
World Backup Day - Backup All The Things

World Backup Day!

How To Backup – The basics

How to Backup – Advanced rsync goodness

  1. Create an rsync user (if you didn’t above via the GUI; call it something other than “rsync”)
  2. Enable “User Home” in the Synology (Control Panel > User > Advanced Tab > User Home, and pick a volume to put it on)
  3. SSH in to your Synology as admin. The following commands may be useful:

```sh
sudo bash # Switch from the admin user to the root user on the Synology
su rsync-username # Where rsync-username is the name of the user you picked for the service!
whoami # What user are you running as?
```

Side Note: Synology has a nice guide for using SSH keys with the DSM:
https://www.synology.com/en-global/knowledgebase/DSM/tutorial/Management/How_to_log_in_to_DSM_with_key_pairs_as_admin_or_root_permission_via_SSH_on_computers

… follow that for setting up SSH keys. It would be a good idea to test (re-test) with the password(s) you set if you turn off password-based SSH authentication (recommended for sure. Keys only).

Lock down SSH

Enter rsync-backup.sh – this shell script is pretty hardened, and we can use ssh to make it so that the ssh key will only be allowed to run this rsync backup command and that’s all.

Inside authorized_keys:

```
command="~/bin/rrsync ~/backups/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAA...==
```

The rrsync script:
https://git.samba.org/?p=rsync.git;a=blob_plain;f=support/rrsync;hb=HEAD

```perl
#!/usr/bin/perl
# Name: /usr/local/bin/rrsync (should also have a symlink in /usr/bin)
# Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys
# Author: Joe Smith <[email protected]> 30-Sep-2004
# Modified by: Wayne Davison <[email protected]>
...
```

I think this bit of lore has been lost to the ages, essentially… but this script is incredibly handy! And the script explains a bit about the strategy for hardening rsync to prevent attackers that have gained that level of access from moving laterally into the backup appliance.

3 Likes
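An added example, not part of the original post or the rsync project: a small Python audit that checks every authorized_keys entry for a forced command and for the restriction options used in the post's key line. The sample entries and key material are constructed, and accepting `restrict` (OpenSSH's shorthand for all of these restrictions) goes beyond what the post shows.

```python
import re

# Restriction options from the post's authorized_keys line, lower-cased
# (sshd matches option names case-insensitively).
REQUIRED = {"no-agent-forwarding", "no-port-forwarding", "no-pty",
            "no-user-rc", "no-x11-forwarding"}
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
# Options field: runs of non-space characters or double-quoted strings.
OPTS_FIELD = re.compile(r'((?:"(?:\\.|[^"\\])*"|[^\s"])+)\s+(.*)')
ONE_OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def parse_options(line):
    """Return {option: value-or-None} for one authorized_keys entry."""
    m = None if line.startswith(KEY_PREFIXES) else OPTS_FIELD.match(line)
    field = m.group(1) if m else ""   # no options when the key type comes first
    return {o.group(1).lower(): o.group(2) for o in ONE_OPT.finditer(field)}

def audit(text):
    """Return [(line_number, problem)] for keys that are not locked down."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        problems = [] if opts.get("command") else ["no forced command"]
        if "restrict" in opts:  # everything is off; flag what was re-enabled
            missing = sorted(o for o in REQUIRED if o[3:] in opts)
        else:
            missing = sorted(REQUIRED - set(opts))
        if missing:
            problems.append("missing " + ",".join(missing))
        if problems:
            findings.append((lineno, "; ".join(problems)))
    return findings

# Constructed sample file; the key material is a placeholder.
SAMPLE = """\
# backup keys
command="~/bin/rrsync ~/backups/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAEXAMPLE backup@client
ssh-ed25519 AAAAEXAMPLE admin@laptop
command="~/bin/rrsync ~/backups/",no-pty ssh-rsa AAAAEXAMPLE old@client
restrict,command="~/bin/rrsync ~/backups/" ssh-ed25519 AAAAEXAMPLE new@client
"""

if __name__ == "__main__":
    for lineno, problem in audit(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Run it against the backup user's own `~/.ssh/authorized_keys` by passing the file contents to `audit()`; any line it reports can do more than the rsync transfer.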

@wendell great content first of all.
But it’s feasible and more affordable to one home setup, let’s say with two 8TB HDD NAS setup (with one for parity) and one Raspberry Pi 4 connected by LAN. And making an rsync cronjob to another RPi for the backups?
Video for that and further suggestions :wink: