A backup server which can be woken via wake-on-lan will pull data from live severs via rsnapshot . Waking, creating a backup, and shutting down will be done from a specific live server.
Key generation and automated login
First create an SSH key which will authorize the backup server against the live servers: On the backup server run
ssh-keygen -b 4096 -f backup_auth. The generated file
backup_auth.pub has to be appended to
/root/.ssh/authorized_keys to enable automated login. Later we will limit commands availabe to rsync only for safety reasons. Check that the clients
PermitRootLogin without-password so that a first connection test from the backup server can succeed. Do this vice-versa for the live server which will later control the backup server.
aptitude install rsnapshot and modify
/etc/rsnapshot.conf to at least (see comments in config file for explanations):
snapshot_root <path> no_create_root 1 cmd_ssh /usr/bin/ssh retain ... ssh_args -i /root/.ssh/backup_auth # live server directories backup email@example.com:/etc/ ./ backup firstname.lastname@example.org:/home/ ./ [...]
Limiting rights of automated login
Extract rrsync (restricted rsync) from rsync scripts:
gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > /usr/local/bin/rrsync and make it executable
chmod +x /usr/local/bin/rrsync. The backup auth key can now be restricted in
/root/.ssh/authorized_keys. Prepend the entry with
command="/usr/local/bin/rrsync -ro /" which limits access with this key to just this command. Additionnally limiting measures can be implemented by adding further restrictions after
command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa ...
Waking the backup server
ssh -i <keyfile> rsnapshot [...]
Keyfile should authenticate the live server against the backup server.
Shutting the backup server down
ssh -i <keyfile> /sbin/ethtool -s eth0 wol g ssh -i <keyfile> /sbin/shutdown -h -t 1