We’re basically setting up a crontab with two components:
apt install ksh93 lftp
openssl version
First, check that you can reach your FTP service. For example, Dedibackup authenticates based on the MAC address, as long as you enable autologin (note the comma after the user name and the absence of a password afterwards)
lftp -u auto, DEDIBACKUP_SERVER_ADDRESS
and eventually clean your shit up
#glob -a rm -r -f *
gpg --version | head -1 # v1 is fine
gpg --version | grep Cipher
echo lala | gpg --no-use-agent --symmetric --cipher-algo TWOFISH --passphrase 'KEY_HERE' --output lala.gpg
file lala.gpg
gpg --no-use-agent --decrypt --cipher-algo TWOFISH --passphrase 'KEY_HERE' < lala.gpg
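openssl version
openssl enc -ciphers
# use the same key in both directions; -pbkdf2 matches the restore command further down
echo lala | openssl enc -aes-256-cbc -e -pbkdf2 -k 'SYMMETRIC-KEY-HERE' -out lala.aes
file lala.aes
openssl enc -aes-256-cbc -d -pbkdf2 -k 'SYMMETRIC-KEY-HERE' < lala.aes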
Fetch the script templates as root, rename, tune a few variables and set the executable bit
cd /root/
wget https://pub.nethence.com/bin/backup/backup.ksh.txt
wget https://pub.nethence.com/bin/backup/upload.ksh.txt
mv backup.ksh.txt backup.ksh
mv upload.ksh.txt upload.ksh
chmod +x backup.ksh
chmod +x upload.ksh
mkdir /data/backup/
vi backup.conf

backupdir=/data/backup/HOSTNAME
maxold=5
secret=SYMMETRIC-KEY-HERE
#rsync/ftp/none
method=ftp
# FTP
server=FTP-SERVER
user=auto
pass=""
# RSYNC/SSH
#rsyncdest=SSH-SERVER:/path/to

chmod 600 backup.conf
vi backup.lst

/root
/etc
...

and keep a copy of the key somewhere outside the server you wanna back up. Also write down the FTP password that you get from the DediBackup console, as you will still be able to reach your backups through a normal FTP login from a remote site if needed.
Keep the script up-to-date
curl -s https://pub.nethence.com/bin/backup/backup.ksh.txt | diff -bu - backup.ksh
Run a manual backup
time nice /root/backup.ksh
Look for resulting files and check that this is multi-core capable (>100%)
ls -lF /data/backup/
top -b | grep ssl
top -b | grep gpg
And finally enable the job every night as a privileged cron job, be it NetBSD
vi /etc/daily
or Slackware
vi /root/DAILY

time nice /root/backup.ksh
time nice /root/upload.ksh
echo
or Ubuntu
crontab -e

51 03 * * * time nice /root/backup.ksh; time nice /root/upload.ksh

Attempt to restore from the encrypted archive (decrypt with -d instead of -e)
secret=KEY-HERE
bkpfile=2021-01-13-04-00-02.data-www.tar.lz4.aes
tarfile=${bkpfile%\.aes}
mkdir lala/
file "$bkpfile"
openssl enc -d -aes-256-cbc -k "$secret" -pbkdf2 -in "$bkpfile" -out "$tarfile"
file "$tarfile"
tar -I lz4 -xpSf "$tarfile" -C lala/
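A restore test that can be scripted, as an added example (not part of backup.ksh or upload.ksh): it encrypts with the same cipher options as the restore command above and reports whether an archive decrypts, decompresses and lists cleanly. The key file, the function names and the gzip fallback are assumptions of this example; reading the key with -pass file: keeps it out of the process list, unlike -k.

```sh
#!/bin/sh
# Added example, not the backup.ksh script itself. All paths are constructed.

# lz4 as on the page; fall back to gzip where lz4 is not installed (assumption).
if command -v lz4 >/dev/null 2>&1; then COMP=lz4; else COMP=gzip; fi

# make_backup SRCDIR KEYFILE OUTFILE
# "-pass file:" reads the passphrase from the first line of KEYFILE, so it does
# not appear in the process list the way "-k KEY" does.
make_backup() {
    ( umask 077
      tar -cf - -C "$1" . | "$COMP" -c |
          openssl enc -e -aes-256-cbc -pbkdf2 -pass "file:$2" -out "$3" )
}

# verify_backup ARCHIVE KEYFILE
# Returns 0 only if the archive decrypts, decompresses and lists as a tar file.
# Work happens in a private (0700) temp directory that is removed afterwards.
verify_backup() {
    work=$(mktemp -d) || return 1
    rc=1
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" \
            -in "$1" -out "$work/plain" 2>/dev/null &&
       "$COMP" -dc < "$work/plain" > "$work/tar" 2>/dev/null &&
       tar -tf "$work/tar" > /dev/null 2>&1
    then rc=0; fi
    rm -rf "$work"
    return "$rc"
}

# demo: build a constructed source tree and two key files, then check that the
# right key verifies and the wrong one is rejected. Prints "ok" on success.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/src" && echo lala > "$d/src/file.txt"
    ( umask 077; echo 'SYMMETRIC-KEY-HERE' > "$d/key"; echo 'WRONG-KEY' > "$d/bad" )
    res=fail
    if make_backup "$d/src" "$d/key" "$d/test.tar.$COMP.aes" &&
       verify_backup "$d/test.tar.$COMP.aes" "$d/key" &&
       ! verify_backup "$d/test.tar.$COMP.aes" "$d/bad"
    then res=ok; fi
    rm -rf "$d"
    echo "$res"
}

demo
```

AES-CBC as used here carries no integrity tag, so a listing that succeeds shows the archive is readable, not that it is unmodified.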
As for database backups you might add a few mysqldumps to the script or eventually use Mydumper.
Another simple way to deal with backups looks like this at Panix (NetBSD/PV Xen host)
vi /etc/inetd.conf

rsync stream tcp nowait root /usr/pkg/bin/rsync rsync --daemon --config=/etc/rsyncd.conf

vi /etc/rsyncd.conf

[BACKUPS]
path = /
auth users = root
secrets file = /etc/rsyncd.secrets
uid = root
hosts allow = backup.nyc.access.net
lftp user credentials do not work with -e or -c https://unix.stackexchange.com/questions/469787/lftp-user-credentials-do-not-work-with-e-or-c
Mirror copying hidden (dot) files regardless. #251 https://github.com/lavv17/lftp/issues/251 -> or consider yafc instead?