Xavier Brochard wrote:
> On Thursday 30 July 2009 00:47:10, Keith Lofstrom wrote:
>
>> On Wed, Jul 29, 2009 at 11:18:16PM +0200, Xavier Brochard wrote:
>>
>>> Hello
>>>
>>> I need to backup a client without a fixed IP (it changes randomly 2 or 3
>>> times per week). The backup server is on the internet.
>>>
>>> I was wondering what is the best solution (regarding security, network
>>> load and dirvish run):
>>> - a push backup but mounting the backup disk with sshfs, dirvish on the
>>>   client
>>> - a pull backup, dirvish on the backup server, using dyndns.com or
>>>   no-ip.com
>>> - something else ?
>>>
>> Your remote clients should probably be talking to "home base" with
>> an encrypted vpn tunnel to your firewall. Then you pull backups
>> through the tunnel. Yes, it means more computation to do the tunnel
>> encryption at both ends (and I run dirvish/rsync with ssh, so I am
>> encrypting twice!). I have dynamic IP addresses on both ends, but
>> my firewall establishes its external URL with dyndns (using one of
>> the free subdomains), and remote clients talk to that. I have five
>> remote clients, one is 3000km away.
>>
>> I use a small ALIX computer (from PC Engines) for my firewall, see
>> http://wiki.keithl.com/index.cgi?SL5Alix
>> Cheap, fast, low power, X86, runs my favorite distro, and has three
>> 100Mbit ethernet ports, WAN/DMZ/LAN. It has built-in encryption
>> hardware which works with SSL/OpenVPN, but my main site has only
>> a 4Mbps connection. The ALIX CPU is fast enough for that, so I
>> haven't made the kernel patch.
>>
>> Security is easy. When I detect something going wrong, I pull out
>> the WAN connector.
>>
>> The one remaining issue is that user laptops move between the
>> inside network and outside vpns. It is possible to tweak internal
>> DNS so the backup server can always find them, but I haven't taken
>> the time to implement that. If your remote clients are always on
>> the same side of the firewall, this is not a problem.
>>
>
> I thought about VPN at first and... forgot it when I discovered sshfs. Looks
> like I was wrong... what are the advantages compared to sshfs (in this case)?
>
One of the primary benefits of using Dirvish for network backups is its use
of rsync and rsync's network protocol for efficiently transferring updates
over the network. When a remote filesystem is mounted locally, whether using
NFS, CIFS, sshfs, or something else, that benefit is lost. For rsync to
compare two files, it must read the remote file in its entirety over the
network before it can determine what's changed. Whatever solution you choose,
you should be running rsync from point A to point B.

My preferred solution is to just use SSH as a pseudo VPN. You could use a
Dynamic DNS service on the client and run Dirvish (rsync+ssh) to connect to
that DNS address. It would be secure since SSH verifies the host key before
connecting.

You could also run a second SSH tunnel from the client to the backup server
which the first SSH connection will piggyback on. This eliminates the need
for the client to run Dynamic DNS or otherwise be known or visible on the
Internet. Something like this command:

    while true; do ssh -o ServerAliveInterval=150 -R 8022:localhost:22 -N notroot@backupserver; sleep 60; done

will keep a constant connection to the backup server, allowing the backup
server to connect to port 8022 on localhost, which will be forwarded to sshd
on the client. If the connection is interrupted it will retry every 60
seconds. The above command does not need to be run as a privileged user on
the client and does not need to connect to a privileged user on the server.
The user notroot can be restricted on the backupserver to only be allowed to
do remote port forwarding and not have shell access.

> Thank you for your help anyway.
>
>
> Xavier
> [email protected]
> _______________________________________________
> Dirvish mailing list
> [email protected]
> http://www.dirvish.org/mailman/listinfo/dirvish
>
>

--
Loren M. Lang
[email protected]
http://www.alzatex.com/
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B
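The reverse-tunnel setup Loren describes, written out as an added example (not code from the thread or from dirvish): the client-side keeper loop, the authorized_keys line that limits the "notroot" key on the backup server to opening only the one loopback listener, and the rsync invocation the backup server runs through it. The user name notroot, host name backupserver and port 8022 are taken from the message; the paths and the dirvish rsh option are assumptions.

```shell
#!/bin/sh
# Reverse SSH tunnel for pulling backups from a client with a changing IP.
# Constructed example; user "notroot", host "backupserver" and port 8022
# follow the thread, everything else is an assumption.

BACKUP_USER=notroot        # unprivileged account on the backup server
BACKUP_HOST=backupserver   # the only host the client ever has to reach
TUNNEL_PORT=8022           # server-side loopback port that leads to client sshd

# Server side: authorized_keys line for $BACKUP_USER. "restrict" switches off
# pty, agent and X11 forwarding and all port forwarding; "port-forwarding"
# re-enables forwarding only, and permitlisten pins the -R listener to
# 127.0.0.1:8022 so the key cannot expose any other port on the server. The
# forced command means a session without -N just runs /bin/false and ends.
authorized_keys_entry() {
    pubkey=$1
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' \
        "$TUNNEL_PORT" "$pubkey"
}

# Client side: the ssh command that holds the tunnel open.
#  -N                     tunnel only, no remote command
#  ExitOnForwardFailure   exit (so the loop retries) if 8022 is already bound,
#                         instead of staying connected with no working forward
#  BatchMode              never block on a password or passphrase prompt
#  StrictHostKeyChecking  refuse an unknown or changed server host key
tunnel_command() {
    printf 'ssh -N -o ServerAliveInterval=150 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -o BatchMode=yes -o StrictHostKeyChecking=yes -R %s:localhost:22 %s@%s' \
        "$TUNNEL_PORT" "$BACKUP_USER" "$BACKUP_HOST"
}

# Client side: the retry loop from the thread, 60 s between attempts.
keep_tunnel() {
    while :; do
        eval "$(tunnel_command)"
        sleep 60
    done
}

# Server side: rsync reaches the client's sshd through the loopback listener.
# In dirvish the equivalent is the per-vault rsh option set to "ssh -p 8022"
# (assumed here). Source and destination paths are placeholders.
backup_command() {
    printf 'rsync -a -e "ssh -p %s" localhost:/home/ /backup/client/home/' "$TUNNEL_PORT"
}
```

Call keep_tunnel from a supervised service on the client and `backup_command` (or dirvish with the matching rsh setting) from the backup server's schedule.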
