
In the case of a simple web server with a MySQL database, the script has to dump the database, copy the web-server files and tar everything together. Then a NAS server rsyncs the tar file via an SSH key ("ssh-copy-id") set up for a user "backup" that can only access its own home folder, where the backups are stored.

I know a few things, like storing the credentials in an env file and limiting access to the script and the env file, but I have some doubts too:

1- Is it better for root to access and execute the script and env file and then give the tar file to the backup user, or to let the backup user execute the script?

2- Is rsync via SSH key to a limited backup user the best way to export the backup file, or is there a better way (in terms of security)?

  • What type of attacks are you concerned about? Apr 11 at 9:00
  • Mainly lateral movement, privilege escalation and database credentials leaking, but there may be other dangers that I'm not aware of. Apr 11 at 12:05
  • Do you trust the NAS machine? Do you want to limit what the NAS can do to the web server? Sorry, it's not clear to me. Apr 11 at 21:54
  • I was questioning some methods I use to back up some servers, one being whether it's right to let root execute the script that creates the backups, the other whether this way of rsyncing the file is fine too, or if there is another way. But I've been studying it recently and it looks like it's fine. Apr 13 at 12:20
  • Also I would like to know if there is some bad practice in the methods I'm using, because I don't see myself as very experienced in this matter yet. Apr 13 at 12:23

1 Answer


You could run the rsync from the NAS machine. The NAS will connect over ssh to the web server and run the rsync. In this way your web server has no access to the NAS.

  • Sorry, I think I wasn't clear, this is the way it runs already. Apr 10 at 15:45
  • and micea told you how to improve the quality of security – djdomi Apr 10 at 18:08
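The arrangement the question describes and the answer recommends (root builds the tarball, hands it to the restricted "backup" user, the NAS pulls it over SSH and the web server never initiates anything towards the NAS), as an added example that is not from the original post or its answer. Assumptions: the credentials live in /root/backup.env as DB_USER, DB_PASS and DB_NAME; the web root is /var/www/html; the backup user's home is /home/backup; the host is Linux with GNU coreutils; and rrsync from the rsync distribution is installed on the web server.

```bash
#!/bin/bash
# Added example, not code from the original question or answer.
# Root-run backup script for a web server with MySQL, plus the
# authorized_keys restriction that pins the NAS key to read-only rsync.
# Paths, variable names and the "backup" user are assumptions.
set -eu

ENV_FILE="${ENV_FILE:-/root/backup.env}"      # DB_USER=... DB_PASS=... DB_NAME=...
WEB_ROOT="${WEB_ROOT:-/var/www/html}"
BACKUP_USER="${BACKUP_USER:-backup}"
BACKUP_HOME="${BACKUP_HOME:-/home/backup}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# Refuse a credentials file that anyone but its owner can read.
# Returns 0 when the mode is 0600 or 0400 and the owner is the user running
# the script (root in production); 1 otherwise. Uses GNU stat (Linux).
check_env_perms() {
    local f="$1" mode owner
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    case "$mode" in
        600|400) ;;
        *) return 1 ;;
    esac
    [ "$owner" = "$(id -un)" ]
}

# Build the authorized_keys line for the NAS key. "restrict" turns off port
# and agent forwarding, X11 and PTY allocation; the forced command
# "rrsync -ro DIR" only allows rsync reads below DIR, whatever the client
# asks for. (rrsync is a command in rsync >= 3.2.3; older packages ship it
# under /usr/share/doc/rsync/scripts/.)
authorized_keys_line() {
    local pubkey="$1"
    printf 'restrict,command="rrsync -ro %s" %s\n' "$BACKUP_HOME" "$pubkey"
}

# Dump the database and the web root into a tarball that only root can read,
# then hand the finished file to the backup user. The password never appears
# on a command line: mysqldump reads it from a temporary --defaults-extra-file.
run_backup() {
    check_env_perms "$ENV_FILE" || {
        echo "refusing: $ENV_FILE must be mode 0600 and owned by $(id -un)" >&2
        return 1
    }
    # shellcheck source=/dev/null
    . "$ENV_FILE"
    : "${DB_USER:?}" "${DB_PASS:?}" "${DB_NAME:?}"

    umask 077                      # everything created below is root-only
    work=$(mktemp -d)
    trap "rm -rf '$work'" EXIT
    local stamp out
    stamp=$(date +%Y%m%d-%H%M%S)

    printf '[client]\nuser=%s\npassword=%s\n' "$DB_USER" "$DB_PASS" > "$work/my.cnf"
    mysqldump --defaults-extra-file="$work/my.cnf" --single-transaction "$DB_NAME" \
        > "$work/db.sql"
    rm -f "$work/my.cnf"

    out="$work/site-$stamp.tar.gz"
    tar -czf "$out" -C "$work" db.sql \
        -C "$(dirname "$WEB_ROOT")" "$(basename "$WEB_ROOT")"

    # Hand-over: the backup user owns the file and nobody else can read it.
    install -o "$BACKUP_USER" -g "$BACKUP_USER" -m 0400 "$out" "$BACKUP_HOME/"
    find "$BACKUP_HOME" -maxdepth 1 -name 'site-*.tar.gz' -mtime +"$KEEP_DAYS" -delete
}

case "${1:-}" in
    run) run_backup ;;
    key) authorized_keys_line "${2:?public key required}" ;;
    *) ;;   # sourced, or run without a verb: only define the functions
esac
```

On the web server, `backup.sh run` goes in root's crontab, so the env file and the MySQL credentials are never readable by the backup user; that user only ever sees finished tarballs in its own home. Append the output of `backup.sh key "$(cat nas_key.pub)"` to /home/backup/.ssh/authorized_keys, and the NAS pulls with `rsync -a backup@web:./ /srv/backups/web/` (rrsync maps the requested path onto /home/backup). With that key the NAS can do nothing else on the web server: rrsync -ro rejects uploads and any non-rsync command, and restrict removes the forwarding and shell tricks a stolen key would otherwise offer. The web server holds no key for the NAS at all, which is the direction the answer recommends. One caveat the script does not solve: the tarball contains the site's config files, so a NAS compromise still exposes whatever credentials the application stores there; encrypting the archive before the hand-over (for example with a public key whose private half never lives on either machine) closes that gap.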
