On Wed, 2009-02-04 at 10:49 +0000, Chris G wrote:
> Having passwordless ssh access to the backup machine means that a malicious attacker who gets into the backup client machine can destroy all the backups as well as the files being backed up. While this is a fairly remote possibility (a malicious attacker getting in) I'd like to protect against it if I can.
Why do your backup server and the credentials it uses to log in for backup jobs even have write access to the original data in the first place?
> So I'm looking for a backup/mirror/remote copy facility that will allow me to 'push' files from a client machine to the backup machine without needing passwordless access. It also needs to do either timed or incremental backups in some shape or form as otherwise, of course, destroying files on the backup client would probably also destroy them on the backup.
Hmm, surely if the backups are going to be automated then either the backup system is going to have to store credentials for the local system or the other way round. The best you can do, as far as I can see, is restrict the rights those credentials give to the task in hand.
> Any ideas anyone? I'm toying with the idea of playing with rsync with an rsync server on the remote backup machine, though I haven't investigated this enough to see if it will work as I hope. There are a number of backup utilities that use rsync and provide timed and/or incremental backups but I'm not sure if they'll use rsync server on the remote.
Well, rsync would work without having to store passwords only because on its own (i.e. not via an ssh tunnel) it pretty much has no security beyond "host a can see folder x for r-w". So get on the LAN and pretend to be "host a" and you have the same access. Also the data stream is not encrypted, so any files transferred could be intercepted from the wire.
That said, if your backup server attaches to your local machine via rsync set up for read only access then at least an attacker on the backup machine can't delete files on the local one.
But this is only practical/safe if the connection between the two is a trusted network.
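The two least-privilege shapes discussed in this exchange, written out as rsync daemon configuration, as an added example that is not part of the original thread: a read-only module on the client for the reply's "server pulls" suggestion, and a write-only module that refuses `--delete` on the backup server for the original poster's "client pushes" case, so the credential held on either side can add or read data but not destroy it. The host names, paths, user names, addresses (192.0.2.x) and file locations are constructed; `read only`, `write only`, `refuse options`, `hosts allow`, `auth users` and `secrets file` are standard rsyncd.conf parameters. As the reply notes, daemon mode is unencrypted, so this assumes a trusted network, and write-only still lets a compromised client overwrite a file with garbage, so the server must keep dated snapshots of the incoming tree. The small awk audit at the end flags any module whose credential could delete data.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege rsync daemon modules
# for both backup directions, plus an audit of the resulting configs.
# All names, paths and addresses below are constructed placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/rsync-acl-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Direction 1 (the reply's suggestion): the backup server PULLS from the
# client through a read-only module, so the server-side credential can
# read the originals but never modify or delete them.
write_client_conf() {
    cat > "$1" <<'EOF'
# rsyncd.conf on the backup client (constructed example)
uid = nobody
gid = nobody
use chroot = yes
[home]
    path = /home
    read only = yes
    list = no
    # only the backup server may connect (placeholder address)
    hosts allow = 192.0.2.10
    auth users = puller
    secrets file = /etc/rsyncd.secrets
EOF
}

# Direction 2 (the original poster's push): the client PUSHES into a
# write-only module that refuses the --delete options, so a compromised
# client can add data but cannot read or remove existing backups.
# Overwrites are still possible; keep dated snapshots of this tree.
write_server_conf() {
    cat > "$1" <<'EOF'
# rsyncd.conf on the backup server (constructed example)
uid = backup
gid = backup
use chroot = yes
[incoming]
    path = /srv/backups/incoming
    read only = no
    write only = yes
    refuse options = delete
    list = no
    hosts allow = 192.0.2.20
    auth users = pusher
    secrets file = /etc/rsyncd.secrets
EOF
}

# Audit: print the name of every module that is writable (read only = no)
# and does not refuse deletes, i.e. a module whose credential could
# destroy data. Prints nothing when every module is safe.
risky_modules() {
    awk '
        function report() { if (mod != "" && writable && !nodel) print mod }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # new [module] header
            report()
            mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/].*$/, "", mod)
            writable = 0; nodel = 0; next
        }
        /^[ \t]*read only[ \t]*=[ \t]*(no|false|0)[ \t]*$/ { writable = 1 }
        /^[ \t]*refuse options[ \t]*=/ && /delete/        { nodel = 1 }
        END { report() }
    ' "$1"
}

# Number of risky modules, for scripted checks (0 means all modules safe).
count_risky_modules() {
    risky_modules "$1" | wc -l | tr -d ' '
}

write_client_conf "$WORK/client-rsyncd.conf"
write_server_conf "$WORK/server-rsyncd.conf"

# Deliberately weak module for contrast: writable and deletes allowed.
cat > "$WORK/weak-rsyncd.conf" <<'EOF'
[everything]
    path = /srv/backups
    read only = no
EOF

printf 'client risky modules: %s\n' "$(count_risky_modules "$WORK/client-rsyncd.conf")"
printf 'server risky modules: %s\n' "$(count_risky_modules "$WORK/server-rsyncd.conf")"
printf 'weak risky modules:   %s\n' "$(risky_modules "$WORK/weak-rsyncd.conf")"
```

The audit only reads the static config; it does not replace checking the secrets file permissions or confirming that the module's `path` is not the live data. The `risky_modules` function can be run against a real `/etc/rsyncd.conf` to find modules that hand a backup credential more than it needs.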