* [gentoo-amd64] Local network backup
From: Peter Humphrey @ 2007-09-14 9:22 UTC
To: gentoo-amd64
(23+ messages in thread)

Here's today's problem.

I have a firewall-cum-gateway box between my tiny LAN and the Internet. The gateway runs constantly, while the internal boxes run when needed (they're my laptop and workstation). I want to use some space on the gateway to store backups of the other boxes, and I'd like the backup to run unattended at a time when the others are likely to be running. This seems not to be possible without security risks.

I've looked through all the Gentoo app-backup packages and found very few that are suitable for use out of the box. Ssh figures in them all, which is a good thing I suppose - except that I can't find a way to have ssh or scp run unattended.

Take rsnapshot, for instance. This looks like just what I need: automation via cron, history extending from hours to months, easy restoration and so on. It uses rsync, which can run either natively, which I'm not sure is prudent over the LAN, or over ssh. So in trying to set rsnapshot up to use ssh, and following the admirable guide by Daniel Robbins, I find that in order to avoid having to give a password every time a snapshot is taken, I have to remain logged in as root. This is not a good idea on a firewall box.

So I seem to have a choice: (i) run my backups manually, (ii) run them without ssh. You see my dilemma.

--
Rgds
Peter.
Linux Counter 5290, Aug 93
--
gentoo-amd64@gentoo.org mailing list
* Re: [gentoo-amd64] Local network backup
From: Hamish @ 2007-09-14 11:26 UTC
To: gentoo-amd64

On Friday 14 September 2007 10:22, Peter Humphrey wrote:
> Here's today's problem.
>
> I have a firewall-cum-gateway box between my tiny LAN and the Internet. The
> gateway runs constantly, while the internal boxes run when needed (they're
> my laptop and workstation). I want to use some space on the gateway to
> store backups of the other boxes, and I'd like the backup to run unattended
> at a time when the others are likely to be running. This seems not to be
> possible without security risks.
>
> I've looked through all the Gentoo app-backup packages and found very few
> that are suitable for use out of the box. Ssh figures in them all, which is
> a good thing I suppose - except that I can't find a way to have ssh or scp
> run unattended.

With ssh you can use a public/private keypair to do the authentication. The sequence is something like

1. Create a keypair on the CLIENT side of the connection
2. Copy the PUBLIC part of the keypair from the client to the server and append to the file ~/.ssh/authorized_keys

That's it...

Note that directory permissions and ownerships are very much required to be correct. And also that if you're doing this as root @ the server (Root at the client is fine, in fact usually required :), then (A) you shouldn't be (B) you might need to enable root login on sshd (In sshd_config on the server side).

Hamish.
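An added example of the two steps above, with the permission check Hamish warns about. This is not code from any post in the thread; the key path, key comment and the target home directory are assumptions, and the check reproduces what sshd's StrictModes looks for (a home, ~/.ssh or authorized_keys that group or others can write makes sshd ignore the key).

```shell
#!/bin/sh
# Added example, not code from the thread: the two steps Hamish lists plus
# the permission check he warns about.  Key path, key comment and the
# target home directory are assumptions.

# Step 1, on the CLIENT: create a keypair.  The comment (-C) names the
# purpose so the line is easy to find and revoke in authorized_keys later.
# -N '' gives an empty passphrase, which is what unattended cron use needs
# (later replies in the thread discuss that trade-off).
make_client_key() {
    keyfile="$1"
    [ -f "$keyfile" ] && return 0           # keep an existing key
    ssh-keygen -t ed25519 -N '' -C "backup@$(hostname)" -f "$keyfile"
}

# Step 2, on the SERVER: append one public-key line to
# ~/.ssh/authorized_keys, creating the directory and file with the modes
# sshd's StrictModes requires (700 / 600, owned by the login user).
install_pubkey() {
    publine="$1"; home="$2"
    sshdir="$home/.ssh"; authfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authfile" && chmod 600 "$authfile"
    # append only if the exact line is not already there (idempotent)
    grep -qxF "$publine" "$authfile" || printf '%s\n' "$publine" >> "$authfile"
}

# Return 1 if the home directory, ~/.ssh or authorized_keys is missing or
# writable by group or others; sshd silently refuses such keys, which is
# the usual reason a freshly copied key "doesn't work".
check_ssh_perms() {
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        mode=$(ls -ld "$p" | cut -c1-10)       # e.g. drwx------
        case "$mode" in
            ?????w*|????????w*) return 1 ;;    # group-write or other-write set
        esac
    done
    return 0
}

# Typical use (client side, then server side):
#   make_client_key ~/.ssh/backup_key
#   install_pubkey "$(cat backup_key.pub)" /home/backup
#   check_ssh_perms /home/backup && echo "permissions ok"
```

The functions are written to be re-run safely: installing the same key twice leaves one line, and the check can be dropped into a nightly sanity script so a stray `chmod` on the server is noticed before the backup silently starts failing.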
* Re: [gentoo-amd64] Local network backup
From: Peter Humphrey @ 2007-09-14 11:42 UTC
To: gentoo-amd64

On Friday 14 Sep 2007, Hamish wrote:
> With ssh you can use a public/private keypair to do the authentication.
> The sequence is something like
>
> 1. Create a keypair on the CLIENT side of the connection
> 2. Copy the PUBLIC part of the keypair from the client to the server and
> append to the file ~/.ssh/authorized_keys
>
> That's it...

Except that now, instead of being asked for a password, I'm asked for the pass-phrase that belongs to the ssh key.

> Note that [...] that if you're doing this as root @ the server (Root at the
> client is fine, in fact usually required :), then (A) you shouldn't be

I agree. So far I haven't tried specifying a remote destination to rsnapshot, which seems to assume it will be running on the backup host. If that's feasible, of course I'd prefer to do so. I'll try it and see.

> (B) you might need to enable root login on sshd (In sshd_config on the
> server side).
>
> Hamish.

Thanks for your thoughts.

--
Rgds
Peter.
Linux Counter 5290, Aug 93
* Re: [gentoo-amd64] Local network backup
From: Peter Humphrey @ 2007-09-14 13:17 UTC
To: gentoo-amd64

On Friday 14 Sep 2007, Peter Humphrey wrote:
> So far I haven't tried specifying a remote destination to rsnapshot, which
> seems to assume it will be running on the backup host. If that's feasible,
> of course I'd prefer to do so. I'll try it and see.

Nope. Only local paths can be specified as backup destinations in /etc/rsnapshot.conf. Now I'm reduced to contemplating the use of rsnapshot to maintain a local backup of the system and using rsync to keep a copy of it on the server. Bizarre.

--
Rgds
Peter.
Linux Counter 5290, Aug 93
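rsnapshot's snapshot_root does have to be local, but the layout the tool is built for is the other way round from the one above: rsnapshot runs on the backup host and pulls each client over ssh, so nothing has to stay logged in on the clients. An added example of that configuration follows; it is not from the thread or from the rsnapshot project, and the host names, key path and retention counts are assumptions. The config is emitted by a script because rsnapshot.conf requires a real tab between fields, and a space typed instead of a tab is the classic reason a new config does nothing; check_tabs() catches that.

```shell
#!/bin/sh
# Added example (not from the thread): rsnapshot on the backup host
# PULLING from the clients over ssh.  Host names, key path and retention
# counts are assumptions.  Fields are written with printf '\t' so the
# separators are guaranteed to be tabs.

write_rsnapshot_conf() {
    conf="$1"
    printf 'config_version\t1.2\n' > "$conf"
    printf 'snapshot_root\t/var/backups/snapshots/\n' >> "$conf"
    printf 'cmd_rsync\t/usr/bin/rsync\n' >> "$conf"
    printf 'cmd_ssh\t/usr/bin/ssh\n' >> "$conf"
    # a key dedicated to backups, not root's interactive key
    printf 'ssh_args\t-i /root/.ssh/backup_key\n' >> "$conf"
    # rotation: 6 hourly, 7 daily, 4 weekly, 3 monthly snapshots
    printf 'interval\thourly\t6\n' >> "$conf"
    printf 'interval\tdaily\t7\n' >> "$conf"
    printf 'interval\tweekly\t4\n' >> "$conf"
    printf 'interval\tmonthly\t3\n' >> "$conf"
    # remote sources: user@host:/path/ pulled via cmd_ssh, stored under
    # snapshot_root/<interval>.N/workstation/ (the account named here is
    # whatever can read the tree; the thread notes that is usually root)
    printf 'backup\troot@workstation:/etc/\tworkstation/\n' >> "$conf"
    printf 'backup\troot@workstation:/home/\tworkstation/\n' >> "$conf"
}

# Return 1 if any non-comment line lacks a tab, or has a space before its
# first tab (i.e. the keyword was separated from its value by spaces).
# Values themselves may contain spaces, as ssh_args does.
check_tabs() {
    conf="$1"; tab=$(printf '\t')
    grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        case "$line" in
            *"$tab"*) ;;
            *) echo "no tab separator: $line" >&2; exit 1 ;;
        esac
        case "$line" in
            *" "*"$tab"*) echo "space before first tab: $line" >&2; exit 1 ;;
        esac
    done
}

# Typical use:
#   write_rsnapshot_conf /etc/rsnapshot.conf
#   check_tabs /etc/rsnapshot.conf && rsnapshot configtest
```

`rsnapshot configtest` is the tool's own syntax check and is worth running after any hand edit; the tab check here only covers the one mistake the syntax check reports least helpfully.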
* Re: [gentoo-amd64] Local network backup
From: Jordi Molina @ 2007-09-14 13:34 UTC
To: gentoo-amd64

On 9/14/07, Peter Humphrey <prh@gotadsl.co.uk> wrote:
>
> Except that now, instead of being asked for a password, I'm asked for the
> pass-phrase that belongs to the ssh key.
>

Create it w/o passphrase.

It's not a big security risk, just ensure that the access of the user in the fw machine has restrictive access over its home and that it can't su/sudo to root.

Any backup application that sends data unattended will have the same security concerns; from my point of view it'd be senseless to start now a discussion about this, again.

--
Jordi Molina Casas (warp3r)
mail: warp3r@gmail.com 4BC8 8150 7B1A FC24 FBAD 7B07 FE90 F300 4F36 3BF7
mail: warp3r@2shifted.com 2F91 EF95 229E FC31 18C0 05C3 B320 22DA 8C03 F33E
www: www.warp3r.com
* Re: [gentoo-amd64] Local network backup
From: Etaoin Shrdlu @ 2007-09-14 14:24 UTC
To: gentoo-amd64

On Friday 14 September 2007, Jordi Molina wrote:
> On 9/14/07, Peter Humphrey <prh@gotadsl.co.uk> wrote:
> > Except that now, instead of being asked for a password, I'm asked
> > for the pass-phrase that belongs to the ssh key.
>
> Create it w/o passphrase.
>
> It's not a big security risk, just ensure that the access of the user
> in the fw machine has restrictive access over its home and that it
> can't su/sudo to root.
>
> Any backup application that sends data unattended will have the same
> security concerns; from my point of view it'd be senseless to start
> now a discussion about this, again.

Or, you can use keychain.

Read these articles for a good introduction to keychain (and ssh key management):

http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml
http://www.gentoo.org/doc/en/articles/openssh-key-management-p2.xml
http://www.gentoo.org/doc/en/articles/openssh-key-management-p3.xml
http://www.gentoo.org/proj/en/keychain/index.xml

HTH
* Re: [gentoo-amd64] Local network backup
From: Jordi Molina @ 2007-09-14 14:31 UTC
To: gentoo-amd64

On 9/14/07, Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:
> Or, you can use keychain.

It's an interesting tool, though it forces you to log in at least once before the scripts (supposedly located in cron) run. If the scripts are going to be run directly from the shell then it may be useful.

--
Jordi Molina Casas (warp3r)
mail: warp3r@gmail.com 4BC8 8150 7B1A FC24 FBAD 7B07 FE90 F300 4F36 3BF7
mail: warp3r@2shifted.com 2F91 EF95 229E FC31 18C0 05C3 B320 22DA 8C03 F33E
www: www.warp3r.com
* Re: [gentoo-amd64] Local network backup
From: Peter Humphrey @ 2007-09-15 7:52 UTC
To: gentoo-amd64

On Friday 14 Sep 2007, Etaoin Shrdlu wrote:
> Or, you can use keychain.
> Read these articles for a good introduction to keychain (and ssh key
> management):
>
> http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml
> http://www.gentoo.org/doc/en/articles/openssh-key-management-p2.xml
> http://www.gentoo.org/doc/en/articles/openssh-key-management-p3.xml

Those are the articles I said I'd read in my first e-mail. They make it clear that ssh is intended for interactive use only.

--
Rgds
Peter.
Linux Counter 5290, Aug 93
* Re: [gentoo-amd64] Local network backup
From: Etaoin Shrdlu @ 2007-09-15 9:19 UTC
To: gentoo-amd64

On Saturday 15 September 2007, Peter Humphrey wrote:
> On Friday 14 Sep 2007, Etaoin Shrdlu wrote:
> > Or, you can use keychain.
> > Read these articles for a good introduction to keychain (and ssh key
> > management):
> >
> > http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml
> > http://www.gentoo.org/doc/en/articles/openssh-key-management-p2.xml
> > http://www.gentoo.org/doc/en/articles/openssh-key-management-p3.xml
>
> Those are the articles I said I'd read in my first e-mail. They make
> it clear that ssh is intended for interactive use only.

They also make clear that, using keychain, ssh can be used from cron jobs too (as others have also said) to allow passwordless logins. All you have to do is log in once when the box is booted, so that the necessary environment is established, and from then on the necessary files can be sourced from wherever you like, including scripts run from cron jobs. If the uptime of your system is high enough, this means logging in once every several months or so, and forgetting about the whole thing.

"And because SSH_AUTH_SOCK is recorded in ~/.ssh-agent, our own shell scripts and cron jobs can easily connect with ssh-agent just by sourcing the ~/.ssh-agent file".

Things are a little different with the newer versions of keychain, but the fact that cron jobs can do passwordless logins using keychain is still true (also because I use it all the time).
* Re: [gentoo-amd64] Local network backup
From: Peter Humphrey @ 2007-09-15 10:21 UTC
To: gentoo-amd64

On Saturday 15 Sep 2007, Etaoin Shrdlu wrote:
> On Saturday 15 September 2007, Peter Humphrey wrote:
> > Those are the articles I said I'd read in my first e-mail. They make
> > it clear that ssh is intended for interactive use only.
>
> They also make clear that, using keychain, ssh can be used from cron jobs
> too (as others have also said) to allow passwordless logins. All you

In that case, either I'm not reading it straight or I'm doing something wrong in setting it up for myself. I'd better have another go.

Thanks for your help.

--
Rgds
Peter.
Linux Counter 5290, Aug 93
* Re: [gentoo-amd64] Local network backup
From: Etaoin Shrdlu @ 2007-09-15 10:43 UTC
To: gentoo-amd64

On Saturday 15 September 2007, Peter Humphrey wrote:
> In that case, either I'm not reading it straight or I'm doing
> something wrong in setting it up for myself. I'd better have another
> go.
>
> Thanks for your help.

FWIW, I use app-backup/backuppc to back up some boxes. It runs as a daemon (ie, not from a cron job), can use a variety of transport protocols (ssh, rsync, smb - this lets you back up windows boxes), runs as an unprivileged user on the server, does not require anything to be installed on the clients, is highly configurable, and can be controlled using a nice web interface (ie, backups can be automatically initiated by the server or clients can request a backup of their box).

Downsides:

- the portage version is not the latest (2.1.something vs. 3.0.something), but there is an experimental ebuild for the latest version in bugzilla (I have not tried it though);
- if you want passwordless ssh root logins on the clients but your ssh key is protected by a passphrase, you have to login as user backuppc and start the daemon manually to enter the ssh passphrase (instead of using the provided /etc/init.d script), but, as I said, this is a minor nuisance, and has to be done only once when the machine is rebooted. If your ssh key does not have a passphrase, there are no problems at all.

hth
* Re: [gentoo-amd64] Local network backup
From: Peter Humphrey @ 2007-09-16 12:08 UTC
To: gentoo-amd64

On Saturday 15 Sep 2007, Etaoin Shrdlu wrote:
> FWIW, I use app-backup/backuppc to back up some boxes. It runs as a daemon
> (ie, not from a cron job), can use a variety of transport protocols
> (ssh, rsync, smb - this lets you back up windows boxes), runs as an
> unprivileged user on the server, does not require anything to be
> installed on the clients, is highly configurable, and can be controlled
> using a nice web interface (ie, backups can be automatically initiated
> by the server or clients can request a backup of their box).
>
> hth

This looks interesting - thanks. One thing - is it possible to install it on a box with no Web server? I tried the emerge just now and got fatal errors from webapp-config. I'll have a browse of the mailing list archives and see what I can turn up.

--
Rgds
Peter.
Linux Counter 5290, Aug 93
* Re: [gentoo-amd64] Local network backup
From: Etaoin Shrdlu @ 2007-09-16 14:10 UTC
To: gentoo-amd64

On Sunday 16 September 2007, Peter Humphrey wrote:
> This looks interesting - thanks. One thing - is it possible to install
> it on a box with no Web server? I tried the emerge just now and got
> fatal errors from webapp-config. I'll have a browse of the mailing
> list archives and see what I can turn up.

It probably can be done, but not through portage. My installation uses it, so I have no definitive answer. However, I guess that, with a manual installation and a considerable amount of tweaking, you could make it work that way (even though the docs list apache as a prerequisite).

However, consider that, without the web interface, you lose the ability to browse through the backups and start backups and restores in a very simple way. While backups and restores can still be started by running the appropriate scripts from the command line, restoring selected files or directories and (most important) browsing existing backups becomes nearly impossible, since the data is saved in a format quite difficult to interpret with a normal file manager or using command line tools (ls, find, etc.).
* Re: [gentoo-amd64] Local network backup
From: Jack Lloyd @ 2007-09-14 16:10 UTC
To: gentoo-amd64

On Fri, Sep 14, 2007 at 03:34:06PM +0200, Jordi Molina wrote:
> It's not a big security risk, just ensure that the access of the user
> in the fw machine has restrictive access over its home and that it
> can't su/sudo to root.

You can use something like scponly, to keep anyone who steals the key from getting shell access to your firewall:

http://sublimation.org/scponly/wiki/index.php/Main_Page

You could also limit where logins come from via AllowUsers in your sshd config.

I had thought OpenSSH had some facility built in for limiting what particular users could do (so you could create an account that can only be used for sftp transfers, and sshd would not allow that user to get a tty or shell), but I can't seem to find anything about that in the man page, so I may just be imagining this feature.

-Jack
* Re: [gentoo-amd64] Local network backup
From: Mike Williams @ 2007-09-14 16:32 UTC
To: gentoo-amd64

On Friday 14 September 2007 17:10:54 Jack Lloyd wrote:
> I had thought OpenSSH had some facility built in for limiting what
> particular users could do (so you could create an account that can
> only be used for sftp transfers, and sshd would not allow that user to
> get a tty or shell), but I can't seem to find anything about that in
> the man page, so I may just be imagining this feature.

man sshd
AUTHORIZED_KEYS FILE FORMAT

Lots of interesting goodies.

--
Mike Williams
* Re: [gentoo-amd64] Local network backup
From: Jack Lloyd @ 2007-09-14 16:41 UTC
To: gentoo-amd64

On Fri, Sep 14, 2007 at 05:32:14PM +0100, Mike Williams wrote:
> man sshd
> AUTHORIZED_KEYS FILE FORMAT
>
> Lots of interesting goodies.

Thanks! I was almost certain I had used that a couple of years back but couldn't find a mention of it anywhere in the ssh_config or sshd_config man pages, so I was becoming doubtful of my memory.

-Jack
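An added example of the AUTHORIZED_KEYS FILE FORMAT options Mike points at, used to build the kind of account Jack was looking for and the restricted user Jordi describes: a key that can only run an rsync receiver into the backup area, from one LAN address, with no shell, tty or forwarding, so a stolen key is of little use on the firewall. This is not code from the thread or from OpenSSH; the wrapper path, backup root and LAN range are assumptions, and the allow/refuse logic is a plain shell stand-in for what scponly or rsync's own rrsync helper does.

```shell
#!/bin/sh
# Added example (not from the thread): an authorized_keys entry that pins a
# backup key to one address and one forced command, and the decision logic
# of that forced command.  Wrapper path, backup root and LAN range are
# assumptions.

BACKUP_ROOT="/var/backups/snapshots"        # assumed server-side location
WRAPPER="/usr/local/bin/backup-only"        # assumed forced-command path

# Build the authorized_keys line.  Everything before the key type is an
# option: "from=" restricts the client address; "command=" replaces whatever
# the client asked to run (the original request is handed to the command in
# SSH_ORIGINAL_COMMAND); the no-* options remove tty, port, agent and X11
# forwarding.  OpenSSH 7.2 and later also has a single "restrict" option
# that covers the whole no-* list.
authorized_line() {
    pubkey="$1"; lan="$2"
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$lan" "$WRAPPER" "$pubkey"
}

# Decide whether a requested command may run.  Only the receiving side of
# rsync ("rsync --server" without --sender) into a path under BACKUP_ROOT is
# allowed, so the key can push backups in but cannot read them back out,
# run anything else, or escape the backup area.  Returns 0 = allow, 1 = refuse.
allow_command() {
    cmd="$1"
    case "$cmd" in
        "rsync --server "*) ;;                 # must be an rsync server invocation
        *) return 1 ;;
    esac
    case "$cmd" in
        *--sender*) return 1 ;;                # --sender would send our files to the client
        *'..'*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*) return 1 ;;   # no traversal or shell metacharacters
    esac
    # rsync's last argument is the destination; it must stay under BACKUP_ROOT
    dest=$(printf '%s' "$cmd" | awk '{print $NF}')
    case "$dest" in
        "$BACKUP_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# The forced command itself (what $WRAPPER would contain): consult
# allow_command, then either exec the rsync server or log the refusal.
# Word-splitting $SSH_ORIGINAL_COMMAND is intended here.
wrapper_main() {
    if allow_command "${SSH_ORIGINAL_COMMAND:-}"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t backup-only "refused from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    exit 1
}

# Typical use on the server:
#   authorized_line "$(cat backup_key.pub)" 192.168.1.0/24 >> ~backup/.ssh/authorized_keys
# and on the client, the push rsnapshot's local snapshots across:
#   rsync -a /var/backups/snapshots/ backup@gateway:/var/backups/snapshots/laptop/
```

Refusals end up in syslog via logger, which is the line to watch: a forced-command rejection on the gateway means either a misconfigured client or somebody trying the key for something other than backups.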
* Re: [gentoo-amd64] Local network backup
From: Steve Herber @ 2007-09-14 16:38 UTC
To: gentoo-amd64

I use net-misc/keychain to manage my ssh keys. My backup machine root account has this sequence in the .bash_profile file:

    keychain ~/.ssh/id_dsa
    . ~/.keychain/$HOSTNAME-sh

If I reboot the backup machine I need to remember to login as root. The keychain program checks to see if it has the key in memory and only asks for the password the first time.

I use this as part of my rsnapshot backup system.

Steve Herber herber@thing.com work: 206-221-7262
Security Engineer, UW Medicine, IT Services home: 425-454-2399

On Fri, 14 Sep 2007, Jordi Molina wrote:
> On 9/14/07, Peter Humphrey <prh@gotadsl.co.uk> wrote:
>>
>> Except that now, instead of being asked for a password, I'm asked for the
>> pass-phrase that belongs to the ssh key.
>>
>
> Create it w/o passphrase.
>
> It's not a big security risk, just ensure that the access of the user
> in the fw machine has restrictive access over its home and that it
> can't su/sudo to root.
>
> Any backup application that sends data unattended will have the same
> security concerns; from my point of view it'd be senseless to start
> now a discussion about this, again.
>
> --
> Jordi Molina Casas (warp3r)
> mail: warp3r@gmail.com 4BC8 8150 7B1A FC24 FBAD 7B07 FE90 F300 4F36 3BF7
> mail: warp3r@2shifted.com 2F91 EF95 229E FC31 18C0 05C3 B320 22DA 8C03 F33E
> www: www.warp3r.com
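An added example of the cron side of the keychain setup Steve shows above and Etaoin described earlier in the thread. It is not code from either of them or from keychain: after the one interactive login, keychain has started ssh-agent, loaded the key, and written the agent's environment to ~/.keychain/$HOSTNAME-sh; a cron job has no such environment, so the script below sources that file and refuses to run the backup when no live agent with a key is present, rather than hanging on a passphrase prompt nobody will see. The keychain directory, the logger tag and the rsnapshot call are assumptions; the constructed environment file in the test is in the same "VAR=value; export VAR;" form keychain writes.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-run backup wrapper that picks
# up the ssh-agent keychain left behind and fails loudly if it is not
# usable.  Paths and the rsnapshot call are assumptions.

KEYCHAIN_DIR="${HOME:-/root}/.keychain"

# Source keychain's sh-style environment file.  Returns 0 if it named a
# live agent socket, 1 if SSH_AUTH_SOCK is unset or the socket is gone
# (agent died, or the file is stale from before a reboot), 2 if the file
# does not exist at all (nobody has logged in and run keychain yet).
load_agent_env() {
    envfile="$1"
    [ -f "$envfile" ] || return 2
    # the file holds only "VAR=value; export VAR;" lines, so sourcing is safe
    . "$envfile"
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    return 0
}

# True if the agent holds at least one key.  "ssh-add -l" exits 1 for an
# empty agent and 2 when it cannot reach the agent at all.
agent_has_key() {
    ssh-add -l >/dev/null 2>&1
}

# What the crontab entry runs, for example:
#   0 */4 * * *  /usr/local/bin/backup-cron hourly
#   30 3 * * *   /usr/local/bin/backup-cron daily
run_backup() {
    interval="$1"
    rc=0
    load_agent_env "$KEYCHAIN_DIR/$(hostname)-sh" || rc=$?
    case $rc in
        2) logger -t backup-cron "no keychain environment; log in once and run keychain"; return 1 ;;
        1) logger -t backup-cron "keychain file is stale or agent is dead"; return 1 ;;
    esac
    if ! agent_has_key; then
        logger -t backup-cron "ssh-agent is running but holds no key"
        return 1
    fi
    # ssh_args in rsnapshot.conf should include -o BatchMode=yes so a
    # rejected key fails immediately instead of prompting
    rsnapshot "$interval"
}
```

The distinction between return codes 1 and 2 is deliberate: a missing file means the box was rebooted and nobody has logged in yet (Steve's "remember to login as root"), while a stale file means something went wrong with the agent itself, and the two warrant different responses when the syslog line is read the next morning.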
* Re: [gentoo-amd64] Local network backup
From: Hamish @ 2007-09-17 9:34 UTC
To: gentoo-amd64

On Friday 14 September 2007 12:42, Peter Humphrey wrote:
> On Friday 14 Sep 2007, Hamish wrote:
> > With ssh you can use a public/private keypair to do the authentication.
> > The sequence is something like
> >
> > 1. Create a keypair on the CLIENT side of the connection
> > 2. Copy the PUBLIC part of the keypair from the client to the server and
> > append to the file ~/.ssh/authorized_keys
> >
> > That's it...
>
> Except that now, instead of being asked for a password, I'm asked for the
> pass-phrase that belongs to the ssh key.
>

Then generate a keypair WITHOUT a passphrase...

Hamish.
* Re: [gentoo-amd64] Local network backup
From: Wil Reichert @ 2007-09-14 11:29 UTC
To: gentoo-amd64

I'm assuming since you're asking this question your firewall is locked down pretty tight. That said, backing up your personal data to it seems like a not very good idea. Were you planning on encrypting it or something?

Anyway... Who uses your internal network seems to be the variable here. Is this at work or home? Is there a wireless router thrown in there somewhere?

Wil

On 9/14/07, Peter Humphrey <prh@gotadsl.co.uk> wrote:
> Here's today's problem.
>
> I have a firewall-cum-gateway box between my tiny LAN and the Internet. The
> gateway runs constantly, while the internal boxes run when needed (they're my
> laptop and workstation). I want to use some space on the gateway to store
> backups of the other boxes, and I'd like the backup to run unattended at a
> time when the others are likely to be running. This seems not to be possible
> without security risks.
>
> I've looked through all the Gentoo app-backup packages and found very few that
> are suitable for use out of the box. Ssh figures in them all, which is a good
> thing I suppose - except that I can't find a way to have ssh or scp run
> unattended.
>
> Take rsnapshot, for instance. This looks like just what I need: automation via
> cron, history extending from hours to months, easy restoration and so on. It
> uses rsync, which can run either natively, which I'm not sure is prudent over
> the LAN, or over ssh. So in trying to set rsnapshot up to use ssh, and
> following the admirable guide by Daniel Robbins, I find that in order to
> avoid having to give a password every time a snapshot is taken, I have to
> remain logged in as root. This is not a good idea on a firewall box.
>
> So I seem to have a choice: (i) run my backups manually, (ii) run them without
> ssh. You see my dilemma.
>
> --
> Rgds
> Peter.
> Linux Counter 5290, Aug 93
* Re: [gentoo-amd64] Local network backup
From: Peter Humphrey @ 2007-09-14 12:03 UTC
To: gentoo-amd64

On Friday 14 Sep 2007, Wil Reichert wrote:
> I'm assuming since you're asking this question your firewall is locked down
> pretty tight.

Not particularly, but it seems silly to take needless risks. It has shorewall to manage iptables, but I still let it run squid, ntpd, dnsmasq and a few other little goodies. I suppose I rely on shorewall to keep me safe.

> That said, backing up your personal data to it seems like a not very good
> idea. Were you planning on encrypting it or something?

I see what you mean, but really the main use of the backup would be to recover a working system to a damaged box (I can be just as clumsy in admin as anyone else), rather than spending a week or more rebuilding it from source. User data could perhaps be backed up elsewhere - I have a handy little USB disk that would do nicely.

> Who uses your internal network seems to be the variable here. Is this at
> work or home?

The clue was in "my tiny LAN" which means my own :-)

> Is there a wireless router thrown in there somewhere?

The one wireless link is between the laptop and an access point; the WAP is connected to an Ethernet switch which lives between the workstation and the gateway. Why do you ask?

--
Rgds
Peter.
Linux Counter 5290, Aug 93
* Re: [gentoo-amd64] Local network backup
From: Wil Reichert @ 2007-09-14 16:01 UTC
To: gentoo-amd64

On 9/14/07, Peter Humphrey <prh@gotadsl.co.uk> wrote:
> On Friday 14 Sep 2007, Wil Reichert wrote:
> > I'm assuming since you're asking this question your firewall is locked down
> > pretty tight.
>
> Not particularly, but it seems silly to take needless risks. It has shorewall
> to manage iptables, but I still let it run squid, ntpd, dnsmasq and a few
> other little goodies. I suppose I rely on shorewall to keep me safe.
>
> > That said, backing up your personal data to it seems like a not very good
> > idea. Were you planning on encrypting it or something?
>
> I see what you mean, but really the main use of the backup would be to recover
> a working system to a damaged box (I can be just as clumsy in admin as anyone
> else), rather than spending a week or more rebuilding it from source. User
> data could perhaps be backed up elsewhere - I have a handy little USB disk
> that would do nicely.
>
> > Who uses your internal network seems to be the variable here. Is this at
> > work or home?
>
> The clue was in "my tiny LAN" which means my own :-)
>
> > Is there a wireless router thrown in there somewhere?
>
> The one wireless link is between the laptop and an access point; the WAP is
> connected to an Ethernet switch which lives between the workstation and the
> gateway. Why do you ask?

Shorewall is good =)

If it's your own private LAN with no (few?) external users, why bother with ssh & encrypting traffic?

Wil
* [gentoo-amd64] Re: Local network backup 2007-09-14 12:03 ` Peter Humphrey 2007-09-14 16:01 ` Wil Reichert @ 2007-09-14 18:51 ` Duncan 1 sibling, 0 replies; 23+ messages in thread From: Duncan @ 2007-09-14 18:51 UTC (permalink / raw To: gentoo-amd64 Peter Humphrey <prh@gotadsl.co.uk> posted 200709141303.46235.prh@gotadsl.co.uk, excerpted below, on Fri, 14 Sep 2007 13:03:46 +0100: >> That said, backing up your personal data to it seems like a not very >> good idea. Were you planning on encrypting it or something? This is what disturbed me about the idea as well. Ideally, you keep everything personal off the firewall, and at a slightly less priority, don't depend on it for anything you might run that could be rooted (thus killing the idea of system backups). > I see what you mean, but really the main use of the backup would be to > recover a working system to a damaged box (I can be just as clumsy in > admin as anyone else), rather than spending a week or more rebuilding it > from source. User data could perhaps be backed up elsewhere - I have a > handy little USB disk that would do nicely. Well, keeping user data elsewhere is a good first step, but consider what happens if you have to use that system backup and it has been rooted. Are you willing to risk the integrity of that data any more than your personal data? What will have been the value of storing the personal value elsewhere if you now restore it to a system rebuilt from possibly rooted data? >> Is there a wireless router thrown in there somewhere? > > The one wireless link is between the laptop and an access point; the WAP > is connected to an Ethernet switch which lives between the workstation > and the gateway. Why do you ask? 
Strictly speaking, anything transmitted over the air should be considered the same as transmitting it over the Internet in general -- IOW, keep the AP outside the firewall, or in a DMZ behind an initial firewall/router and an inside one protecting the wired network upon which you put anything you'd not want exposed to the Internet in general. *OR* encrypt anything transmitted over the wireless to the same level you'd feel comfortable with were it transmitted over the Internet. If you are sure you trust the WEP or whatever of the wireless to the same level you'd trust your encrypted banking session, well, you can send your banking info over it, otherwise... Because once it's on air the wise thing is to simply assume that someone's listening in, just as is the case with the Internet. If it's encrypted to your satisfaction, great, if not, assume it's now publicly exposed info, because it's possible it is. ... For system rebuild scenarios, I use FEATURES=buildpkg here, and then periodically backup my packages dir (which is also on my main system's RAID-6, for a bit of redundancy at that level, tho that won't of course protect from fat-fingering or the kernel-rc I decide to try that has a bugged md/raid that scribbles gibberish all over my previously working RAID). That gives me binary packages of everything should I need to rebuild, so it shouldn't take a week, tho it'll take a few hours. Of course, a backup of /etc and other INSTALL_PROTECT dirs should be made as well, so you don't have to reconfigure everything. Private data backups are a bit different. For the reasons explained above, I'd not be comfortable putting backup data on a firewall machine -- at least not unless I had it checksummed or signed to detect tampering (which handily detects in-transit and in- storage corruption as well =8^), with those checksums stored elsewhere, say on a USB key or the like. 
What I'd suggest these days would be backing up the config and anything private from the laptop onto the desktop, then using an eSATA (external SATA, the connection's about the same but the connectors speced to be a bit more robust, but you could use standard SATA if you were careful) drive attached to it to back up its private data and config, plus the shared package data (you don't need to back up the laptop's data from it however, as one would hope you don't lose both the laptop and the desktop at once). Keep the external drive unplugged except for the once weekly or whatever that you do the backup. If you are really paranoid, do the two separate sets thing, alternating full backups so you have the previous week's backup if you lose both the machine and the external disk during a backup session.

The beautiful thing about hard drive media backups is that you can pretty much simply copy all your data over just as it is, not worrying about fancy backup formats or whatever. To restore, you just copy it back, and if you have it set up right and you chose your hardware and kernel etc config with this in mind as well, you can even boot the backup itself and have a fully working system to work in while doing the restore.

I recommend SATA/eSATA because the bus speeds are higher than USB 2.0 and Firewire 400 (Firewire 800 is getting there; of course the drive itself may not be any faster than USB 2.0 anyway, but it doesn't hurt), and they don't incur the protocol transfer overhead that the USB/FW stuff does -- depending on the hardware you choose for implementation, you may be able to use the same kernel hardware drivers you use for your standard internal storage, yet they have all the convenience of pluggable external drives! =8^)

Here, I'm actually looking at the possibility of plugging in external eSATA based 5:1 port-multiplier-ed boxes for my next RAID upgrade, tho it's wish-list more than anything else at this point.
The other alternative is to remain internal, but switch to 2.5" drives using available 4/5.25" drive bay multiplexers. I've four such bays available for hard drive use in my full-tower, which would allow for 16 such drives (I'd obviously use port multipliers there as well). If I reserve two as hot-swap and use RAID-6 with its two parity-stripes, that'll give me a 12-way data striped RAID array, which should be reasonably fast even at the slower speeds of 2.5" drives. Still wish-list, tho, and I expect it'll be another couple years before it moves off wish-list status.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman
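Duncan's suggestion above, keeping checksums of the backup somewhere the firewall box cannot reach so that tampering or storage corruption shows up before a restore, worked through as an added example; this is not code from anyone in the thread. It assumes GNU coreutils (sha256sum, comm) on the machine doing the verification and a manifest path of your choosing outside the backup tree; signing the manifest with a key, the stronger option he also mentions, is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread: a checksum manifest for a backup
# tree, kept OFF the backup host (USB key, another machine), so that tampering
# or storage corruption is detected before a restore. Needs only coreutils.

# make_manifest BACKUP_DIR MANIFEST_FILE
# Hash every regular file under BACKUP_DIR with paths relative to it, sorted
# so the manifest is reproducible. MANIFEST_FILE must lie outside BACKUP_DIR
# (it would otherwise hash itself while still empty).
make_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# verify_manifest BACKUP_DIR MANIFEST_FILE
# Exit status 0 only if every listed file is present with its recorded hash
# AND no unlisted file has appeared. sha256sum -c alone catches modified and
# missing files; the second pass catches additions, which a tampered backup
# could contain without changing any recorded hash.
verify_manifest() {
    dir=$1; man=$2; status=0
    case $man in /*) ;; *) man=$PWD/$man ;; esac   # keep path valid after cd
    ( cd "$dir" && sha256sum --quiet -c "$man" ) || status=1
    listed=$(mktemp)
    # manifest lines are "<hash>  <path>"; drop the hash and its two spaces
    cut -d' ' -f3- "$man" | LC_ALL=C sort > "$listed"
    extra=$( ( cd "$dir" && find . -type f -print | LC_ALL=C sort ) |
             LC_ALL=C comm -23 - "$listed" )
    rm -f "$listed"
    if [ -n "$extra" ]; then
        echo "files not in manifest:" >&2
        echo "$extra" >&2
        status=1
    fi
    return $status
}

# Usage: backup-manifest.sh make|verify BACKUP_DIR MANIFEST_FILE
# (only runs when invoked with arguments, so the functions can be sourced too)
if [ $# -eq 3 ]; then
    case $1 in
        make)   make_manifest "$2" "$3" ;;
        verify) verify_manifest "$2" "$3" ;;
        *)      echo "unknown action: $1" >&2; exit 2 ;;
    esac
fi
```

Run `make` right after the backup completes and copy the manifest to the USB key; run `verify` against the copy from the key, never against a manifest stored beside the backup, since whoever can alter the backup can alter a co-located manifest just as easily.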
* Re: [gentoo-amd64] Local network backup
From: Volker Armin Hemmann @ 2007-09-15 12:39 UTC
To: gentoo-amd64

On Friday, 14 September 2007, Peter Humphrey wrote:
> Here's today's problem.
>
> I have a firewall-cum-gateway box between my tiny LAN and the Internet. The
> gateway runs constantly, while the internal boxes run when needed (they're
> my laptop and workstation). I want to use some space on the gateway to
> store backups of the other boxes, and I'd like the backup to run unattended
> at a time when the others are likely to be running. This seems not to be
> possible without security risks.

So you want to store your most sensitive data on the box most exposed to attacks? Doesn't that sound strange, when you think about it?