Backup Central

Dear all,

I have a server XPTO where I am consolidating the backups of some virtual servers (on /mnt/backups/machine1,machine2...). I now want to copy these files to a remote QNap NAS server over the internet.

I installed rsnapshot on my NAS and configured it to backup XPTO's /mnt/backups. However, I have a security issue that I'd like your help with:

- The current XPTO user I'm using in the NAS' rsnapshot script is "backuper" (owner of /mnt/backups in XPTO). However, since I'm keeping the original ownership of the files inside machine1,machine2..., rsnapshot will have problems with files that have more restrictive permissions [1]

- The only alternative I see is using "root" instead of "backuper" as the rsnapshot user. However, this leaves me with a security issue: if the NAS is compromised, my XPTO server will also be compromised as I have the shared-key to root there. And naturally it'll be compromised entirely (ie, from /).

Do you see any alternative setup that reduces or eliminates this security risk?


Cheers,

Miguel Almeida


[1] rsync: send_files failed to open "/mnt/backups/backuptest/dummySystem/home/Cache/_CACHE_MAP_": Permission denied (13)

Hi Miguel,

I posted one possible approach [1] to this list a while ago. The crux
of it is that you make encrypted copies of any non-world-readable files
using rsyncrypto, and then run rsnapshot as an unprivileged user.
Rsnapshot skips the protected files, but backs up their cyphertext
versions. It's not transparent, but it seems to work.

-Eric


[1] https://github.com/ewa/rsyncrypto-rsnapshot-config

On 01/09/2012 12:14 PM, Miguel Almeida wrote:
Dear all,

I have a server XPTO where I am consolidating the backups of some
virtual servers (on /mnt/backups/machine1,machine2...). I now want to
copy these files to a remote QNap NAS server over the internet.

I installed rsnapshot on my NAS and configured it to backup
XPTO's /mnt/backups. However, I have a security issue that I'd like your
help with:

- The current XPTO user I'm using in the NAS' rsnapshot script is
"backuper" (owner of /mnt/backups in XPTO). However, since I'm keeping
the original ownership of the files inside machine1,machine2...,
rsnapshot will have problems with files that have more restrictive
permissions [1]

- The only alternative I see is using "root" instead of "backuper" as
the rsnapshot user. However, this leaves me with a security issue: if
the NAS is compromised, my XPTO server will also be compromised as I
have the shared-key to root there. And naturally it'll be compromised
entirely (ie, from /).

Do you see any alternative setup that reduces or eliminates this
security risk?


Cheers,

Miguel Almeida


[1] rsync: send_files failed to open
"/mnt/backups/backuptest/dummySystem/home/Cache/_CACHE_MAP_": Permission
denied (13)




------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox



_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss


--
Eric W. Anderson Electrical and Computer Engineering
andersoe < at > ece.cmu.edu Carnegie Mellon University
phone: +1-412-268-1908 Roberts Hall 244

PGP key fingerprint:
D3C5 D6FF EDED 9F1F C36D 53A3 74B7 53A6 3C74 5F12


------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

On Mon, Jan 9, 2012 at 9:14 AM, Miguel Almeida <miguel < at > almeida.at> wrote:
- The current XPTO user I'm using in the NAS' rsnapshot script is "backuper"
(owner of /mnt/backups in XPTO). However, since I'm keeping the original
ownership of the files inside machine1,machine2..., rsnapshot will have
problems with files that have more restrictive permissions [1]

- The only alternative I see is using "root" instead of "backuper" as the
rsnapshot user. However, this leaves me with a security issue: if the NAS is
compromised, my XPTO server will also be compromised as I have the
shared-key to root there. And naturally it'll be compromised entirely (ie,
from /).

Do you see any alternative setup that reduces or eliminates this security
risk?

I may not understand your situation, but I think you have two issues:
1) rsnapshot server needing root access to XPTO.
2) rsnapshot server containing sensitive files from XPTO.

