Automated Rsync – without compromising security

Rsync is one of the most popular tools for synchronizing data between two computers, and it is mostly used for taking backups. It’s easy to use and only transfers the changed files when a sync is necessary, so it saves bandwidth and time too. To run rsync, you need root or a properly privileged user that can access the specific path on the remote machine. To set up this privilege, you can either use a should-never-be-used root account or a user chrooted using a jail shell. But if, by any chance, the current machine is compromised, then the remote machine is compromised too, because anyone can connect to your remote machine using those credentials from the current machine. To avoid plain-text credentials (or credentials written in a shell script), people usually use ssh keys to establish a connection between the two machines. Still, your remote machine is not secure if anything goes wrong on the current machine from which you’re taking the backup.

So a foolproof solution is to use ssh keys and properly chroot the remote user so that it can only access the backup files and nothing else. However, setting up a jailed shell is a not-for-everyone type of task and takes time and experience to accomplish properly. So here is a quick workaround that you can implement on your remote machine to prevent the connecting user from doing anything malicious, allowing only the tasks that are needed to perform the rsync backup. Let’s see how we can do that.

Before continuing, let’s name our two machines. The one that should be backed up is WorkStation, and the one that stores the backups is BackupServer. Also, for now, let’s assume that you are backing up the complete “/var/www” folder on the WorkStation.

Step 1: Create SSH key in the BackupServer
Log into the BackupServer and run the following command in the ssh terminal. But remember, if you already have a key in ~/.ssh/id_rsa.pub then IGNORE this step.

ssh-keygen -t rsa

It will prompt for a passphrase; REMEMBER to just hit Enter without typing anything.

Step 2: Display and Copy the SSH key from BackupServer
Run the following command to display the ssh public key in the terminal, and then copy it.

cat ~/.ssh/id_rsa.pub

If you created the key in any other place, then edit the path in the command above.

Step 3: Authorize the SSH key from BackupServer in the WorkStation
Now this is an important step. You have copied the SSH key from the BackupServer and you are planning to back up the entire /var/www folder from the WorkStation. So log into the WorkStation and add the following line to the ~/.ssh/authorized_keys file. We are adding the “command” directive in front because we are allowing the BackupServer ONLY TO PERFORM rsync and nothing else: sshd runs this command for every login with that key, whatever command the client asked for. This way, our data on the WorkStation will remain safe even if the BackupServer is compromised by any chance.

#BackupServer Key
command="rsync --server --sender -vlprxe.iLs . /var/www/" KEY_DETAILS_OF_BACKUP_SERVER

If you are logged in as root then you don’t need to do anything else, but if you are logged in as another user then make sure to add this user to the sudoers list with the NOPASSWD directive (see step 3.1).

Step 3.1: Add the user to the sudoers list
This step is ONLY necessary if you’re using a user other than root in step 3. In that case you need to add this user to the sudoers list as follows. Open the /etc/sudoers file, or use visudo, on the WorkStation and add the following line. Replace USER with your actual username. Be aware that this line lets USER run every command as root without a password, so the “command” restriction from step 3 is what keeps the BackupServer key limited to rsync.

# /etc/sudoers
USER        ALL = (ALL) NOPASSWD: ALL

Remember again, this step is only necessary for non-root users.

Step 4: Run the Rsync from the BackupServer
OK, now we are done setting everything up and it’s time to test whether our settings are correct. Log into the BackupServer. Let’s assume that we are going to store the backup of the WorkStation’s /var/www folder in the BackupServer’s /var/backups/workstation/www folder. So run the following command in your SSH terminal; just replace USER with the actual username.

rsync -rtluvh USER@WorkStationIP:/var/www/ /var/backups/workstation/www

If you’re using a port other than the standard 22 for SSH on the WorkStation, then you need to specify the port number in the above command, like the following if you are using port number 11202:

rsync -rtluvh --rsh='ssh -p 11202' USER@WorkStationIP:/var/www/ /var/backups/workstation/www

Last but not Least Tip
Instead of hardcoding the folder name in the ~/.ssh/authorized_keys file on the WorkStation, you can also enable support for arbitrary parameters for the rsync command, like this:

#BackupServer Key
command="rsync ${SSH_ORIGINAL_COMMAND#* }" KEY_DETAILS_OF_BACKUP_SERVER

Now you can just add the rsync command from step 4 to a shell script and run it periodically via a cron job to automate the backup process, without compromising security.

So that is how to secure rsync using ssh keys by adding a command restriction to the key. Besides rsync, you can also use this technique to restrict the connecting user to any particular command or set of commands :)
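
The SSH_ORIGINAL_COMMAND variant in the last tip hands whatever arguments the client sends straight to rsync, so the key is no longer limited to reading /var/www. The wrapper below is an added example, not part of the original post, that keeps the flexible path but accepts only a read-only pull from below /var/www. The script name rsync-gate.sh, its install path and the option-letter whitelist are assumptions.

```shell
#!/bin/sh
# rsync-gate.sh (hypothetical name): forced-command wrapper for the backup key.
# Assumed authorized_keys entry on the WorkStation:
#   command="/usr/local/bin/rsync-gate.sh",restrict KEY_DETAILS_OF_BACKUP_SERVER
LC_ALL=C; export LC_ALL

# Succeeds only for a read-only pull from below /var/www, i.e. a request like
#   rsync --server --sender -<flags> . /var/www/<subpath>
# Runs in a subshell so "set -f" and the positional parameters stay local.
allowed_request() (
    set -f                      # no glob expansion while splitting the request
    set -- $1                   # split the request on whitespace into $1..$n
    [ "$#" -eq 6 ] || exit 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || exit 1
    [ "$5" = . ] || exit 1
    # Flags: option letters, then "e." followed by protocol capability letters.
    case "$4" in -*e.*) ;; *) exit 1 ;; esac
    opts=${4#-}; opts=${opts%%e.*}
    caps=${4#*e.}
    case "$opts" in *[!vlogDtprxzu]*) exit 1 ;; esac   # assumed whitelist
    case "$caps" in *[!A-Za-z]*) exit 1 ;; esac
    # Path: inside /var/www, plain characters only, no ".." component.
    case "$6" in /var/www|/var/www/*) ;; *) exit 1 ;; esac
    case "$6" in *[!A-Za-z0-9._/-]*|*/../*|*/..) exit 1 ;; esac
    exit 0
)

# Entry point: sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
# With no request (an interactive login attempt) nothing runs and the session ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_request "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND
        exec rsync --server --sender "$4" . "$6"   # rebuilt from validated words
    fi
    logger -p auth.warning -t rsync-gate "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

The rsync source distribution also ships rrsync, a script written for the same purpose.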

3 thoughts on “Automated Rsync – without compromising security”

    • Nothing, your backup will remain intact. Because if you check the rsync command then you will notice that it was not told to delete the file if it’s deleted in the origin. So it’s always safe and intact when the files are removed from the WorkStation :)
