I am performing a review of my MIAB security setup and noticed a hole with regard to rsync backups.
Currently, the backup user that logs in to the rsync backup server (using the native MIAB backup function) has full ssh shell access using passwordless login. The key for the passwordless login is /root/.ssh/id_rsa_miab only accessible by root.
If an attacker were to gain access to root on the MIAB server they could then gain access to the backup server. This creates a possible total-loss scenario where the MIAB server and backups could be destroyed; and also creates a vector for further attacks once the backup server is compromised.
Does anyone have any best practices to mitigate this potential problem, or has anyone done this already? I was thinking of a couple of different approaches:
- limit ssh command execution to just the rsync commands that duplicity issues (using the sshd command= function). This approach seems like it might be fragile since all the “allowed” commands need to be predefined.
- set up the backup server as a staging area and pull the backups off regularly to the “real” backup location (or take daily snapshots on shared storage array).
Any additional thoughts welcome.
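As an added illustration of the first approach (written for this thread, not code from the original post or from Mail-in-a-Box): a forced-command wrapper on the backup server that lets the box's key run only rsync's server-side invocation, confined to one directory. It assumes the backups land under /srv/backup, that the wrapper is installed as /usr/local/bin/backup-only.sh, and that duplicity over rsync+ssh only ever executes `rsync --server ...` on the remote side.

```shell
#!/bin/sh
# backup-only.sh: forced command for the backup user's key on the rsync host.
# Reference it from ~backup/.ssh/authorized_keys (one line; the key is the
# public half of /root/.ssh/id_rsa_miab on the box):
#   restrict,command="/usr/local/bin/backup-only.sh --sshd" ssh-rsa AAAA... root@box
# "restrict" (OpenSSH 7.2+) also disables forwarding and pty allocation, so
# the key yields no shell even if this wrapper were bypassed.

BACKUP_ROOT="${BACKUP_ROOT:-/srv/backup}"   # assumed location of the backups

# check_command CMD: returns 0 only for an rsync server invocation whose
# path argument stays inside BACKUP_ROOT. Kept separate so it can be tested.
check_command() {
    cmd="$1"
    # rsync over ssh always runs "rsync --server ..." remotely; a shell, scp,
    # rm or anything else is rejected outright.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # Shell metacharacters and glob characters never appear in rsync's
    # server-side argument list; reject them rather than risk expansion.
    if printf '%s\n' "$cmd" | grep -q '[;&|`$()<>*?{}]'; then
        return 1
    fi
    # Reject path traversal; rsync's final argument is the remote path.
    case "$cmd" in
        *"/../"*|*"/.."|*" .."*) return 1 ;;
    esac
    path="${cmd##* }"
    case "$path" in
        "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    if check_command "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                       # no globbing during the word split below
        exec $SSH_ORIGINAL_COMMAND   # split on whitespace; paths with spaces unsupported
    fi
    logger -t backup-only "rejected from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "only rsync into $BACKUP_ROOT is permitted" >&2
    exit 1
}

# Act only when invoked by sshd via the authorized_keys line above; loading
# the file without --sshd just defines the functions (used by the tests).
case "${1:-}" in
    --sshd) main ;;
esac
```

rsync ships a more complete version of this idea as rrsync, which also filters dangerous rsync options. Note that a restricted key still lets a compromised box overwrite or delete what it may legitimately write, so the second approach (pull or snapshot the staging area) is what actually closes the total-loss scenario.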