Time machine – Back to the future!

David Acland
02.13.2020

The following are the notes from the presentation given by James Bousfield to the LAA’s community on 13th Feb 2020.

Security Considerations:

  • All data sent over the network should be encrypted from end to end.
  • Data stored on any disk should be encrypted using a minimum of SHA-256 encryption where possible.
  • Change the default ports for any well-known ports, e.g. 22 for SSH should be changed before using this.
  • User authentication should only be used when being accessed from known locations and where authorised SSH keys are not possible.

The use of rsync to complete backups:

Local machine cloning of files / folders:

This is used to clone a single file / folder from one area on a machine to another. This wouldn't classify as a backup, but a clone of information.

 rsync -rhlH "$source" "$destination"

Cloning of files / folders over a network:

This would be used to create a clone of the desired information on another machine. This could be classified as a backup, but not a great one: there is no history, so it is a single snapshot-style backup.

 rsync -rhlH -e "ssh -p $sshport" "$source" "$username@$Server:/$path/"

Add the Variable for Date in a pre-defined format:

This is to start building on a snapshot backup solution with some history involved in the backups.

 folder=$(date +%Y-%m%d-%H%M)

Add Hard-Linking of files/ folders to save space:

Again, this builds on the above: after each run, a symlink named latest is pointed at the newest backup folder, so that later runs (and clean-up of old backups) can reference it.

 ssh -p "$port" "$username@$Server" "rm $path/latest"
 ssh -p "$port" "$username@$Server" "ln -s $path/$folder $path/latest"

Combine this with Hard-Linking of files / folders for space efficiency:

 rsync --progress -rhlH -e "ssh -p $port" --link-dest="$path/latest" "$source" "$username@$Server:$path/$folder"

Make the backup run a little faster:

By limiting the check to size only, rsync compares file sizes alone instead of its default size-and-modification-time check, which reduces the work done per file and speeds up the backup. The trade-off is that a file whose contents change without its size changing will not be picked up.

Add the option to check only for size differences: --size-only

Merge an excluded files list in to the script:

By merging in a list of exclusions, you can specify files / file types that will be left out of the backups. Candidates for this would be files like:

  • .DS_Store
  • .afp_deleted

 rsync --progress --size-only -rhlH --filter='merge /Library/Backups/exclusions.txt' -e "ssh -p $port" --link-dest="$path/latest" "$source" "$username@$Server:$path/$folder"

Add some integrity checks:

These were added so that, if anyone were able to spoof the DNS or repoint the client to a new server, the script would check the server's SSH host key and confirm the identity of the server that is receiving data. Note that field 3 of the ssh-keyscan output is the full base64 public key, so $fingerprint must hold that key exactly as ssh-keyscan prints it.

 # $fingerprint holds the server's public key as printed by ssh-keyscan (field 3).
 if [[ $(ssh-keyscan -p "$port" -t ecdsa-sha2-nistp256 "$Server" 2>/dev/null | awk '{print $3}') == "$fingerprint" ]]
 then
     writelog "Server fingerprint check: PASSED"
 else
     writelog "##### ERROR ##### Server fingerprint mismatch.  This isn't the server you are looking for...  Exiting with error code 1"
     exit 1
 fi
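The host-key pinning check above, as an added example that is not part of the original notes: the comparison is factored into a function that can be exercised offline against constructed ssh-keyscan output. It pins the full base64 key that ssh-keyscan prints in field 3, and it fails closed when the scan returns nothing (host unreachable, wrong port) instead of letting an empty result compare equal to an empty pin. The names verify_host_key, fingerprint_gate and PINNED_KEY, and the key values themselves, are assumptions made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Constructed sample of what
# `ssh-keyscan -t ecdsa-sha2-nistp256 <host>` prints: "<host> <keytype> <base64 key>".
# The key material below is made up and is not a real host key.
SAMPLE_SCAN_OK='backup.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEY0001'
SAMPLE_SCAN_BAD='backup.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEY9999'
SAMPLE_SCAN_EMPTY=''   # what you get when the host is down, firewalled, or the port is wrong

# The pinned value: the full base64 public key, i.e. exactly what `awk '{print $3}'`
# extracts from ssh-keyscan output (not the short SHA256:... fingerprint).
PINNED_KEY='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEY0001'

# verify_host_key <scan output> <key type> <pinned key>
# Returns 0 only when a key of the requested type is present and matches the pin.
verify_host_key() {
    scan="$1"; keytype="$2"; pinned="$3"
    # Take field 3 only from lines whose field 2 is the requested key type,
    # so a key of some other type can never be compared against this pin.
    seen=$(printf '%s\n' "$scan" | awk -v t="$keytype" '$2 == t { print $3 }')
    # Fail closed: an empty scan result or an empty pin is never a match.
    [ -n "$seen" ] || return 1
    [ -n "$pinned" ] || return 1
    [ "$seen" = "$pinned" ]
}

# Same decision the backup script makes, returning a status instead of exiting
# so the caller (or a test) can decide what to do.
fingerprint_gate() {
    if verify_host_key "$1" ecdsa-sha2-nistp256 "$PINNED_KEY"; then
        echo "Server fingerprint check: PASSED"
        return 0
    fi
    echo "##### ERROR ##### Server fingerprint mismatch." >&2
    return 1
}
```

In the real script the first argument would be the output of `ssh-keyscan -p "$port" -t ecdsa-sha2-nistp256 "$Server" 2>/dev/null`.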

The complete script:

 ################################################################################
 ####                     Check server is the right one                      ####
 ################################################################################
 # $fingerprint holds the server's public key exactly as ssh-keyscan prints it
 # (field 3 of its output), so any other host key fails the comparison.
 if [[ $(ssh-keyscan -p "$port" -t ecdsa-sha2-nistp256 "$Server" 2>/dev/null | awk '{print $3}') == "$fingerprint" ]]
 then
     writelog "Server fingerprint check: PASSED"
 else
     writelog "##### ERROR ##### Server fingerprint mismatch.  This isn't the server you are looking for...  Exiting with error code 1"
     exit 1
 fi

 ################################################################################
 ####                           Run the backup                               ####
 ################################################################################
 writelog "Running sync"
 # Write a new dated snapshot; files unchanged since the previous snapshot are
 # hard-linked from $path/latest via --link-dest, so only changed data uses space.
 rsync --size-only -rhlH --filter='merge /Library/Backups/exclusions.txt' -e "ssh -p $port" --link-dest="$path/latest" "$source" "$username@$Server:$path/$folder"

 writelog "Sync complete, creating latest symlink"
 # Repoint the latest symlink at the snapshot that was just written.
 ssh -p "$port" "$username@$Server" "rm $path/latest"
 ssh -p "$port" "$username@$Server" "ln -s $path/$folder $path/latest"
