Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Your opinion on my Hetzner rsync backup to Storage Box setup
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Your opinion on my Hetzner rsync backup to Storage Box setup

nqservicesnqservices Member
edited January 2021 in General

Hi,

I bought a dedicated server and also a storage box from Hetzner. And I have setup the storage box in the way I leave below. Can you please see and give me your opinion? Is this a good setup or should I use a different method?

a) Mount Storage Box to server /mnt/storagebox using CIFS as describes at:
https://docs.hetzner.com/robot/storage-box/access/access-samba-cifs since I think is the best option for reliability and speed.

b) I just need to backup 1 folder. So I install rsync and setup the below cronjob:

05 3 * * * /usr/bin/rsync -a --delete /folder1 /mnt/storagebox/folder1

c) Activate on Hetzner Storage box panel, automatic daily snapshots, keeping the last 5 snapshots.

In resume with this setup, my objective is to always have a daily snapshot backup of the last 5 days. Since snapshot access folder is disable, even if my server is hacked, the hacker will not be able to gain access and delete my snapshot backups.

P.S: Server is running Ubuntu 20.04

Any opinion or advice is appreciated. Thanks!

Comments

  • I think your setup is good enough. I did use the same method when I had a hetzner server. I just keep 2 snapshot.

  • Is there a reason you're rsyncing over CIFS rather than directly to the storage box? If you enable SSH access you can use rsync over port 23 and setup ssh keys for auth.
    That said though I imagine maybe CIFS has less encryption overhead compared to ssh? Just curious whether there was a specific reason driving the decision to go that route

    As far as the snapshots go thats definitely the recommended way to get it done and its what I did when I used a storage box before.

  • From memory borgbackup is supported on hetzner storage boxes

  • ErisaErisa Member
    edited January 2021

    @chip said:
    From memory borgbackup is supported on hetzner storage boxes

    Yeah, it goes over their port 23 ssh, same as rsync. At one point I was using restic with it since its just an ordinary ssh endpoint.
    https://docs.hetzner.com/robot/storage-box/access/access-ssh-rsync-borg/
    https://community.hetzner.com/tutorials/install-and-configure-borgbackup/

  • @Erisa said:

    @chip said:
    From memory borgbackup is supported on hetzner storage boxes

    Yeah, it goes over their port 23 ssh, same as rsync. At one point I was using restic with it since its just an ordinary ssh endpoint.
    https://docs.hetzner.com/robot/storage-box/access/access-ssh-rsync-borg/
    https://community.hetzner.com/tutorials/install-and-configure-borgbackup/

    Why don't you configure borgmatic? .... then you don't need snapshots.... borgmatic can keep its own snapshots

    Chip

  • @chip said:

    @Erisa said:

    @chip said:
    From memory borgbackup is supported on hetzner storage boxes

    Yeah, it goes over their port 23 ssh, same as rsync. At one point I was using restic with it since its just an ordinary ssh endpoint.
    https://docs.hetzner.com/robot/storage-box/access/access-ssh-rsync-borg/
    https://community.hetzner.com/tutorials/install-and-configure-borgbackup/

    Why don't you configure borgmatic? .... then you don't need snapshots.... borgmatic can keep its own snapshots

    Chip

    The snapshots that Hetzner creates are read-only - as OP said if for any worst-case reason the server is compromised including its backup credentials then its impossible for the snapshots to be nuked, so you'll always have something to recover from even if the worst thing ever happens. It's not something you need per-se, just an extra layer of defense.
    If you hosted borg yourself you'd use its append-only option to do something similar, I dont think thats possible with storage boxes but truth be told I wouldn't know.

  • @Erisa said:

    @chip said:

    @Erisa said:

    @chip said:
    From memory borgbackup is supported on hetzner storage boxes

    Yeah, it goes over their port 23 ssh, same as rsync. At one point I was using restic with it since its just an ordinary ssh endpoint.
    https://docs.hetzner.com/robot/storage-box/access/access-ssh-rsync-borg/
    https://community.hetzner.com/tutorials/install-and-configure-borgbackup/

    Why don't you configure borgmatic? .... then you don't need snapshots.... borgmatic can keep its own snapshots

    Chip

    The snapshots that Hetzner creates are read-only - as OP said if for any worst-case reason the server is compromised including its backup credentials then its impossible for the snapshots to be nuked, so you'll always have something to recover from even if the worst thing ever happens. It's not something you need per-se, just an extra layer of defense.
    If you hosted borg yourself you'd use its append-only option to do something similar, I dont think thats possible with storage boxes but truth be told I wouldn't know.

