Rsyncd & Read-only & Ssh
Post Rsyncd & Read-only & Ssh 
Hello everybody,

I've been happily using backuppc to backup a couple of linux machines
using the rsync over ssh transport (with ssh keys).

However, I'm having nightmares about the security of this system. If the
[backup server] is compromised, then _all_ the machines that are
backupped by the [backup server] are also compromised, seen that the
attacker can just use the ssh keys to login as root.

Therefore, I was thinking about limiting the allowed command executed
with the ssh keys to rsyncd. On the website
http://samba.anu.edu.au/ftp/rsync/rsyncd.conf.html is more information
about this under the "RUNNING AN RSYNC SERVER OVER A REMOTE SHELL
PROGRAM" topic. This rsyncd would then run with the 'read only' module
option.

The benefit of such a setup would be that even if an attacker succeeded
in compromising the [backup server], he would still be unable to cause
any harm to the client machines. The read only rsyncd would provide an
added form of security against file system changes.

Is this setup possible to combine with backuppc? As far as I can tell,
choosing 'rsyncd' as $Conf{XferMethod} would cause backuppc to connect
directly to the rsync daemon, instead of over ssh.

Greetings,

Jan-Frederik Martens



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/backuppc-users
http://backuppc.sourceforge.net/

Post Rsyncd & Read-only & Ssh 
Hi Jan-Frederik,

If you're concerned about the ssh-keys allowing root access (IMO you should
be) then you can use a non-root user and sudo to get the backups working but
only allow root use of rsync or tar. I posted how to do this back in
January so you can find it in the archives. If you can't, email me off-list
and I'll send it to you.

I personally now use the rsyncd for machines that are on their own private
network (ie DMZ) as it is easier to back up both unix and win machines this
way. If you are using public networks you are best to use ssh with a non-root
user and sudo.

Regards,
Josh.



Post Rsyncd & Read-only & Ssh 

Jan-Frederik wrote:

| However, I'm having nightmares about the security of this system. If the
| [backup server] is compromised, then _all_ the machines that are
| backupped by the [backup server] are also compromised, seen that the
| attacker can just use the ssh keys to login as root

Depending on the files you backup, a hacker should normally get what he
wants when he is in the backup server ;)

I would suggest to use selinux on your backup machine.

regards
~ Daniel

- --
nihil me cirumdat

.. . .. ... . . .. . ... . .. . ... . . .
pgp key < at > http://files.poelzi.org/pgp.txt
ED80 E53D 5269 4BB1 1E73 3A53 CBF9 A421 0A7B 003D

Post Rsyncd & Read-only & Ssh 
daniel.poelzleithner wrote:

| | However, I'm having nightmares about the security of this system. If the
| | [backup server] is compromised, then _all_ the machines that are
| | backupped by the [backup server] are also compromised, seen that the
| | attacker can just use the ssh keys to login as root
|
| Depending on the files you backup, a hacker should normally get what he
| wants when he is in the backup server ;)

That is true, he would have complete access to all backuped data. But he
would not be able to modify the data on the client machines, nor login
as root on the client machines and cause havoc. This is quite essential
to me, and a lot of people who use this kind of backup mechanism I suspect.



Post Rsyncd & Read-only & Ssh 
Josh Marshall wrote:

| If you're concerned about the ssh-keys allowing root access (IMO you should
| be) then you can use a non-root user and sudo to get the backups working but
| only allow root use of rsync or tar. I posted how to do this back in
| January so you can find it in the archives. If you can't, email me off-list
| and I'll send it to you.

Found it: http://sourceforge.net/mailarchive/message.php?msg_id=7099064

But this doesn't really solve the problem, or does it? What is to stop
an attacker from logging in as a non-root user on the client machine,
executing sudo rsync, and overwriting /etc/shadow with a version in
which he has altered the password crypt for the root user?

| I personally now use the rsyncd for machines that are on their own private
| network (ie DMZ) as it is easier to back up both unix and win machines this
| way. If you are using public networks you are best to use ssh with a non-root
| user and sudo.

So rsyncd+ssh for use on public networks, combined with backuppc would not
be possible in your opinion?




Post Rsyncd & Read-only & Ssh 
Joshua Marshall wrote:

| It won't stop an attacker from doing that, no. But as pointed out by Daniel
| Poelzleithner he will already have access to the data on the machines. That
| includes access to the /etc/shadow file which he can go away and find out all
| your passwords using a cracking tool, then get in via ssh anyway.

I'm not familiar with the endurance of the crypt used to encode the
passwords in /etc/shadow, but we always use very long root passwords,
consisting of alphanumeric & other characters.

| I took a quick look at the website you originally posted, it seemed to suggest
| that the rsyncd server was being spawned via the shell over ssh but it didn't
| really say that the data going to/from the rsync server would then be
| encrypted.

I believe you're right about this :(

| An option that you do have is to have the rsyncd server running, allowing
| connections only to localhost. Have a pre-backup script start up an ssh
| tunnel to the server and port forward the rsyncd port on the machine being
| backed up to the backup machine, then get the backup to use the encrypted
| link. I'm not sure on the specifics but it's a start.

Very interesting approach! I will definitely explore this possibility.
Thanks for the idea.

Strange however, that these security concerns are discussed so little in
the backuppc documentation?




Post Rsyncd & Read-only & Ssh 
On 04/17 12:02 , Jan-Frederik wrote:
| However, I'm having nightmares about the security of this system. If the
| [backup server] is compromised, then _all_ the machines that are
| backupped by the [backup server] are also compromised, seen that the
| attacker can just use the ssh keys to login as root.

I posted this to the BackupPC list a few months ago, but here's my scheme
for securing backups.

The way I actually prefer to do rsync backups, is:
- have a special 'backup' user on the client machine
- the 'backup' user is allowed to run rsync as root without a password, via
sudo
- the 'backup' user is logged into via an RSA key, and the
.ssh/authorized_keys file which contains the key, only allows the specific
sudo+rsync command to be run. (this is where the actual exclude patterns
go). so it looks something like:
# cat authorized_keys
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="sudo /usr/bin/rsync --server --sender -logDtpr --exclude='/proc' --exclude='/mnt' --exclude='/staff' --delete --blocking-io . /" ssh-dss <insert rest of the key here>== rsync backup login

this way, there's no remote login as root, and the user who does the rsync,
can only do the one rsync command. I was doing this with my own rsync
scripts before I found backuppc.


Carl Soderstrom.
--
Systems Administrator
Real-Time Enterprises
www.real-time.com
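
An added example, not part of any post in this thread: a forced-command wrapper for the question raised earlier about `sudo rsync` being used to overwrite files such as /etc/shadow. Rather than hard-coding one command in authorized_keys, it inspects `SSH_ORIGINAL_COMMAND` and runs rsync only in `--server --sender` (read-only) mode. The wrapper name `rsync-ro-gate`, its install path and the list of refused options are assumptions of this example.

```shell
#!/bin/sh
# Assumed install: command="/usr/local/bin/rsync-ro-gate" in the backup
# user's authorized_keys, next to the no-*-forwarding options shown above.
RSYNC=/usr/bin/rsync

# Return 0 only for "rsync --server --sender <options> . <path>".
rsync_readonly_ok() {
    # Whitelist of characters; anything else (quotes, ;, |, $, globs,
    # newlines) is refused, so splitting on spaces below is safe.
    _safe='A-Za-z0-9 ./=_,:@+-'
    case $1 in ''|*[!$_safe]*) return 1 ;; esac
    set -- $1
    [ "$#" -ge 5 ] || return 1
    case $1 in rsync|"$RSYNC") ;; *) return 1 ;; esac
    # --sender: this side only reads. Without it rsync would receive,
    # i.e. write files on the client as root.
    [ "$2" = "--server" ] && [ "$3" = "--sender" ] || return 1
    shift 3
    for _w in "$@"; do
        case $_w in
            # Options that let even a sender change the client (assumed policy).
            --remove-source-files|--remove-sent-files|--log-file*) return 1 ;;
        esac
    done
    return 0
}

# sshd places the command requested by the client in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if rsync_readonly_ok "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND    # character set was checked above
        shift                           # drop the client's program name
        exec sudo "$RSYNC" "$@"         # argument vector, never a shell string
    fi
    logger -t rsync-ro-gate "refused: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```
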

