
Re: Backups between servers



I may have missed earlier parts of this conversation before I subscribed to this list, but one thing I recently discovered that helps make this even more secure is setting:

   PermitRootLogin forced-commands-only

in /etc/ssh/sshd_config.

FWIW,
Charles

--
Rhyme and reason
Every season
You've read
The rhyme
Now try the reason
Burma-Shave
http://frogcircus.org/burmashave/1941/rhyme_and_reason


Thanks, I finally got around to doing this. Works very nicely and I
feel much more secure. One caveat to anyone else trying this: in
authorized_keys, the space after the comma separating the optional
command parameter and the actual key is required!

Again, thanks for all the help. Works very nicely.

Rod




On Tue, Feb 08, 2005 at 08:57:18PM -0600, Rod Rodolico wrote:

I have three web servers and would like them to back each other
up.
They host around 60 sites and a couple of hundred e-mail accounts.
They are on the same subnet.

In the past I have allowed root on one machine to ssh into the
others as "authorized keys" so I could run rsync as a cron job. It
works, but I'm worried about security. If the "master" machine is
ever cracked, it gives a good loophole into the others.

Any suggestions? Is there a way to authorize a machine to only
execute a limited set of commands on another (ie, rsync).

Take a look at:
http://lts2www.epfl.ch/~jost/rsync.html

In short - you can setup ssh to allow running only rsync:
Add to your /root/.ssh/authorized_keys something like this (or
better, have only such lines in this file):

command="/root/bin/validate_rsync", ssh-dss PUBLIC_KEY localuser@localhost

Where validate_rsync is like:
#!/bin/sh
# Runs as the forced command; sshd puts the client's request in
# SSH_ORIGINAL_COMMAND. Anything but the expected rsync call is refused.

case "$SSH_ORIGINAL_COMMAND" in
    *\&*)
        echo "Rejected"
        exit 1
        ;;
    *\;*)
        echo "Rejected"
        exit 1
        ;;
    rsync\ --server\ -vlogDtprz\ --delete\ .\ /backup_directory*)
        # The expected rsync server invocation: run it as given.
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Rejected"
        exit 1
        ;;
esac

Regards,
 Robert Tasarz
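The following is an added example, not Robert's script and not anything posted to the list: a stricter forced-command wrapper in POSIX sh that ties Charles' PermitRootLogin setting and the authorized_keys command= option together. Instead of pattern-matching the whole request string, it splits the request into words, insists on the exact rsync server invocation and word count, and checks that the destination stays under the backup tree (no ".." components, no sibling directory that merely shares the prefix). The paths /root/bin/validate_rsync, /backup_directory and /usr/bin/rsync, the ssh-ed25519 key placeholder and the -vlogDtprz option string are assumptions; the no-pty, no-port-forwarding, no-agent-forwarding and no-X11-forwarding key options are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example: a stricter forced-command wrapper for a backup key.
# Not the script from the thread; paths and the rsync option string below
# are assumptions, adjust them for your hosts.
#
# Wire it up on the machine being backed up TO (the one the peer's root key
# logs into):
#   /root/.ssh/authorized_keys:
#     command="/root/bin/validate_rsync",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backup@peer
#   /etc/ssh/sshd_config:
#     PermitRootLogin forced-commands-only
# sshd then ignores whatever the client asked for, runs this script, and
# hands the original request over in SSH_ORIGINAL_COMMAND.

set -f   # never let a request containing * or ? glob-expand during word splitting

BACKUP_ROOT=/backup_directory    # assumed: the only tree the peer may write to
RSYNC=/usr/bin/rsync             # assumed: absolute path, so PATH is irrelevant

# validate_rsync_cmd REQUEST
# Succeeds (returns 0) only when REQUEST is exactly the rsync server
# invocation we expect and its destination stays inside BACKUP_ROOT.
# Note: rsync's --server option string differs between rsync versions;
# log SSH_ORIGINAL_COMMAND once from a real run to learn yours.
validate_rsync_cmd() {
    # Split the request into words the way the shell would before exec.
    # No eval or sh -c is ever used, so ';', '|', '$(...)' and friends are
    # plain characters here; a request containing them simply has the wrong
    # number or content of words and is rejected.
    set -- $1
    [ "$#" -eq 6 ]          || return 1
    [ "$1" = rsync ]        || return 1
    [ "$2" = --server ]     || return 1
    [ "$3" = -vlogDtprz ]   || return 1
    [ "$4" = --delete ]     || return 1
    [ "$5" = . ]            || return 1
    dest=$6
    # Destination must be BACKUP_ROOT itself or something below it ...
    case $dest in
        "$BACKUP_ROOT" | "$BACKUP_ROOT"/*) ;;
        *) return 1 ;;
    esac
    # ... and must not climb back out with a '..' component.
    case "/$dest/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Entry point when sshd runs the script for an incoming connection.
run_forced_command() {
    if validate_rsync_cmd "${SSH_ORIGINAL_COMMAND-}"; then
        set -- $SSH_ORIGINAL_COMMAND
        shift                     # drop the word "rsync"; run our own binary
        exec "$RSYNC" "$@"
    fi
    logger -p auth.warning -t validate_rsync "rejected request: ${SSH_ORIGINAL_COMMAND-}"
    echo "Rejected" >&2
    exit 1
}

# sshd sets SSH_ORIGINAL_COMMAND whenever the client supplied a command; only
# then do we act (so sourcing the file for tests does not exec anything).
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_forced_command
fi
```

Two practical notes. First, run one real backup with a wrapper that only logs SSH_ORIGINAL_COMMAND before locking the option string in, since the client-side rsync version dictates what --server flags arrive. Second, the --delete in the permitted command means a compromised master can still empty the peer's copy of its own tree, so keep the backup directory on a snapshotted filesystem or rotate copies; forced commands limit what a stolen key can run, not what the permitted command can do to its own target.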


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