Problem #1 can be resolved by setting the system up just right.
Search for rsync-wrapper on the web. I was not entirely happy with
any of the sites I found, so rolled my own, but cannot find my notes
;-(. Basically, you setup an rsnapshot user which is in sudoers,
tightly control who can be that user (such as not ability to login
except ssh with the public key), and tightly control what that user
can run (only a specific rsync command-line).

Problem #2 requires you to either not backup those files, or to have a
script on the server back them up to a local encrypted something, and
then back _that_ up. Of course, #1 implies that the backup server has
effective read-only access at root level. You could probably extend
the wrapper technique to restrict which directories rsync has access
to, but that might become infinitely annoying . Perhaps you could
also extend the technique to inject --exclude parameters to rsync, but
I'd worry about accidentally poking holes.

-scott

------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

On Mon, Jan 9, 2012 at 21:14, Miguel Almeida <miguel < at > almeida.at ([email]miguel < at > almeida.at[/email])> wrote:
Do you see any alternative setup that reduces or eliminates this security risk?



Did you coonsider using sudo? it was designed for such things.

Scott H> I may not understand your situation, but I think you have two issues:
Scott H> 1) rsnapshot server needing root access to XPTO.
Scott H> 2) rsnapshot server containing sensitive files from XPTO.

I agree with Scott, but it sounds like you are asking about #1. You want to preserve file UIDs, GIDs, and permissions, which requires rsync to run as "root" on the XPTO.

To accomplish this, you can use "sudo", or you can just set tight restrictions in root's authorized_keys. You can restrict the SSH key to only allow a (read-only) backup using rsync (and nothing more). If you are particularly paranoid, you could do both.

To use "sudo", you'd need to edit /etc/sudoers to allow the user "backuper" to become root for the backup, but nothing else. I think this will be difficult to configure, because rsnapshot doesn't know how to use "sudo" on the remote side. You'll need some kind of wrapper script to invoke "sudo rsync [your unique client-side options here]" instead of the normal rsync command. In my opinion, this method would be unnecessarily complicated to configure and document.

Instead, I recommend just using SSH to restrict what the SSH key is allowed to do. Tell SSH that the key used for backup is allowed to run read-only rsync commands, but nothing else; no shell login, no rsync writes, no other commands, etc. Like sudo, this also requires a wrapper script on the client, but unlike sudo, this is easy to configure because there is a working script included with rsync called "rrsync", which enforces read-only backups. Options you'll want to include in the /root/.ssh/authorized_keys are:

- no-pty: Don't offer the user a psuedo terminal. This adds a layer against shell logins.
- no-agent-forwarding: Don't let an attacker use their own agent. (Doesn't really add much here.)
- no-X11-forwarding: Prevents X11 apps. Just another extra layer to reduce attack vectors.
- no-port-forwarding: Do not allow SSH tunnels using this key.
- command="/root/rrsync -ro /" : This forces the script to run on login, with the -ro "read-only" option

This way, the key trusted by root can do the backup, but nothing else. I give a full rsnapshot configuration tutorial using this method here:

http://derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot/

Regarding the issue #2, you'll need store the files onto an encrypted something (like encrypted partition or EncFS filesystem) locally. If you want your Internet-connected backup copy to be encrypted, such that, if your backup server is compromised, the attacker will not see all your files, then do not run rsnapshot on the backup server. Instead, run rsnapshot locally on the XPTO to a remotely-connected and encrypted file store, such as an encrypted iSCSI partition, an encrypted DRDB device with a remote mirror, or an SSHFS mounted EncFS directory, or some other such system.

Note that using full-disk encrypted on the backup server is not sufficient, as that only protects data at rest (when the server is powered off), and offers nothing once the server is booted up and online. Also, be careful with strong encryption, because if the key is unavailable for any reason, including technical problems or a disgruntled employee, your data is gone forever. Other security considerations are firewall rules and intrustion detection.


