SearchFAQMemberlist Log in

Backup Central Forums Forum Index » Rdiff-Backup » Post-setup questions

The time now is Fri May 25, 2012 6:40 pm
View previous topic | View next topic
Reply to topic Page 2 of 2
Goto page Previous  1, 2
Post-setup questions
Author Message
David Precious
Guest



Post Post-setup questions 
On Friday 19 August 2011 07:45:31 Nicolas Jungers wrote:
You can disallow root logins using password authentication, and set
PermitRootLogin without-password in /etc/ssh/sshd_config. That would
be secure against any dictionary attack launched against the root
account.
[...]
There is a third solution, designed specifically for that kind of
problem. You can put a command= option in front of your key in the
authorized_keys file to restrict the usage of the key to a specific [set
of] command. See AUTHORIZED_KEYS FILE FORMAT in "man sshd".


This is the approach I used - I set PermitRootLogin forced-commands-only in
/etc/ssh/sshd_config, and set up the public key used by the backup server to
pull backups in /root/.ssh/authorized_keys on the machines to be backed up to
force rdiff-backup to run (with read-only access), and only to be accepted
from the IP of the backup server.

It still means that, if the backup server was compromised, the keys on it
could be used to get read-only access of files on the systems that are backed
up by it - but, if the backup server is compromised, the data from those
systems which is on the backup server is already accessible to the attacker
and should be considered compromised anyway.

On the other hand, if one of the systems that are being backed up is
compromised (rather more likely, being laptops / workstations), they cannot
access the backup server.

I documented my setup on my blog, hopefully it may be of use:

http://www.preshweb.co.uk/2011/04/incremental-backups-with-rdiff-backup/

I think this is a reasonable approach, as long as good effort is taken to
ensure the backup server remains secure.


--
David Precious ("bigpresh")
http://www.preshweb.co.uk/

"Programming is like sex. One mistake and you have to support
it for the rest of your life". (Michael Sinz)

_______________________________________________
rdiff-backup-users mailing list at rdiff-backup-users < at > nongnu.org
https://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
Fri Aug 19, 2011 2:19 am
Display posts from previous:

Backup Central Forums Forum Index » Rdiff-Backup » Post-setup questions

The time now is Fri May 25, 2012 6:40 pm | All times are GMT - 8 Hours
 
Reply to topic Page 2 of 2
Goto page Previous  1, 2
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
  


Magic SEO URL for phpBB