The rsync utility has a lot of great uses, such as keeping servers in sync with one another, but sometimes you want it to run unattended. So how do you securely and automatically sync between servers?
Because rsync and ssh work so well together, it’s easy to set up an encrypted, rsync-only link. There are a few different pieces that have to be put in place, so be sure to follow along closely.
First, understand that the method I’m describing is a “pull” rather than a “push”. The backup server connects to the production server to pull the most recent copies of the files. I prefer this method because it reduces the attack surface of the backup servers – they don’t need to accept ssh or rsync connections. They only need to connect to ssh on the production servers. The production servers are also well protected from outside/malicious ssh connections, as you’ll see below.
Production Server Configuration
On the production server, you need to ensure the backup user has permissions to read all the files you wish to sync. This is probably best done by adding the user to a group which has such permissions. To protect the server, we install a script which refuses any SSH connections except for rsync. Log in as the backup user and execute the following:
mkdir -p ~/.ssh
cd ~/.ssh
wget http://www.6by9.net/wp-content/uploads/2012/07/automatic_rsync__validate.txt -O validate-rsync
chmod 700 validate-rsync
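The linked validate-rsync script is not reproduced on this page, so here is an added example of what such a forced-command validator looks like (my code, not the script the post links to). It assumes sshd runs it through the authorized_keys command= option, that rsync is on the PATH of the backup user, and that logger is available for the refusal audit line; the rejection of --remove-* options is an extra check of my own, added because the post promises the pull never changes the production server.

```sh
#!/bin/sh
# validate-rsync (added example, not the script the post links to): an SSH forced
# command that lets this key start an rsync server process and nothing else.
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND; the
# authorized_keys "command=" option makes sshd run this script instead of it.

# Returns 0 when $1 is an rsync pull request this account is willing to serve.
validate_rsync_command() {
    cmd=$1

    # Whitelist: an "rsync --server" command line only needs letters, digits,
    # "-", ".", "/", "=" and spaces. Anything else (";", "$", backticks, "|",
    # newlines, "*") is how an injected command would have to be spelled.
    stripped=$(printf '%s' "$cmd" | tr -d ' ')
    case $stripped in
        *[!A-Za-z0-9._/=-]*) return 1 ;;
    esac

    # The backup host pulls, so the production side must be the sender. Any
    # other mode (a push into this account, an interactive shell, scp) is refused.
    case $cmd in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac

    # The pull must never change the production server: refuse options that
    # would make the sender delete or move what it sends (assumed extra check).
    case $cmd in
        *--remove-*) return 1 ;;
    esac

    return 0
}

# Dispatch only when sshd is running us (SSH_CONNECTION is set); sourcing the
# file elsewhere just defines the function above.
if [ -n "${SSH_CONNECTION-}" ]; then
    if validate_rsync_command "${SSH_ORIGINAL_COMMAND-}"; then
        set -f                          # no globbing while splitting the line
        set -- $SSH_ORIGINAL_COMMAND    # the whitelist guarantees plain words
        shift                           # drop the leading "rsync" word
        exec rsync "$@"
    fi
    logger -p auth.warning "validate-rsync: refused '${SSH_ORIGINAL_COMMAND-<no command>}' from ${SSH_CONNECTION%% *}"
    echo "This key may only be used for rsync." >&2
    exit 1
fi
```

Install it as ~/.ssh/validate-rsync with mode 700, exactly as the commands above do for the linked script. The from= and command= options in the authorized_keys entry below already pin the key to one source address and one program; adding no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding to the same entry closes the remaining session features a forced command does not cover. A quick check from the backup server is to run ssh -i rsync-key against the production server with a command such as id: the only thing you should get back is the refusal message, and a matching line in the production server's auth log.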
Backup Server Configuration
On the backup server, you will use the same username to create the proper host authorization files in that user's ~/.ssh directory:
mkdir -p ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa -N "" -f rsync-key
echo 'from="192.168.1.1",command="'`echo -n ~`'/.ssh/validate-rsync"' `cat rsync-key.pub` | ssh `whoami`@production-server "cat - >> ~/.ssh/authorized_keys"
In the commands above, you need to replace production-server with the name of your production server. The IP address 192.168.1.1 must be replaced by the IP address of the backup server.
To schedule a periodic rsync of the files, cron is most useful. Almost all Linux distributions provide script directories in /etc/cron.* to run scripts hourly, daily, weekly, etc. Log in as root, choose the frequency of backups you prefer and then install the script:
cd /etc/cron.weekly
wget http://www.6by9.net/wp-content/uploads/2012/07/automatic_rsync__production-server.txt -O rsync-production-server
chmod 755 rsync-production-server
Edit the rsync-production-server script and specify the proper values for backup-directory. Remember that rsync differentiates between directories that are specified with or without the trailing slash.
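The post's own rsync-production-server script lives at the linked URL and is not shown here, so the following is an added example of how a cron pull script of this kind can be written (my code, not the post's). The host name, source and destination directories and the key path are assumed values to be edited for your site; the script is written so that a clean run prints nothing, which is what keeps cron quiet, and so that rsync's output is only shown when the pull fails.

```sh
#!/bin/sh
# rsync-production-server (added example, not the post's script): the cron-side
# pull that mirrors a directory from the production server onto this host.
# Edit these assumed values for your own site.
PRODUCTION_SERVER=production-server          # host whose authorized_keys holds rsync-key.pub
SOURCE_DIRECTORY=/srv/www                    # directory to copy from the production server
BACKUP_DIRECTORY=/backup/production-server   # local destination on the backup server
KEY_FILE=$HOME/.ssh/rsync-key                # the key generated in the previous step

# rsync treats "dir" and "dir/" differently: "dir/" means the contents of dir,
# while "dir" creates a subdirectory named dir inside the destination.
# Normalising both ends to a trailing slash keeps the two trees mirror images.
with_trailing_slash() {
    case $1 in
        */) printf '%s\n' "$1" ;;
        *)  printf '%s/\n' "$1" ;;
    esac
}

# The ssh command rsync will use: the dedicated key only, and batch mode so a
# missing key or changed host key fails at once instead of hanging cron on a prompt.
ssh_command() {
    printf '%s\n' "ssh -i $KEY_FILE -o BatchMode=yes -o IdentitiesOnly=yes"
}

run_backup() {
    src=$(with_trailing_slash "$SOURCE_DIRECTORY")
    dst=$(with_trailing_slash "$BACKUP_DIRECTORY")
    mkdir -p "$dst" || return 1
    log=$(mktemp) || return 1

    # -a preserves ownership, permissions and timestamps; --delete removes local
    # files that no longer exist on the production side. Nothing is written to
    # the production server: this end only ever receives.
    rsync -a --delete -e "$(ssh_command)" "$PRODUCTION_SERVER:$src" "$dst" >"$log" 2>&1
    status=$?

    # Silent on success; on failure replay rsync's output so cron mails it to root.
    if [ "$status" -ne 0 ]; then
        echo "rsync from $PRODUCTION_SERVER failed with exit status $status:" >&2
        cat "$log" >&2
    fi
    rm -f "$log"
    return "$status"
}

# Only pull when executed under the installed script name; sourcing this file
# or running it under another name merely defines the functions above.
case $0 in
    */rsync-production-server|rsync-production-server) run_backup ;;
esac
```

Adding -v to the rsync call and -v to the ssh options inside ssh_command is the troubleshooting step the post describes; with the logging above, that extra output only reaches you when the run fails.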
With these steps complete, try manually running the rsync-production-server script. Remember that it won't be making any changes on the production server; it will only be syncing the state of the backup server to that of the production server.
If you have any issues, you should add -v flags to the rsync and ssh calls inside the rsync-production-server script. It may also be helpful to examine the sshd logs on the production server to see if the connections are getting through.
If the script runs successfully you will see no output. Cron will automatically run the script from now on.
Multiple production servers may be backed up in a similar fashion. There is no need to generate multiple rsync-key ssh authorization keys, but you will need to create a unique cron backup script for each server.