Secure rsync setup
Hello,
I'm thinking of using rsync for backup purposes.
Sadly, the server (alpha) hosting the files I'd like to backup does not allow
ssh or rsync connections - but I may execute rsync as a cron job or
cgi-script.
But I run a server (beta - debian sarge), that may serve as the rsync server,
therefore I'd thought, that alpha may call beta to back up his data by using
rsync over ssh and ssh-keys.
However, this requires alpha having a ssh-key. Furthermore I'm not in charge
with alpha's security, thus I've to make sure, that a attacker, who gained
access to alpha's ssh-key is not able to compromis beta (well, he might be
able to delete / modify the backup'ed data, but this might be circumvented by
regularly tar the backed up data).
Thus my question is: How should I configure / secure beta to prevent this?
I thought of using a new sarge installation in vmware, but this will require a
lot of ressources I'm unwilling to spend.
I thought of an new sarge installation on Xen - but I don't none whether Xen
is ready to be used in a hostile environment.
I thought of a sarge installation in a chroot enviroment, but I don't know
whether a "tight (tightend by grsecurity)" chroot would allow ssh / rsync to
be called.
I thought of just creating a user for that on beta and set appropiate
permissions - but what kind of permission would be appropiate?
What do you think?
Greetz
Thorsten.
Reply to: