Secure rsync setup

2006-12-17 Thread Thorsten Schmidt
Hello,

I'm thinking of using rsync for backup purposes.
Sadly, the server (alpha) hosting the files I'd like to back up does not allow 
ssh or rsync connections - but I may execute rsync as a cron job or 
cgi-script.
But I run a server (beta - debian sarge) that may serve as the rsync server, 
therefore I thought that alpha may call beta to back up his data by using 
rsync over ssh and ssh-keys.
However, this requires alpha having an ssh-key. Furthermore I'm not in charge 
of alpha's security, thus I have to make sure that an attacker who gained 
access to alpha's ssh-key is not able to compromise beta (well, he might be 
able to delete / modify the backed-up data, but this might be circumvented by 
regularly tarring the backed-up data).
Thus my question is: How should I configure / secure beta to prevent this?

I thought of using a new sarge installation in vmware, but this will require a 
lot of resources I'm unwilling to spend.
I thought of a new sarge installation on Xen - but I don't know whether Xen 
is ready to be used in a hostile environment.
I thought of a sarge installation in a chroot environment, but I don't know 
whether a tight (tightened by grsecurity) chroot would allow ssh / rsync to 
be called.
I thought of just creating a user for that on beta and setting appropriate 
permissions - but what kind of permissions would be appropriate?

What do you think?
Greetz
Thorsten.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Can ssh host keys be added to a gpg keyring?

2006-12-17 Thread Rob Walsh
On Sat, Dec 16, 2006 at 11:12:36PM -0600, Kenneth Stephen wrote:
> I'm trying to design a backup solution where the backups are
> encrypted with a key that's specific to the host (rather than to users
> on the host). The sshd key seems to be a good fit for this, but ssh
> doesn't seem to provide encryption / decryption tools. GPG does, but I
> can't figure out how to add the ssh server key to the GPG keyring. Can
> this be done? Is there a better alternative that I'm missing?

The short answer to your question is no, but check out 'man
openssl'.  You can use 'openssl {command}' to do a lot of the things
that 'gpg' does.

  Rob.




Re: Secure rsync setup

2006-12-17 Thread Izak Burger

On 12/17/06, Thorsten Schmidt [EMAIL PROTECTED] wrote:

> However, this requires alpha having an ssh-key. Furthermore I'm not in charge
> of alpha's security, thus I have to make sure that an attacker who gained
> access to alpha's ssh-key is not able to compromise beta (well, he might be
> able to delete / modify the backed-up data, but this might be circumvented by
> regularly tarring the backed-up data).
> Thus my question is: How should I configure / secure beta to prevent this?


Something that we've done in the past is to run some sort of vpn
solution (openswan or openvpn), and then to use straight rsync (rather
than rsync over ssh).  That pretty much removes the dangers of giving
ssh access (which could potentially hand someone a shell).  Using ssl
keys with your vpn solution means that you get the same private/public
key advantages as with ssh.  Of course he'd still be able to abuse a
hole in rsync, but I think the risk is at least lower.


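The daemon-over-VPN setup described in the reply above, as an added example that is not part of the original thread: an rsyncd.conf for beta that listens only on the VPN address and exposes one upload-only module. The addresses, paths, module name and account names are constructed assumptions.

```ini
# /etc/rsyncd.conf on beta (constructed example).
# Assumed values: 10.8.0.1 is beta's VPN address, 10.8.0.2 is alpha's VPN
# address; /srv/backup/alpha, the "backup" account and the rsync user
# "alpha" are placeholders.

# Global section: bind to the VPN interface only, never the public one.
address = 10.8.0.1
port = 873
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid

[alpha-backup]
    comment = push target for alpha
    path = /srv/backup/alpha
    # Transfers run as an unprivileged account, chrooted into "path".
    uid = backup
    gid = backup
    use chroot = yes
    # Only alpha's VPN address may connect to this module.
    hosts allow = 10.8.0.2
    hosts deny = *
    # Module-level credential, unrelated to any login account on beta.
    # The secrets file holds "alpha:<password>" and must not be
    # readable by other users.
    auth users = alpha
    secrets file = /etc/rsyncd.secrets
    # alpha may upload, but may not download or list the module.
    read only = no
    write only = yes
    list = no
    # A stolen credential cannot be used with --delete.
    refuse options = delete
    max connections = 2
```

No shell is reachable through this path, which is the point of the reply. Existing files can still be overwritten by an upload, so the periodic tar snapshots mentioned in the original question remain the protection against modification.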



Re: Can ssh host keys be added to a gpg keyring?

2006-12-17 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
> I'm trying to design a backup solution where the backups are
> encrypted with a key that's specific to the host (rather than to users
> on the host). The sshd key seems to be a good fit for this, but ssh
> doesn't seem to provide encryption / decryption tools. GPG does, but I
> can't figure out how to add the ssh server key to the GPG keyring. Can
> this be done? Is there a better alternative that I'm missing?

Create one key for each purpose. I.e. as root create a GPG Backup key for
each host.

Regards
Bernd





[Byte Support #71152]: [SECURITY] [DSA 1238-1] New clamav packages fix several vulnerabilities

2006-12-17 Thread Byte Support
Dear Sir or Madam,

Thank you for your message to Byte. It has been registered under ticket number 
#71152. We will send you a reply as soon as possible. 

If you have additional information, or have already solved the problem, would 
you please let us know? If you reply to this message, your reply will be linked 
to your earlier message.

All frequently asked questions are answered at:
http://docs.byte.nl/ -- Extensive documentation and manuals

You can manage all your settings at:
http://service.byte.nl/ -- All settings for your account

Current notices, quotes and general information:
http://www.byte.nl/ -- For current matters


Kind regards,

Byte Internet
www.byte.nl
[EMAIL PROTECTED]

