[BBLISA] Securely backing up Linux machines to NAS?

Edward Ned Harvey bblisa3 at nedharvey.com
Sun Sep 13 09:50:43 EDT 2009


You have a really strange set of requirements.  Generally speaking, if
you're backing up a bunch of servers, you need to do it on a LAN and not a
WAN, for speed reasons alone.  If it's given that you're backing up across
a LAN, from one server that you own and secured in your server room, through
a switch that you own and secured in your server room, to a destination that
you own and secured in the server room ... Generally speaking, there's no
need to encrypt the traffic during transit, because it's physically secured.

If the network traffic encryption were not a requirement, and you are going
from Linux to Linux, CIFS and NFS would be my default answer.  Fastest, most
well understood, reliable, supportable protocols you're ever going to get.

If for some reason, you DO need to encrypt your backup traffic, then I don't
think NFS or CIFS will satisfy your requirements. 

You also said "ssh requires interactive login" which is false.  For many
situations, all over the place, I use ssh keys to securely authenticate
without interaction.  Give this a try:

(On Machine 1)
ssh-keygen -t rsa
(keep pressing enter for defaults.  It will create ~/.ssh/id_rsa and
~/.ssh/id_rsa.pub)
chmod 600 ~/.ssh/*
chmod 700 ~/.ssh
cat ~/.ssh/id_rsa.pub
(copy the text)

(On Machine 2)
cat >> ~/.ssh/authorized_keys
(paste the rsa public key from above, hit Enter, and Ctrl-D)
chmod 600 ~/.ssh/*
chmod 700 ~/.ssh

Now, you can ssh from Machine 1 to Machine 2 without interaction.  You can
do something like:
	tar cpzf - /some/dir/foo/bar | ssh user@machine2 'cat > somedirfoobar.tar.gz'
and
	scp mybackupfile user@machine2:/path/to/destination/mybackupfile





> I have been tasked with having a Buffalo Terastation Pro 2 NAS box,
> likely to be connected to a Linux box via samba, be the storage device
> to back up mostly Ubuntu and Centos systems.  The trick is, the
> machines to be backed up need to do so in an automated fashion and
> make a secure, encrypted connection to my Linux box hosting the NAS.
> The NAS does have SSL enabled for web admin access, though the same
> login credentials are used to authenticate the Linux host via samba to
> the NAS.
> 
> So what are the simplest options to back up the Linux hosts?   rsync
> does come to mind, but how to do so securely from each host?   I'd
> consider something via ssh, but that would mean an interactive login,
> and encrypting individual files on the hosts is not an option.
> 
> NFS is also available on the NAS, but considering the security
> concerns, I will not use that, nor do I want to enable any more
> services on the linux machines being backed up than necessary, meaning
> samba is not an option, unless it remains the ONLY one.
> 
> I ONLY plan to use samba to mount the NAS to my Linux server, unless
> someone comes up with a more secure method, or even a way to negate the
> need of the Linux server and permit the hosts to back up directly to
> the NAS...
> 
> Ideas are welcome.
> 
> Thanks.
> 
> Scott
> 
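
Added example, not part of the original message or the quoted question: a passphrase-less key like the one set up in the reply above is commonly pinned, on Machine 2, to one forced command in ~/.ssh/authorized_keys so that it can only deliver backups. The function names, the archive-name policy and the client address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (assumed names and paths), not code from the original post.

# Print an authorized_keys entry that pins a public key to one forced command.
# "restrict" (OpenSSH 7.2+) disables pty allocation and port, agent and X11
# forwarding; from= limits which client address may use the key.
# $1 = public key file, $2 = allowed client address, $3 = forced command
restricted_key_line() {
    key=$(cat "$1") || return 1
    printf 'restrict,from="%s",command="%s" %s\n' "$2" "$3" "$key"
}

# Body of the forced command. sshd ignores the command the client asked for
# and exposes it in SSH_ORIGINAL_COMMAND; it is treated here only as a
# requested archive name, never executed.
# $1 = directory that receives the archives
backup_sink() {
    dest_dir=$1
    name=${SSH_ORIGINAL_COMMAND:-}
    case $name in
        ''|.*|*[!A-Za-z0-9._-]*)
            # empty, hidden/dot-dot, or contains '/', spaces, shell syntax
            echo "rejected archive name" >&2; return 1 ;;
        *.tar.gz) ;;
        *)  echo "rejected archive name" >&2; return 1 ;;
    esac
    umask 077
    tmp=$(mktemp "$dest_dir/.incoming.XXXXXX") || return 1
    # Write to a temp file and rename, so an interrupted or empty transfer
    # never replaces an existing good archive.
    if cat > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$dest_dir/$name"
    else
        rm -f "$tmp"; return 1
    fi
}
```

With such an entry in place, the client side of the tar pipeline passes only the archive name, e.g. `tar cpzf - /some/dir/foo/bar | ssh user@machine2 somedirfoobar.tar.gz`.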



