Re: [rdiff-backup-users] Post-setup questions
From: David Precious
Subject: Re: [rdiff-backup-users] Post-setup questions
Date: Fri, 19 Aug 2011 11:18:56 +0100
User-agent: KMail/1.13.6 (Linux/2.6.38-10-generic; KDE/4.6.2; x86_64; ; )
On Friday 19 August 2011 07:45:31 Nicolas Jungers wrote:
> > You can disallow root logins using password authentication, and set
> > PermitRootLogin without-password in /etc/ssh/sshd_config. That would
> > be secure against any dictionary attack launched against the root
> > account.
[...]
> There is a third solution, designed specifically for that kind of
> problem. You can put a command= option in front of your key in the
> authorized_keys file to restrict the usage of the key to a specific [set
> of] command. See AUTHORIZED_KEYS FILE FORMAT in "man sshd".
This is the approach I used - I set PermitRootLogin forced-commands-only in
/etc/ssh/sshd_config, and set up the public key used by the backup server to
pull backups in /root/.ssh/authorized_keys on the machines to be backed up to
force rdiff-backup to run (with read-only access), and only to be accepted
from the IP of the backup server.
It still means that, if the backup server was compromised, the keys on it
could be used to get read-only access of files on the systems that are backed
up by it - but, if the backup server is compromised, the data from those
systems which is on the backup server is already accessible to the attacker
and should be considered compromised anyway.
On the other hand, if one of the systems that are being backed up is
compromised (rather more likely, being laptops / workstations), they cannot
access the backup server.
I documented my setup on my blog, hopefully it may be of use:
http://www.preshweb.co.uk/2011/04/incremental-backups-with-rdiff-backup/
I think this is a reasonable approach, as long as good effort is taken to
ensure the backup server remains secure.
--
David Precious ("bigpresh")
http://www.preshweb.co.uk/
"Programming is like sex. One mistake and you have to support
it for the rest of your life". (Michael Sinz)