It's World Backup Day! Rsync + SSH + Synology For Easy Secure Backup

Reddit Comments

BackupPC is an awesome FOSS suite that uses rsync and ssh along with pooling to reduce the overall size of backups when multiple similar machines are being backed up. I've used it for years and it's a great thing to have in your toolbag.

👍︎︎ 2 👤︎︎ u/the_darkener 📅︎︎ Apr 01 2020 🗫︎ replies
Captions
[Music] It's World Backup Day, or pretty much, and at these dark times you should make sure you have a backup, if not for you, for those that come after you. A lot of people are familiar with the 3-2-1 backup rule: three copies of the data, in two formats, with at least one of those off-site. And for me, well, I prefer to have an appliance that's storing my stuff and sort of managing backups. But there are a lot of people that will just copy their important data to Google Drive or OneDrive or some other cloud service, but most cloud services will charge you a lot of money once you move beyond storing a trivial amount of information. I mean, the temptation from Google, it's like, "I'll just upload everything. Don't worry about trying to organize it and figure out what's important, and what you should pay monthly storage fees for and what you can move on to an external hard drive. Just pay for an upgrade, it's so inexpensive." And then your data can be mined, because it's just you, me and Google that can read Google Drive. I mean, that doesn't sit well with me.

So I like having storage local. I like having the important stuff local. I like separating concerns, so that my Star Trek movie and, you know, TV episode collection is treated a little differently than personal documents or legal documents or, like, old photos or, like, school information, like the photos and school trip stuff and that kind of stuff. I mean, there's deeds, and you accumulate a lot of documentation as you get older, and it's like, okay, I should probably have this stuff fairly easy to access but, you know, not super buried and not completely offline, let's say. So you can sort of pick and choose that, but it's nice to have a home server for that. And then if you don't want to go through setting up a home server, a Synology NAS, you can do that. So today's video is going to be about using a Synology NAS to store your most important stuff and do backup, and sort of the flexibility, the value proposition that it gives you,
because I think it's actually a good value proposition: for not a lot more than just the hardware, the hard drives and what it would cost you to build a machine, you can basically buy an already-made appliance to do it for you that's got a pretty slick point-and-click interface. Slick point-and-click, see what I did there? This video is also sponsored by Synology, but I'm gonna show you some cool stuff, including some lore, some hard-won lore. This is, you know, one of the nuggets of experience that is just really awesome, and I'm gonna show it to you. And for everybody that understands it already without having to do it, you're gonna probably chime in in the comments or come on the Level1 forums and be like, "Holy crap, I knew all of these individual things did this, but I had no idea." And it's a really cool way to use rsync to back up servers while also minimizing the attack surface area, and that's gonna apply to everything, not just Synology. Definitely do it with Synology, but you can also do it with other stuff. Even if you want to build your own NAS out of a Raspberry Pi, you can totally do that, or you could, you know, go the easy button and just do it with Synology.

One thing that worries me about cloud-based backup is it doesn't really follow the 3-2-1 rule if that's all you have. Because, you know, there's that time where if you were watching a particular Markiplier stream and you were typing in the chat, the algorithm decided that you were a bot and just banned you. And so that was a YouTube stream, but it banned you from all Google services, so you lost access to Gmail and your Google Drive and YouTube and every other Google service that your Google account was tied to. Like, you completely lost your Google account. That really would suck a lot. So you need... that's 3-2-1, that's the one, maybe, in the 3-2-1 backup rule. Although technically, you know, G Drive, that is an off-site backup, but something can go horribly wrong and you
could lose access to G Drive. So just opening that can of worms, it leaves a bad taste in my mouth. Let's not actually do that, because the... that's really good. Although we can turn it around, and I'll explain what I mean by that in just a minute. I just think that, you know, I mean, it's one thing if it's my Star Trek movie collection. You know, if I lost access to that while Google was sorting its crap out, it's like, okay. But all my other stuff, I'd be, like, on edge and be, like, you know, screaming and spitting fire and stuff. So you don't really have to worry about those kinds of things when you are confident in your own solution, and the solutions that I'm most confident in are based on Linux or FreeBSD, not so much Windows. I mean, you can, if your digital existence can be managed by just copying some files somewhere, okay. But there's things like bit rot that can creep in. So it's like, I've got all these, you know, photos from spring break when I was in college and it was like this, you know, amazing, magical trip, let's say (not really, sort of embellishing here), but, you know, if some corruption shows up in those files, you don't necessarily know right away unless you've got a product that is actually monitoring for that kind of thing. File systems like ZFS do that. You can do that with Hyper Backup, because it's like, "Hey, this file, the date didn't change, this has changed." So there are options for sort of dealing with that at a software level. It's just that by default most things don't do that; most things don't look for bit rot.

And so when I say I trust Linux, well, the Synology has a nice soft Linux underbelly. So it's Synology, but they've built their product on top of the Linux kernel and a lot of Linux utilities, so all of the stuff that I expect to be there and work correctly is there and works correctly because of the Linux underbelly. The problem comes in backing up the system for the Internet. The options are: allow an incoming connection with full access to
the machine, or have the remote machine make an outgoing connection to a secure account on a local device, like the Synology NAS for example, or another Linux box, where it can dump its backup. So I'm gonna start running the Internet, and I can allow somebody... I can allow the backup appliance to connect with, you know, like, full root privileges to the server, so if you've got several machines and somebody compromises the backup appliance, that's bad. Or I can let the backup process run with full system privileges on that machine out on the Internet and then connect to a limited account, a sandboxed account, on a storage device for backup. And so I generally like the latter option if I can possibly help it, and that's what we're gonna go through and set up on the Synology today. And this would apply, you know, pretty much on a Raspberry Pi all the way through anything, although Hyper Backup and some of those utilities that you have with a nice point-and-click GUI, they're not gonna be there on the right spot you got it, you gotta sort of do it yourself if you're gonna go the Raspberry Pi route, or like FreeNAS. FreeNAS is another good option for DIY, but yeah, Synology wins on ease of use, I think: user interface, the plug-in system, you gotta try.

The other thing I like to think about is, like, failure modes. So we've got that server out on the Internet, and let's say something really bad happens to it and it crashes horribly and all the files are corrupted and deleted, but it crashes horribly and the backup is still running. You'd be surprised how often something like this happens. So the backup runs, and it copies all the terrible files and overwrites all of the files that are stored on the remote storage device. So I've got an Internet server, it's gonna connect back to our Synology, and it's just filled with garbage files because it's lost its marbles and it has no idea, and somehow the backup process is still running. That actually happens a lot; like, that's a common failure mode.
Then all of the stuff that it copied is gonna overwrite all of the good stuff. Oh no! But wait: if you're using snapshots on the Synology, or with buggy ZFS or something like that, then you can maintain a week or a month or whatever worth of snapshots, point-in-time snapshots. So if you don't notice it for a few days, you can go a few days back in time. So even though it's copied the whole system full of bad files, you can say, "Well, just throw all of that out, let's go back to two days ago and look at those files." The Synology gives you a really slick GUI for browsing those, so that you can just point and click individual files, and it supports, you know, ext Linux file systems and NTFS Windows for your individual machines that you're backing up, as well as your virtual machines. You get a lot of flexibility there. But you can look at those corruptions and say, "Okay, yeah, this file changed and it should not have changed. That machine's just wipe and reload." We're back to the wipe-and-reload scenario, but you've got, you know, that sort of failure mode covered in your mind when you're thinking through.

Okay, you know, if somebody gets into the systems... I'm running a WordPress blog and, you know, WordPress is just dangerously insecure, and somebody manages to get in WordPress, because it's WordPress, and they delete all the content and the backup runs. You know, maybe that was intentional, or maybe they're trying to do something bad to the backup systems. Like, they got access to WordPress; can they move laterally into the backup system? And so you have to sort of take steps to harden that and cover that use case. It's a little different when you're using the backup options for backing up an individual machine. So, like, with the Active Backup stuff in Synology, you can just install the client on a Windows machine and it's gonna back up, and then the Synology still doesn't give the Windows machine full access. If really malicious software gets on the Windows machine and it waits for, you know, you to make a
bad backup, or lies to the backup software and says, "Okay, you've made the backup, all the files are good," and the files aren't actually good, it's trying to ransomware you, and so it doesn't want you to have backups. The Windows machine doesn't actually have enough access to the Synology to overwrite those previous snapshots. Like, it will mess up last night's backup for sure, but, you know, not before last, which is still maintained on the Synology; you still have access to it. So in much the same way, where you've got systems connecting, you want to sort of harden that if you're gonna take the DIY approach to back up a machine up on the Internet. And if you can't use the built-in utilities on the Synology, then rsync is my go-to for backing up files. But rsync can also be hardened, especially when you're running it through an SSH connection. So there's a how-to on the forum that sort of talks a little bit more about that. I'm assuming that you're basically able to point-and-click your way through the GUI, and if you decide to go off the reservation a little bit, there's a guide on the Level1 forum that will show you how to do the rsync thing.

So what it is, is it's a Perl script (stick with me here, it's a good thing), it's a Perl script that locks down rsync, so rsync basically can only operate inside a folder. You can still do full machine root privileges, so it can restore the permissions and the extended attributes and everything, but it makes it so that your rsync command can only run with a limited set of options. I know what you're thinking. It's like, "Okay, we're going to set up SSH, we're going to have a saved key so the remote machine can connect passwordlessly to the local Synology; they're gonna be able to run other SSH commands." And by default, yes, if you've got the key authentication set up, which is off by default on the Synology. There's a how-to for that on the forum as well, and you'll have to go through some steps to enable that and set up home directories, that kind of thing. But if
you do that and enable the key-based authentication, the keys are much more secure than a password. Even if you save a password in the remote system, if, you know, somebody gets a hold of that password, they would be able to connect to your backup and run arbitrary commands. Well, SSH, secure shell, you know, they thought of that in, like, 1573 when this thing was designed. So with secure shell you can say, "This key is only allowed to run this command." There's an example of that syntax. When you add that SSH key to your authorized keys file with that format, then you will only be able to run the one command that basically receives backup files into a specific folder that is actually in your SSH configuration. So much like the Hyper Backup software client on Windows is kind of locked down, in that the Windows client can't delete previous snapshots, this is the same type of lockdown for rsync. So even though you're going off the reservation a little bit and allowing, you know, SSH access to your backup appliance, that key that's associated with that user on the system can only run very, very limited commands, or in this case one command, and that is the only change that they're allowed to make on the system. And then of course, you know, that user on the Synology is a limited user. It's not an administrative user, it's not allowed to log in to the web GUI; it's literally only allowed to log in and access the one folder. So you just step by step through the GUI to do that and you're good to go. And this technique for SSH lockdown works on pretty much any machine with SSH. It doesn't even matter if it's Linux; you can also do this on FreeNAS or FreeBSD or literally anything else. This is a great way to allow a remote system to back up to a local system with SSH keys in a reasonably safe way.

I've thrown a lot at you, so let's summarize. Backing up PCs and VMs: that's Active Backup, and that works even with the free version of VMware. You can go back in time and restore from certain days, there's snapshot
capabilities, et cetera, et cetera. But with that 3-2-1 backup plan, you have to back up the NAS itself. So the first sort of backup-ish mechanism is snapshots. So snapshots are not a true backup of the NAS, but snapshots allow you to restore files on the NAS from a certain point in time. So that whole corrupt backup scenario, where you made a backup but the backup is actually bad, snapshots will help you recover, and especially recover if you don't notice in time, because usually you maintain a week or two weeks or a month or two months or whatever, you know, your space requirements are for snapshots. Then there's Hyper Backup, which augments Active Backup by allowing you to back up the entire NAS somewhere else. And then of course rsync, which I've been talking about, which allows you to copy from literally any source, any Linux source: Raspberry Pis, you know, your Internet of Things devices' configuration, whatever you want to do, machines on the Internet, safely, the way that I showed you. It's a very, very safe way that I showed you how to use rsync. You can copy those from the source device directly to the Synology, and then when you have things like Hyper Backup on top of that, then you get your, you know, tertiary copy that's off-site, the one in the 3-2-1 backup. In other words, it's a lot to throw out there, there's a lot to unpack there, but, you know, this is the best strategy for managing your very important files.

So now I've got my sort of oddball use cases covered. You know, at home I've got a half-a-dozen real physical machines and then, like, five or six virtual machines that are doing different things, and then I've got some machines out on the Internet, machines like the Level1 forum itself, all this stuff, and I want to be able to sort of back it up and handle it on one appliance, or have one physical device that's managing that. Well, the Synology addresses that. We've got Active Backup for all of the completely ordinary and pedestrian things with a really slick GUI, and for anything that the
really slick GUI doesn't handle, I can do things from the command line if I want to. If I were running, say, a VMware virtual machine out in the cloud, Active Backup integrates with VMware, so I can actually log into VMware and back up appliances directly from VMware, if I were running VMware at home, even the free version. Now, the free version: a lot of people start with the free version of VMware and they're really excited, and then they go to do a backup and it's like, oh, the backup is really hobbled in the free version, it doesn't support a lot of stuff, and it tries to make you do a full export of the VM every time. Well, the Synology software integrates with VMware, they're VMware-aware, but you will have to enable SSH on the free version of VMware. But in much the same way, it will be able to pull backups from VMware, even the free version, competently, and that works well. So that is a big deal. A lot of people run VMware ESXi, the free version, at home or in their small business, and this will work really well.

So yeah, I mean, my home setup is more complicated than, you know, even like a 15 or 20 person office, just because of the number of physical machines and the number of, you know, virtual machines and all of the duties and stuff that those different machines are doing. But, you know, one of these with a bunch of 10 or 12 terabyte hard drives, it can store copy upon copy upon copy upon copy of all of the other devices. If you want to learn more about Active Backup, I did a whole separate video on Active Backup; you should check that out. But this is, you know, sort of the whole enchilada, because this is World Backup Day and this is sort of the strategy, the mindset, that you need to get into to be able to do these kinds of things. So yeah, snapshotting an entire machine or anything else, like the other people, you know, if in your family you have Leon Hall like you your kids laptop, and then you've got your work laptop and some other laptops, and you need to back all those up, but you
also need to be sure that, you know, when your kids are going to restore a file they accidentally deleted, they can't get into your work stuff. That's all handled, that's all handled really well. I've got everything on the Synology. You know, I've got my VMs and I've got my physical machines and I've got my oddball Internet machines out there doing the rsync, and heck, I could even be backing up my IoT Raspberry Pis with that rsync command. But it would be nice if I could replicate that, so in case there's a fire or tornado or something, the information that is stored locally on the Synology is also available somewhere else. So you can replicate that. You can just pick up another Synology. If you have, you know, a bunker in your vacation home, you can just, you know, set up another Synology there, and as long as the internet connection... the Synology will replicate to the other Synology. There's no monthly fees.

The Synology will also back up to, like, Amazon S3 and Glacier, but all of those services are fantastically expensive. Synology has their own online backup service, which is pretty good, C2, and that will also be optionally encrypted. So we're talking about, you know, Google can look at your documents and your stuff. You pick a password, you set a password, and then that password is used to generate an encryption key, and Synology doesn't have that password, so if you lose that password you can't get your backups back. That's kind of how Amazon Glacier works as well: you set up a key, and then you need to take steps to store that key on a couple of different USB flash drives, maybe put one in the bank vault, something like that. So if you do the encryption option, make sure, if something happens to you, especially in these dark times, that the people that come after you, who need to get your stuff back, have got a way to actually decrypt it. So the Synology online service works pretty well, but you don't have to use it. You could set up your own Synology somewhere else, you can set up your
Synology in the datacenter, you could set up something on Linode and back it up there. But I got news for you: Linode is gonna be a lot more expensive for a VM that's just used for that kind of stuff than something else. Although, well, Linode has that new object storage, I gotta check that out, and that might be a thing. But I think that I would generally recommend just sticking with the Synology stuff. It's pretty easy, it's pretty point-and-click. If you want to go off the reservation like I did with the whole rsync file lockdown script thing, which dates from even before 2004, check out the forum link on Level1. It's really awesome. I mean, it's a piece of Internet lore that is basically forgotten, but you've strung together SSH and rsync and, you know, Linux, Synology, and you've really put together something beautiful from three relatively simple components. Like, I'm betting a lot of you knew that, you know, with SSH you can lock it down so that you can only run certain commands, or in our case just one command, and some of you knew about rsync, and some of you know about the whole off-site backup thing, but see, we've sort of combined these things in a creative way, and now we've got a really amazing backup appliance on top of an already really amazing backup appliance. And it is World Backup Day, so you should back up your stuff, or at least make plans to do a backup.

Anyway, I mentioned G Drive and the Markiplier thing. There's a thing in the GUI on the Synology, so if you have G Suite for business and you need to back up your company's Google Mail and Drive and all that crap, you can. You just plug in your credentials in the G Suite backup, or set up an account that has backup permissions in your G Suite, plug it into your Synology, and then it will connect to your G Drive and pull everything down: Gmail, the calendar, files, the whole nine yards. It's a pretty slick GUI, going click. You don't have to figure it out, you don't have to do all this command line, paste the script, configure SSH,
you know, SSH into the machine and do stuff. You don't have to do any of that. That's all point-and-click. If anything, it's an argument for, you know, making it as simple as possible, to, like, looking at the stuff that I'm doing with rsync, and it's like, well, I had a particular itch that required a particular scratch, and just because I went with the packaged appliance like a Synology, I didn't lose that functionality. So that's really awesome. So that's it in a nutshell. Or is it a Z shell, or fish? All right, no, it's in a nutshell, on the Level1 forum. I'm Wendell, this is Level1, World Backup Day. Manage your backups. Thanks to Synology for sponsoring this video. Definitely take a look at your backups. If you have any questions about the setup or the particulars or anything like that, let me know on the Level1 forums. I'm signing out and I'll see you there.
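
The per-key SSH lockdown described in the captions, as an added example that is not from the video or the forum guide: a small audit of an `authorized_keys` file that flags backup keys lacking a forced command or still allowed a terminal and forwarding. It assumes the wrapper script is `rrsync` (the restricted-rsync helper distributed with rsync, which the video does not name); the install path, `/volume1/backups/...` folders, host names and key blobs are constructed placeholders.

```python
"""Audit an OpenSSH authorized_keys file for backup keys that are not locked down."""

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Per-key options that each switch off one SSH feature; "restrict" implies all.
NO_OPTS = ("no-pty", "no-port-forwarding", "no-agent-forwarding",
           "no-x11-forwarding", "no-user-rc")

# Constructed sample: key blobs are placeholders, paths and names are made up.
SAMPLE = '''\
# hardened: one forced command, everything else disabled
command="/usr/local/bin/rrsync -wo /volume1/backups/web01",restrict ssh-ed25519 AAAAC3PLACEHOLDER1 backup@web01
# forced command, but pty and forwarding are still allowed
command="/usr/local/bin/rrsync -wo /volume1/backups/web02" ssh-ed25519 AAAAC3PLACEHOLDER2 backup@web02
# plain key: whoever holds the private key gets whatever the account allows
ssh-ed25519 AAAAC3PLACEHOLDER3 backup@web03
'''


def parse_entry(line):
    """Return (options dict, remainder) for one authorized_keys line."""
    if line.startswith(KEY_TYPES):
        return {}, line                      # no options field present
    opts, buf, quoted, i = {}, [], False, 0

    def flush():
        name, _, value = "".join(buf).partition("=")
        if name:
            opts[name.lower()] = value       # option names are case-insensitive
        buf.clear()

    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            buf.append('"')                  # escaped quote inside a value
            i += 1
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            flush()
        elif ch in " \t" and not quoted:
            break                            # end of the options field
        else:
            buf.append(ch)
        i += 1
    flush()
    return opts, line[i:].strip()


def audit(text):
    """Return [(line_no, key comment, [problems])] for entries needing attention."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = parse_entry(line)
        fields = rest.split(None, 2)
        comment = fields[2] if len(fields) == 3 else ""
        problems = []
        if not opts.get("command"):
            problems.append("no forced command")
        if "restrict" in opts:
            # Options such as "pty" switch a feature back on after "restrict".
            problems += [f"{o[3:]} re-enabled" for o in NO_OPTS if o[3:] in opts]
        else:
            problems += [f"missing {o}" for o in NO_OPTS if o not in opts]
        if problems:
            findings.append((n, comment, problems))
    return findings


if __name__ == "__main__":
    for n, who, problems in audit(SAMPLE):
        print(f"line {n} ({who}): " + "; ".join(problems))
```

Run against a copy of the backup account's `authorized_keys`; an entry that produces no findings can only invoke its one forced command, which is the state the captions describe.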
Info
Channel: Level1Techs
Views: 27,559
Keywords: technology, science, design, ux, computers, hardware, software, programming, level1, l1, level one
Id: BVJ3CBaTkYM
Length: 22min 32sec (1352 seconds)
Published: Tue Mar 31 2020