Linux Back up and security procedures

[satz]

So i been landed a job interview as a junior IT assistant,

Part of the interview they want to ask me about linux lamp server back up routine and security procedures, I've been googling about and research on this and also got Ubuntu server installed on VMware, i just wanted to know what you guys think

Thanks

[glennda]

Personally I just have a cron job which tar's the /var/www folder to /backup/www which contains all our web files. I also tar all of the /etc directory to /backup/etc/ and then I use backupPC to swoop past to collect those files. I also Dump all the mysql db's to /backup/mysql

With linux as its all run by configs I just back these up rather then a full host backup.

[pete]

rdiff-backup, with automysqlbackup calling the sql backup just before the full backup.

security? only install what you need, use something like ossec for log,file and directory watching (and tune it so you pay attention), keep the thing patched and don't assume the default configs for daemons are sensible for production. Use puppet or something similar for config management, so it's not all over the place, set ssh to require keys + password for access and have firewall rules for who can access management ports.

[CyberNerd]

Personally I just have a cron job which tar's the /var/www folder to /backup/www which contains all our web files. I also tar all of the /etc directory to /backup/etc/ and then I use backupPC to swoop past to collect those files. I also Dump all the mysql db's to /backup/mysql

With linux as its all run by configs I just back these up rather then a full host backup.

As above. I use rsync to backup to /backup/www - this can be an iscsi or NAS.
Also backup /etc and /usr/local as these have configs and locally installed apps.
there are a few mysqlbackup scripts lurking on the internet,

[CyberNerd]

security? only install what you need, use something like ossec for log,file and directory watching (and tune it so you pay attention), keep the thing patched and don't assume the default configs for daemons are sensible for production.

Also keep SELinux on.

[dhicks]

Part of the interview they want to ask me about linux lamp server back up routine and security procedures, I've been googling about and research on this and also got Ubuntu server installed on VMware

Hopefully, any production server these days will be running as a virtual machine (and if it isn't, you should maybe point out in the interview that it should be), so you can use your virtualisation system's snapshot procedure to take a backup of the virtual machine image in question. Failing that, I've never had a problem moving Debian installs from machine to machine by simply tar-ing up the original file system and then untar-ing it again on the target.

For user files, a script on the backup server that first duplicates the previous day's backup folder by replicating the folder structure and filling it with hard links to files followed by running rsync should give you a back of the live file system with un-changed files simply being hard links, saving a wodge of disk space - don't forget to have something periodically delete old backup folders.

[RabbieBurns]

if it is a internet facing server, perhaps something like moving SSH etc to an arbitary port if there is a need to have it open, and using something like fail2ban also?

[satz]

Wow thanks for you feed back guys, i got a fair bit to think about and proccess , also @dhicks thats a good point ill make a note of that.

[cpjitservices]

if it's Linux security your after learning, look at the NSA guide to locking down Red Hat servers - works for any Red Hat based system (Fedora, CentOS), learn it form back to front and you'll have an absolutely secure Linux system that's really hard to break into, it's based on a server that is internet facing.

We HAVE to use the NSA setup guide to adhere to certain regulations.

Here's the link

http://www.nsa.gov/ia/_files/os/redh...guide-i731.pdf

As for backing up, we have 2 CentOS servers! The main web server gets backed up every night at midnight, and the other one has just a Samba share sitting on it which we backup the entire Web Server to using a script on the Samba Share Server - the script uses RSync to pull everything off of the web server and put everything it pulls into it's Samba Share - we use the Samba Primarily because it's easily accessible to Windows and this is also where our Exchange and DC's backup to but not using RSync.

[powdarrmonkey]

I pick and choose from simple snapshots, backintime (I maintain the package of it), duplicity and bacula - in increasing order of complexity. Backintime automates dhicks' hard links trick.

[webman]

I use a similar method myself.

The script uses Rsync to copy changed web files only + some config files, and mysqldump to backup the MySQL databases. All copied over the network using Samba to a NAS box which is part of a D2D2T system running BackupExec.

[CyberNerd]

Should also mention that LVM snapshots are a powerful way of instantly snapshotting a volume to be backed up.

[cpjitservices]

snapshots are handy until your server or VM Host goes down, using Rsync to back everything and I do mean everything up you can't go wrong especially if you are backing up to a completely different system. With Rsync also you can view/edit/restore individual files and it's not uncommon for people to restore and "old" or "outdated" snapshot.

[mister_z]

Backup:
Hmm, depends on standards and the pocket depth. My day job has corporate standards, so NOT using Symantec NetBackup will get people in trouble. So the first question for the interviewer is "Do you have any standard for backup software ? Legato ? TSM ? NetBackup ?"

In my pro bono work -- smalll non-profits, etc, for linux installations with more than 1 server, I recommend AMANDA overall. It takes some setup -- but that's why there are administrators. And iits flexible, resilient, and it just works. You can set it up to use common tape devices, including hand-me-downs. Or your can use SATA docks and dump to disks. Combine with LUKS volumes, and you have encrypted backups as well.

As for MySQL -- one way is to read-lock the database for consistency and LVM snapshot the volume that the data files reside on. Release the read lock and the database can go back to happily accepting transactions while AMANDA backs up the snapshot volume. In earlier versions of MySQL (5.0 and earlier) this was the only way to get an "almost online" backups in a 24x7 environment.


Security procedures ? That can fill a book by itself. And does. The major point about security is this: If it's highly convenient, it's probably insecure.

Lock out root ssh logins ? But it's way more convenient to log in as root directly -- why do I have to use sudo ?
The DBA team needs root access. And then know what they're doing. I'll just give them the password to save time.
Enforcing password changes every 90 days ? What a pain.
If I put in password complexity requirements, everyone will be so annoyed at me.\
Creating a cron.allow ? Are you kidding ? Then every time someone wants to run a cron job, I have to add them to the file.

Understanding and reluctantly embracing the security mindset is much more important than memorizing every rule. If you embrace security, you can google to build an effective security baselin, and you may even enforce it.

Good luck.