Securing your RSYNC backups with SSH & SUDO

We use several dedicated servers in remote locations that are responsible for backing up the server farm. The backup server pulls the data from the source.

Let's start by adding a new backup user on the source server.

source:~/# adduser backup-user

Add the user to /etc/sudoers and allow rsync without a password.

source:~/# export EDITOR=$(which vim) && visudo

 # This file MUST be edited with the 'visudo' command as root.
 #
 Defaults env_reset
 Defaults mail_badpass
 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

...
# Backup without password!
backup-user ALL = NOPASSWD: /usr/bin/rsync

Create a new SSH key on the destination server (the backup server)
destination:~/# ssh-keygen

Add a “_backup” suffix to the key filename and leave the passphrase empty

 Generating public/private rsa key pair.
 Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa_backup
 Enter passphrase (empty for no passphrase):
 Enter same passphrase again:
 Your identification has been saved in /root/.ssh/id_rsa_backup.
 Your public key has been saved in /root/.ssh/id_rsa_backup.pub.

Set permissions on the keys
destination:~/# chmod 600 ~/.ssh/id_rsa_backup*

Copy your new key to the source server
destination:~/# ssh-copy-id -i ~/.ssh/id_rsa_backup.pub backup-user@source

Try out your new setup
destination:~/# rsync -a -e "ssh -i ~/.ssh/id_rsa_backup" --rsync-path="sudo rsync" backup-user@source:/some/dir /destination/dir/
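
Because the key has no passphrase and backup-user may run rsync through sudo without a password, whoever holds the key can read or write any file on the source as root. One way to narrow that is a forced command in authorized_keys that accepts only the read-only sender side of a pull. This is an added example, not part of the original post; the script path /usr/local/bin/backup-gate, the allowed paths and the exact shape of the rsync server arguments are assumptions (log $SSH_ORIGINAL_COMMAND with your rsync version first).

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed install path (hypothetical): /usr/local/bin/backup-gate on the source.
# Wire it to the key in ~backup-user/.ssh/authorized_keys (one line):
#   command="/usr/local/bin/backup-gate",restrict ssh-rsa AAAA...placeholder... root@destination

ALLOWED_PREFIXES="/home /some/dir"   # assumption: the paths pulled on this page

# Return 0 only for: sudo rsync --server --sender -<short flags> . <allowed path>
check_backup_cmd() {
    cmd=$1
    # Conservative character set: quotes, ;, |, $, backticks, globs are all refused.
    case $cmd in
        ''|*[!A-Za-z0-9\ ._/-]*) return 1 ;;
    esac
    set -- $cmd                       # safe to split: no glob or quote characters left
    [ $# -eq 7 ] || return 1
    # --sender means the source only sends; without it the key could write as root.
    [ "$1 $2 $3 $4" = "sudo rsync --server --sender" ] || return 1
    # One cluster of letters and dots only, so long options are never accepted.
    case $5 in
        -*[!A-Za-z.]*) return 1 ;;
        -[A-Za-z]*) ;;
        *) return 1 ;;
    esac
    [ "$6" = "." ] || return 1
    path=$7
    case $path in *..*) return 1 ;; esac
    for prefix in $ALLOWED_PREFIXES; do
        case $path in "$prefix"|"$prefix"/*) return 0 ;; esac
    done
    return 1
}

gate() {
    if check_backup_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND    # split into argv, never re-parsed by a shell
    fi
    # Rejections are worth alerting on: the key was used for something else.
    logger -t backup-gate "rejected: $SSH_ORIGINAL_COMMAND" 2>/dev/null
    echo "backup-gate: command rejected" >&2
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND when the client asked for a command; an
# interactive login attempt leaves it unset and the script simply ends here.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then gate; fi
```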

The Bash script that I use

#!/usr/bin/env bash
# ASBRA AB <j@asbra.nu> 2018

[[ ${UID} -ne 0 ]] && echo "You are not root!" && exit 1 ;

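rSync() {
    if [[ $# != 2 ]]
      then echo "rSync expects two arguments..." >&2 ; exit 1
      else echo "Backing up $1 to ${2}..."
    fi
    # $ARGS is left unquoted on purpose so it splits into separate options;
    # source and destination are quoted so paths with spaces survive.
    rsync $ARGS -e 'ssh -i ~/.ssh/id_rsa_backup' --rsync-path='sudo rsync' "$1" "$2"
}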

########## Pick one of the configs
#ARGS="-az --delete"                     # Silent, suitable for CRON jobs
#ARGS="-avzh --delete"                   # Verbose but no progress, suitable for output to log file 
#ARGS="-azh --delete --info=progress2"   # Show only one progress
ARGS="-avzh --delete --info=progress2"  # Progressbar for every file

######### Your Backup Commands
rSync backup-user@server1:/home /storage/backups/server1/
rSync backup-user@server2:/home /storage/backups/server2/