    Are you sure about that?... I'm sure I've wandered round the folder as an FTP user and vaguely (and I may be wrong) remember deleting a folder (of course it was some time ago when I've used hetzner storage boxes and I could be completely wrong)

  • @chip said:

    @Erisa said:

    @chip said:

    @Erisa said:

    @chip said:
    From memory borgbackup is supported on hetzner storage boxes

    Yeah, it goes over their port 23 ssh, same as rsync. At one point I was using restic with it since its just an ordinary ssh endpoint.
    https://docs.hetzner.com/robot/storage-box/access/access-ssh-rsync-borg/
    https://community.hetzner.com/tutorials/install-and-configure-borgbackup/

    Why don't you configure borgmatic? .... then you don't need snapshots.... borgmatic can keep its own snapshots

    Chip

    The snapshots that Hetzner creates are read-only - as OP said if for any worst-case reason the server is compromised including its backup credentials then its impossible for the snapshots to be nuked, so you'll always have something to recover from even if the worst thing ever happens. It's not something you need per-se, just an extra layer of defense.
    If you hosted borg yourself you'd use its append-only option to do something similar, I dont think thats possible with storage boxes but truth be told I wouldn't know.

    Are you sure about that?... I'm sure I've wandered round the folder as an FTP user and vaguely (and I may be wrong) remember deleting a folder (of course it was some time ago when I've used hetzner storage boxes and I could be completely wrong)

    It's not even visible by default, you have to enable showing it in the settings. The folder is .zfs and inside .zfs/snapshots youll find read-only virtual folders that map those ZFS snapshots into folders. I can confirm first-hand from both my own ZFS systems and from Hetzner's storage boxes that you simply can't mess with them (edit or delete) without access to the robot dashboard.

    Worth noting also that 1) you can just leave the folder disabled, then the backup user can't ever even access it to begin with (So only the current data is visible, snapshots are handled transparently in the background) and 2) theyre only visible to the "root"/main user of the storage box. If you create a sub-user they will never have access to the snapshots no matter what happens (Or as it happens, the rest of the box, so you can put different server backups in different locations with different sub-users)

    Thanked by 1chip
  • @Erisa said:
    Is there a reason you're rsyncing over CIFS rather than directly to the storage box? If you enable SSH access you can use rsync over port 23 and setup ssh keys for auth.
    That said though I imagine maybe CIFS has less encryption overhead compared to ssh? Just curious whether there was a specific reason driving the decision to go that route

    >

    No reason at all. Did not think on using direct rsync by port 23 SSH. Do not know if CIFS is better vs SSH. Anyone knows?

    Also you said on other post:
    "2) theyre only visible to the "root"/main user of the storage box. If you create a sub-user they will never have access to the snapshots no matter what happens"

    Since the server is hosting just one website that is mine I setup the backups using the root storage box account. Is that a security issue? Meaning with storage box root account a hacker can access the snapshots, even if access is disabled in hetzner control panel? To resume using a sub-account is more secure?

    Thanks

  • @nqservices said: Since the server is hosting just one website that is mine I setup the backups using the root storage box account. Is that a security issue? Meaning with storage box root account a hacker can access the snapshots, even if access is disabled in hetzner control panel? To resume using a sub-account is more secure?

    No, it's not really an issue. The credentials are still independent to your hetzner ones (As you would know) and if you disable access to the snapshots directory then an attacker could not even see those. Even if its on, the worst they can do is view the backups, its impossible to delete them without your hetzner login.

    You can always switch to a sub-user later if the need arises to have multiple backups on your box, just make sure everything is in its own folder and create a sub-user as needed in hetzners panel. So I wouldn't worry about it for now.

  • I haven't used their storage box in a while, but if I remember correctly at least back in the days that storage was bound to a specific user. using rsync in that then cannot mirror/handle multiple different users properly.
    not saying your setup won't work, you might just want to keep that in mind ;-)

    as long as you only backup data, that you can easily readjust the uid/gid after a restore, I think it's fine regardless cifs/ssh/etc.
    however if you would want to mirror the whole system with different services, users and permission pure rsync like that is rather limited and the backup will more likely not be usable for 'simple' backwards restore.

    borg would solve that culprit as it saves permission and stuff internally as well as encrypting/archiving the files in chunks and so on...

  • Yeah use of rsync in these situations is usually just for "dump" backups of a folder or two, I imagine if you wanted something more complex you would pick something like borg (or archive the folders yourself.. if you enjoy suffering). I can't deny though that rsync is simple and works for getting a folder to another place

  • For Borg backup borgbase.com is better - faster and much more features dedicated to Borg like append only mode for given SSH key etc.

  • @lyb9b said:
    For Borg backup borgbase.com is better - faster and much more features dedicated to Borg like append only mode for given SSH key etc.

    I use borgbase with borg after learning about it from someone's signature on here... its actually really easy to use and coupled with borgbase that pretty much tells you what to put where.... you can't really go wrong

Sign In or Register to comment.