Off-site backup server

[ggadrian]

Just realized the pull system may not work as you don't have a static IP... unless you can get a no-ip host setup, maybe that's an option for you. The advantage in your case is security, as the lack of static IP means you can't easily restrict on the backup server what IP connects to it (your business) but by doing pull you do the opposite, open up the business port, and restrict it to the backup server's IP.

Maybe look to see how hard it would be to get a static IP, and then you can stick with the more standard push method. Now that I think of it, this is what I'd do.

I'd also avoid FTP, as it's unencrypted and the password is sent in clear text. You could setup a VPN but that's more complex, but it would work too then FTP would be fine.

So, FTP with VPN would be fine? This would allow me to use my current software and would be easier to manage.

The thing would be: VPN between the servers, FTP transfer protected by 50 characters password, password protected backups (15 characters is the software max.) and all the server's ports closed but the FTP one and SSH to manage the server.

Safe enough?

 

[Red Squirrel]

Yeah, as long as everything is happening inside the VPN tunnel. The server should not have any ports open to the outside, maybe SSH for management (ex: if ssh tunnel drops need to be able to access it). I would also ensure fail2ban is installed to block IPs of anyone who tries to brute force passwords. Use a non standard port as well for SSH. This is more security through obscurity, but it actually does help a bit, just not on it's own.

 

[ggadrian]

Ok, looks like we have a solution; let's see if I'm able to make it work (my linux knowledge is pretty limited).

Thank you.