On Wednesday, 2002-10-30 at 13:07:31 -0500, Sean McAvoy wrote:
> I was looking at configuring a few of my VPN/Firewall systems to send me
> daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else set up
> something similar?
I'm doing something similar on a firewall I set up. It uses find/cpio to make an incremental dump (--newer SOME-MARK-FILE) and encrypts it. The dump is put in a directory that is part of a chroot jail. It gets encrypted with a public key in gpg. I pick it up from an internal machine with scp with a key without passphrase. The account used on the firewall has scponlyc as shell. (If you don't know scponly, it permits only certain ssh operations, and the scponlyc variant puts itself in a chroot jail, which in my case contains only the scp executables. http://sublimation.org/scponly/ )

The dump can only be decrypted with a special secret key, and access to its passphrase is controlled.

This is the dump script (BTW, this is a FreeBSD machine, you have to adjust the paths):

#!/bin/sh
# make sure gpg finds what it needs when run from cron
LD_LIBRARY_PATH=/usr/local/bin
export LD_LIBRARY_PATH
# drop the previous dump, then archive everything on / and /var (staying on
# those filesystems) that is newer than the level-0 marker, and encrypt it
# to the backup public key; no secret key is needed on the firewall
/bin/rm -f /jail/backup/level1.cpio.gpg && \
/usr/bin/find / /var -xdev -newer /jail/backup/Level0.mark -print0 | \
/usr/bin/cpio --create --format=newc --null --io-size=32768 --quiet | \
/usr/local/bin/gpg --encrypt --output /jail/backup/level1.cpio.gpg --recipient [EMAIL PROTECTED]

And this is the "fetch" script (SuSE box):

#!/bin/sh
# one local copy per day, named after the firewall ("cabernet")
LOCALFILE=/data/backup/cabernet/level1.cpio-`date +%Y%m%d-%a`.gpg
REMOTEFILE=backup/level1.cpio.gpg
# passphrase-less key that only gets the scponlyc account on the firewall
KEYFILE=/root/.ssh/cabernet-backup-id
/usr/bin/scp -B -q -i $KEYFILE [EMAIL PROTECTED]:$REMOTEFILE $LOCALFILE

HTH,
Lupe Christoph
--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |
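The same pattern as Lupe's dump script, written out as an added example (this is not his script, nor anything from scponly). It keeps the two points that make the scheme safe, the firewall only ever holds the backup public key and the fetcher only reads a directory inside the jail, and goes a little beyond the post: the archive is written to a temp name and renamed into place so a fetch that overlaps a dump never picks up a half-written file, a level-0 function advances the marker only after its archive is complete, and the restore side is spelled out. It assumes GNU or BSD find, cpio and gpg are installed; all paths, the recipient key and the demo tree are hypothetical, and the demo tree is constructed inline so the file-selection logic can be tried without gpg.

```shell
#!/bin/sh
# Added example, not the original poster's script. Differential dump of files
# newer than a level-0 marker, encrypted on the firewall to a public key only.
# Assumes GNU/BSD find, cpio and gpg; paths and recipient are hypothetical.
set -e

# NUL-separated list of regular files under ROOT modified after MARK.
# -xdev stays on ROOT's filesystem (no /proc, /dev, mounted media).
# -type f leaves out directories and symlinks; drop it if you need them, but
# then every directory an entry was added to shows up in each dump.
changed_since() {   # changed_since ROOT MARK
    find "$1" -xdev -type f -newer "$2" -print0
}

# Count entries in a NUL-separated list read from stdin.
count_nul() {
    tr '\0' '\n' | wc -l | tr -d ' '
}

# Differential dump: archive + encrypt to a temp name, then rename into place,
# so a fetcher running concurrently never sees a partial archive.
# --batch/--yes suit cron; --trust-model always avoids gpg refusing a
# recipient key that was imported but never signed on this machine.
dump_level1() {   # dump_level1 ROOT MARK OUT RECIPIENT
    tmp="$3.tmp"
    rm -f "$tmp"
    changed_since "$1" "$2" \
      | cpio --create --format=newc --null --quiet \
      | gpg --batch --yes --trust-model always --encrypt \
            --recipient "$4" --output "$tmp"
    mv -f "$tmp" "$3"
}

# Full (level-0) dump. The marker is touched only after the archive is in
# place, so a failed level 0 cannot silently shrink the following level 1s.
dump_level0() {   # dump_level0 ROOT MARK OUT RECIPIENT
    tmp="$3.tmp"
    rm -f "$tmp"
    find "$1" -xdev -type f -print0 \
      | cpio --create --format=newc --null --quiet \
      | gpg --batch --yes --trust-model always --encrypt \
            --recipient "$4" --output "$tmp"
    mv -f "$tmp" "$3"
    touch "$2"
}

# Restore on the internal machine, the only place the secret key lives.
restore_into() {   # restore_into ARCHIVE DESTDIR
    mkdir -p "$2"
    gpg --batch --decrypt "$1" \
      | (cd "$2" && cpio --extract --make-directories --quiet)
}

# Constructed demo tree (hypothetical content): two config files older than
# the marker, one of them rewritten after the marker was set.
make_demo_tree() {   # make_demo_tree DIR
    mkdir -p "$1/etc"
    printf 'hostname="fw"\n' > "$1/etc/rc.conf"
    printf 'block all\n'     > "$1/etc/pf.conf"
    touch -t 200210010000 "$1/etc/rc.conf" "$1/etc/pf.conf"
    touch -t 200210150000 "$1/Level0.mark"
    printf 'block all\npass out\n' > "$1/etc/pf.conf"   # now newer than marker
}

# Typical cron use on the firewall (hypothetical paths and key):
#   dump_level0 / /jail/backup/Level0.mark /jail/backup/level0.cpio.gpg backup@example.org
#   dump_level1 / /jail/backup/Level0.mark /jail/backup/level1.cpio.gpg backup@example.org
```

Note that find -newer is strict: a file modified in the same second as the marker on a filesystem with one-second timestamps is not picked up, which is one more reason to write the marker after the level-0 archive rather than before it.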