How to backup from one server to another using rsync/ssh

Updated article on 1/8/2017: Removed references to authorized_keys2 and changed to authorized_keys.

How to backup via rsync/ssh from one server to another

Required: You need to have rsync and ssh installed

Part of this documentation was taken from http://jms1.net/ssh.shtml and also http://www.qmailinfo.org/index.php/ExampleRsyncScripts

The server in this document is the box that holds the files to be backed up.
The client in this document is the box the files are backed up to.

Setting up the ssh keys on the server

On the server, open /etc/ssh/sshd_config and add PermitRootLogin without-password. Then restart sshd by running killall -HUP sshd. You will get kicked out of your terminal. If all is well, you should be able to log in again. Root is now allowed to log in only via an ssh key. Don't worry, there is some added security later in this document as well.

Generating the key on the client

The first thing we will want to do is generate the key on the backup machine. Run the following command:


# ssh-keygen -t ed25519 -f id_dsa_backup -C 'Some comment'

When you see 'Enter passphrase (empty for no passphrase):', just hit Enter. When you see the confirmation 'Enter same passphrase again:', hit Enter again. After a few seconds, it should give you output similar to the following:


Your identification has been saved in id_dsa_backup.
Your public key has been saved in id_dsa_backup.pub.
The key fingerprint is:
88:da:e8:4c:50:5d:c5:95:b9:1e:6e:8f:96:82:c0:19 Some Comment

Now, id_dsa_backup.pub is the file we need to copy over to your server. Follow these steps to get it onto the server and allow root logins via ssh:

This part you will want to do on the server:


# scp user@backup:/path/to/id_dsa_backup.pub .
user@server's password:
id_dsa_backup.pub |********************| 0 0:00
# cat id_dsa_backup.pub >> ~root/.ssh/authorized_keys
# chmod 600 ~root/.ssh/authorized_keys
# exit

This is not the only way to get the public key file into place. You could also copy it to a floppy disk, or email it to the system administrator and have them install it for you (remember, this is the PUBLIC key; there is no security risk in sending it via normal email).

Note that you can have multiple keys listed in the .ssh/authorized_keys file. This is why the public keys have comments at the end, so you can easily tell which line in the file corresponds to which key.

To add a bit more security on the server, we will want to change /root/.ssh/authorized_keys to look like this:


command="/root/.ssh/rsync-key" ssh-dss AAAAB3NzaAAA4fobEeQMoC6vRInbeNy5PukQ5fAkCc+Vr...

Then this is what is in the /root/.ssh/rsync-key file:


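#!/bin/sh
# Forced command for the backup key: log the request and allow only rsync's server mode.
logger -t ssh-command "$SSH_ORIGINAL_COMMAND"
# Match in the shell itself, so nothing is written to a predictable file in /tmp.
case "$SSH_ORIGINAL_COMMAND" in
    "rsync --server "*)
        ;;
    *)
        logger -t rsync-key "INVALID COMMAND \"$SSH_ORIGINAL_COMMAND\""
        exit 1
        ;;
esac
# Unquoted on purpose: the shell has to split the command into rsync's arguments.
exec $SSH_ORIGINAL_COMMAND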

Then we need to chmod it properly so it runs:


chmod 755 /root/.ssh/rsync-key
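
The wrapper above accepts any command that begins with rsync --server, which also covers transfers that write to the server. The following variant is an added example (not part of the original article or of rsync) that accepts only a pull of one directory; the ALLOWED_PATH value, the function name check_backup_command and the rule that only short options are allowed are assumptions.

```sh
#!/bin/sh
# Added example, not the article's script: a stricter forced-command check.
# ALLOWED_PATH is an assumption taken from the article's vpopmail backup.
ALLOWED_PATH="/usr/home/vpopmail/"

# check_backup_command CMD
# Succeeds only for "rsync --server --sender <short options> . ALLOWED_PATH":
# the server sends (a read-only pull) exactly the one backup directory.
check_backup_command() {
    cmd=$1
    case "$cmd" in
        "rsync --server --sender "*) ;;
        *) return 1 ;;                  # not rsync, or a push to the server
    esac
    set -f                              # split into words without globbing
    set -- $cmd
    set +f
    shift 3                             # drop: rsync --server --sender
    state=opts
    for arg in "$@"; do
        case "$state:$arg" in
            opts:--*)            return 1 ;;   # long options are not expected (assumption)
            opts:-*)             ;;            # short option cluster
            opts:.)              state=dot ;;  # placeholder rsync sends before the path
            dot:"$ALLOWED_PATH") state=ok ;;   # the one directory being backed up
            *)                   return 1 ;;   # other path or extra argument
        esac
    done
    [ "$state" = ok ]
}

# Forced-command entry point: runs only when sshd has set SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_backup_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t rsync-key "accepted: $SSH_ORIGINAL_COMMAND"
        set -f                          # the validated words must not be glob-expanded
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t rsync-key "REJECTED: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

If a legitimate backup run is rejected, the REJECTED line in syslog shows the exact command your rsync version sends, so the check can be adjusted to it.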

Backing up files

Now that we have the keys in place for rsync via ssh to work, we can set up a script to automate the backup and then put it into cron. Here is my script for this. I will call it backup.sh, and in this example I will be backing up vpopmail:


#!/bin/sh
echo `date` starting >> /var/log/backup.log
rsync -aS --delete -e /path/to/backup-ssh root@HOST:/usr/home/vpopmail/ /backup/vpopmail/location
echo `date` done >> /var/log/backup.log

The '/path/to/backup-ssh' in the above file has this in it:


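#!/bin/sh
# Ignore any running ssh-agent so that only the backup key is offered.
unset SSH_AUTH_SOCK
# "$@" passes rsync's arguments through unchanged, one word per argument.
exec /usr/bin/ssh -i /path/to/id_dsa_backup "$@"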

Now we want to set the permissions on the following files:


# chmod 755 backup.sh
# chmod 755 backup-ssh

Now let's give it a test!


# ./backup.sh

If all goes well, it should pause there for a minute (or more, depending on the size of vpopmail) and then come back to the prompt. Check your backup log in /var/log/backup.log to see whether it started and stopped correctly.