
Monday, June 27, 2011

BackupPC client quickstart with improved security

To embellish and improve upon http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided, I've been using the following procedure:


  1. Add the 'mybackuppc' user to the machine that is being backed up. I try to avoid using "backuppc" as the username in case a common dictionary attack occurs. Then create an SSH key pair on the client as the 'mybackuppc' user (do not enter a passphrase):
    useradd mybackuppc -c "Backup User"
    su - mybackuppc
    ssh-keygen -t rsa
    exit

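  2. Add the 'mybackuppc' user to the client's sudoers file using visudo, giving the user sudo rights for rsync in server mode only. The trailing * matches any further rsync arguments and (ALL) lets the command run as any user, so whoever holds the backup server's private key can read and write files on the client as root through rsync; protect that key accordingly. The entries are as follows: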
    mybackuppc ALL=(ALL) NOPASSWD: /usr/bin/rsync --server *
    Defaults:mybackuppc !requiretty




  3. Copy the 'backuppc' user's public key from the backup server (/var/lib/backuppc/.ssh/id_rsa.pub) to the mybackuppc user's authorized keys file on the client (/home/mybackuppc/.ssh/authorized_keys).


  4. SSH from the BackupPC server to the client once as the backuppc user (su - backuppc; ssh -l mybackuppc $host) to get the client's RSA host key into the backup server's /var/lib/backuppc/.ssh/known_hosts file. Compare the fingerprint shown with the client's actual host key before answering yes:
    bash-3.2$ /usr/bin/ssh -l mybackuppc client-host
    The authenticity of host 'client-host (x.x.x.x)' can't be established.
    RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'client-host, x.x.x.x' (RSA) to the list of known hosts.
    [mybackuppc@client-host ~]$ exit
    logout

    Connection to client-host closed.


  5. Use the BackupPC web interface to add a new host. Notice in the comments at the bottom of the page that you can easily copy an existing host, or just add one from scratch with the defaults. You don't have to use a valid name available via DNS if you make sure the name is in /etc/hosts on the backup server. Alternatively, you could create a config file on the backup server in /etc/BackupPC/pc/ and then add the host to the /etc/BackupPC/hosts file.


  6. Use the BackupPC server's web interface to initiate a full backup of the new client machine.
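
An added example for step 3 (not part of the original post): a POSIX shell helper, run on the client as mybackuppc, that installs the server's public key with authorized_keys options restricting it to the backup server's address and disabling forwarding, then sets the permissions sshd expects. The function names, the script name, the /tmp path and the address 192.0.2.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the client as mybackuppc.

# build_entry PUBKEY SERVER_ADDR  (hypothetical helper)
# Prefix the key with OpenSSH authorized_keys options: accept it only from
# the backup server's address and disable forwarding, which rsync over ssh
# does not need.
build_entry() {
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$1"
}

# install_key PUBKEY_FILE SERVER_ADDR HOME_DIR  (hypothetical helper)
install_key() {
    pubkey_file=$1; server=$2; home_dir=$3
    # Exactly one non-empty line: rejects a private key or a multi-key file.
    [ "$(grep -c . "$pubkey_file")" -eq 1 ] || {
        echo "expected exactly one key in $pubkey_file" >&2; return 1; }
    key=$(cat "$pubkey_file")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an SSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    # sshd (StrictModes) ignores authorized_keys if these are group/world writable.
    umask 077
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh" || return 1
    auth="$home_dir/.ssh/authorized_keys"
    entry=$(build_entry "$key" "$server")
    # Idempotent: append only if this exact line is not already present.
    if ! grep -qxF -- "$entry" "$auth" 2>/dev/null; then
        printf '%s\n' "$entry" >> "$auth" || return 1
    fi
    chmod 600 "$auth"
}

# Usage (192.0.2.10 is a placeholder for the backup server's address):
#   sh install_key.sh /tmp/id_rsa.pub 192.0.2.10 /home/mybackuppc
if [ "$#" -eq 3 ]; then
    install_key "$@"
fi
```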