BackupPC-users

Re: [BackupPC-users] Why should I use root to connect to host

2008-08-01 19:44:18
Subject: Re: [BackupPC-users] Why should I use root to connect to host
From: Holger Parplies <wbppc AT parplies DOT de>
To: brunal <brunal2496 AT gmail DOT com>
Date: Sat, 2 Aug 2008 01:43:33 +0200
Hi,

brunal wrote on 2008-07-30 12:20:38 +0200 [Re: [BackupPC-users] Why should I 
use root to connect to host]:
> [...]
> - MainServer is the server where all important data are stored (on a
> raid-1). It's located inside the building on an internal 1Gbyte network.
> - BackupServer is a tiny NAS, a DNS-323, running a Linux on an ARM. We
> want to locate it outside the building (namely in my home basement),
> with an internet access.
>
> The goal is to be sure we won't lose our data even if the building burns.
> And as those data are critical and confidential, I want to be sure
> that all data transmitted by internet are encrypted and also that
> access to the backupserver is secured.
> 
> I have two options:
>
> 1) Running backuppc on MainServer and using BackupServer just as a
> deported hard-drive. This, I understand, may be set up with NFS and a
> VPN, but it seems that it is not easy to set up, and furthermore with
> the DNS-323. But maybe there are solutions that I didn't imagine? Like
> an ssh connection and a link to a pipe? I just don't know how to do
> that for now.
>
> 2) Running backuppc on BackupServer connecting to MainServer through
> ssh+rsync. There are a few tutorials using backuppc on a DNS-323, with
> rsyncd, so it seems to work pretty well.

actually I was suggesting

3) Run backuppc on BackupServer, mount MainServer:/datadir on
   BackupServer:/import/mainserver and set BackupPC to back up
   BackupServer:/import/mainserver with sudo.

But, as you describe your scenario, I don't think that is easier, because
you'd need a VPN just as well. I was thinking of backups on a local LAN in
case MainServer:/datadir is visible anyway.

> I chose to do the second solution, so BackupServer would be
> autonomous.
> 
> What do you think? Which solution is the easiest?

I agree with you. The second one.

> For now my problem is that I still get errors where people using a
> DNS-323 don't...

That was another thread, so let's leave it there :).

> After that, dealing with users and permissions would be the cherry on
> the cake, as the only port open on the two servers would be port 22,
> something that I can change to make security harder to break.

The fact about "security by obscurity" you need to be aware of: it will only
help against script kiddie type attacks. If an ssh vulnerability is discovered
and people scan for random vulnerable ssh servers in the hours before a fix is
available, they'll probably miss your server on port 23489. For a determined
attacker specifically targeting you, the port makes no difference.

Aside from that, do you need port 22 open on the BackupPC server? You probably
do, if the device has no console. Can you limit access to the device to your
internal home net, for example? Or put it behind a firewall/NAT device that
completely forbids incoming connections? What about your MainServer? Is it
visible from the internet?

Regards,
Holger
