Jon Radel jon at radel.com
Tue Oct 11 14:33:42 PDT 2005

David Goldsmith wrote:
> Mateusz Pospieszny wrote:
>> I was just wondering, would it be possible to make the clients initiate
>> the rsync sessions instead of my backup server ?
>> Then i could possibly have local root rsync to backup server where it
>> doesn't have to have full root access (possibly).
>> I am just concerned that if somebody hacks my backup server somehow they
>> can use that machine to easily access all the other machines that backup
>> to it because they will accept ssh root sessions from it.
>> I.e. it becomes a single point of failure.
>> I would think that pushing the backups would make it harder for the
>> above scenario to happen.
>> Yes, the backup server should be on the private network not accessible
>> from the internet, but still it needs to talk to the other machines so
>> somebody could in theory hack the client, then get access (hack) to the
>> backup machine, and hit all the other clients from it....
> If you push to the server, you will still need to connect as root so you
> can preserve ownership/permissions on the files/directories.
> Also, you now have new security holes in that a server in a less-secure
> zone (DMZ) has root access to the backup server in a more secure zone
> (internal/backup segment).
> Dave

Also, you should keep in mind that just because you allow ssh access to 
your client boxes doesn't mean you have to allow interactive logins, or 
access to commands other than rsync for that matter.  If you put some 
effort into it, you can lock down your certificate to allow access only 
to rsync, in which case the person who cracked your backup server can 
only use rsync.  Not completely cracker-proof, but I wouldn't go calling 
it "easily access."  In any case, if your backup server is fully 
compromised, all of your data is compromised, which means that game is 
mostly over anyway.

BTW, on the client machine you don't need to run as root unless you're 
backing up files only root can read.  I have some special purpose 
servers where I use an account with little privilege to back up some 
critical data, but I leave the system files alone, as rebuilding the 
server would be faster than trying to do a restore.

--Jon Radel
jon at radel.com
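The key lockdown Jon describes is normally done with a forced command in the client's authorized_keys. The wrapper below is an added example, not code from the thread or from rsync itself; it assumes the script is installed at /usr/local/bin/rsync-only and the key material in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the list thread): the client's authorized_keys
# entry for the backup server's key names a forced command, so that key
# can start an rsync server process and nothing else. Hypothetical entry:
#
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...PLACEHOLDER... backup@backupserver
#
# sshd puts whatever the remote side asked to run into SSH_ORIGINAL_COMMAND;
# this wrapper accepts only a read-only rsync server invocation.

# Return 0 when the requested command is an acceptable rsync server call.
rsync_only_allowed() {
    cmd="$1"
    # Refuse shell metacharacters outright so the policy stays easy to audit.
    case "$cmd" in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'>'*|*'<'*) return 1 ;;
    esac
    # A pull by the backup server reaches the client as
    #   rsync --server --sender <short opts> . <path>
    # Only the --sender form is allowed: the backup server may read from the
    # client but never write to it.
    case "$cmd" in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac
    # Options that would make rsync run other programs or read a daemon config.
    case "$cmd" in
        *" --rsh"*|*" -e "*|*"--daemon"*|*"--config"*) return 1 ;;
    esac
    return 0
}

# Entry point when sshd runs this script as the forced command.
rsync_only_main() {
    if rsync_only_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        logger -t rsync-only "accepted: $SSH_ORIGINAL_COMMAND"
        # Metacharacters were rejected above, so plain word splitting is safe.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t rsync-only "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "this key is restricted to rsync" >&2
    exit 1
}

# Only act as the wrapper when sshd actually handed us a command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    rsync_only_main
fi
```

The rsync source tree ships a more complete wrapper, support/rrsync, which additionally pins the key to one directory; the logger lines give the client a local audit trail of what the backup server's key was used for.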

