On Tuesday 29 November 2005 14.04, kevin bailey wrote:
> if backing up to another server get that server to pull backups out. on
> my new machines i was pushing out the backups from the primary server -
> this would mean a cracker would then have an easy way in to the backup
> machine because i was using authorized_keys so the backup would run in a
> script.

Note that it's not a question of push vs. pull but a question of where the authentication happens. In both cases you'll have some means (ssh key, hardcoded password etc.) to access the other machine - the decision should thus not be push vs. pull but to store the authentication information on the side where a compromise is less likely.

Then, use tools like rssh to lock down the account used to transfer the backup data. Also allow login on this account only from a fixed IP address. (Obviously not always possible in the hobbyist scenario when you're backing up your server to your home machine on DSL or so.)

cheers
-- vbi

--
Beware of the FUD - know your enemies. This week
* Patent Law, and how it is currently abused. *
http://fortytwo.ch/opinion
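The lock-down advice in the message above can be checked mechanically. The following is an added example, not part of the original mail: a small auditor that parses an `authorized_keys` file and reports keys with no OpenSSH `from=` source restriction, a wildcard `from=` pattern, or no forced `command=`. It assumes the restriction is expressed through `authorized_keys` options (a restricted shell such as rssh is configured separately); the sample keys, the address 192.0.2.10 and the path `/usr/local/bin/backup-receive` are constructed placeholders.

```python
# Added example: audit authorized_keys entries used for scripted backups.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-sha2-")

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys line."""
    if line.startswith(KEY_TYPES):          # no options field at all
        return {}, line
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and line[i + 1:i + 2] == '"':
            buf += '"'                      # escaped quote inside a value
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:      # option separator
            opts.append(buf)
            buf = ""
        elif ch in " \t" and not quoted:    # end of the options field
            break
        else:
            buf += ch
        i += 1
    opts.append(buf)
    parsed = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        parsed[name.lower()] = value
    return parsed, line[i:].strip()

def audit(text):
    """Return [(line_number, [problems])] for weakly restricted keys."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ = split_options(line)
        problems = []
        if "from" not in opts:
            problems.append("no from= restriction")
        elif any(c in opts["from"] for c in "*?"):
            problems.append("from= uses a wildcard")
        if "command" not in opts:
            problems.append("no forced command")
        if problems:
            findings.append((n, problems))
    return findings

# Constructed sample input: one open key, one locked-down key, one wildcard.
SAMPLE = '''# backup account keys (constructed)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEKEY1 backup@primary
from="192.0.2.10",command="/usr/local/bin/backup-receive",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEKEY2 backup@primary
from="*.example.net",command="rsync --server --sender . /srv, data" ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY3 backup@old
'''
```
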