[Dirvish] pushing backups
dgoldsmith at sans.org
Tue Oct 11 10:12:45 PDT 2005
Mateusz Pospieszny wrote:
> I was just wondering, would it be possible to make the clients initiate
> the rsync sessions instead of my backup server?
> Then I could possibly have local root rsync to backup server where it
> doesn't have to have full root access (possibly).
> I am just concerned that if somebody hacks my backup server somehow they
> can use that machine to easily access all the other machines that back up
> to it because they will accept ssh root sessions from it.
> I.e. it becomes a single point of failure.
> I would think that pushing the backups would make it harder for the
> above scenario to happen.
> Yes, the backup server should be on the private network not accessible
> from the internet, but still it needs to talk to the other machines so
> somebody could in theory hack the client, then get access (hack) to the
> backup machine, and hit all the other clients from it....
If you push to the server, you will still need to connect as root so you
can preserve ownership/permissions on the files/directories.
Also, you now have new security holes in that servers in a less-secure
zone (DMZ) have root access to the backup server in a more secure zone.