Backup using SSH

[jsdrexel]

Hey guys, I'm new to FreeNAS and newer to some Linux stuff, but what we're wanting to do is backup some of our Windows servers via SSH/RSync?
What I'm most concerned about these days, like everyone else is Ransomware attacks. I'm super paranoid, so I was wondering this --

If we rsynced our servers over the Internet via SSH/Rsync and used the key exchange method, is the private key that would be on the Windows server visible to anyone who gained access to that server? Or is it also encrypted so they really couldn't do anything with it? Just wanted to make sure that the key would only be available to the Rsync application to sync the local data with the remote NAS?

Sorry if it's s dumb question but trying to be as safe as possible these days!!

Also, is that the quickest method of backing up over the Internet? Or firewall will only allow this one-to-one connection so it will block out any other outside connection attempts.

Thanks again!!

 

[Chris Moore]

I have not made any direct compairisons but I would think the best / fastest way would be to establish a secure VPN between the two sites. With the two servers on the same logical network that is encrypted and protected from the internet, you would not need to use SSH for the transfer. Eliminating SSH from the servers on both ends will allow the transfer to go faster, as long as the networking gear that is running the VPN can handle the data.

 

[jsdrexel]

Yes sir -- we tried that and the speeds from the firewall vendors was way too slow!!

 

[jsdrexel]

We have a 300MB pipe, and the best we got between us and them was around 8-10MB. Talked with the vendor and no luck on getting any better speeds. Crazy. Thought SSH would be much faster.

 

[Yorick]

Not sure it is “the quickest way”, it’s certainly decent if you use -z compression. You could also tunnel 139 and 445 and backup to an smb share via veeam for Windows agent free. https://superuser.com/questions/311658/make-a-network-drive-available-over-the-internet , sorta.

That’s crazy that you’re topping out at 10Mb for an IPSEC VPN. You say 300MB pipe ... did you mean 300 Mb, as in MBit/s?

If you have some budget in future, an entry level FG60E can handle 2Gb/s IPSEC as long as the traffic is accelerated. These are inexpensive, and about 100/year for maintenance each. Two of those give you an IPSEC tunnel that can grow with your bandwidth. I’d get them without UTM license if all you’re using them for is IPSEC. https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf

 

[jsdrexel]

Thanks for the info --- yes sir 300Mb sorry. We are currently using Watchguard firewalls, and some pretty decent ones. They were just stating with the overhead of IPSec that we would probably not getting any faster than that. Seems kinda crazy to me as well. When we pushed out FTP over a one-to-one mapping thru the firewall, we got much faster speeds!

We use Veeam for Windows free agent locally to backup workstations to a NAS and it works great. But our ideals situation is to have data available immediately remotely in the event of an emergency.