World Backup Day!
How To Backup – The basics
How to Backup – Advanced rsync goodness
- Create an rsync user (if you didn’t already create one above via the GUI; call it something other than "rsync")
- Enable “User Home” on the Synology (Control Panel > User > Advanced tab > User Home) and pick a volume to put it on
- SSH in to your Synology as admin. The following commands may be useful:
sudo bash # Switch from admin user to Root user on the Synology
su rsync-username # Where rsync-username is the name of the user you picked for the service!
whoami # what user are you running as?
Side Note: Synology has a nice guide for using ssh keys with the DSM
https://www.synology.com/en-global/knowledgebase/DSM/tutorial/Management/How_to_log_in_to_DSM_with_key_pairs_as_admin_or_root_permission_via_SSH_on_computers
… follow that for setting up SSH keys. It would be a good idea to test (and re-test) with the password(s) you set if you turn off password-based SSH authentication (recommended for sure: keys only).
Lock down SSH
Enter rsync-backup.sh – this shell script is pretty hardened, and we can use SSH to make it so that the SSH key will only be allowed to run this rsync backup command and that’s all.
Inside authorized_keys:
command="~/bin/rrsync ~/backups/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAA...==
The rrsync script:
https://git.samba.org/?p=rsync.git;a=blob_plain;f=support/rrsync;hb=HEAD
#!/usr/bin/perl
# Name: /usr/local/bin/rrsync (should also have a symlink in /usr/bin)
# Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys
# Author: Joe Smith <[email protected]> 30-Sep-2004
# Modified by: Wayne Davison <[email protected]>
...
I think this bit of lore has been lost to the ages, essentially… but this script is incredibly handy! And the script explains a bit about the strategy for hardening rsync to prevent attackers that have gained that level of access from moving laterally into the backup appliance.
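To confirm that every key on the backup account actually carries the lockdown shown in the authorized_keys line above, here is an added example (not part of the original post or of rsync) that parses the options field and reports what is missing. The function names and sample lines are constructed for illustration; it also accepts OpenSSH's `restrict` option, which the post does not use, as equivalent to the five `no-*` options.

```python
# Added example: audit authorized_keys lines for the forced-command lockdown.
REQUIRED = {"no-agent-forwarding", "no-port-forwarding", "no-pty",
            "no-user-rc", "no-x11-forwarding"}   # compared lower-cased
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")          # line begins with a key type


def split_options(line):
    """Return the options field of one line as a list ([] for a bare key)."""
    if line.startswith(KEY_PREFIXES):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 2   # escaped quote stays in the value
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in " \t":
            break                         # options end at first bare space
        elif not quoted and ch == ",":
            opts.append(cur)
            cur, ch = "", ""
        cur += ch
        i += 1
    return opts + [cur]


def audit(line):
    """Return a list of findings; an empty list means the key is locked down."""
    names = {o.split("=", 1)[0].lower() for o in split_options(line.strip())}
    findings = [] if "command" in names else ["no forced command"]
    if "restrict" in names:
        # restrict disables everything; flag options that switch a feature back on
        findings += sorted(f"re-enables {o[3:]}" for o in REQUIRED if o[3:] in names)
    else:
        findings += sorted(f"missing {o}" for o in REQUIRED - names)
    return findings


# Constructed sample lines; the key material is a placeholder, not a real key.
SAMPLES = [
    'command="~/bin/rrsync ~/backups/",no-agent-forwarding,no-port-forwarding,'
    'no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER backup@client',
    'command="~/bin/rrsync ~/backups/",restrict,pty ssh-ed25519 AAAAC3PLACEHOLDER',
    'ssh-ed25519 AAAAC3PLACEHOLDER admin@laptop',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit(s) or "ok", "<-", s[:40])
```

Run it against each non-comment line of the backup user's `~/.ssh/authorized_keys`; any key that reports "no forced command" can open a normal shell rather than being confined to rrsync.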