Copyright (c) 2012 Nic Jansma http://nicj.net
These scripts allow you to easily and securely backup your Windows computers to a Synology NAS via rsync over SSH.
- Uses rsync over ssh to securely backup your Windows hosts to a Synology NAS.
- Each Windows host gets a unique SSH private/public key that can be revoked at any time on the server.
- The server limits the SSH private/public keys so they can only run rsync, and can't be used to log into the server.
- The server also limits the SSH private/public keys to a valid path prefix, so rsync can't destroy other parts of the file system.
- Windows hosts can backup to the Synology NAS if they're on the local network or on a remote network, as long as the outside IP/port are known.
NOTE: The backups are performed via the Synology root user's credentials, to simplify permissions. The SSH keys are only valid for rsync, and are limited to the path prefix you specify. You could change the scripts to backup as another user if you want (config.csv).
Synology NAS Setup
Enable SSH on your Synology NAS if you haven't already. Go to Control Panel - Terminal, and check "Enable SSH service".
Log into your Synology via SSH.
Create a /root/.ssh directory if it doesn't already exist
mkdir /root/.ssh chmod 700 /root/.ssh
Upload server/validate-rsync.sh to your /root/.ssh/validate-rsync.sh. Then chmod it so it can be run:
chmod 755 /root/.ssh/validate-rsync.sh
Create an authorized_keys file for later use:
touch /root/.ssh/authorized_keys chmod 600 /root/.ssh/authorized_keys
Ensure private/public key logins are enabled in /etc/ssh/sshd_config.
You want to ensure the following lines are uncommented:
PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
You should reboot your Synology to ensure the settings are applied:
Setup a share on your Synology NAS for backups (eg, 'backup').
Client Package Preparation
Before you backup any clients, you will need to make a couple changes to the files in the client/ directory.
First, you'll need a few binaries (rsync, ssh, chmod, ssh-keygen) on your system to facilitate the ssh/rsync transfer. http://www.cygwin.com/ can be used to accomplish this. You can easily install Cygwin from http://www.cygwin.com/. After installing, pluck a couple files from the bin/ folder and put them into the client/ directory.
The binaries you need are:
chmod.exe rsync.exe ssh.exe ssh-keygen.exe
You may also need a couple libraries to ensure those binaries run:
cygssp-0.dl cygcrypto-0.9.8.dll or cygcrypto-1.0.0.dll cyggcc_s-1.dll cygiconv-2.dll cygintl-8.dll cygpopt-0.dll cygspp-0.dll cygwin1.dll cygz.dll
NOTE: These libs may change in future versions of Cygwin. If you get a popup saying 'The program can't start because of X', then fetch X from the Cygwin distribution.
Next, you should update config.csv for your needs:
rsyncServerRemote - The address clients can connect to when remote (eg, a dynamic IP host) rsyncPortRemote - The port clients connect to when remote (eg, 22) rsyncServerHome - The address clients can connect to when on the local network (for example, 192.168.0.2) rsyncPortHome - The port clients connect to when on the local network (eg, 22) rsyncUser - The Synology user to backup as (eg, root) rsyncRootPath - The root path to back up to (eg, /volume1/backup) vcsUpdateCmd - If set, the version control system command to use prior to backup up (eg, svn up)
The version control update command (%vcsUpdateCmd%) can be set to run a version control update on your files prior to backing up. This can be useful if you have a VCS repository that clients can connect to. It allows you to make remote changes to the backup scripts, and have the clients get the updated scripts without you having to log into them. The scripts are updated each time start-backup.cmd is run.
For example, you could use this command to update from a svn repository:
If you are using a VCS system, you should ensure you have the proper command-line .exes and .dlls in the client/ directory. I've used Collab.net's svn.exe and lib*.dll files from their distribution (http://www.collab.net/downloads/subversion/).
During client setup, you simply need to log into the machine, checkout the repository, and setup a scheduled task to do the backups (see below). Each time a backup is run, the client will update its backup scripts first.
The client package is now setup! If you're using %vcsUpdateCmd%, you can check the client/ directory into your remote repository.
For each client you want to backup, you will need to do the following:
Generate a private/public key pair for the computer. You can do this by running ssh-keygen.exe, or have generate-client-keys.cmd do it for you:
If you run ssh-keygen.exe on your own, you should name the files rsync-keys-[computername]:
ssh-keygen.exe -t dsa -f rsync-keys-[computername]
If you run ssh-keygen.exe on your own, do not specify a password, or clients will need to enter it every time they backup.
Grab the public key out of rsync-keys-[computername].pub, and put it into your Synology backup user's .ssh/authorized_keys:
You will want to prefix the authorized key with your validation command. It should look something like this
command="[validate-rsync.sh location] [backup volume root]" [contents of rsync-keys-x.pub]
command="/root/.ssh/validate-rsync.sh /volume1/backup/MYCOMPUTER" ssh-dss AAAdsadasds...
This ensures that the public/private key is only used for rsync (and can't be used as a shell login), and that the rsync starts at the specified root path and no higher (so it can't destroy the rest of the filesystem).
Copy backup-TEMPLATE.cmd to backup-[computername].cmd
Edit the backup-[computername].cmd file to ensure %rsyncPath% is correct.
The following DOS environment variable is available to you, which is set in config.csv:
%rsyncRootPath% - Remote root rsync path
You should set rsyncPath to the root remote rsync path you want to use. For example:
%rsyncRootPath% is set in config.csv to your Synology backup volume (eg, /volume1/backup), so %rsyncPath% would evaluate to this if your current computer's name is MYCOMPUTER:
You can see this is the same path that you put in the authorized_keys file.
Edit the backup-[computername].cmd file to run the appropriate rsync commands.
The following DOS environment variables are available to you, which are set in start-backup.cmd:
%rsyncStandardOpts% - Standard rsync command-line options %rsyncConnectionString% - Rsync connection string
set cmdArgs=rsync %rsyncStandardOpts% "/cygdrive/c/users/bob/documents/" %rsyncConnectionString%:%rsyncPath%/documents echo Starting %cmdArgs% call %cmdArgs%
Copy the client/ directories to the target computer, say C:\backup.
If you are using %vcsUpdateCmd%, you can checkout the client directory so you can push remote updates (see above).
Setup a scheduled task (via Windows Task Scheduler) to run start-backup.cmd as often as you wish.
Create the computer's backup directory on your Synology NAS:
The client is now setup!
v1.0 - 2012-01-04: Initial release