[Dirvish] pushing backups
jon at radel.com
Tue Oct 11 14:33:42 PDT 2005
David Goldsmith wrote:
> Mateusz Pospieszny wrote:
>>>I was just wondering, would it be possible to make the clients initiate
>>>the rsync sessions instead of my backup server ?
>>>Then i could possibly have local root rsync to backup server where it
>>>doesn't have to have full root access (possibly).
>>>I am just concerned that if somebody hacks my backup server somehow they
>>>can use that machine to easily access all the other machines that backup
>>>to it because they will accept ssh root sessions from it.
>>>Ie. it becomes a single point of failure.
>>>I would think that pushing the backups would make it harder for the
>>>above scenario to happen.
>>>Yes, the backup server should be on the private network not accessible
>>>from the internet, but still it needs to talk to the other machines so
>>>somebody could in theory hack the client, then get access (hack) to the
>>>backup machine, and hit all the other clients from it....
> If you push to the server, you will still need to connect as root so you
> can preserver ownership/permissions on the files/directories.
> Also, you now have new security holes in that server in a less-secure
> zone (DMZ) have root access to the backup server in a more secure zone
> (internal/backup segment).
Also, you should keep in mind that just because you allow ssh access to
your client boxes doesn't mean you have to allow interactive logins, or
access to commands other than rsync for that matter. If you put some
effort into it, you can lock down your certificate to allow access only
to rsync, in which case the person who cracked your backup server can
only use rsync. Not completely cracker-proof, but I wouldn't go calling
it "easily access." In any case, if your backup server is fully
compromised, all of your data is compromised, which means that game is
mostly over anyway.
BTW, on the client machine you don't need to run as root unless you're
backing up files only root can read. I have some special purpose
servers where I use an account with little privilege to backup some
critical data, but I leave the system files alone, as rebuilding the
server would be faster than trying to do a restore.
jon at radel.com
More information about the Dirvish