I’m trying to back up my machine in a datacenter to my home server, using rsnapshot. The home machine is behind a firewall and pretty secure but I don’t want to be stupid about it. The remote machine should be secure, but is not firewalled. (OTOH both run ssh and http, so the attack surface is about the same). I found two useful guides for doing remote backups securely: one, two.
My final config is a pastiche of the two. Here’s the concept behind what I did. Backups run as root on the backup server and as a special-purpose user on the client being backed up (who can sudo to root to run rsync).
- On the backup server, tell rsnapshot to backup a remote host via rsync.
- On the backup client, create a new user who has no special privileges
- Set up ssh keys (with no passphrase) so that root on the backup server can login as the backup user on the client. Restrict that ssh key to only be allowed to run an rsync frontend.
- On the client, give the backup user the right to sudo to root but only to run /usr/bin/rsync.
I feel pretty good about the security; the user would have to steal my private key from the backup server to access the client, and even then they’re only restricted to run rsync. However that rsync is run as root and I’m sure could pretty easily escalate by, say, overwriting /etc/sudoers.
It’d be more secure to run backups on the remote client as some user other than root. But I want to back up files only root can read, so I’m kind of stuck.