create special system user
serverhost# adduser --system rsyncd
serverhost# su rsyncd -s /bin/sh -c 'ssh-keygen'
serverhost# usermod rsyncd -s /usr/local/sbin/rsyncd_wrapper
serverhost# su rsyncd -s /bin/sh -c 'touch ~/.hushlogin'
Create the config file /home/rsyncd/rsyncd.conf for rsyncd,
serverhost# cp -i /usr/share/doc/rsync/examples/rsyncd.conf ~rsyncd/
and edit it at taste; add one or more 'backup' module,
optionally enforce passwords, etc etc (see man rsyncd.conf).
Here is an example /home/rsyncd/rsyncd.conf.
# sample rsyncd.conf configuration file
# GLOBAL OPTIONS
log file=/home/rsyncd/rsyncd.log
pid file=/home/rsyncd/rsyncd.pid
# MODULE OPTIONS
[backup]
comment = backup space
path = /bigdisk/backups
use chroot = no
# the default for read only is yes...
read only = no
ignore nonreadable = yes
transfer logging = no
refuse options = checksum
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
#for this , /bigdisk must be mounted with option user_xattr
fake super = yes
Foreach localhost
On the localhost
localhost# ssh-keygen -f ~/.ssh/rsyncd
Copy the key in the serverhost, e.g. copy/paste between
terminals using
localhost# cat ~/.ssh/rsyncd.pub
serverhost# su rsyncd -s /bin/sh -c 'nano -w ~/.ssh/authorized_keys'
Test it
localhost# rsync -e "ssh -l rsyncd -i /root/.ssh/rsyncd" serverhost::
it should return the list of available modules. Backup what you want to backup
localhost# rsync -ax -e "ssh -l rsyncd -i /root/.ssh/rsyncd" /home serverhost::backup/localhost/.
If it works fine, put the backup command in an executable file in /etc/cron.daily/.
Why is this secure
IMHO this is quite secure, since the server part of the backups is the
rsync daemon; the rsync daemon is a service that is worldwide offered on
unprotected TCP/IP ports, and I would consider this to be quite
secure; in my implementation moreover the rsync daemon is not
listening on any public TCP/IP port, so it is quite protected.
The other tool used is ssh with pub/private keys, enough
said.
If someone hacks in the localhost, s/he may use the ssh key to open
the connection to the serverhost, but all they would gain would be
access to a rsync daemon; so the most damage they may do would be
to the backupped files.
multiple local host backups
There are two layers of
authentication, first layer by the ssh key, second possible layer by a rsync
username/password.
This method may be used to give backup access to multiple hosts,
and/or to different users in the hosts.
By setting multiple modules with username/passwords in
/home/rsyncd/rsyncd.conf, the different backups may be
isolated one from the others.
further developments
By adding the setuid/setgid permissions to
the script /usr/local/sbin/rsyncd_wrapper, and changing the script
a bit, then the rsync daemon may run as root, and so it may chroot; I have
no idea if this would make it all more secure, or less secure.
Other sources
I read some people ideas before developing my own. Some random comments.