How secure is my local backup drive with ssfhs?
from 712@discuss.tchncs.de to selfhosted@lemmy.world on 02 Jul 18:23
https://discuss.tchncs.de/post/63281650

Hello everyone.

I have been interested in starting to self-host, and I have just been able to set up the first useful thing for myself (apart from a PiHole that I have running).

Since I am very afraid of making security mistakes, I would like to get feedback from you if my setup is secure or not.

The simple use case: I want to be able to back up files from my main computer to a hard disk, without having the hard disk attached to my main computer.

The setup:

Now I need your help: how secure is this setup? Did I make any major mistake? Is there something I could do better?

I’d be happy to get some feedback… 🙂

#selfhosted

threaded - newest

kevincox@lemmy.ml on 02 Jul 18:35 next collapse

It sounds pretty reasonable. As long as you keep SSH patched and keep the key safe it should be quite locked down. Do double-check that password login isn’t allowed (or that all users have a very strong password).

One non-security note is be careful with rsync backup. Generally rsync isn’t considered a backup as any mistakes made in the source will be propagated to the “backup” on next sync. Although there are ways to use rsync to take good backups (like copying to a new directory for each backup).

712@discuss.tchncs.de on 02 Jul 18:43 collapse

keep the key safe

This might be a dumb question, but can I assume the keys are safe in the standard .ssh directory on Linux? Is there anything I should explicitly do to secure the private key?

kevincox@lemmy.ml on 02 Jul 18:44 next collapse

Generally speaking it will be fine. SSH will also refuse keys with open permissions so you would notice if it was wide-open to other users of the device.

But you know if you are running random code or AI harnesses as that user it can be at risk. Or if you copy around the key all over the place it is more likely to leak. But generally speaking you are secure by default, just don’t do something dumb with the key and you’ll have no problems.

irmadlad@lemmy.world on 02 Jul 18:49 collapse

You should be good with caveats:

  • Permissions on: ~/.ssh: chmod 700 ~/.ssh
  • Permissions on private keys: chmod 600 ~/.ssh/id_rsa or id_ed25519, etc.
  • Permissions on public keys: chmod 644 ~/.ssh/id_rsa.pub

You can check with: ls -la ~/.ssh/

needanke@feddit.org on 03 Jul 06:06 collapse

And of course encrypting the drive the files are on.

Shimitar@downonthestreet.eu on 02 Jul 18:37 next collapse

It is as secure as it can be.

Are you planning to connect to the server from internet? Are you planning to expose services to the internet?

712@discuss.tchncs.de on 02 Jul 18:40 collapse

Thank you. For now, I won’t try to connect to the server from the internet. I want to learn more about VPNs before I try anything like this. I am very paranoid when it comes to security, so I don’t want to risk anything… 😄

irmadlad@lemmy.world on 02 Jul 18:53 collapse

I am very paranoid when it comes to security, so I don’t want to risk anything… 😄

Don’t relax that posture. A little paranoia can be a good thing.

Pika@sh.itjust.works on 02 Jul 18:58 next collapse

is there any reason in particular that you are using both SSHFS and rsync? Rsync supports sftp which runs over an ssh connection via rsync -e ssh source dstUser@dstHost:/path

if you are only using the sshfs system to allow a local ssh directory on your system to use with rsync, you could likely skip that entire part and just use rsync.

LinuxConfig.org has a pretty decent page on it

712@discuss.tchncs.de on 02 Jul 19:41 collapse

The only reason is that I am a noob 😄 Thanks, I will take at look at this!

Pika@sh.itjust.works on 02 Jul 19:53 next collapse

hey everyone gotta learns somewhere, and defo don’t expect you’ll ever stop learning on this adventure. That’s part of what makes this hobby fun!

712@discuss.tchncs.de on 02 Jul 20:17 collapse

Wow, I just used this tutorial. rsync is amazing, and this actually makes everything so much easier. Thanks for pointing me in the right direction!

Pika@sh.itjust.works on 02 Jul 20:24 collapse

you’re welcome, glad it worked for your use case.

Rsync is an insane tool when you look at it, half the flags you wouldn’t even know existed unless you were looking for them.

bandwidthcrisis@lemmy.world on 03 Jul 04:17 collapse

Rsync can. For instance, rename files instead of deleting them, so that your backup keeps old files in case they need recovering.

It can also make hard links to existing files so they you can create multiple backup directories that share unchanged files to save space.

Also check out rclone, a similar tool with a focus on supporting many target types, plus it can encrypt a remote location, then mount that backup to access the decrypted files.

irmadlad@lemmy.world on 02 Jul 22:04 collapse

We were/are all noobs at something at some point in our lives. I’ve had a computer in front of me since the mid 70’s, and I’m still a noob. Learning is one of the bigger draws to this whole scene to me. There is always room to learn, because there are always different approaches to the same problem.

superglue@lemmy.dbzer0.com on 02 Jul 20:55 next collapse

Look into Borg backup you will get encrypted backups you can send over ssh and it will be faster, and you get de duplication

irmadlad@lemmy.world on 02 Jul 22:07 next collapse

…and you get restoration verifications.

homik@slrpnk.net on 03 Jul 09:09 collapse

torsion.org/borgmatic/ is nice for running a regular manual or automated Borg backup.

apps.gnome.org/en-GB/PikaBackup/ is also pretty neat if you want to clicky backup data as a user.

Both are common in package repos. And there’s probably even more, but I’ll mention those two just to point out that you don’t have to script the raw Borg if you don’t want to.

frongt@lemmy.zip on 02 Jul 23:33 next collapse

If it’s not connected to the internet, the only way someone could reach it would be if they are already inside your network. If they are inside your network, either they are on one of your devices (and if it’s your computer, you can consider your keys compromised) or they have physical access and they can just take the drive. (Is the data on the drive encrypted?)

passenger@sopuli.xyz on 03 Jul 05:46 next collapse

I can recommend duplicati on windows or pika backup (which is a borg backup gui) on linux. Then just make a user on raspberry pi and enter the ssh login in your backup client and you’re set.

Duplicati / Pika / Borg will encrypt the backups for you! So there is no danger of someone reading or changing your backups. You could use even some free cloud storage to store the backups safely. It really doesn’t matter where you store them.

Rsync won’t deduplicate or make archives so you cannot restore a backup from any chosen date. Rsync is sync not backup.

IanTwenty@piefed.social on 03 Jul 07:48 next collapse

You’ve made a great start. How much further you go depends on your needs and threat model.

Rsync is ok as a start but there are dedicated backup tools that will give you access to your files at any point in time. This is important if you delete a file and later need it back after an rsync has already run and deleted it remotely too.

Rsync will not encrypt your backups. If a burglar takes your Pi will they have easy access to all your files too?

With rsync+ssh you are also vulnerable to either yourself (more likely) or a rogue process on your own machine deleting the files over ssh (e.g. ransomware attack).

The answer to that is append-only backups. A backup tool like restic has a backend you can host that does exactly this:

The –append-only mode allows creation of new backups but prevents deletion and modification of existing backups. This can be useful when backing up systems that have a potential of being hacked.

https://github.com/restic/rest-server

Take a look at restic to see what else you gain from switching to a dedicated tool versus rsync:

https://github.com/restic/restic#design-principles

There are others too such as borg.

712@discuss.tchncs.de on 03 Jul 13:05 collapse

Everyone, thank you so much for your helpful comments… ❤️ I have learned a lot these two days.

I looked at rsync and borg, and I have ended up using Pika as a GUI for Borg. I am now backing up my data with Pika to two external hard disks over SSH. Both of these external hard disks are encrypted with Pika/Borg. What a wonderful tool!