Simple Backup Server using ftp

January 8, 2010

At work I had to set up, as fast as possible, a server to act as a backup for some of our main servers.

So this post is about setting up a “poor man's” backup server using FTP.

  1. Grab your favourite OpenBSD distro
  2. Add the ftp user and group account:
    backup:*:1000:1000:Ftp Backup Account:/backup:/sbin/nologin
  3. Add the account to /etc/ftpchroot
  4. Add the new class for setting the file creation mask for this account:
    backup:\
    :umask=0777:\
    :tc=default:
  5. Add the login class to /etc/master.passwd (with vipw) for the account
  6. Create the $HOME directory for the user
    mkdir /backup
    chown backup:backup /backup
  7. Create the different directories for the backup
    mkdir /backup/machine1
    mkdir /backup/machine2
    chown -R backup:backup /backup
    chmod -R 300 /backup
  8. Apply the following patch to ftpd:

    diff -Naur /usr/src/libexec/ftpd/ftpcmd.y ./ftpd/ftpcmd.y
    --- /usr/src/libexec/ftpd/ftpcmd.y      Thu Nov  5 16:43:15 2009
    +++ ./ftpd/ftpcmd.y     Tue Nov 10 16:50:04 2009
    @@ -82,6 +82,7 @@
    extern int portcheck;
    extern union sockunion his_addr;
    extern int umaskchange;
    +extern  int no_dele;

    off_t  restart_point;

    @@ -394,10 +395,16 @@
    }
    | DELE check_login SP pathname CRLF
    {
    –                       if ($2 && $4 != NULL)
    –                               delete($4);
    –                       if ($4 != NULL)
    –                               free($4);
    +                        if (no_dele) {
    +                                reply(550,
    +                                    “No permission to delete files”);

    +                        }
    +                        else {
    +                                if ($2 && $4 != NULL)
    +                                        delete($4);
    +                                if ($4 != NULL)
    +                                        free($4);
    +                        }
    }
    | RNTO check_login SP pathname CRLF
    {
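
Review bot: In the DELE action, the new no_dele branch replies 550 but never frees $4 and never looks at $2, so every refused DELE leaks the parsed pathname and the 550 is sent even when check_login failed. Keep the "if ($4 != NULL) free($4);" outside the if/else and send the reply only when $2 is set. The RNTO rule in the trailing context is left as it was, so with -p a client can still rename an existing file; if the goal is that uploaded backups cannot be removed, refuse renames under no_dele as well.
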
    diff -Naur /usr/src/libexec/ftpd/ftpd.c ./ftpd/ftpd.c
    — /usr/src/libexec/ftpd/ftpd.c        Thu Nov  5 16:43:16 2009
    +++ ./ftpd/ftpd.c       Tue Nov 10 16:51:13 2009
    @@ -154,6 +154,7 @@
    #endif
    mode_t defumask = CMASK;               /* default umask value */
    int    umaskchange = 1;                /* allow user to change umask value. */
    +int     no_dele = 0 ;          /* disallow ftp delete */
    char   tmpline[7];
    char   hostname[MAXHOSTNAMELEN];
    char   remotehost[MAXHOSTNAMELEN];
    @@ -252,13 +253,13 @@
    return (guest ? path+1 : path);
    }

    -char *argstr = “AdDhnlMSt:T:u:UvP46”;
    +char *argstr = “AdDhnlMSt:T:u:UvP46p”;

    static void
    usage(void)
    {
    syslog(LOG_ERR,
    –           “usage: ftpd [-46ADdlMnPSU] [-T maxtimeout] [-t timeout] [-u mask]”);
    +           “usage: ftpd [-46ADdlMnPSUp] [-T maxtimeout] [-t timeout] [-u mask]”);
    exit(2);
    }
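
Review bot: The new option is documented only in the usage() syslog string; the diff touches ftpcmd.y and ftpd.c and nothing else, so the manual page needs an entry for -p saying that it refuses DELE. In the usage string the letter is appended after U, which breaks the ordering of the existing list (-46ADdlMnPSU); "-46ADdlMnPpSU" would keep it sorted.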

    @@ -371,7 +372,9 @@
    case ‘6’:
    family = AF_INET6;
    break;

    +                case ‘p’:
    +                        no_dele = 1;
    +                        break;
    default:
    usage();
    break;
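
Review bot: The case 'p' label differs only in case from the P already present in argstr, so a one-character typo in the inetd.conf line selects a different option without any error. Pick a letter that is not taken in either case, and add a syslog line when no_dele is set so the active policy shows up in the logs.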

  9. Start ftpd in inetd.conf with the new option:
    ftp             stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -USnp -u 0777

I set the permissions of all folders to d-wx------ so that the user can create the necessary files but cannot list the files that already exist. FTP is not an encrypted protocol, and even if all the transfers are done in the local network I have the paranoia that someone might sniff the username/password. Being unable to list the files just gives a smaller attack surface. All the files created have mode 000, so that after creation a file cannot be tampered with. Finally, the purpose of the patch is to prevent someone from sniffing the password, logging in to the backup server and removing all the backup files (not much for a backup solution, is it then?? 😉 ).

After setting up the “backup server”, I installed scripts on the servers to push their backup data there.

Not the best solution, but having this ready in < 1 hour was really ok 🙂
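
The permission scheme described above only helps while it actually holds on disk, so here is an added example (not part of the original post) that audits the tree for it. The function name audit_dropbox and the report format are assumptions made for this example; it has to run as root, because nobody else can list a mode-300 directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit the drop-box tree.
# Invariants from the post: directories are mode 300 (d-wx------) and
# uploaded files are mode 000. Anything else means the ftpd umask or a
# later chmod is not what the setup assumes.
# Assumptions: the name audit_dropbox and the report format are made up
# for this example. Run as root: nobody else can list a mode-300 directory.

# audit_dropbox ROOT
# Prints one line per violation. Returns 0 if the tree is clean,
# 1 if violations were found, 2 if ROOT cannot be fully traversed.
audit_dropbox() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_dropbox: not a directory: $root" >&2
        return 2
    fi
    # Refuse to report "clean" for a tree we could not read completely.
    if ! find "$root" -print >/dev/null 2>&1; then
        echo "audit_dropbox: cannot traverse $root (run as root)" >&2
        return 2
    fi
    report=$(
        # -perm with a plain octal mode is an exact match on all mode bits.
        find "$root" -type d ! -perm 300 -print | sed 's/^/DIR want=300 /'
        find "$root" -type f ! -perm 000 -print | sed 's/^/FILE want=000 /'
        # Symlinks, FIFOs, devices: an upload-only tree should hold none.
        find "$root" ! -type d ! -type f -print | sed 's/^/OTHER unexpected /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /backup
[ "$#" -eq 0 ] || audit_dropbox "$1"
```

Run from cron, a non-zero exit status is the signal that something on the backup server has drifted from the setup in steps 4 to 9.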
