Backing up a remote fileserver with rsync over a ssh tunnel

Our scenario

We want to backup data from our remote host to our backup location.
For this, we use a combination of ssh and rsync.

This guide is held very general. Originally, I set up a secure rsync backup from a Synology NAS at a remote site to a linux server hosted in a DMZ, but it should also work for normal linux to linux box backups.

[] -----rsync over ssh------> []
remote-host                   backup-location

Setting up users and programs

  1. Make sure, you have installed rsync and ssh on both machines
  2. Create a new user on the backup-location (i.e. backupuser) and place his homedrive in /home

Creating SSH trust relationships between the two servers

To be able to schedule a backup job, and avoiding to save the ssh login password somewhere in plain text, we have to build our own small PKI

  1. Create a RSA keypair on the remote-host
    cd /home/USERNAME OR cd /root (if you work as root)
    mkdir .ssh
    cd .ssh

    ssh-keygen -t dsa -b 2048 (you can leave the passphrase empty)
  2. Export the remote-hosts public key to the backup-location
    cd /home/USERNAME OR cd /root (if you work as root)
    mkdir .ssh
    cd .ssh

    If you have previously copied the public key to a usb stick:
    cp /mnt/usb/ /home/USERNAME/.ssh OR /root/.ssh
  3. Tell the backup-locations ssh server that certificate login requests coming from the remote-host are ok
    cd /home/USERNAME/.ssh OR cd /root/.ssh (if you work as root)
    cat >> authorized_keys
  4. Test the ssh connection from the remote-host to the backup-location
    ssh “backup-location”
  5. Make sure, all keys have restrictive permissions applied to them: Only allow the owner to interact with them (chmod 700)!

Setting up the rsync server infrastructure (on backup-location)

log file=/var/log/rsyncd
pid file=/var/run/

	comment = public archive
	path = /home/backupuser/data
	use chroot = no
	lock file = /var/lock/rsyncd
	read only = no
	list = yes
	uid = backupuser
	ignore errors = no
	ignore nonreadable = yes
	transfer logging = yes
	log format = %t: host %h (%a) %o %f (%l bytes). Total %b bytes.
	timeout = 600
	refuse options = checksum dry-run
	dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz

Make sure, the backupuser has the rights to write to the rsyncd- logifile (/var/log/rsyncd)

Testing our rsync tunnel (on remote-host)

rsync -avz -e “ssh -i /root/.ssh/remote_host.priv” /vol/folder backupuser@backup-location::backup OR
rsync -avz -e “ssh -i /home/USERNAME/.ssh/remote_host.priv” /vol/folder backupuser@backup-location::backup

Scheduling the backup job (on remote-host)

Take the command above (from the testing part), paste it into a textfile (put it where you want) and call it (dont forget to chmod +x it afterwards):

rsync -avz -e "ssh -i /home/USERNAME/.ssh/remote_host.priv" /vol/folder backupuser@backup-location::backup

Then, open up your crontab (usually somwhere in /etc) and add the following lines:

#minute hour    mday    month   wday    who     command
0       3       *       *       *       root    
  /PATH-TO-YOUR-SH-FILE/ 2>&1 >> /var/log/rsync_backup.log

This will start your backup job every day at 3am.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.