I wanted an off-site backup destination for my Synology DS109. I decided to use an ‘old’ NSLU2 which I had lying around. I have installed Debian Lenny on a 2GB USB flash disk; this is a good website for installing Debian on an NSLU2, if you want to try it yourself.
The best method for low-bandwidth backups (except for the first one) is the use of rsync. So let’s get an rsync daemon running and worry about security later.
Assuming rsync is installed, let’s create the config file used by the daemon in /etc/rsyncd.conf:
vi /etc/rsyncd.conf
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
read only = yes
uid = root
gid = root
use chroot = no
[synology]
path = /path/to/backuplocation/
comment = NAS rsync backup
read only = no
list = yes
auth users = root
secrets file = /etc/rsyncd.secrets
ESC
:wq
Basically the daemon runs as root and has a backup module “synology” waiting for connections on port 873. To allow only specific users to connect to the module I used ‘auth users = root’ and put the username/password in /etc/rsyncd.secrets:
vi /etc/rsyncd.secrets
root:12345
ESC
:wq
chmod 640 /etc/rsyncd.secrets
/etc/init.d/rsyncd start
Let’s see if everything is running correctly:
srv> rsync root@192.168.1.2::
synology NAS rsync backup
Now we can use our rsync client or the Network Backup feature of the Synology NAS to replicate to the NSLU2 rsync daemon.
All without encryption and using the root account; not too secure, right?
So, what are our options?
1. Use no encryption
2. Use an SSH tunnel
3. Use SSH and an unprivileged user
Assuming the first one is not an option, we can create an SSH tunnel with the following command:
ssh -f -L 873:192.168.1.2:873 root@192.168.1.2 sleep 10; rsync -avh /path/to/source root@localhost::synology
This creates a tunnel from port 873 on the localhost to port 873 on the remote host and runs a sleep command there. The sleep command causes no stress on the remote host. The tunnel disconnects itself when the sleep command is done, so we need to start the rsync command within those 10 seconds; the tunnel then stays open for as long as rsync is using it. For more information on auto-closing ssh tunnels, check this website.
This still uses the root account, and also cannot be used with the Network Backup of the Synology. It is possible to use it on the Synology with crontab, but this is not really user-friendly, so we need to create an unprivileged user and connect to the rsync daemon via SSH.
First problem: when rsync connects over SSH, a new rsync daemon is started with the credentials used by the SSH connection; the already running daemon will not be used. So we need to have the settings from the running daemon transferred to the home folder of the unprivileged user.
First, create the user, e.g. “rsyncbackup”:
useradd -d /home/rsyncbackup -m -c "Backup User" rsyncbackup
passwd rsyncbackup
and log in as this user.
Create the same rsyncd.conf as we did for the daemon, but in this user’s home folder (/home/rsyncbackup/rsyncd.conf) and focussed on this user:
log file = /home/rsyncbackup/rsyncd.log
pid file = /home/rsyncbackup/rsyncd.pid
lock file = /home/rsyncbackup/rsync.lock
read only = yes
use chroot = no
[synology]
path = /path/to/backuplocation/
comment = NAS rsync backup
read only = no
list = yes
auth users = rsyncbackup
secrets file = /home/rsyncbackup/rsyncd.secrets
Be sure to set the correct permissions for this user to write to the backup destination!
If you start an rsync session using:
rsync -avhe ssh /path/to/source rsyncbackup@192.168.1.2::synology
you will first be prompted for your SSH password and then for the password to access the rsync module “synology”.
Now we have a secure (SSH) connection using an account with no permissions other than write to the backup destination.
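As an added example (not code from the original post), this Python script parses an rsyncd.conf and flags the settings discussed above, comparing the root daemon config with the one for the unprivileged SSH user. The function names and finding texts are made up for illustration, and the parameter defaults it assumes are noted in the code.

```python
# Added example (not from the original post): audit rsyncd.conf settings.
# Both samples are the post's configs, trimmed to the security-relevant lines.
ROOT_DAEMON_CONF = """\
read only = yes
uid = root
gid = root
use chroot = no
[synology]
path = /path/to/backuplocation/
read only = no
auth users = root
secrets file = /etc/rsyncd.secrets
"""
SSH_USER_CONF = """\
read only = yes
use chroot = no
[synology]
path = /path/to/backuplocation/
read only = no
auth users = rsyncbackup
secrets file = /home/rsyncbackup/rsyncd.secrets
"""
FALSE = ("no", "false", "0")  # boolean spellings rsyncd.conf accepts for "off"

def parse(text):
    """Return {module: settings}; each module inherits the global parameters."""
    global_cfg, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(global_cfg))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (global_cfg if current is None else current)[key.lower()] = value
    return modules

def audit(text, started_by_root):
    """started_by_root: True for the init-script daemon, False for the SSH user."""
    findings = []
    for name, cfg in parse(text).items():
        # Defaults assumed here: read only = yes, use chroot = yes, uid = nobody.
        writable = cfg.get("read only", "yes").lower() in FALSE
        if started_by_root and cfg.get("uid", "nobody") in ("root", "0"):
            findings.append((name, "transfers run as root"))
        if started_by_root and cfg.get("use chroot", "yes").lower() in FALSE:
            findings.append((name, "no chroot around the module path"))
        if writable and not cfg.get("auth users", "").strip():
            findings.append((name, "writable without auth users"))
    return findings
```

Calling audit(ROOT_DAEMON_CONF, True) reports the root uid and the disabled chroot for the “synology” module, while audit(SSH_USER_CONF, False) reports nothing, because the process started over SSH only has the rights of rsyncbackup.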
If you need to automate this, there are many tutorials on the web explaining how to rsync using SSH public keys; this is a good place to start.