World Backup Day - Backup All The Things

World Backup Day!

How To Backup – The basics

How to Backup – Advanced rsync goodness

  1. Create an rsync user (if you didn’t above via the gui for, call it something other than “rsync”)
  2. Enable “User Home” in the Synology (Control Panel > User > Advanced Tab > User Home), and pick a volume to put it on
  3. SSH in to your Synology as admin. The following commands may be useful:
sudo bash # Switch from admin user to Root user on the Synology
su rsync-username # Where rsync-username is the name of the user you picked for the service! 
whoami # what user are you running as?

Side Note: Synology has a nice guide for using ssh keys with the DSM 
https://www.synology.com/en-global/knowledgebase/DSM/tutorial/Management/How_to_log_in_to_DSM_with_key_pairs_as_admin_or_root_permission_via_SSH_on_computers

… follow that for setting up SSH keys. It would be a good idea to test (re-test) with the password(s) you set if you turn off password-based SSH authentication (recommended for sure. Keys only).

Lock down SSH

Enter rsync-backup.sh – this shell script is pretty hardened, and we can use ssh to make it so that the ssh key will only be allowed to run this rsync backup command and that’s all.

Inside authorized keys:

command="~/bin/rrsync ~/backups/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAA...==

The rrsync script:
https://git.samba.org/?p=rsync.git;a=blob_plain;f=support/rrsync;hb=HEAD

#!/usr/bin/perl
# Name: /usr/local/bin/rrsync (should also have a symlink in /usr/bin)
# Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys
# Author: Joe Smith <[email protected]> 30-Sep-2004
# Modified by: Wayne Davison <[email protected]>
...

I think this bit of lore has been lost to the ages, essentially… but this script is incredibly handy! And the script explains a bit about the strategy for hardening rsync to prevent attackers that have gained that level of access from moving laterally into the backup appliance.

4 Likes

@wendell great content first of all.
But is it feasible and more affordable for a home setup, let’s say a NAS setup with two 8TB HDDs (with one for parity) and one Raspberry Pi 4 connected by LAN, and making an rsync cronjob to another RPi for the backups?
Video for that and further suggestions :wink:

Hey @wendell, the SSH lock down tip is a cracker. I remember doing it on a project about 15 years ago but had forgotten how to do it. Lost to the ages, indeed…

I checked sshd(8), and see that all the no-agent-forwarding options can be replaced with just restrict. The man page makes the point that it’s future proof, as restrict will be updated should other relevant options be added to the config.

So I was wondering a) had you seen restrict?, and b) if you had, were they listed explicitly for backwards compatibility perhaps? My manpage is from version 8.2p1.

1 Like

Nice. I was aware of restrict, but had forgotten about it and was “less sure” of what all it did vs explicitly killing everything.

1 Like
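
An added example, not code from any post in this thread: an audit of authorized_keys lines that flags keys with no forced command, keys missing one of the five explicit no-* options from the first post, and keys that combine restrict with an option that re-enables a feature. The function names and the sample lines (with placeholder key material) are constructed for illustration.

```python
import re

# Restrictions the first post lists one by one. Per sshd(8), `restrict`
# applies all of them, plus any restriction added in later releases.
EXPLICIT = {"no-agent-forwarding", "no-port-forwarding", "no-pty",
            "no-user-rc", "no-x11-forwarding"}
# Options that switch a feature back on when combined with `restrict`.
REENABLE = {o[3:] for o in EXPLICIT}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# One option: name, optional ="quoted value", then "," or end of the field.
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+)')

def parse_options(line):
    """Return {option: value} for an authorized_keys line, None if not a key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, pos, more = {}, 0, not line.startswith(KEY_TYPES)
    while more:
        m = OPT.match(line, pos)
        if not m:
            raise ValueError(f"malformed options field: {line[:40]!r}")
        opts[m.group(1).lower()] = m.group(2)  # option names are case-insensitive
        pos, more = m.end(), m.group(3) == ","
    return opts

def audit(text):
    """Return {line number: [findings]} for keys that are not locked down."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if (opts := parse_options(line)) is None:
            continue
        found = [] if "command" in opts else ["no forced command"]
        if "restrict" in opts:
            found += [f"re-enables {o}" for o in sorted(REENABLE & set(opts))]
        else:
            found += [f"missing {o}" for o in sorted(EXPLICIT - set(opts))]
        if found:
            report[n] = found
    return report

# Constructed sample; the key material is a placeholder, not a real key.
SAMPLE = """\
command="~/bin/rrsync ~/backups/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER laptop
command="~/bin/rrsync ~/backups/",restrict ssh-ed25519 AAAAPLACEHOLDER desktop
command="~/bin/rrsync ~/backups/",no-pty ssh-rsa AAAAPLACEHOLDER old-box
restrict,pty ssh-ed25519 AAAAPLACEHOLDER workstation
ssh-ed25519 AAAAPLACEHOLDER unrestricted
"""
```

Calling `audit(SAMPLE)` passes the first two lines (the explicit list and the `restrict` form are treated as equivalent) and reports lines 3, 4 and 5.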