Securing and Optimizing Linux: RedHat Edition -A Hands on Guide | ||
---|---|---|
Prev | Chapter 33. Why's and When's of Backup and Restore | Next |
Backups allow you to restore the availability and integrity of information resources following security breaches and accidents. Without a backup, you may be unable to restore a computer's data after system failures and security breaches. It is important to develop a plan that is broad enough to cover all the servers you plan to deploy. We must determine what categories of files will be backed up. For example, you may choose to back up only user data files i.e. /home because damaged system files should be reloaded from the original distribution media.
There are common technological approaches to file backups. For network servers, an authoritative version of the informational content of the server is created and maintained on a secure machine that is backed up. If the server is compromised and its content damaged, it can be reloaded from the secure system maintaining the authoritative version. This approach is typically used for public servers, such as Web servers, because the content changes at more predictable intervals.
It is important to ensure that backups are performed in a secure manner and that the contents of the backups remain secure. We recommend that the plan specify that:
The source data is encrypted before being transmitted to the storage medium.
The data remains encrypted on the backup storage media.
The storage media are kept in a physically secure facility that is protected from man-made and natural disasters.
You should make sure that transfer of your backup happens in a secure manner over the network. In the previous sections, we have shown you how to make a backup onto both a tape and files from the same system where you execute the backup procedure, with utilities like tar and dump. These programs tar and dump are capable of making backups over the network as well. To be able to backup over the network you must ensure that the packages named rmt and rsh are installed on your system. The rmt utility provides remote access to tape devices for programs like dump, and tar. To complement this, the rsh package contains a set of programs which allow users to run commands on remote machines, login to other machines and copy files between machines, rsh, rlogin and rcp are this set of programs.
Since rsh can be easily hacked, and rmt depends on rsh to be able to work, we have chosen to not install them in our setup installation, see Installation of your Linux Server for more information, due to security reasons. Therefore, we must find another way to make backups over the network in a secure manner. SSH technology is the solution for our problem Software -Securities, because it also has the ability to copy data across the network with its scp command, through encryption. The following is a method that permits us to use the potential of SSH software to transfer our backups made with tar or dump in a secure manner via the scp SSH utility.
The scp command copies files between hosts on a network. It uses SSH for data transfer, and uses the same authentication, and provides the same security, as SSH. Unlike the rcp utility that comes with the package rsh, scp will ask for passwords or passphrases. In our example below, we transfer a backup file made with the tar archive program. The procedure to transfer a backup file or tape made with dump program is the same. To use scp to copy a backup tape or file to a remote secure system, use the command:
[admin@deep /]# scp <localdir/to/filelocation> <user@host:/dir/for/file> |
The username, user of the person on the remote site that will hold the backup file,
The hostname, host of the remote host where you want to send the backup file,
The remote directory of this host where you want to place the transferred backup file.
Example 33-2. scp SSH command
A real example will look like this:
[admin@deep /]# scp -Cp /backups/deep-01Feb.tar admin@backupserver:/archive/deep/deep-01Feb.tar |
admin@backupserver's password: deep-01Feb.tgz | 10479 KB | 154.1 kB/s | ETA: 00:00:00 | 100% |
: The C option enables compression for fast data transfer over the encrypted session, the p option indicates that the modification and access times as well as modes of the source file should be preserved on the copy. This is usually desirable. It is important to note that the dir/for/file directory on the remote host, /archive/deep in our example, must be owned by the username you specify in your scp command admin is this username in our example, or you may receive error message like: scp: /archive/deep/deep-01Feb.tar: Permission denied.
To use scp to copy a remote tape or file to the local system, use the command:
[admin@deep /]# scp <user@host:/dir/for/file> <localdir/to/filelocation> |
The username user of the person on the remote site that holds the backup file,
The hostname host of the remote host where you want to get the backup file,
The remote directory of this host where the backup file is kept,
<localdir/to/filelocation> is the local directory on your system where your want to place the backup file that you get from the remote host.
Example 33-3. scp SSH command
A real example would look like this:
[admin@deep /]# scp -Cp admin@backupserver:/archive/deep/deep-01Feb.tar /backups |
admin@backupserver's password: deep-01Feb.tgz | 10479 KB | 154.1 kB/s | ETA: 00:00:00 | 100% |
: It is important to note that the localdir/to/filelocation directory on the local host, /backups in our example, must be owned by the username you specify in your scp command, admin is this username in our example or you may receive an error message like: /backups/deep-01Feb.tar: Permission denied.
AMANDA Homepage: http://www.cs.umd.edu/projects/amanda/ |
BRU Homepage: http://www.bru.com/ |