
Time machine – Back to the future!

13th February 2020 | posted by David Acland

The following are the notes from the presentation given by James Bousfield to the LAA’s community on 13th Feb 2020.

Security Considerations:

  • All data sent over the network should be encrypted from end to end.
  • Data stored on any disk should be encrypted using a minimum of SHA-256 encryption where possible.
  • Change the default port of any well-known service, e.g. 22 for SSH, before using this.
  • User authentication should only be used when access comes from known locations and where authorised SSH keys are not possible.

The use of rsync to complete backups:

Local machine cloning of files / folders:

This clones a single file or folder from one location on a machine to another. It doesn't qualify as a backup, only as a clone of the information.

 rsync -rhlH "$source" "$destination"

Cloning of files / folders over a network:

This creates a clone of the desired information on another machine. It could be classified as a backup, but not a great one: it is a snapshot-style copy with no history.

 rsync -rhlH -e "ssh -p $port" "$source" $username@$Server:$path/

Add the Variable for Date in a pre-defined format:

This is to start building on a snapshot backup solution with some history involved in the backups.

 folder=$(date +%Y-%m%d-%H%M)

Add Hard-Linking of files/ folders to save space:

Again, this builds on the above: a symlink named latest points at the most recent backup, so it can be referenced later when cleaning up the backups.

 ssh -p $port $username@$Server "rm $path/latest"
 ssh -p $port $username@$Server "ln -s $path/$folder $path/latest"

Combine this with Hard-Linking of files / folders for space efficiency:

 rsync --progress -rhlH -e "ssh -p $port" --link-dest=$path/latest "$source" $username@$Server:$path/$folder

Make the backup run a little faster:

Limiting the comparison to file size reduces the number of checks rsync performs and speeds up the backup. The trade-off is that a file whose contents change without its size changing is skipped.

Add the option to check only for size differences: --size-only

Merge an excluded files list in to the script:

By merging a list of exclusions, you can specify files or file types that will be left out of backups. Candidates for this would be files like:

  • .DS_Store
  • .afp_deleted

rsync --progress --size-only -rhlH --filter='merge /Library/Backups/exclusions.txt' -e "ssh -p $port" --link-dest=$path/latest "$source" $username@$Server:$path/$folder

Add some integrity checks:

These were added to ensure that if anyone was able to spoof the DNS or repoint the client to a new server, the script would check for our SSH key and confirm the identity of the server that is receiving data.

 if [[ $(ssh-keyscan -p $port -t ecdsa-sha2-nistp256 $Server 2>/dev/null | awk '{print $3}') == "$fingerprint" ]]
 then
     writelog "Server fingerprint check: PASSED"
 else
     writelog "##### ERROR ##### Server fingerprint mismatch.  This isn't the server you are looking for...  Exiting with error code 1"
     exit 1
 fi
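The scan above is a separate connection from the one rsync later opens, and if $fingerprint is unset while the server is unreachable, both sides of the comparison are empty and the check passes. The following is an added example, not part of the original script: it rejects empty values and writes a pinned known_hosts entry so the ssh session used by rsync verifies the key itself. The host name, port, key and the /Library/Backups/known_hosts path are constructed assumptions.

```shell
#!/bin/sh
# Added example: pin the backup server's host key instead of trusting a one-off scan.

# Return 0 only if ssh-keyscan-style output on stdin contains a line of the
# expected key type whose base64 key equals the pinned key.
# An empty pinned key or empty scan output is a failure, never a match.
host_key_matches() {
    keytype=$1
    pinned=$2
    [ -n "$pinned" ] || return 1
    awk -v t="$keytype" -v k="$pinned" '
        /^#/ { next }                       # skip comment lines
        $2 == t && $3 == k { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print a known_hosts entry; non-default ports use the [host]:port form.
known_hosts_line() {
    host=$1; port=$2; keytype=$3; key=$4
    if [ "$port" = "22" ]; then
        printf '%s %s %s\n' "$host" "$keytype" "$key"
    else
        printf '[%s]:%s %s %s\n' "$host" "$port" "$keytype" "$key"
    fi
}

# Constructed sample values (not a real key or server).
sample_key='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEY='
sample_scan="# backup.example.net:2222 SSH-2.0-OpenSSH_8.1
[backup.example.net]:2222 ecdsa-sha2-nistp256 $sample_key"

# Usage in the backup script, assuming $fingerprint holds the base64 key
# (the third field of the keyscan output) and the known_hosts path is yours:
#   known_hosts_line "$Server" "$port" ecdsa-sha2-nistp256 "$fingerprint" \
#       > /Library/Backups/known_hosts
#   rsync ... -e "ssh -p $port -o UserKnownHostsFile=/Library/Backups/known_hosts \
#       -o StrictHostKeyChecking=yes" ...
```

With StrictHostKeyChecking=yes and a dedicated UserKnownHostsFile, ssh refuses the connection when the server presents any key other than the pinned one, so the check and the data transfer happen on the same session.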

The complete script:

################################################################################
####                     Check server is the right one                      ####
################################################################################

if [[ $(ssh-keyscan -p $port -t ecdsa-sha2-nistp256 $Server 2>/dev/null | awk '{print $3}') == "$fingerprint" ]]
then
    writelog "Server fingerprint check: PASSED"
else
    writelog "##### ERROR ##### Server fingerprint mismatch.  This isn't the server you are looking for...  Exiting with error code 1"
    exit 1
fi

################################################################################
####                           Run the backup                               ####
################################################################################

writelog "Running sync"

# Hard-link unchanged files against the previous snapshot referenced by "latest"
rsync --size-only -rhlH --filter='merge /Library/Backups/exclusions.txt' -e "ssh -p $port" --link-dest=$path/latest "$source" $username@$Server:$path/$folder

writelog "Sync complete, creating latest symlink"

# Repoint the "latest" symlink at the snapshot just written
ssh -p $port $username@$Server "rm $path/latest"
ssh -p $port $username@$Server "ln -s $path/$folder $path/latest"
