Backing up VPS Server to Raspberry Module or Home Server

I had a Raspberry Pi lying around and was wondering if I could put it to use. Lately, my web hosting provider had been hit by an unpleasant attack that wiped all the data on the server nodes. I was glad that they had backups elsewhere to restore from. They may keep backups at different locations, but you never know what will happen next. Just to be safe, I feel that backing up the VPS server locally is a good choice as well.

If you are looking to back up to your computer server, it should work the same.

Setting up the Raspberry Pi

Installing the OS:

Installing the Raspbian “wheezy” OS is the easiest thing in the world. Simply download the iso here. While the download runs, you will need the tools required to write it to your SD card. All instructions are posted on the eLinux.org website for the Raspberry Pi here.

Setting up the iptables:

For the iptables rules, I recommend going to “Simple Iptables Script Generator” and letting it generate the bash shell script for you. However, there are some things to change in the generated code.

Here are slight changes from the generated iptables shell script:

#!/bin/sh

# iptables script generated 2013-07-20
# http://www.mista.nu/iptables

IPT="sudo iptables"

# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
$IPT -P INPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 192.168.1.0/24 -j DROP

# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow inbound access to Samba shares
$IPT -A INPUT -p udp -m udp --dport 137 -s 192.168.1.0/24 -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 138 -s 192.168.1.0/24 -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -s 192.168.1.0/24 -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -s 192.168.1.0/24 -j ACCEPT

# Accept inbound ICMP messages
$IPT -A INPUT -p ICMP --icmp-type 8 -s 192.168.1.0/24 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -s 192.168.1.0/24 -j ACCEPT

# Accept outbound packets
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Allow output
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

$IPT -A INPUT -j DROP
$IPT -A OUTPUT -j DROP

The above iptables rules allow SSH from anywhere and Samba from the local network only. You may need to add extra rules for other services. You will also need to change the network “192.168.1.0/24” to your own local network, as in “x.x.x.0/24”.

Finally, save your iptables rules so that they are loaded again on reboot. Note that iptables-save on its own only prints the rules to the terminal; they have to be written to a file and restored when the interface comes up.

sudo sh -c 'iptables-save > /etc/iptables.rules'

#Then add this line to the eth0 stanza in /etc/network/interfaces so the rules are restored at boot:
#pre-up iptables-restore < /etc/iptables.rules

Setting up passwordless login with an SSH key:

Setting up a passwordless SSH login is very useful for the cron job that automates the process, as we will not be required to enter the login password every time we run rsync.

#Create the key directory if it does not exist yet and navigate into it
mkdir -p ~/.ssh && cd ~/.ssh

#Generate a public and private SSH key
ssh-keygen

#You should see the following:
############################################
#Generating public/private rsa key pair.
#Enter file in which to save the key (/home/pi/.ssh/id_rsa):

#Accept the default path by pressing Enter (or type it exactly as shown, in this case: /home/pi/.ssh/id_rsa)

#Leave the passphrase empty, simply press Enter! The cron job cannot type a passphrase, so this key must be unencrypted.

#Enter passphrase (empty for no passphrase):
#Enter same passphrase again:

#Your identification has been saved in /home/pi/.ssh/id_rsa.
#Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
#The key fingerprint is:
#97:aa:de:20:40:e7:68:9b:ca:3f:4b:a9:0e:58:4c:7e [email protected]
#The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|  o .            |
| = +       .     |
|  B E   S o      |
|.o =.    o       |
|o oo. . .        |
|o.o. . +         |
|o+.oo.o .        |
+-----------------+

You should now have two files in your ~/.ssh directory.

id_rsa is the private key that you will present when you log in over SSH. This file is like your password, but in file form, so treat it as such.

id_rsa.pub is the public key that stays on the Raspberry Pi. For the passwordless SSH login to work, its contents need to be in a file named “authorized_keys”.

#Append rather than overwrite, so any keys already authorized are kept
cat id_rsa.pub >> authorized_keys

#sshd ignores the file unless only your user can read and write it
chmod 0600 authorized_keys
chmod 0700 ~/.ssh

#Now that you have set the authorized_keys, you may remove id_rsa.pub
rm id_rsa.pub

Since we have set up keys for SSH logins, we will now configure SSH to refuse password logins when no key is provided.

sudo nano /etc/ssh/sshd_config

#Set PasswordAuthentication to no (first confirm from another session that the key login works, or you will lock yourself out)
PasswordAuthentication no

#Ctrl+x and y to save, then reload sshd so the change takes effect
sudo service ssh reload
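Because the key above has no passphrase and will be stored on the VPS, it is worth limiting what it can do on the Pi: if the VPS is ever compromised again, the key should not hand over a shell on your home network. The script below is an added example, not part of the original post. It is a forced command for ~/.ssh/authorized_keys that only lets the key run an rsync transfer into /mnt/usbdrive/backup; the install path /home/pi/bin/rsync-only.sh and the function name allow_command are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Forced command for the backup key:
# the id_rsa on the VPS has no passphrase, so whoever controls the VPS can use it to
# reach the Pi. Pinning the key to this script in authorized_keys limits what that
# login can do to an rsync transfer into one directory.
#
# Install on the Pi as /home/pi/bin/rsync-only.sh (path is an assumption) and put
# this in front of the public key in ~/.ssh/authorized_keys, on the same line:
#   command="/home/pi/bin/rsync-only.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA...
# sshd then runs this script and passes the client's real command line in
# SSH_ORIGINAL_COMMAND instead of executing it.

BACKUP_ROOT="/mnt/usbdrive/backup"   # the only directory the key may touch

# allow_command CMD: returns 0 when CMD is an rsync server invocation whose target
# is BACKUP_ROOT (or a path below it) and contains no shell metacharacters or "..".
allow_command() {
    case "$1" in
        *\;*|*\&*|*\|*|*\`*|*\$*|*\(*|*\<*|*\>*|*..*)
            return 1 ;;                       # chaining, substitution, traversal
        "rsync --server "*" $BACKUP_ROOT"|"rsync --server "*" $BACKUP_ROOT/"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Only reached when sshd invokes us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_command "$SSH_ORIGINAL_COMMAND"; then
        set -f                                # no globbing while we split the vetted line
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"
    fi
    logger -t rsync-only "rejected: $SSH_ORIGINAL_COMMAND"   # leaves a trail in syslog
    echo "this key only permits rsync into $BACKUP_ROOT" >&2
    exit 1
fi
```

The exact flags rsync sends after --server vary between versions, so run the real backup command once after installing the script and check syslog for a "rejected" line before relying on it. With this in place a stolen key gives no shell, no port forwarding, and no access outside the backup directory, and every attempt to do something else is logged.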

Installing rsync:

#Simply run
sudo apt-get install rsync

Setting up the external hard drive:

Now you may plug your external hard drive into the Raspberry Pi.

#Check to see your device location
sudo fdisk -l
#Our device is located on /dev/sda1, but yours might be different

#If you haven't formatted your external drive as Ext4 yet, you may do so with (this erases the drive):
sudo mkfs.ext4 -L untitled /dev/sda1

#Mounting the External Hard Drive
sudo mkdir /mnt/usbdrive
sudo mount /dev/sda1 /mnt/usbdrive
sudo chown -R pi:pi /mnt/usbdrive

#Check to see if the drive type and if it is mounted correctly to the directory of your choice
sudo mount -l

#Check to see the drive space and mount directory
df -h

#Now that we had mounted the external drive, we would like it to automatically mount the drive on reboot.
sudo nano /etc/fstab

#Add the following line to the config (device names such as /dev/sda1 can change between boots; "sudo blkid" shows a UUID you can use instead, as in UUID=...)
/dev/sda1  /mnt/usbdrive  ext4  defaults  0  0

Setting up the main server

Installing rsync

#Ubuntu/Debian
sudo apt-get install rsync

#CentOS/RedHat
yum install rsync

Copying over the private key for the SSH login we created on the Raspberry Pi (the rest of this section is run as root)

nano ~/raspberrypikey

#Open the private key (id_rsa) on the Raspberry Pi and paste its contents into your nano editor.
#ssh refuses to use a key file that other users can read, so restrict it:
chmod 600 ~/raspberrypikey

Testing rsync

#Let's just create a test file.
nano ~/testfile

#rsync that test file to your Raspberry Pi
rsync --progress -avhe "ssh -i ~/raspberrypikey" --delete-after ~/testfile user@X.X.X.X:/mnt/usbdrive
#user - the user name on your Raspberry Pi; the default is pi
#X.X.X.X - the IP address of your Raspberry Pi

#If things went well, you should be able to see the testfile on your Raspberry Pi under /mnt/usbdrive

Setting up the cron job

#Setting the cron job to automatically back up your VPS server
crontab -u root -e

#This opens your default editor (vim unless EDITOR is set). In vim, press "i" to start editing. Input the following:
0 4 * * 1 rsync --progress -avhe "ssh -i /root/raspberrypikey" --delete-after /home /etc /root /var user@X.X.X.X:/mnt/usbdrive/backup
#This runs every Monday at 04:00. The key path is absolute because cron gives the command a minimal environment.

#The first 5 fields set the time and dates at which the cron job executes, see the chart below:
###############################
# *    *    *    *    *  command to execute
# ┬    ┬    ┬    ┬    ┬
# │    │    │    │    │
# │    │    │    │    │
# │    │    │    │    └───── day of week (0 - 6) (0 to 6 are Sunday to Saturday, or use names)
# │    │    │    └────────── month (1 - 12)
# │    │    └─────────────── day of month (1 - 31)
# │    └──────────────────── hour (0 - 23)
# └───────────────────────── min (0 - 59)

 

Setting up the MySQL backup script

The backup above only deals with local files. It will not back up your databases. For databases, you may want a bash script that dumps them daily.

I found twhiting9275's script on the cPanel.net forum very useful.
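As an added example (not the original post's script and not twhiting9275's), here is a small POSIX sh dump script that does the daily database backup described above: it dumps every database to a dated, gzipped file and prunes old dumps. The paths /root/db-backups and /root/.my.cnf, the seven-day retention and the run argument are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's or twhiting9275's script: dump every MySQL
# database to a gzipped, dated file and prune dumps older than KEEP_DAYS.
# Assumes credentials in /root/.my.cnf ([client] user= / password=, mode 600) so no
# password appears on the command line; BACKUP_DIR and KEEP_DAYS are assumptions too.
BACKUP_DIR="${BACKUP_DIR:-/root/db-backups}"
KEEP_DAYS="${KEEP_DAYS:-7}"

# dump_path DB STAMP: the file a dump of DB taken at STAMP is written to
dump_path() {
    printf '%s/%s-%s.sql.gz\n' "$BACKUP_DIR" "$1" "$2"
}

# list_databases: one name per line, skipping MySQL's own schemas
list_databases() {
    mysql --batch --skip-column-names -e 'SHOW DATABASES' |
        grep -Ev '^(information_schema|performance_schema|mysql|sys)$'
}

# dump_one DB STAMP: consistent InnoDB snapshot with routines and triggers.
# Dump uncompressed first so a failed mysqldump is noticed and never kept.
dump_one() {
    out=$(dump_path "$1" "$2")
    if mysqldump --single-transaction --routines --triggers "$1" > "${out%.gz}"; then
        gzip -f "${out%.gz}"              # replaces DB-STAMP.sql with DB-STAMP.sql.gz
    else
        rm -f "${out%.gz}"                # never leave a truncated dump behind
        return 1
    fi
}

# prune_old DIR DAYS: remove *.sql.gz older than DAYS days; prints how many went
prune_old() {
    find "$1" -name '*.sql.gz' -type f -mtime +"$2" -print -delete | wc -l | tr -d ' '
}

backup_all() {
    stamp=$(date +%Y%m%d-%H%M)
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
    list_databases | while read -r db; do
        dump_one "$db" "$stamp" || echo "dump of $db failed" >&2
    done
    echo "pruned $(prune_old "$BACKUP_DIR" "$KEEP_DAYS") old dump(s)"
}

# run the backup only when asked, e.g. from root's crontab:
#   0 3 * * * /root/scripts/mysql-backup.sh run
case "${1:-}" in
    run) backup_all ;;
esac
```

Because the dumps land under /root, the weekly rsync job above ships them to the Raspberry Pi together with the rest of the server; scheduling the dump an hour before the rsync run keeps the two from overlapping.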

 

Everything is now set to back up your VPS server to your Raspberry Pi.

Any questions and corrections, feel free to comment below.

Author: Jason Lin

How to Set Up a VPS/Dedicated Server for the First Time on CentOS 6.x (LEMP Version)

I just signed up for this great deal at ChicagoVPS.net for a 2GB RAM, 2TB/Month, 50GB space at $40 + Tax (NY) / Year. (Check the deal at SlickDeals.net, as of March 09)

I thought that the deal was great and wanted to give them a try.

ChicagoVPS was cheap, but it did not live up to its price. I had a lot of downtime during the month. I finally got a new dedicated server for my websites.

I am writing this blog for my own reference; I think the information I gathered over the internet will be helpful to you as well when you are setting up your VPS servers. That is why I set up this blog on my unused web domain name. If there are any mistakes or comments, please feel free to post a comment.

Requirements:

Updating

First time when you run the server, you should always update the system.

yum update

Firewall

A firewall is always, and will remain, the number one thing to set up before starting anything. I found a good script online that sets up the firewall. (I still need to find where I got it from to give credit.)

Save the iptables script below as iptables.sh. Please note that I have opened port 8080 for Varnish tests; you may close it by removing that line.

#!/bin/bash
# A sample firewall shell script 
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
SYSCTL="/sbin/sysctl"
BLOCKEDIPS="/root/scripts/blocked.ips.txt"

# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
#$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
$SYSCTL kernel.exec-shield=1
$SYSCTL kernel.randomize_va_space=1

echo "Starting IPv4 Firewall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# interface connected to the Internet 
PUB_IF="eth0"

#Unlimited traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# DROP all incoming traffic by default
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Block new connections that do not start with SYN
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Block Fragments
$IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

# Block bad stuff
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connections but no unsolicited incoming traffic
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT

# Allow http / https (open port 80 / 443)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 8080 -j ACCEPT

# allow incoming ICMP echo requests (ping)
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow port 53 tcp/udp (DNS Server)
#$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
##$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

#$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
##$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open port 110 (pop3) / 143
#$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT
#$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT

##### Add your rules below ######
#
# 
##### END your rules ############

# Do not log smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

# log everything else and drop
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP

exit 0

Saving the iptables rules for the next reboot

#On CentOS 6, iptables-save only prints the rules; this writes them to /etc/sysconfig/iptables, which the iptables service restores at boot
service iptables save

Backing up

Whether you are on a VPS or a dedicated server, with managed or unmanaged hosting, you should always back up, back up again, and back up your backups. Hey, things happen, and I learned that from buying cheap hosting at ChicagoVPS (move away from them).

Click here to check the “How to Backup to Raspberry Pi” post.

Nginx, PHP, and MySQL – LEMP Web Server

 

Security

Skipfish

yum install skipfish -y

(More info about skipfish will be posted.)