Thanks,
Derek Simkowiak


On 01/09/2012 10:29 AM, Scott Hess wrote: On Mon, Jan 9, 2012 at 9:14 AM, Miguel Almeida <miguel < at > almeida.at> ([email]miguel < at > almeida.at[/email]) wrote:
- The current XPTO user I'm using in the NAS' rsnapshot script is "backuper"
(owner of /mnt/backups in XPTO). However, since I'm keeping the original
ownership of the files inside machine1,machine2..., rsnapshot will have
problems with files that have more restrictive permissions [1]

- The only alternative I see is using "root" instead of "backuper" as the
rsnapshot user. However, this leaves me with a security issue: if the NAS is
compromised, my XPTO server will also be compromised as I have the
shared-key to root there. And naturally it'll be compromised entirely (ie,
from /).

Do you see any alternative setup that reduces or eliminates this security
risk?

I may not understand your situation, but I think you have two issues:
1) rsnapshot server needing root access to XPTO.
2) rsnapshot server containing sensitive files from XPTO.

Problem #1 can be resolved by setting the system up just right.
Search for rsync-wrapper on the web. I was not entirely happy with
any of the sites I found, so rolled my own, but cannot find my notes
;-(. Basically, you setup an rsnapshot user which is in sudoers,
tightly control who can be that user (such as not ability to login
except ssh with the public key), and tightly control what that user
can run (only a specific rsync command-line).

Problem #2 requires you to either not backup those files, or to have a
script on the server back them up to a local encrypted something, and
then back _that_ up. Of course, #1 implies that the backup server has
effective read-only access at root level. You could probably extend
the wrapper technique to restrict which directories rsync has access
to, but that might become infinitely annoying . Perhaps you could
also extend the technique to inject --exclude parameters to rsync, but
I'd worry about accidentally poking holes.

-scott

------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net ([email]rsnapshot-discuss < at > lists.sourceforge.net[/email])
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

Thank you, Derek and Scott, for the input.

On Mon, 2012-01-09 at 13:45 -0800, Derek Simkowiak wrote:

http://derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot/

In the restriction of root to use just the single command (which in fact is also part of Scott's 2-step method) I do have a doubt regarding the simultaneous usage of:
1) "PermitRootLogin forced-commands-only"
2) command="/root/rrsync " in the authorized_keys

Does this restrict any ssh connection attempt to the run of /root/rrsync, OR
does it run the command you want from the remote shell PLUS rrsync?

I'm also having doubts because I am looking at this in a similar way as sudoers - ie, 2) would restrict ssh-ed users to only be able to run /root/rrsync AND 1) would not allow a login shell, which therefore meant the only thing allowed would be:
(on remoteServer shell:) ssh XPTO -l root rrsync

but the actual command that will be run is rsnapshot (which I assume calls rsync), not rrsync. How does it work then?

Again, I appreciate your effort in helping me out with this configuration.

Miguel Almeida

2) command="/root/rrsync " in the authorized_keys
Does this restrict any ssh connection attempt to the run of /root/rrsync

    No.  That option goes only on the same line of "authorized_keys" as the SSH key that you are using for backups.  Anyone connecting with that particular (trusted) private key will have /root/rrsync executed, and nothing else.  That one SSH key will not be able to run any other command.  That is why you want to have a dedicated SSH key for your backups -- don't use any SSH key that you want to use for actual shell connections.

    Of course, you can still trust other keys (like your own personal keys) and they would be able to run any command that you want...  unless you also add this to your global /etc/ssh/sshd_config:

1) "PermitRootLogin forced-commands-only"

    This option is global to SSH and basically says, "don't allow generic SSH shell logins for root".  If you set this, then every SSH key in /root/.ssh/authorized_keys must also have a "command=..." option next to it.  But different keys can be forced to run different commands, so you could have a separate key that was "forced" to run "command=/bin/bash".

    The PermitRootLogin forced-commands-only option does not make sense if you want to SSH directly to your servers as root.  But you shouldn't do that anyway; instead, SSH to your servers as a regular user, and trust the keys in (e.g.) /home/derek/.ssh/authorized_keys.  Then, once connected, you can use "sudo -s" or "sudo bash" to become root.

