Server Backup With Rsync

  1. Make sure that rsync is installed on the server:

    apt install rsync
    
  2. Create a backup user, for example backup1:

    useradd backup1 -m
    ls -al /home/backup1/
    
  3. Create an SSH key pair for this user:

    ssh-keygen -t ecdsa -P '' -q -f key1
    
    ls -l key1*
    cat key1
    cat key1.pub
    
  4. Add the public key to /home/backup1/.ssh/authorized_keys:

    mkdir -p /home/backup1/.ssh
    chown backup1: /home/backup1/.ssh
    chmod 700 /home/backup1/.ssh
    
    cat key1.pub >> /home/backup1/.ssh/authorized_keys
    chown backup1: /home/backup1/.ssh/authorized_keys
    chmod 600 /home/backup1/.ssh/authorized_keys
    
    ls -al /home/backup1/.ssh/
    cat /home/backup1/.ssh/authorized_keys
    
  5. Try to log in with this key:

    ssh -p 22 -i key1 backup1@localhost
    

    You should be able to log in without a password.

  6. Try to copy something:

    mkdir -p /home/backup1/test1
    touch /home/backup1/test1/file1.txt
    touch /home/backup1/test1/file2.txt
    ls -al /home/backup1/test1
    
    rsync -a -e "ssh -p 22 -i key1" backup1@localhost:~/test1 .
    
    ls -al test1
    
  7. Let’s find out which command the client sends to the server through SSH. Let’s run the same rsync command again, adding the -v (verbose) switch to the ssh command inside -e:

    rsync -a -e "ssh -p 22 -i key1 -v" backup1@localhost:~/test1 .
    

    Then let’s look for the debug line that says “Sending command”:

    rsync -a -e "ssh -p 22 -i key1 -v" backup1@localhost:~/test1 . 2>&1 | grep "Sending command"
    

    It should be something like this:

    rsync --server --sender -logDtpre.iLsfxC . ~/test1
    
  8. We can restrict the SSH key key1 so that it can execute only this command and nothing else. For this we add the following in front of the public key in /home/backup1/.ssh/authorized_keys:

    command="rsync --server --sender -logDtpre.iLsfxC . ~/test1" ecdsa-sha2-nistp256 AAAAE2Vj....
    

    To make it even more secure, we can also add the options no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding. The file /home/backup1/.ssh/authorized_keys now should look like this:

    command="rsync --server --sender -logDtpre.iLsfxC . ~/test1",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMbMdR9uW4SMeinpVvr6UQZaFybkiVZxm2DRYxFlCuxHchpTMGR7U4gZGZwY4D5LQDDy1Py4TWSsEizda4LecgQ= root@server
    
  9. Let’s check that we can no longer log in with key1, but can still use it to rsync:

    ssh -p 22 -i key1 backup1@localhost  # should fail
    
    rm -rf test1
    rsync -a -e "ssh -p 22 -i key1" backup1@localhost:~/test1 .
    ls -l test1
    
    rm -rf test1
    rsync -a -e "ssh -p 22 -i key1" backup1@localhost: .
    ls -l test1
    
  10. For convenience, we can combine the command and the key in a bash script that looks like this:

    #!/bin/bash
    
    server=127.0.0.1
    port=22
    
    # The private key is embedded at the end of this file, so the script
    # itself ($0) is passed to ssh as the identity file.
    rsync -a -e "ssh -p $port -i $0" backup1@${server}: .
    
    # Stop here so that bash never tries to execute the key lines below.
    exit 0
    
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIGHMv+mlPZg/V6TmLADsfZcpMRcfxykJGzXAF65tuQ4AoAoGCCqGSM49
    AwEHoUQDQgAExsx1H25bhIx6KelW+vpRBloXJuSJVnGbYNFjEWUK7EdyGlMwZHtT
    iBkZnBjgPktAMPLU/LhNZKwSLN1rgt5yBA==
    -----END EC PRIVATE KEY-----
    

    Let’s try it:

    chmod 700 backup1.sh
    rm -rf test1/
    ./backup1.sh
    ls -l test1/
    
  11. Now we can move this script to the client (the backup server), making sure to change the variable server to the IP address of the server, and it should work.

  12. To change the directory on the server that is being backed up, change it in /home/backup1/.ssh/authorized_keys (for example from ~/test1 to /var/backup, or any other directory where the user backup1 has read access). The option string -logDtpre.iLsfxC must stay exactly what the client sends, so repeat step 7 if the client's rsync flags ever change.

  13. To back up a second directory we can create a second SSH key, append it to /home/backup1/.ssh/authorized_keys, and create a second backup script.
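A helper for steps 8, 12 and 13, added here as an example and not taken from the original page: it turns any public key file and target directory into the restricted authorized_keys line, and audits an authorized_keys file for key lines that are not locked down this way. It assumes the client keeps using rsync -a, so the server option string is the one captured in step 7.

```shell
#!/bin/sh
# Added example, not part of the original page: builds the restricted
# authorized_keys entry from steps 8 and 12 for any public key and directory,
# and audits an authorized_keys file for entries that lack that restriction
# (useful once step 13 adds more keys). Assumes the client runs "rsync -a",
# so the server option string is the one captured in step 7.

RSYNC_SERVER_OPTS='-logDtpre.iLsfxC'
RESTRICTIONS='no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding'

# restricted_entry <pubkey-file> <server-dir>
# Prints one authorized_keys line whose key may only send <server-dir> via rsync.
restricted_entry() {
    pubkey_file=$1; dir=$2
    # keep key type and key blob, drop the trailing comment (e.g. root@server)
    keytype=$(awk 'NR==1 {print $1}' "$pubkey_file")
    keyblob=$(awk 'NR==1 {print $2}' "$pubkey_file")
    [ -n "$keytype" ] && [ -n "$keyblob" ] || return 1
    printf 'command="rsync --server --sender %s . %s",%s %s %s\n' \
        "$RSYNC_SERVER_OPTS" "$dir" "$RESTRICTIONS" "$keytype" "$keyblob"
}

# audit_authorized_keys <file>
# Prints every key line that is not locked to the rsync sender command or is
# missing one of the restriction options; returns 1 if any was found, else 0.
audit_authorized_keys() {
    file=$1; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        ok=1
        case "$line" in 'command="rsync --server --sender '*) ;; *) ok=0 ;; esac
        for opt in $(printf '%s' "$RESTRICTIONS" | tr ',' ' '); do
            case "$line" in *"$opt"*) ;; *) ok=0 ;; esac
        done
        if [ "$ok" -eq 0 ]; then
            printf 'UNRESTRICTED: %s\n' "$line"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# usage: sh make_entry.sh key2.pub /var/backup >> /home/backup1/.ssh/authorized_keys
if [ "$#" -eq 2 ]; then
    restricted_entry "$1" "$2"
fi
```

Run the audit as a periodic check on the backup user's authorized_keys; any line it reports is a key that could open a shell or read outside the intended directory.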