Our scenario
We want to back up data from our remote host to our backup location.
For this, we use a combination of ssh and rsync.
This guide is kept very general. Originally, I set up a secure rsync backup from a Synology NAS at a remote site to a Linux server hosted in a DMZ, but it should also work for normal Linux-to-Linux box backups.
[remote-host] -----rsync over ssh------> [backup-location]
Setting up users and programs
- Make sure you have installed rsync and ssh on both machines
- Create a new user on the backup-location (e.g. backupuser) and place his home directory in /home
Creating SSH trust relationships between the two servers
To be able to schedule a backup job without saving the ssh login password somewhere in plain text, we have to build our own small trust relationship based on SSH keys (public-key authentication).
- Create an RSA keypair on the remote-host
cd /home/USERNAME OR cd /root (if you work as root)
mkdir .ssh
cd .ssh
ssh-keygen -t rsa -b 2048 (you can leave the passphrase empty; name the files so that the private key is remote_host.priv and the public key remote_host.pub, as used in the steps below)
- Export the remote-host's public key to the backup-location
cd /home/USERNAME OR cd /root (if you work as root)
mkdir .ssh
cd .ssh
If you have previously copied the public key to a USB stick:
cp /mnt/usb/remote_host.pub /home/USERNAME/.ssh OR /root/.ssh
- Tell the backup-location's ssh server that public-key login requests coming from the remote-host are ok
cd /home/USERNAME/.ssh OR cd /root/.ssh (if you work as root)
cat remote_host.pub >> authorized_keys
- Test the ssh connection from the remote-host to the backup-location
ssh "backup-location"
- Make sure all keys have restrictive permissions applied to them: only allow the owner to interact with them (chmod 700)!
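The line appended to authorized_keys above lets the remote-host key run any command on the backup-location. As an added example that is not part of this guide, the following script builds a restricted authorized_keys line for remote_host.pub (only the rsync daemon-over-ssh command, only from the remote-host's address, no shell, pty or forwarding) and checks the owner-only permissions the guide asks for. The forced command `rsync --server --daemon .` (what rsync's single-use daemon mode starts on the server) and the source address 192.0.2.10 are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example, not from the original guide: restrict what the remote-host
# key may do on the backup-location, and verify key-file permissions.
# Assumptions: the public key file is remote_host.pub (as in the guide) and
# rsync's daemon-over-ssh mode runs "rsync --server --daemon ." on the server.

# Print one authorized_keys line for the public key in $1 that
#  - only accepts logins coming from the address/pattern in $2 (from=),
#  - always runs the rsync single-use daemon, whatever the client asked for,
#  - refuses a pty, port forwarding, agent forwarding and X11 forwarding.
restricted_key_line() {
    pubkey=$(cat "$1") || return 1
    printf 'from="%s",command="rsync --server --daemon .",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$pubkey"
}

# Return 0 if $1 is accessible by its owner only (mode 600/700, no group or
# other bits), which is what ssh expects for private keys and authorized_keys.
# GNU stat (-c) is tried first, BSD stat (-f) as fallback.
owner_only() {
    mode=$(stat -c %a "$1" 2>/dev/null) || mode=$(stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Append the restricted line to the authorized_keys file $3, creating the
# .ssh directory with mode 700 and the file with mode 600 (the guide's chmod step),
# then verify the file really is owner-only.
install_restricted_key() {
    dir=$(dirname "$3")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    restricted_key_line "$1" "$2" >> "$3" && chmod 600 "$3" || return 1
    owner_only "$3"
}

# Usage on the backup-location (paths from the guide; 192.0.2.10 is a
# placeholder for the remote-host's address):
# install_restricted_key /root/.ssh/remote_host.pub 192.0.2.10 /root/.ssh/authorized_keys
```

With this entry in place, a plain `ssh backup-location` with the key no longer yields a shell; only the rsync daemon command runs, which is all the backup job needs.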
Setting up the rsync server infrastructure (on backup-location)
Put the following into the rsync daemon configuration file (rsyncd.conf):

# GLOBAL OPTIONS
log file = /var/log/rsyncd
pid file = /var/run/rsyncd.pid

# MODULE OPTIONS
[backup]
comment = public archive
path = /home/backupuser/data
use chroot = no
lock file = /var/lock/rsyncd
read only = no
list = yes
uid = backupuser
ignore errors = no
ignore nonreadable = yes
transfer logging = yes
log format = %t: host %h (%a) %o %f (%l bytes). Total %b bytes.
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz

Hint:
Make sure the backupuser has the rights to write to the rsyncd logfile (/var/log/rsyncd).
Testing our rsync tunnel (on remote-host)
rsync -avz -e "ssh -i /root/.ssh/remote_host.priv" /vol/folder backupuser@backup-location::backup
OR
rsync -avz -e "ssh -i /home/USERNAME/.ssh/remote_host.priv" /vol/folder backupuser@backup-location::backup
Scheduling the backup job (on remote-host)
Take the command above (from the testing part), paste it into a text file (put it wherever you want), call it rsync_backup.sh and don't forget to chmod +x it afterwards:
#!/bin/sh
rsync -avz -e "ssh -i /home/USERNAME/.ssh/remote_host.priv" /vol/folder backupuser@backup-location::backup
Then open up your crontab (usually somewhere in /etc) and add the following line:
#minute hour mday month wday who command
0 3 * * * root /PATH-TO-YOUR-SH-FILE/rsync_backup.sh >> /var/log/rsync_backup.log 2>&1
The order of the redirections matters: ">> file 2>&1" sends both stdout and stderr to the logfile, whereas "2>&1 >> file" would leave stderr going to cron's mail instead of the log.
This will start your backup job every day at 3am.