On Wed, Feb 04, 2009 at 11:22:33AM +0000, Srdjan Todorovic wrote:
> Hi folks,
>
> 2009/2/4 Chris G <cl@isbd.net>:
> > I back up our important data (e.g. /home and some other bits and pieces) to a couple of remote 'servers'.
>
> If they provide a service, they are servers.

Yes, OK, they're real servers for me anyway.

> > Having passwordless ssh access to the backup machine means that a malicious attacker who gets into the backup client machine can destroy all the backups as well as the files being backed up. While this is a fairly remote possibility (a malicious attacker getting in) I'd like to protect against it if I can.
>
> Physical access to the machine or remote access to your machine?

Either, but in reality the most likely case is someone guessing a not very good password and getting remote access. I'm fairly paranoid on that front too (only allowing ssh access from a couple of specific IP addresses) but you never know.

> > So I'm looking for a backup/mirror/remote copy facility that will allow me to 'push' files from a client machine to the backup machine without needing passwordless access.
>
> How will you authenticate?

None, it will be a server process that will *only* provide incremental backup services so the only damage possible would be to fill up space. In reality it might be worth adding some authentication but it could only be at machine level as it needs to be non-interactive.

> How will this system know to push/commit a new file that you tell it to, versus a bogus file *I* tell it to?

It won't. This is why I'm suggesting that only incremental backup is allowed, the worst you can do is fill up space on the remote.

> Isn't this going back to some previous email we had about trust (military terminology and "trusted computing")? Where, if you trust some machine, it's not secure at all.
>
> "Secure / Easy to use --- pick one". Does this apply?

Probably, I've been kicking this around for a while. It's closely connected with my recent question about how to check if a remote machine has died. I was thinking of doing the backups by 'pulling' from the remote but if I can 'push' from the systems requiring backup then the issue of knowing whether it worked is much easier.

I'm after 'Easy to use' in the sense of being sure that the backup has succeeded, with paranoia about security less important. It's no use at all being wonderfully secure if the backups you thought you were doing haven't been working for the past six months and you don't know! I know how lazy I am and unless something telling me the backup has (probably) failed hits me in the face I'll not notice. Systems that require me to 'go and look' don't work (for me anyway).

> I don't really have any solutions for you. I suspect a reasonable mix of solutions might be to make sure your OS is patched and firewalled, and that you encrypt your data as it goes to your backup server.
>
> By definition (IMHO), anything that makes your life easier is going to have worse security.

Depends on what you mean by security; there are two sides to it, security against attack and security of data so that you can restore it if attacked. Ease of use is *vital* for that second side of security or you find that backups aren't there.

I've been looking into rdiff-backup options (and sshd options) and it looks as if I might be able to get what I want with rdiff-backup and a restrictive ssh setup that allows *only* rdiff-backup connections for a specific backup user.
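Added example, not part of the thread: one way to build the restrictive setup the last paragraph describes, and to audit that no key on the backup user's account escapes it. It assumes a dedicated backup account on the server, one repository path per client, and the `--restrict-update-only` option of the rdiff-backup 1.x series (later releases spell the restriction differently); key strings, paths and addresses are constructed placeholders.

```shell
#!/bin/sh
# Build an authorized_keys entry for the backup user that forces rdiff-backup's
# server mode, confines it to one repository in update-only mode (backups may
# be added, nothing restored or deleted), and drops every other ssh feature.
# Constructed example: paths, addresses and key strings are placeholders.

restricted_key_line() {
    pubkey="$1"   # the client's public key, e.g. "ssh-rsa AAAA... backup@client"
    dest="$2"     # repository the key may update, and nothing else
    from="$3"     # optional client address; empty means no source restriction
    opts="command=\"rdiff-backup --server --restrict-update-only $dest\""
    opts="$opts,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"
    if [ -n "$from" ]; then
        opts="from=\"$from\",$opts"
    fi
    printf '%s %s\n' "$opts" "$pubkey"
}

# Audit check: every active line of an authorized_keys file must carry a forced
# command, otherwise that key gives the client an unrestricted shell on the
# backup host. Returns 0 when clean, 1 when any unrestricted key is found.
audit_authorized_keys() {
    file="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;            # skip blanks and comments
            *'command="'*) ;;               # forced command present
            *) echo "unrestricted key: $line" >&2; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Demo: write one restricted entry, then append an unrestricted one and show
# that the audit catches it.
demo() {
    tmp=$(mktemp)
    restricted_key_line "ssh-rsa AAAAEXAMPLE backup@client1" /srv/backups/client1 192.0.2.10 > "$tmp"
    audit_authorized_keys "$tmp" && echo "audit clean"
    echo "ssh-rsa AAAAEXAMPLE2 admin@laptop" >> "$tmp"
    audit_authorized_keys "$tmp" || echo "audit failed as expected"
    rm -f "$tmp"
}

demo
```

The forced command is what makes the "only incremental backup" property hold: whatever the client asks ssh to run, sshd runs the command string instead, and `--restrict-update-only` keeps rdiff-backup from restoring or removing anything in that repository.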