    The reason is so your server access can be audited.  If you have 5 admins on your team, then if you all connect as "root" directly you won't necessarily who logged in and broke things.  But if you all log in as your own user account, "john", "jane", etc., then the SSH logs will show who logged in and the sudo logs will show who (and when) that person became root.  It also requires the user to provide their password to become root, instead of just requiring a trusted key file.  (Also, it conveniently allows each person to manage their own trusted keys in their own authorized_keys file.)

    That is similar to how Debian/Ubuntu systems are configured.  There is no root password -- only users who are in the sudo "admin" group.  To become root on Ubuntu, you must first get a console as a regular user.  (But SSH does its own authentication so it is possible to SSH directly to an Ubuntu server as root with a trusted key... even if root doesn't have a password.  But don't do that.)


the only thing allowed would be:
(on remoteServer shell:) ssh XPTO -l root rrsync

    That is (basically) correct.  Your example might be clearer if you had "ssh -i /root/my_backup_key_id_rsa XPTO -l root rrsync", with the -i option to illustrate that this is all bound to a particular trusted key.

but the actual command that will be run is rsnapshot (which I assume calls rsync), not rrsync. How does it work then?

    It works with a bit of magic.

    First, note that Rsnapshot only calls "rsync" on the remote computer.  You don't need "Rsnapshot" installed on your primary server, you only need "rsync".  Rsnapshot will basically try to run this:

ssh -i /root/my_backup_key_id_rsa XPTO -l root rsync --server --sender -vlogDtpr --partial . [ARGS]

    Notice it is trying to run rsync, not "rrsync".  Also, the options are different and longer from the simplistic "rrsync -ro /" that you use as the forced command in authorized_keys.

    So then how does it work?  Well, even when you use a forced command with "command=...", OpenSSH will tell you what command the user tried to run (even though they are not allowed to run it).  OpenSSH will put the attempted command into an environment variable called $SSH_ORIGINAL_COMMAND.  If you examine that variable, the forced command can see what was attempted.

    And that is exactly what "rrsync" does; it looks at $SSH_ORIGINAL_COMMAND to know the full rsync options that Rsnapshot is trying to use.  "rrsync" will then invoke rsync (as Rsnapshot as requested) after scrubbing the command to make sure that it is only doing a read-only download, and not trying to use rsync to upload new file content.  "rrsync" is a simple Perl script, and I recommend you browse through the source.

    To summarize:

would restrict ssh-ed users to only be able to run /root/rrsync

    No -- the "command=..." option is specific to a particular key in authorized_keys.  Other keys would be unaffected.

"PermitRootLogin forced-commands-only" would not allow a login shell

    In short, yes, however you can still enable a login shell by using something like "command=/bin/bash" on all the other keys.  If you want to connect as root, they you probably don't want the "PermitRootLogin forced-commands-only" option.  But you shouldn't connect as root anyway.


Thanks,
Derek Simkowiak
Linux Consultant and Software Developer
http://derek.simkowiak.net
Biz: http://www.cool-st.com/


On 01/10/2012 03:02 AM, Miguel Almeida wrote: Thank you, Derek and Scott, for the input.

On Mon, 2012-01-09 at 13:45 -0800, Derek Simkowiak wrote:

http://derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot/

In the restriction of root to use just the single command (which in fact is also part of Scott's 2-step method) I do have a doubt regarding the simultaneous usage of:
1) "PermitRootLogin forced-commands-only"
2) command="/root/rrsync " in the authorized_keys

Does this restrict any ssh connection attempt to the run of /root/rrsync, OR
does it run the command you want from the remote shell PLUS rrsync?

I'm also having doubts because I am looking at this in a similar way as sudoers - ie, 2) would restrict ssh-ed users to only be able to run /root/rrsync AND 1) would not allow a login shell, which therefore  meant the only thing allowed would be:
(on remoteServer shell:) ssh XPTO -l root rrsync

but the actual command that will be run is rsnapshot (which I assume calls rsync), not rrsync. How does it work then?

Again, I appreciate your effort in helping me out with this configuration.

Miguel Almeida