Koozali.org formerly Contribs.org

Contribs.org Forums => SME Server 9.x => Topic started by: Michail Pappas on April 25, 2019, 08:12:36 AM

Title: Secure SME backup to a NFS/SSH-accessible NAS
Post by: Michail Pappas on April 25, 2019, 08:12:36 AM
I've got a WD Mycloud EX4100 NAS, which provides some "plain" (ie no kerb5 encryption) NFS. It also provides SSH access and has rsync installed. This NAS is not on my location, so my problem is to avoid eavesdropping when backing up my SME box?

AFAIK, the built-in backup functionality does not provide any way to encrypt the files. If it did, I would backup via NFS.

Any idea on what could be used here? Something that could utilise SSH (and rsync perhaps) for the transfer?

EDIT: I've seen something mentioning a SSHFS. From what I've read, it requires nothing apart some changes on the SME box (wiki at https://wiki.contribs.org/FUSE_-_Filesystem_in_Userspace but not sure if it is current).
Title: Re: Secure SME backup to a NFS/SSH-accessible NAS
Post by: mmccarn on April 25, 2019, 12:05:39 PM
You can use Affa (https://wiki.contribs.org/Affa) to manage a backup system using rsync and ssh.

If Affa looks like overkill, or the remote NAS does not support hardlinks, or if you want to roll your own, you can get a list of the files and folders that SME includes by default when it does a restore:
Code: [Select]
perl -e 'use esmith::Backup;$b=new esmith::Backup;print join("\n",$b->restore_list)."\n"'
If you need the data to be encrypted at rest on the remote NAS you may want to create encrypted backup files locally then send those to the remote NAS.

Title: Re: Secure SME backup to a NFS/SSH-accessible NAS
Post by: mmccarn on April 25, 2019, 12:28:08 PM
I forgot to mention - if you roll your own you should:

* run signal-event pre-backup before doing the backup to generate mysqldump backups of your databases in /home/e-smith/db
(Affa will do this if you have 'SMEServer=yes' in your job config)

* include /opt if you have installed any contrib that uses it (PHP or Mysql software collections, for example)
(Affa will do this if you have 'Include=/opt' in your job config)
Title: Re: Secure SME backup to a NFS/SSH-accessible NAS
Post by: ReetP on April 25, 2019, 05:54:58 PM
I'd agree that unless you seriously want to reinvent the wheel or have some specific reasons why you can't use it, then Affa is one of the neatest bits of code at contribs.

It hides its light under a bushel :-)

Worth spending a bit of time testing it.
Title: Re: Secure SME backup to a NFS/SSH-accessible NAS
Post by: Michail Pappas on April 25, 2019, 06:20:44 PM
No contribs apart from some let's encrypt hacks. So Affa it will be then, thanks!
Title: Re: Secure SME backup to a NFS/SSH-accessible NAS
Post by: ReetP on April 25, 2019, 06:31:40 PM
No contribs apart from some let's encrypt hacks. So Affa it will be then, thanks!

Good decision IMHO :-)

Shout if you get stuck....
Title: Re: Secure SME backup to a NFS/SSH-accessible NAS
Post by: brianr on April 29, 2019, 11:20:43 AM
The other option might well be rclone:

https://wiki.contribs.org/Rclone