Ubuntu – How to set up an rsync backup to Ubuntu securely

backuprsyncSecurityssh

I have been following various other tutorials and blog posts on setting up a Ubuntu machine as a backup "server" (I'll call it a server, but it's just running Ubuntu desktop) that I push new files to with rsync. Right now, I am able to connect to the server from my laptop using rsync and ssh with an RSA key that I created and no password prompt when my laptop is connected to my home router that the server is also connected to. I would like to be able to send files from my laptop when I am away from home. Some of the tutorials I have looked at had some brief suggestions about security, but they didn't focus on them.

What do I need to do to let my laptop with send files to the server without making it too easy for someone else to hack into the server?

Here is what I have done so far:

  • Ran ssh-keygen and ssh-copy-id to create a key pair for my laptop and server.

  • Created a script on the server to write its public ip address to a file, encrypt the file, and upload to an ftp server I have access to (I know I could sign up for a free dynamic DNS account for this part, but since I have the ftp account and don't really need to make the ip publicly accessible I thought this might be better).

Here are the things I have seen suggested:

  • Port forwarding: I know I need to assign the server a fixed ip address on the router and then tell the router to forward a port or ports to it. Should I just use port 22 or choose a random port and use that?

  • Turn on the firewall (ufw). Will this do anything, or will my router already block everything except the port I want?

  • Run fail2ban.

Are all of those things worth doing? Should I do anything else? Could I set up the server to allow connections with the RSA key only (and not with a password), or will fail2ban provide enough protection against malicious connection attempts? Is it possible to limit the kinds of connections the server allows (e.g. only ssh)?

I hope this isn't too many questions. I am pretty new to Ubuntu (but use the shell and bash scripts on OSX). I don't need to have the absolute most secure set up. I'd like something that is reasonably secure without being so complicated that it could easily break in a way that would be hard for me to fix.

Best Answer

Ok, I think your trying to over architect a bit. SSH is one of the most secure file transfer protocols and if your already rsyncing over ssh then your 90% there. Your router is acting as a basic firewall so you shouldn't need to turn on iptables for a personal backup server.

Stick with port 22. It will make life much easier.

fail2ban is a nice script for public servers, specially where password based logins are enabled. On your server it's going to make more problems then it will fix. I wouldn't recommend running it. Here are my suggestions:

  • Go ahead and get the dynamic IP, it will make it easier, and about the time you go traveling, your ftp script will fail for some really strange reason. Basically KISS.
  • Disable Password logins for ssh. In /etc/sshd_config change PasswordAuthentication yes to PasswordAuthentication no, and make sure challengeresponse is set to no. That will bock any one without your private key from logging in at all.

Other then that your pretty much covered by default. ssh encrypts traffic and verifies the host/client. There not a lot left after that.