Backup to FTP SSL server

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
Hi. I have my own VPS from which I would like to back up to my server which is based on Ubuntu 20.04. What tool can I use to back up to an FTP SSL server? I was looking for scripts or programs but I could not find any. There is no desktop installed on the VPS server, only a terminal.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401

Any reason you are looking for the worst of all file transfer options possible on the planet?

You would be a million times better off doing it over SFTP (the file transfer service that is part of SSH).
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
Any reason you are looking for the worst of all file transfer options possible on the planet?

You would be a million times better off doing it over SFTP (the file transfer service that is part of SSH).
On some forum they told me that FTP SSL would be fairly safe. Can I lock a user in a given directory with SFTP so that he cannot escape to another?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
You can sure CHRoot your users in their home directories.

Here is a quick link about how to do it all from CLI in a Linux environment. You will have to adapt that to TrueNAS by doing it all from the WebUI (the user and group creation parts, the extra options for the SSH services, ...).

https://www.techrepublic.com/article/how-to-use-sftp-with-a-chroot-jail/
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Right. SFTP is encrypted just like SSH is. Another plus is that you can do public key authentication instead of password. That authentication is much safer and much stronger.
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
Right. SFTP is encrypted just like SSH is. Another plus is that you can do public key authentication instead of password. That authentication is much safer and much stronger.
Ok, thank you for your help. I'll try to configure it :)
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
Right. SFTP is encrypted just like SSH is. Another plus is that you can do public key authentication instead of password. That authentication is much safer and much stronger.
Can I make my user log into the directory immediately and have all rights? When I change the home directory in its settings, it displays "fatal: bad ownership or modes for chroot directory" / backup_ "" - this directory / backup_copy has the root user and the root group in it is the directory / copy and there is the owner of the user backup_copy with the backup_copy group. And when I change his home directory, I can't log in, I have to log in first to the / backup_directory and then manually go to the / copy directory.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Can I make my user log into the directory immediately and have all rights? When I change the home directory in its settings, it displays "fatal: bad ownership or modes for chroot directory" / backup_ "" - this directory / backup_copy has the root user and the root group in it is the directory / copy and there is the owner of the user backup_copy with the backup_copy group. And when I change his home directory, I can't log in, I have to log in first to the / backup_directory and then manually go to the / copy directory.

If your backup is per user, each user should have his own backup in his own home directory.

If your backup is per data, then it should not be done per user...

What exactly are you trying to achieve? Per user or per data?
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
If your backup is per user, each user should have his own backup in his own home directory.

If your backup is per data, then it should not be done per user...

What exactly are you trying to achieve? Per user or per data?
Per data
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Then you should not use user accounts for doing this. You should look at backup agents that will authenticate themselves without each user's account or even better, stop hosting data on the users' devices completely and host all your data server side.
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
Then you should not use user accounts for doing this. You should look at backup agents that will authenticate themselves without each user's account or even better, stop hosting data on the users' devices completely and host all your data server side.
I understand but I'm having a problem with the user's home directory. When it is set to /backup_copy, the user logs in normally, and when it is set to / backup_copy/ backup, then the user refuses to login. Why? He has all the powers.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
You put spaces everywhere in what you transcribed here. So the first thing is to get rid of these spaces...
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
You put spaces everywhere in what you transcribed here. So the first thing is to get rid of these spaces...
There are no spaces in the configuration. Spaces are the fault of Google translate :)
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Google translate

Should you need, I also speak French. We can switch this conversation to the French section of the forum :smile:

So you said that users can log in backup_copy but not in backup_copy/backup. So just have your users log in the backup_copy directory and in there, put a sub-directory per data type (you said you wish a per-data backup model) with proper ownership and permissions :
backup_copy/data_group1
backup_copy/data_group2
...

Set ownership of each data_groupX folder to Root and backup group BackGroup1 ; BackGroup2 ; BackGroupX as required.
Assign each user to the groups he should be able to back up to: User1 is a member of BackGroups 1 and 3, ...
Set permission to 770, so the Root can do it all, so can the appropriate group, but other groups cannot do anything.
Have your users put their data in the appropriate folder.

This way, all users can log in (you said you achieved that part already)
Once in, they can add stuff only to the proper sub-folder


But honestly, to do per data backup managed on a per user basis does not make much sense... Either you really manage your data at data level and do it with infrastructure components, or if you do it at user level, then you do user-level backups. But trying to do a per-data backup with a per-user approach is not the best way.
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
Should you need, I also speak French. We can switch this conversation to the French section of the forum :smile:

So you said that users can log in backup_copy but not in backup_copy/backup. So just have your users log in the backup_copy directory and in there, put a sub-directory per data type (you said you wish a per-data backup model) with proper ownership and permissions :
backup_copy/data_group1
backup_copy/data_group2
...

Set ownership of each data_groupX folder to Root and backup group BackGroup1 ; BackGroup2 ; BackGroupX as required.
Assign each user to the groups he should be able to back up to: User1 is a member of BackGroups 1 and 3, ...
Set permission to 770, so the Root can do it all, so can the appropriate group, but other groups cannot do anything.
Have your users put their data in the appropriate folder.

This way, all users can log in (you said you achieved that part already)
Once in, they can add stuff only to the proper sub-folder


But honestly, to do per data backup managed on a per user basis does not make much sense... Either you really manage your data at data level and do it with infrastructure components, or if you do it at user level, then you do user-level backups. But trying to do a per-data backup with a per-user approach is not the best way.
I speak Polish so we have to stick to English :)
Is it possible to make the user log in to SSH in his home directory, i.e. /backup_copy /user1
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Is it possible to make the user log in to SSH in his home directory, i.e. /backup_copy /user1

Yes but he needs to have access not only to this directory but also to the parent. This is why the standard /home directory in typical Unix system is readable and executable by everybody, so everyone can make it down to the door of their own private directory. Inside that /home, each private home directory is then owned by the corresponding user.

Here, if there is at least one directory between the root directory ( / ) and wherever your backup directory is ( /mnt/pool/dataset/subdirectory ) in which your users have no access, then they can not make it to their own private directory and will fail. So inspect the full path and be sure that permissions are good on the entire path. The user needs at least Read and Execute on every folder down to his own. It can be provided by the permission granted to everyone, to the group, but overall, the user must be able to access and open each directory.
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
Yes but he needs to have access not only to this directory but also to the parent. This is why the standard /home directory in typical Unix system is readable and executable by everybody, so everyone can make it down to the door of their own private directory. Inside that /home, each private home directory is then owned by the corresponding user.

Here, if there is at least one directory between the root directory ( / ) and wherever your backup directory is ( /mnt/pool/dataset/subdirectory ) in which your users have no access, then they can not make it to their own private directory and will fail. So inspect the full path and be sure that permissions are good on the entire path. The user needs at least Read and Execute on every folder down to his own. It can be provided by the permission granted to everyone, to the group, but overall, the user must be able to access and open each directory.
When I give 777 permission to the /backup_directory then I can't log into ssh. The user1 directory also has 777 permissions and is set as the user's home directory.
 

adam23450

Contributor
Joined
Feb 19, 2020
Messages
142
Code:
Sep 19 18:10:27 ubuntu-NextCloud systemd-logind[1305]: New session 1255 of user kopia_zapasowa.
Sep 19 18:10:27 ubuntu-NextCloud sshd[25539]: fatal: bad ownership or modes for chroot directory component "/kopia_zapasowa/"
Sep 19 18:10:27 ubuntu-NextCloud sshd[25465]: pam_unix(sshd:session): session closed for user kopia_zapasowa
Sep 19 18:10:27 ubuntu-NextCloud systemd-logind[1305]: Removed session 1255.
Sep 19 18:10:41 ubuntu-NextCloud sshd[25542]: Accepted password for root from 192.168.0.5 port 54014 ssh2
Sep 19 18:10:41 ubuntu-NextCloud sshd[25542]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 19 18:10:41 ubuntu-NextCloud systemd-logind[1305]: New session 1257 of user root.
Sep 19 18:10:50 ubuntu-NextCloud sshd[25605]: Accepted password for root from 192.168.0.5 port 49568 ssh2
Sep 19 18:10:50 ubuntu-NextCloud sshd[25605]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 19 18:10:50 ubuntu-NextCloud systemd-logind[1305]: New session 1258 of user root.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
When I give 777 permission to the /backup_directory then I can't log into ssh. The user1 directory also has 777 permissions and is set as the user's home directory.

Too much is not better than not enough. 777 is high risk and many systems will refuse to work if configured poorly.

Just post the complete path you are using and the actual permission instead of masquerading it under obscure names like /backup.
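
The sshd error in the log above, and the refused login after setting 777, follow from an OpenSSH rule: every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others. The POSIX shell check below is an added example, not part of the thread; the function names and the optional owner-UID parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GNU or BusyBox stat, as on Ubuntu.

# check_component DIR OWNER_UID
# Prints one line per rule DIR breaks; exit status 1 if it breaks any.
check_component() (
    dir=$1 owner=$2 status=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        exit 1
    fi
    uid=$(stat -L -c '%u' "$dir")    # numeric owner
    mode=$(stat -L -c '%a' "$dir")   # octal permission bits, e.g. 755
    if [ "$uid" -ne "$owner" ]; then
        echo "$dir: owned by uid $uid, expected $owner"
        status=1
    fi
    # 022 = group-write | other-write; the leading 0 makes $mode octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is writable by group or others"
        status=1
    fi
    exit "$status"
)

# chroot_path_problems PATH [OWNER_UID]
# Checks "/" and every prefix of PATH. OWNER_UID defaults to 0 (root);
# the parameter is an assumption of this example so it can be tried unprivileged.
chroot_path_problems() (
    owner=${2:-0} rest=${1#/} current="" bad=0
    check_component / "$owner" || bad=1
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue
        current="$current/$part"
        check_component "$current" "$owner" || bad=1
    done
    exit "$bad"
)

# As root on the server, for the path in the log above:
#   chroot_path_problems /kopia_zapasowa
```

A directory the backup user can write to has to sit below the chroot directory, owned by that user, because the chroot directory itself must stay root-owned and non-writable.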
 