Backup concept
A backup server which can be woken via wake-on-lan will pull data from live servers via rsnapshot. Waking, creating a backup, and shutting down will be done from a specific live server.
Key generation and automated login
First create an SSH key which will authorize the backup server against the live servers: on the backup server run ssh-keygen -b 4096 -f backup_auth. The generated file backup_auth.pub has to be appended to /root/.ssh/authorized_keys on each live server to enable automated login. Later we will limit the commands available to this key to rsync only for safety reasons. Check that the client's /etc/ssh/sshd_config sets PermitRootLogin without-password so that a first connection test from the backup server can succeed. Do this vice versa for the live server which will later control the backup server.
Rsnapshot
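Run aptitude install rsnapshot and modify /etc/rsnapshot.conf to contain at least the following (see comments in config file for explanations; rsnapshot requires the fields on each line to be separated by tabs, not spaces):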
snapshot_root	<path>
no_create_root	1
cmd_ssh	/usr/bin/ssh
retain	...
ssh_args	-i /root/.ssh/backup_auth
# live server directories
backup	root@server.local:/etc/	./
backup	root@server.local:/home/	./
[...]
Limiting rights of automated login
Extract (Debian 8/9) or copy (Debian 10) rrsync (restricted rsync) from /usr/share/doc/rsync/scripts to /usr/local/bin/rrsync and make it executable. The backup auth key can now be restricted in /root/.ssh/authorized_keys. Prepend the entry with command="/usr/local/bin/rrsync -ro /", which limits access with this key to just this command. Additional limiting measures can be implemented by adding further restrictions after command:
command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa ...
Additionally change PermitRootLogin in /etc/ssh/sshd_config to forced-commands-only.
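To confirm that the restriction described above is actually in place on a live server, the following added example (not part of the original page) audits authorized_keys entries. The function names and the sample file are constructed for illustration, and the check goes slightly beyond the page by also accepting OpenSSH's restrict option in place of the individual no-* flags.

```python
import re

# Flags the page appends after command= (option names are case-insensitive).
REQUIRED = {"no-pty", "no-agent-forwarding", "no-port-forwarding",
            "no-x11-forwarding", "no-user-rc"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# One option: bare characters or a double-quoted string that may hold commas/spaces.
OPTION = r'(?:[^\s",]|"(?:\\.|[^"\\])*")+'
ENTRY = re.compile(rf'^({OPTION}(?:,{OPTION})*)\s+\S+\s+\S+')

def audit_line(line):
    """Return the findings for one authorized_keys line; [] means restricted."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if line.startswith(KEY_PREFIXES):
        return ["no options: unrestricted login"]
    m = ENTRY.match(line)
    if not m:
        return ["unparseable entry"]
    opts = {}
    for opt in re.findall(OPTION, m.group(1)):
        name, _, value = opt.partition("=")
        opts[name.lower()] = value.strip('"')
    findings = []
    argv = opts.get("command", "").split()
    if not argv:
        findings.append("no forced command")
    elif not (argv[0].endswith("/rrsync") and "-ro" in argv[1:]):
        findings.append("forced command is not a read-only rrsync")
    # "restrict" (OpenSSH 7.2+) turns off everything the no-* flags cover.
    if "restrict" not in opts and REQUIRED - set(opts):
        findings.append("missing: " + ", ".join(sorted(REQUIRED - set(opts))))
    return findings

def audit(text):
    """Map 1-based line numbers to findings for every weak entry in the file."""
    checked = ((n, audit_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: found for n, found in checked if found}

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = '''command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAplaceholder1 backup
command="/usr/local/bin/rrsync -ro /" ssh-rsa AAAAplaceholder2 backup
ssh-rsa AAAAplaceholder3 admin
'''

if __name__ == "__main__":
    for n, found in audit(SAMPLE).items():
        print(f"line {n}: {'; '.join(found)}")
```

With PermitRootLogin forced-commands-only, the unrestricted entry on line 3 of the sample would no longer allow a root login, but it is still worth removing or restricting.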
Automation
Waking the backup server
wakeonlan [...]
Creating backups
ssh -i <keyfile> <backup-server> rsnapshot [...]
The keyfile should authenticate the live server against the backup server.
Shutting the backup server down
ssh -i <keyfile> <backup-server> /sbin/ethtool -s eth0 wol g
ssh -i <keyfile> <backup-server> /sbin/shutdown -h -t 1