How to Backup a Remote Ubuntu VPS via SSH

backupbashremotescpssh

So, as I said I have a VPS, Raspberry Pi and a plan, but I am in need of some advice, so here goes.

I have a VPS with prgmr.com which I ahve up and running nice and smoothly without any issues. I also have a new RaspberryPi sat on my desk, with Raspberrian downloading as I type. My plan is to use the Raspberry Pi as a backup server at home, so my question is this:

How would you go about backing up a remote Ubuntu VPS via SSH?

The VPS is setup as a web server, but I would like to set up a cron job on the Pi so that it can automatically login to the VPS and run then download a backup, just incase I manage to brick the thing or something else happens that results in me losing data. Naturally I want this backup to contain everything so I can quickly restore the whole server, all nicely configured as it is now if things go bad.

How would you go about running this sort of backup? I figured that I would have to write some kind of bash script to SSH in, compress all the relevant files into a tar.gz or similar and the download the images vis SCP.

What are your thoughts on this? What packages etc would you use, and how would you configure it? The VPS has a LAMP stack on, so what files would you aim to backup? It also has lots of other smaller programs such as GIT, and ZendTools installed.

Best Answer

SSH Public Key Authentication

The first thing you want to do is start with ssh public key authentication. This will let your script use SSH without a password.

All that the server needs is SSH installed, and public key authentication set up for the user that will be running the backup script from the RasPi.

Here's a good tutorial for public key authentication: https://hkn.eecs.berkeley.edu/~dhsu/ssh_public_key_howto.html

Option 1: SSH and Tar

You can compress the tar.gz from the server and transmit it directly over ssh with something like this:

ssh root@remoteserver.example.com "tar -czvf - / 2> /var/log/sshbackup" > vpsbackup.tar.gz

This will make the VPS tar and gzip all files on / and transmit it over SSH to store in vpsbackup.tar.gz on the RasPi. A log of the most recent backup will be kept on /var/log/sshbackup on the VPS.

Option 2: Rsync

Sending an entire .tar.gz over SSH is inefficient... Files that don't change will still be transmitted. A better solution is to use rsync, but this makes it difficult to make a .tar.gz that preserves permissions. If you have enough storage space on the RasPi, you can just store the backup files as plain ol' files. Then you can have a script tar.gz them if you want to keep multiple past backups.

The server needs rsync installed. This will run over SSH, so you still use the public key authentication, and keep the encryption. You will need to run this command as root and have public key authentication and SSH logins for root enabled to preserve permissions. Your destination (or at least a temporary destination) should be a Linux filesystem. If you're storing these backups on a FAT or NTFS partition (e.g. on most external hard drives), you can make a loopback filesystem (see http://www.walkernews.net/2007/07/01/create-linux-loopback-file-system-on-disk-file/) for temporary storage. The tar.gz file can be stored on any partition, because it preserves permissions on its own.

An example rsync command:

rsync -a --delete --exclude=/dev --exclude=/sys --exclude=/proc --exclude=/tmp remoteserver.example.com:/ /path/to/backup/destination/

be careful when using --delete, especially as root! It will delete any files in the destination directory that do not exist on the backup source. You should only use --delete when syncing to a dedicated backup directory being used only for that VPS. You should also make sure there is no possibility of your script syncing to the wrong destination (e.g. if /path/to/backup/destination is determined by a shell variable)

rsync will only transfer files that are different between the source and destination. If you have large files, it will also only transfer parts of the file that have changed (for this to work, you must add the -c flag). This means you are using minimal bandwidth, but it'll use more CPU and slow down re-sync preparation times as both sides need to first checksum files to determine which blocks to transfer. If you do use the -c flag and you have large files (such as database files) and/or a flaky connection, consider adding --partial --append, which enables you to resume transfers after a connection is interrupted.

For further debugging:

1) Check that port 22 (SSH) is open on your server and on the router (port forwarding).

2) Check that the SSH server is running on your server

3) Use ping, ssh -v while connecting and look at /var/log/auth.log to debug any further connection problems.

1) On your router: follow router specific instructions

On your server: sudo ufw status (unless you use another firewall configuration utility) or sudo iptables -L (general method, but complex output)

To open port 22: sudo ufw allow 22

cf https://help.ubuntu.com/12.04/serverguide/firewall.html

2) Check it is installed: dpkg -l openssh-server

Check it is running: service ssh status or ps aux | grep sshd

3) On the connecting client:

ping my.external.ip.address
ssh -v user@my.external.ip.address

On the server:

sudo less /var/log/auth.log

You can check the router logs as well if necessary.

Here's an online port scanner: https://www.grc.com/x/ne.dll?bh0bkyd2

I think you can use tools like nmap or other as well, but I'm not that familiar with them yet.

Dealing with a changing external IP address:

1) Get a dynDNS or similar account: http://dyn.com/dns/

Lists of dynamic DNS providers:

2) Another solution, is to set up a crontab job, which regularly mails you your external IP address or puts in into an online storage service like dropbox.

Here's a script a friend of mine uses:

    #!/bin/bash
    # Bash script to get the external IP address
    MYWANIP=$(curl http://mire.ipadsl.net | sed -nr -e 's|^.*<span class="ip">([0-9.]+)</span>.*$|\1| p')
    echo "My IP address is: $MYWANIP"

    IPold=$(cat /home/USER/Dropbox/test.txt)
    echo "Previous IP Address: $IPold"

    if [[ $IPold != $MYWANIP ]] ;
    then
      echo "New IP"
      rm /home/USER/Dropbox/test.txt
      echo $MYWANIP >> /home/USER/Dropbox/test.txt;
      echo $MYWANIP;
    else
      echo "Same IP";
    fi

    # example crontab entry:
    ## m h  dom mon dow   command
    ## */10 * * * * /home/USER/Dropbox/test_ip.sh

Router port forwarding:

1) First, figure out your router's local IP address by running:

ip route | grep default

It is usually something like 192.168.x.x.

Alternative ways and other OS solutions:

2) Using any computer connected locally to the router, access the IP found previously, i.e. via http://192.168.1.1 for example. This should bring up the router configuration interface.

3) The next steps vary depending on your router. Here is how it is done on a router with OpenWRT for example:

https://newspaint.wordpress.com/2012/08/26/how-to-add-a-port-forward-using-the-web-interface-on-openwrt-10-03-1/