
Time machine – Back to the future!

13th February 2020 | posted by David Acland

The following are the notes from the presentation given by James Bousfield to the LAA’s community on 13th Feb 2020.

Security Considerations:

  • All data sent over the network should be encrypted end to end (here, everything goes over SSH).
  • Data stored on any disk should be encrypted at rest. Note that SHA-256 is a hash function, not a cipher, so "SHA-256 encryption" is not a thing: use a proper disk encryption scheme such as AES-256 (FileVault on macOS).
  • Change the default ports for any well-known services, e.g. move SSH off port 22 before using this. This only reduces automated scanning noise; it is not a substitute for key-based authentication and host-key verification.
  • Password authentication should only be enabled where access is from known locations and authorised SSH keys are not possible; otherwise use SSH keys only.

The use of rsync to complete backups:

Local machine cloning of files / folders:

This is used to clone a single file / folder from one area on a machine to another. It wouldn't count as a backup, only a clone of the information. The flags are -r (recurse into directories), -h (human-readable sizes in the output), -l (copy symlinks as symlinks) and -H (preserve hard links).

 rsync -rhlH "$source" "$destination"

Cloning of files / folders over a network:

This would be used to create a clone of the desired information on another machine, over SSH. It could be classified as a backup, but not a great one: there is no history, just a single copy that is overwritten on every run. Note the trailing slash on the destination; a trailing slash on $source would copy its contents rather than the folder itself.

 rsync -rhlH -e "ssh -p $port" "$source" $username@$server:$path/

Add the Variable for Date in a pre-defined format:

This starts turning the clone into a snapshot backup with some history: each run goes into its own folder named after the time it ran.

 folder=$(date +%Y-%m%d-%H%M)

Add a "latest" symlink pointing at the most recent backup:

Again, this builds on the above: after each run, a symlink called latest is pointed at the newest snapshot folder. The next run uses it as the reference for hard-linking unchanged files, and it gives cleanup scripts a fixed name to check against. Repoint it only after a run has completed successfully, otherwise a failed or partial run becomes the reference for the next one.

 ssh -p $port $username@$server "rm -f $path/latest"
 ssh -p $port $username@$server "ln -s $path/$folder $path/latest"

Combine this with hard-linking of files / folders for space efficiency:

--link-dest points rsync at the previous snapshot: any file that is unchanged compared with it is hard-linked into the new folder instead of being copied, so every snapshot looks like a full copy while only changed files take up extra space. The path given to --link-dest is resolved on the receiving side, relative to the destination directory if it is not absolute.

 rsync --progress -rhlH -e "ssh -p $port" --link-dest=$path/latest "$source" $username@$server:$path/$folder

Make the backup run a little faster:

Adding --size-only limits rsync's "has this file changed?" check to the file size, skipping the modification-time comparison, which cuts down the work done on each run:

 --size-only

Two caveats. The flags used so far (-rhlH) do not include -t, so destination files never get the source's modification time; that is why rsync's default size-plus-mtime check keeps re-copying everything, and adding -t (or using -a) fixes the cause rather than the symptom. And --size-only also means a file that changes without changing size, which is exactly what a deliberate in-place modification looks like, is never re-copied and is hard-linked to the old version in every subsequent snapshot.

Merge an excluded files list into the script:

By merging a list of exclusions, you can specify files / file types that will be left out of the backups. Candidates for this would be macOS and AFP housekeeping files like:

 - .DS_Store
 - .afp_deleted

With --filter='merge FILE' each line of the file is parsed as a full rsync filter rule, so write them with the exclude prefix as above; a file of bare patterns (one per line, no prefix) is what --exclude-from=FILE expects instead.

 rsync --progress --size-only -rhlH --filter='merge /Library/Backups/exclusions.txt' -e "ssh -p $port" --link-dest=$path/latest "$source" $username@$server:$path/$folder
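The snapshot scheme built up above (date-named folder, --link-dest against a latest symlink, a merged filter file) run end to end, as an added example that is not part of the original notes. It works on local directories instead of over SSH so it can be run offline; the function names take_snapshot, same_inode and unique_files, the directory layout and the sample files are assumptions for the demonstration. It uses -rltH where the notes use -rhlH, because --link-dest only reuses a file when size and mtime match and -t is what keeps the mtime.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): the snapshot scheme run locally.
# Function names, paths and sample files are assumptions for the demonstration.
set -e

# Take one snapshot of $src into $dest/$folder, hard-linking unchanged files
# against $dest/latest, then repoint "latest" only after rsync succeeded.
# $rules is a file of rsync filter rules (lines such as "- .DS_Store").
take_snapshot() {
    local src=$1 dest=$2 rules=$3 folder=${4:-$(date +%Y-%m-%d-%H%M)} prev=
    mkdir -p "$dest"
    # Only pass --link-dest when a previous snapshot exists (first run has none).
    [ -e "$dest/latest" ] && prev=$dest/latest
    # -r recursive, -l keep symlinks, -t keep mtimes, -H keep hard links.
    # -t matters: --link-dest reuses a file only if size and mtime match.
    if ! rsync -rltH ${prev:+"--link-dest=$prev"} --filter="merge $rules" \
            "$src/" "$dest/$folder/"; then
        echo "rsync failed; leaving 'latest' pointing at the previous snapshot" >&2
        return 1
    fi
    # Relative link target, so the whole backup tree can be moved as a unit.
    ln -sfn "$folder" "$dest/latest"
}

# True when two paths are the same inode, i.e. rsync hard-linked them.
same_inode() { [ "$1" -ef "$2" ]; }

# Space a snapshot really adds beyond what it shares with older ones:
# the number of regular files whose link count is 1.
unique_files() { find "$1" -type f -links 1 | wc -l | tr -d ' '; }

# Demonstration on constructed data (run with: ./snapshot.sh demo).
demo() {
    local tmp; tmp=$(mktemp -d)
    mkdir -p "$tmp/src/sub"
    echo one > "$tmp/src/a.txt"
    echo two > "$tmp/src/sub/b.txt"
    echo junk > "$tmp/src/.DS_Store"
    printf '%s\n' '- .DS_Store' '- .afp_deleted' > "$tmp/rules.txt"
    take_snapshot "$tmp/src" "$tmp/backups" "$tmp/rules.txt" snap1
    echo changed > "$tmp/src/sub/b.txt"
    take_snapshot "$tmp/src" "$tmp/backups" "$tmp/rules.txt" snap2
    echo "a.txt shared between snapshots: $(same_inode "$tmp/backups/snap1/a.txt" "$tmp/backups/snap2/a.txt" && echo yes || echo no)"
    echo "files unique to snap2: $(unique_files "$tmp/backups/snap2")"
    echo "latest -> $(readlink "$tmp/backups/latest")"
    rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Because latest is only repointed after rsync returns success, a run that dies part way through leaves the previous snapshot as the reference, and the next run simply hard-links against that instead of against a half-written folder.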

Add some integrity checks:

These were added so that if anyone was able to spoof the DNS or repoint the client at a new server, the script would check the server's SSH host key and confirm the identity of the server receiving the data before sending anything. Two details matter here. First, awk '{print $3}' on ssh-keyscan output prints the base64-encoded public key itself, not a SHA256 fingerprint, so $fingerprint must hold the full key string, copied from a trusted source such as a known-good known_hosts entry or the server's ssh_host_ecdsa_key.pub. Second, this check runs before the connection, not during it: the rsync and ssh commands that follow still rely on ssh's own known_hosts handling, so pair it with StrictHostKeyChecking=yes and a known_hosts file that contains only the expected key.

 if [[ $(ssh-keyscan -p $port -t ecdsa-sha2-nistp256 $server 2>/dev/null | awk '{print $3}') == "$fingerprint" ]]
 then
     writelog "Server fingerprint check: PASSED"
 else
     writelog "##### ERROR ##### Server fingerprint mismatch.  This isn't the server you are looking for...  Exiting with error code 1"
     exit 1
 fi
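The check above verifies the key once, before the connection; the rsync and ssh commands that follow still decide for themselves which host key to accept. As an added example that is not part of the original notes, the functions below wrap the same comparison so it can be fed ssh-keyscan output (or a constructed line) and then write a one-line known_hosts file that makes the real connection fail closed on any other key. The function names, the host backup.example and the key blob are made-up placeholders; the blob is not a real key.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): the host-key comparison as
# testable functions, plus a pinned known_hosts file so the real ssh/rsync
# connection enforces the same key. Names, host and key blob are placeholders.
set -e

# Read ssh-keyscan output on stdin and compare the base64 key blob of the first
# key of the wanted type against the pinned value. Returns 0 only on an exact
# match; an empty scan (host down, wrong port, key type missing) fails too.
check_host_key() {
    local type=$1 pinned=$2 seen
    seen=$(awk -v t="$type" '$2 == t { print $3; exit }')
    [ -n "$seen" ] && [ "$seen" = "$pinned" ]
}

# Write a known_hosts file holding only the pinned key. ssh looks up
# non-default ports as "[host]:port", so the entry has to use that form.
write_pinned_known_hosts() {
    local host=$1 port=$2 type=$3 pinned=$4 file=$5
    if [ "$port" = 22 ]; then
        printf '%s %s %s\n' "$host" "$type" "$pinned" > "$file"
    else
        printf '[%s]:%s %s %s\n' "$host" "$port" "$type" "$pinned" > "$file"
    fi
    chmod 600 "$file"
}

# The ssh command to hand to rsync -e: with StrictHostKeyChecking=yes and a
# known_hosts file that contains exactly one key, any other key is refused
# at connection time rather than only at the earlier keyscan check.
pinned_ssh_cmd() {
    local port=$1 file=$2
    printf 'ssh -p %s -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' "$port" "$file"
}

# How the backup script would use these (needs network, so not run here):
#   ssh-keyscan -p "$port" -t ecdsa-sha2-nistp256 "$server" 2>/dev/null \
#       | check_host_key ecdsa-sha2-nistp256 "$fingerprint" || exit 1
#   write_pinned_known_hosts "$server" "$port" ecdsa-sha2-nistp256 "$fingerprint" /Library/Backups/known_hosts
#   rsync ... -e "$(pinned_ssh_cmd "$port" /Library/Backups/known_hosts)" "$source" "$username@$server:$path/$folder"
```

With the pinned file in place, a DNS spoof or a repointed client fails at the ssh handshake with a host key mismatch, whether or not the keyscan check ran, and the keyscan check itself becomes the early, loggable warning rather than the only line of defence.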

The complete script:

#!/bin/bash

# port, server, username, path, source, fingerprint and the writelog function
# are assumed to be defined above this point (the notes do not show them).
folder=$(date +%Y-%m%d-%H%M)

################################################################################
####                     Check server is the right one                      ####
################################################################################

if [[ $(ssh-keyscan -p $port -t ecdsa-sha2-nistp256 $server 2>/dev/null | awk '{print $3}') == "$fingerprint" ]]
then
    writelog "Server fingerprint check: PASSED"
else
    writelog "##### ERROR ##### Server fingerprint mismatch.  This isn't the server you are looking for...  Exiting with error code 1"
    exit 1
fi

################################################################################
####                           Run the backup                               ####
################################################################################

writelog "Running sync"
rsync --size-only -rhlH --filter='merge /Library/Backups/exclusions.txt' -e "ssh -p $port" --link-dest=$path/latest "$source" $username@$server:$path/$folder || {
    writelog "##### ERROR ##### rsync failed, leaving the latest symlink untouched.  Exiting with error code 1"
    exit 1
}

writelog "Sync complete, creating latest symlink"
ssh -p $port $username@$server "rm -f $path/latest"
ssh -p $port $username@$server "ln -s $path/$folder $path/latest"
