Saturday, May 8, 2010

Backing up Linux system using BackupPC

The following was performed on Fedora 12 Linux on an Acer 3935 notebook. This note covers backing up a personal/office system using the BackupPC software.

> Installation

Simply issue the command below to instruct yum to download and install the required RPMs.

[amar@amar ~]$ sudo yum install backuppc

The installation process created the following folders:
- /etc/BackupPC/ - For configuration files.
- /var/lib/BackupPC - For runtime data. I later changed this to point to an external USB disk, details later.
- /var/log/BackupPC - For logs. I later changed this to point to an external USB disk, details later.
- /usr/share/BackupPC - For scripts, libraries and documentation.

It also added a configuration file, BackupPC.conf, for the Apache server under /etc/httpd/conf.d. This enables the BackupPC CGI interface for monitoring, accessing and configuring the software from a browser.

> New OS Users

The installation also created an OS user and group named "backuppc", with the home directory set to /var/lib/BackupPC/. The default "apache" user is also added to this new group (so the apache user has access to the BackupPC system files). The backuppc user has "/sbin/nologin" set as its login shell and its local password is locked, so no one can log in as this user. The account is used internally by the BackupPC tool.

[root@amar bin]# su backuppc
This account is currently not available.

A login can be forced by explicitly providing the "-s" option. This may be required when running scripts for testing purposes.

[root@amar ~]# su -s /bin/bash backuppc
bash-4.0$ pwd

> Apache Configuration for the BackupPC tool
>> To allow access to the tool, a password file needs to be created for the Apache login prompt. This is mentioned in the Apache configuration file created by BackupPC. I issued the command below as root to create a web browser user called "backuppc".

[root@amar ~]# cd /etc/BackupPC/
[root@amar BackupPC]# ll
total 88
-rw-r-----. 1 backuppc backuppc 80952 2010-02-28 21:47
-rw-r--r--. 1 backuppc backuppc  2209 2010-02-28 21:47 hosts
drwxr-xr-x. 2 backuppc backuppc  4096 2010-02-28 21:47 pc
[root@amar BackupPC]# htpasswd -c /etc/BackupPC/apache.users backuppc
New password:
Re-type new password:
Adding password for user backuppc
[root@amar BackupPC]# ll
total 92
-rw-r--r--. 1 root     root        23 2010-04-30 13:20 apache.users
-rw-r-----. 1 backuppc backuppc 80952 2010-02-28 21:47
-rw-r--r--. 1 backuppc backuppc  2209 2010-02-28 21:47 hosts
drwxr-xr-x. 2 backuppc backuppc  4096 2010-02-28 21:47 pc

>> To allow access to the URL from a name/IP other than the local IP, add it to the "allow" line in the /etc/httpd/conf.d/BackupPC.conf file. Changes are reflected without a service restart.

allow from

>> Set the following parameters in the /etc/BackupPC/ file to grant admin access to the user created above.

$Conf{CgiAdminUserGroup} = 'backuppc';
$Conf{CgiAdminUsers}     = 'backuppc';

>> Restart the BackupPC Service after this change.
/etc/init.d/backuppc restart

>> To access the front end using a web browser, open Firefox and type in the local access URL with the BackupPC alias. For me it is http://amar.padhi/BackupPC (note the alias is case sensitive).

> Moving my backup folder to external Linux disk

- Open the BackupPC URL in the browser and navigate to the "Edit Config" menu in the left side panel. Locate the "TopDir" and "LogDir" parameters and modify these to point to the external USB disk folder.

- Next, open a command prompt and copy all the subfolders and files in the /var/lib/BackupPC folder to the external disk location.

[root@amar ~]# cp -rpv /var/lib/BackupPC /media/PersoBKP/

- Note, the external hard disk cannot be on an NTFS or FAT32 file system, as these are not supported for backup.

> sudo access for backuppc user

The BackupPC software on my system is prevented from using the "root" user; it uses only the dedicated backuppc user. As the backuppc user does not have access to read the complete file system, sudo access should be granted to allow this user to copy files. As root, issue the visudo command and add the following line to the sudoers file. My preferred mode of copying on Linux is the "rsync" command.

backuppc  ALL=NOPASSWD: /usr/bin/rsync

Also comment out the line below in the sudoers file (visudo):
#Defaults    requiretty
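
The sudoers changes above, checked in an added example that is not part of the original post: a rule that names /usr/bin/rsync with no argument list lets the backuppc account run rsync as root with any arguments, and commenting out requiretty removes it for every user. The audit_sudoers function and both sample files are constructed for illustration; pinning the rule to the --server --sender form is an assumption about the arguments BackupPC passes for backups.

```shell
#!/bin/sh
# Added example: audit sudoers text for the two changes made in this section.
# Reads sudoers content on stdin and prints one finding per line.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^[ \t]*Defaults[ \t]+requiretty[ \t]*$/ { tty = 1; next }
    /NOPASSWD:/ {
        user = $1
        cmds = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmds)
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            sub(/[ \t]+$/, "", c[i])
            # A bare path (or ALL) with no argument list matches any arguments.
            if (c[i] == "ALL" || c[i] ~ /^\/[^ \t]+$/)
                print "ANY_ARGS " user " " c[i]
        }
    }
    END { if (!tty) print "NO_GLOBAL_REQUIRETTY" }
    '
}

# Constructed sample: the two lines as this section leaves them.
SUDOERS_AS_POSTED='#Defaults    requiretty
backuppc  ALL=NOPASSWD: /usr/bin/rsync'

# Constructed sample: requiretty stays on and only backuppc is exempted, and
# the rsync rule carries an argument list. The --server --sender prefix is an
# assumption; a restore through sudo would need its own rule.
SUDOERS_TIGHTER='Defaults    requiretty
Defaults:backuppc !requiretty
backuppc  ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender *'

echo "as posted:"
printf '%s\n' "$SUDOERS_AS_POSTED" | audit_sudoers
echo "tighter:"
printf '%s\n' "$SUDOERS_TIGHTER" | audit_sudoers
```

To audit a live system, feed the function the real file as root, for example `audit_sudoers < /etc/sudoers`, and validate any edit with `visudo -c` before relying on it.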

> Create a node for backup

Fire up the URL (mentioned above) to view the BackupPC administration page. Click on the "Edit Hosts" link and add your PC information there.
host = name of the local PC (or IP)
dhcp = check this if your machine does not have a static IP address
user = name of the person who uses this machine; this is just reference data.

Click on the "Save" button to ensure that the data is committed. Once hosts are defined, the drop-down list under the "Hosts" panel entry will show them. Host-specific setup can now be done by selecting the host from the drop-down list. Select the local host name that was defined and click on the "Edit Config" option. The displayed page will show subheadings such as Xfer, Email, Backup settings and Schedule. Each of these can be modified to suit one's needs.

>> Changing the Local PC backup calls
Click on the "Xfer" button and change the required settings. I did the below for my local machine backup. Note, I am using a sudo call to do the backup.

XferMethod  = rsync
RsyncClientPath = /usr/bin/rsync
RsyncClientCmd = /usr/bin/sudo $rsyncPath $argList+
RsyncClientRestoreCmd = /usr/bin/sudo $rsyncPath $argList+

> Folders that can be excluded

I exclude the following folders from backup; restoring these can actually create havoc on a running system.


> Access from Command line

Log in from root to the backuppc user using the following option:

[root@amar ~]# su -s /bin/bash backuppc

Refer to the BackupPC documentation to identify commands that can be used in the shell. I prefer browser access, as it is convenient for managing multiple clients.

> First backup
From the browser, navigate to the host machine link and click on the "Start Full Backup" button. The first full backup may take a lot of time if there is a lot of data to be copied. The existing default schedule does a full backup every 7 days and an incremental backup every day; this can be changed if need be.

> Next

- Backing up Windows PC data on network.
- Restoration scenarios

Thursday, May 6, 2010

Massachusetts Data Privacy/Security Law basic points

Massachusetts state, USA, has enacted a new data privacy and security law which puts the burden on all database owners and custodians. Mentioned below are some facts that I could make out from their published document. This actually acts as a good input regarding some basic points that should be covered for security hardening.

- Any database or system that owns or licenses personal information about a resident of Massachusetts should be encrypted. Even the transmission of such data should be in encrypted form. This is regardless of what your business line is, if you store personal information you are legally obligated to protect that information. Failure to comply results in heavy fines.

- All laptops and portable devices carrying personal information should be encrypted. Some portable devices do not support industry standard encryption; these should be avoided. Password protecting data when storing it on the laptop and transmitting it wirelessly does not satisfy the encryption requirement! Data must be altered into unreadable form, and password protection alone does not alter the condition of the data as required.

- Backup tapes also have to be encrypted.

- For systems holding personal information and connected to Internet, there must be a reasonably up-to-date firewall protection and operating system security patches.

- It is not best practice to send unencrypted personal information in an email. An alternative method should be used, such as establishing a secure website that requires safeguards such as a username/password to conduct transactions involving personal information.

- Onus lies on the business to ensure that enough education and training is provided to employees on the proper use of the computer security system and the importance of personal information security.

- Access to personal information should be authorized and monitored.
