How do I set up an rsync server for friends - ssh

I want to offer a backup storage service for some of my friends. I have a QNAP NAS and want to make it accessible across the internet so my friends can back up their files on it.
I think rsync is the best protocol for this. But I want to know how to make it secure. I can start the rsync server and configure my router to forward the port, but then the data goes across the net unencrypted. I can use ssh instead. But how do I set things up so that they cannot login to the machine, or at least, not be able to see the files that others have stored on there? I basically want to sandbox them.
I've been searching the net a lot and have found plenty of information about setting up your personal rsync server to back up your personal stuff. But I have not been able to find anything about the use case I described above.

You don't need to set up an rsync server (rsyncd) - you can just use ssh (which is used by default for rsync) and rsync will be taken care of automatically. Create an account on your server for each user and then they can just back up as, e.g.
$ rsync -av /path/to/local/files username@your_server:path/to/backups/
So all you need to do other than creating user accounts is to open port 22 for incoming ssh traffic.
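The per-user accounts above still give each friend a full login shell. The script below, an added example rather than anything from the answer's author, restricts each friend's SSH key so it can only run rsync against that friend's own directory. It assumes the rrsync helper shipped with rsync is at /usr/bin/rrsync (Debian/Ubuntu keep it under /usr/share/doc/rsync/scripts/, possibly gzipped), that per-user directories live under /srv/backups, and OpenSSH 7.2 or newer for the "restrict" option.

```shell
#!/bin/sh
# Added example, not part of the answer above: one restricted SSH key per
# friend, so rsync over ssh works but the key cannot open a shell or reach
# another friend's files. Paths and key types below are assumptions.
RRSYNC=/usr/bin/rrsync
BACKUP_ROOT=/srv/backups

# Accept only the key types we expect, so a stray line from the friend's
# e-mail never ends up in authorized_keys.
valid_pubkey() {
    case $1 in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# authorized_keys line: "restrict" turns off pty, agent/port/X11 forwarding
# and ~/.ssh/rc; command= forces rrsync rooted at the user's own directory,
# so any path outside it is refused by rrsync whatever the client asks for.
restricted_key_line() {
    user=$1; pubkey=$2
    valid_pubkey "$pubkey" || return 1
    printf 'restrict,command="%s %s/%s" %s\n' "$RRSYNC" "$BACKUP_ROOT" "$user" "$pubkey"
}

# Create the account and install the key. Run as root. The login shell must
# be a real shell (sshd runs the forced command through it), and the home
# directory is 0700 so other accounts cannot list or read the backups.
add_backup_user() {
    user=$1; pubkey=$2
    line=$(restricted_key_line "$user" "$pubkey") || { echo "rejected key for $user" >&2; return 1; }
    useradd -m -d "$BACKUP_ROOT/$user" -s /bin/sh "$user" || return 1
    chmod 0700 "$BACKUP_ROOT/$user"
    install -d -m 0700 -o "$user" -g "$user" "$BACKUP_ROOT/$user/.ssh"
    printf '%s\n' "$line" > "$BACKUP_ROOT/$user/.ssh/authorized_keys"
    chown "$user:$user" "$BACKUP_ROOT/$user/.ssh/authorized_keys"
    chmod 0600 "$BACKUP_ROOT/$user/.ssh/authorized_keys"
}
```

The friend then runs rsync -av /path/to/files/ alice@your_server:laptop/ with a destination relative to their own directory, since rrsync rejects anything above it.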

Related

ftp through filezilla to google cloud machine, can't achieve it

Before asking this question I looked through Google and tried different alternatives, none of which were successful for me, sadly. I'm a little above the noob level. What I want is to basically host a WordPress site on a Google Cloud Debian machine.
I was doing well installing services through their SSH access until I got to the point where I installed an FTP service and wanted to access it through a remote computer (my own). I only got as far as:
Status: Waiting to retry...
Status: Connecting to 104.197.183.19...
Response: fzSftp started
Command: open "root@104.197.183.19" 22
Error: Connection timed out
Error: Could not connect to server
I kept on looking and trying new ways until I found the gcloud documentation for FTP, but it is not aimed at new users, so my questions are:
Where do I input the commands for gcloud, on my computer or on the SSH console (Google Cloud machine)?
Do I need to use gcloud for FTP remote access or can I do it entirely through my computer and their SSH machine?
Do I really need to add an SSH authorization file to FileZilla or is there a way I can disable that check on my VPS so it lets me sign in with just a username and a password?
What i already tried and didn't work for me:
gCloud documentation for ssh and ftp
Google cloud documention for setting up a wordpress site
Many others
Basically what I need, in short, is to manage to access the VPS through FTP so I can continue with my learning. Been stuck there two days.
To get access to a user's public area, i.e. public_html:
Go to the account's Cpanel area and under Security > SSH Access you can import a key file.
You can use PuttyGen to make one, you will need both a private and public key.
Paste the keys into the boxes.
You may get a warning message about the private key, this is ok.
Go to Manage under public key and authorize it.
Or
Make one using the interface in Cpanel and download both keys.
Then in FileZilla
Host: IP of server
Protocol: SFTP
Logon Type: Key File
Key File: the PPK you made.
(If you asked Cpanel to make the file, select the one that does not end in .pub and FileZilla will convert it for you to a .ppk file.)
After clicking connect you should be in
If you still have an error, make sure the SSH port (22) is open in your firewalls, both Google cloud.google.com > Networks and WHM > LDF/CSF plugin.
Use SSH File Transfer Protocol.
No need to install ftp service.
Use winscp for connecting with sftp.
The recommended way of transferring files to a Unix-based Google Compute Engine VM is via the gcloud compute copy-files command. For this, please install the Google Cloud SDK. Then, run a command such as the following:
gcloud compute copy-files --zone=<Compute Engine zone> /path/to/local/file.txt <Compute Engine instance name>:/path/to/destination/file.txt
If you'd like to use FileZilla, you'll have to configure it for access. The SSH daemon on Compute Engine VMs is set up for key-based authentication. This forum post indicates how this is possible in FileZilla. The catch is that you need to put your public key on the VM, which can be a little tricky. gcloud compute copy-files and gcloud compute ssh take care of this for you, which is why they are the recommended method.

Transferring a file to a remote server behind a gate node with key authentication disabled - and compiling

I'm working on a project that requires me to run my code on a remote Unix server, that is not available to connect to directly (you first have to log in to the "gate" node and then to this server).
What's really bad is that they disabled key authentication, so each time I need to ssh into it, I have to type in my password twice. It's really annoying and I wonder what's the best way to transfer my local modifications of source files to this server, and compile and run them, without having to provide those passwords so many times.
I have no sudo access to any of those servers (neither to this "gate", nor to this target server). Any ideas on how to make the whole process more efficient?
EDIT: Martin Prikryl provided a great answer below, but it's suitable for Windows and I'm on a Mac :) I guess it might be a good thing to have it documented here also for *NIX systems.
You are looking for SSH tunneling.
WinSCP SFTP client supports one-hop SSH tunneling natively.
See the Tunnel page on WinSCP Advanced Site Settings dialog.
I assume that after you transfer the file, you need to open SSH terminal to compile the file.
You may be able to make use of WinSCP Console window for that step.
Alternatively, if you need/want to use a real SSH terminal client, make use of an existing SSH tunnel, created by WinSCP, and connect with PuTTY (or any other SSH client) over it.
In the Local tunnel port of WinSCP Tunnel page, select a fixed port number (instead of the default Autoselect). In PuTTY enter "localhost" to Host Name and the selected port in Port.
(I'm the author of WinSCP)
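For the Mac/*NIX side the OP asked about in the edit, the following is an added example, not from the answer's author: OpenSSH's ProxyJump (7.3+) hops through the gate node and ControlMaster keeps one authenticated connection open, so the two passwords are typed once per session rather than for every rsync and ssh. Host names, the user name and the remote directory are assumptions.

```shell
#!/bin/sh
# Added example: *NIX counterpart of the WinSCP tunnel described above.
# Hosts, user and paths are assumptions; adjust to the real environment.
GATE=gate.example.org          # entry node, reachable from outside
TARGET=build.internal          # only reachable from the gate
USER_NAME=alice
SOCKET_DIR=$HOME/.ssh/cm       # master sockets live here (mode 0700)

# Multiplexing options shared by every ssh/rsync call below. Once the master
# exists, later connections attach to its socket and skip the jump entirely,
# which is what removes the repeated password prompts.
ssh_opts() {
    printf '%s' "-o ControlMaster=auto -o ControlPath=$SOCKET_DIR/%r@%h:%p -o ControlPersist=10m"
}
jump_opts() { printf '%s' "-J $USER_NAME@$GATE"; }

# Open the master once: this is the only place the gate and target
# passwords are asked for.
open_session() {
    mkdir -p "$SOCKET_DIR" && chmod 0700 "$SOCKET_DIR" &&
    ssh $(ssh_opts) $(jump_opts) -fN "$USER_NAME@$TARGET"
}

# Push local sources and build on the target over the shared connection.
# $1 = local source dir, $2 = remote dir, $3 = build command (e.g. "make").
push_and_build() {
    rsync -az --delete -e "ssh $(ssh_opts) $(jump_opts)" "$1/" "$USER_NAME@$TARGET:$2/" &&
    ssh $(ssh_opts) $(jump_opts) "$USER_NAME@$TARGET" "cd \"$2\" && $3"
}

# Tear the master down when finished (ControlPersist would close it anyway).
close_session() { ssh $(ssh_opts) -O exit "$USER_NAME@$TARGET"; }
```

Typical flow: open_session, then push_and_build ./src project make as often as needed, then close_session.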

Easily Mirror Client sites

I need to figure out how to easily mirror a client's site, but the mirror needs to sync if the client makes changes on the site.
an example is http://www.nailcotehall.co.uk mirrored here http://nailcotehall-px.rtrk.co.uk/index.html?utm_source=google&utm_medium=cpc&utm_campaign=NailcoteLandingPage
If you have linux/unix servers and have SSH access for both of them you can use rsync to sync modified files/directories from one server to another.
For example:
rsync -a ~/dir1 username@remote_host:destination_directory
See: http://www.tecmint.com/rsync-local-remote-file-synchronization-commands/
This can be made periodic with cron.

Is there a way to allow all users to scp from a specific machine to another specific machine without password?

Currently I have a machine set up to send files it generates via a script to a remote server for file storage, where each user has their own folder on the remote server, which they can then SFTP into to get their files.
Currently, when the machine generating the files copies them over, via SCP, it prompts for a password for the user it's sending to.
What I would like to be able to do is enable the machine to send the files to the individual user accounts without prompting for a password. I've read a few ways to do this by creating ssh keys in each user's accounts. However, due to the volume of users, I was wondering if there was a way to enable machine1 to be able to scp files to any user account on the remote file server without prompting for a password each time?
You can set up host-based authentication on the target host to accept connections from the source host. This will work for any kind of SSH access, not just SCP. If you want to limit users to just SCP, there are ways to do that. See this question for example.
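The host-based setup suggested above, as an added example that is not part of the answer: run as root on the file server, it registers machine1's host key and enables HostbasedAuthentication in sshd. It assumes the client is machine1.example.org (the name must match what the server resolves for its address), that its public host key was copied over out of band, and that the client side has "HostbasedAuthentication yes" and "EnableSSHKeysign yes" in its /etc/ssh/ssh_config (not automated here).

```shell
#!/bin/sh
# Added example: enable OpenSSH host-based authentication on the file server
# so machine1 can scp into the matching account of any user without per-user
# keys or passwords. Host name and key file path are assumptions.
CLIENT_HOST=machine1.example.org
CLIENT_HOSTKEY=/root/machine1_host_ed25519.pub   # copied here out of band
SSHD_CONFIG=/etc/ssh/sshd_config

# Build the /etc/ssh/ssh_known_hosts line sshd uses to verify the client's
# host key; refuse files that do not look like a public host key.
known_hosts_line() {
    host=$1; keyfile=$2
    read -r ktype kdata _ < "$keyfile" || return 1
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384) ;;
        *) return 1 ;;
    esac
    printf '%s %s %s\n' "$host" "$ktype" "$kdata"
}

# A bare hostname in shosts.equiv means: users on that host may log in here
# only as the same user name (no cross-account access), which is exactly the
# scope the question needs. Adding a user field would widen it to any account.
enable_hostbased() {
    line=$(known_hosts_line "$CLIENT_HOST" "$CLIENT_HOSTKEY") || return 1
    printf '%s\n' "$line" >> /etc/ssh/ssh_known_hosts
    printf '%s\n' "$CLIENT_HOST" >> /etc/ssh/shosts.equiv
    chmod 0644 /etc/ssh/ssh_known_hosts /etc/ssh/shosts.equiv
    # Trust only the system-wide known_hosts and shosts.equiv, never users'
    # own ~/.ssh/known_hosts or ~/.shosts, so a user cannot widen the trust.
    printf '%s\n' 'HostbasedAuthentication yes' 'IgnoreUserKnownHosts yes' 'IgnoreRhosts yes' >> "$SSHD_CONFIG"
    # Validate the config before reloading so a typo cannot lock sshd.
    sshd -t && systemctl reload sshd
}
```

Because the trust is per host, anyone who can run ssh on machine1 gets the same password-free access as their own account name on the server; keep machine1's host private key readable by root only.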
Try something like:
sshpass -p <password> scp -o StrictHostKeyChecking=no source dest
I have used it on some Linux machines. Don't know if it always works (last time I tried it on OS X it refused, because it would break ssh security).
BTW you have to install sshpass

Disable multi-hop SSH from target machine?

This has probably been asked somewhere but I can't find it for the life of me.
I am currently setting up a server machine, and I want to make it so that only computers which are directly SSH'ing into the server and have an authorized key can get in. I've already gotten the keys to work, but I don't know how I should go about making sure that people can't multi-hop their way into the server machine. I want to know:
Is it even possible to disable multi-hopping by only changing settings on the server machine?
If it is, how do I go about doing it?
If not, what other options do I have to achieve what I'm trying to do?
I don't believe it's possible by only changing settings on the server.
If your server is called server and another machine on your network is called aux, then you need to disallow the following multi-hop methods, probably others as well:
ssh -t aux ssh server
ssh -o ProxyCommand='ssh aux /usr/bin/nc %h %p' server
ssh -N -L 2222:server:22 aux & ssh -p 2222 localhost
So you need to ensure that
ssh when run on any other machine on your network will refuse to connect to server, except when the user is logged in locally (not via ssh)
alternatively, ensure the sshd setting AllowAgentForwarding is set to no on all other machines on your network; the manpage notes that this "does not improve security unless users are also denied shell access, as they can always install their own forwarders"
netcat and equivalents are not installed on any other machine on your network
the sshd setting AllowTcpForwarding is set to no on all other machines on your network; the manpage notes that this "does not improve security unless users are also denied shell access, as they can always install their own forwarders"
This may be a bit much.
Perhaps you can keep the private keys embedded on hardware tokens that may not leave the building? This is beyond the limits of my experience, though.
You should get a better answer if you ask at ServerFault.com, and hopefully your question will be migrated there soon.