Rsync Backup Management Guide

Uploaded by

Vienna Caparida
UNIVERSITY OF SOUTHERN MINDANAO

System
Administration
Backup Management
Instructor: James P Serquiña

Computer Engineering Department


CEIT, USM

1
Topic Outline
• Prerequisites
• firewall
• ssh
• Understanding Rsync syntax
• Using Rsync to Sync with a Remote System
• Using other Rsync Options

2
Intended Learning Outcome
By the end of this topic, you should be able to:

• Backup files and directories using Rsync

3
Requirements

• Before you begin, you should have:


• a regular, non-root user with sudo privileges and a
firewall configured on your server.
• In order to practice using RSYNC to sync files between
a local and remote system, you will need two machines
to act as your local computer and your remote
machine, respectively.
• Make sure ssh can pass through the firewall as it was set up before. Use ssh
to remotely log in to the server. Follow steps 1 through 5 for the Initial
Server Setup.

4
1. Initial Server Setup (setting up ssh)
• If you have previously done this part, skip through step 5.
• Logging in as Root
1. To log into your server, you will need:
• your server’s public IP address
• Password, or private key for the root user’s account if SSH key is installed
2. Connect to the server and log in as root (replace the highlighted portion of
the command with your server’s public IP address):

$ ssh root@your_server_ip

If you are using password authentication, provide your root password to log in. If you are
using an SSH key that is passphrase protected, you may be prompted to enter the
passphrase the first time you use the key each session. If this is your first time logging into
the server with a password, you may also be prompted to change the root password.
Note:
The root user is the administrative user in a Linux environment that has very broad
privileges. The power inherent with the root account can make very destructive changes,
even by accident.
5
2. Creating a New User

• Add the new user account that we will use to log in:

# adduser james

• Enter a strong password and fill in any of the additional information you
would like (optional). Press the enter key in any field you want to skip.

6
3. Granting Administrative Privileges

• Set up root privileges for the normal account


• Enable the regular user to run commands with administrative
privileges by putting the word sudo before the command.
• To add privileges to a new user, you need to add the new user to
the sudo group.
• As root, run this command to add your new user to the sudo group:

# usermod -aG sudo james

7
4. Setting Up a Basic Firewall
• Install and use the Uncomplicated Firewall (UFW) firewall to
help set firewall policies and manage exceptions.
• Use the apt package manager to install UFW. Update the local
index to retrieve the latest information about available packages
and then install the UFW firewall software by typing:

# apt update
# apt install ufw

• OpenSSH, the service allowing us to connect to our server, has a
firewall profile that we can use.
• You can list all available application profiles by typing:
# ufw app list

8
4. Setting Up a Basic Firewall (cont’n.)
• Allow SSH connections through the firewall so that we can log
back in next time.
# ufw allow OpenSSH

• Enable the firewall by typing:

# ufw enable
• Type y and press ENTER to proceed.
• You can see that SSH connections are still allowed by typing:
# ufw status

• As the firewall is currently blocking all connections except for SSH, if you install
and configure additional services, you will need to adjust the firewall settings to
allow acceptable traffic in.
9
5. Enabling external access for Regular User
• Verify that you can log in and use sudo with your new user before
logging out the root account.
• The process for configuring SSH access for your new user depends
on whether your server’s root account uses a password or SSH
keys for authentication.
• If it uses Password Authentication:
• If you logged in to your root account using a password, then password
authentication is enabled for SSH.
# ssh james@your_server_ip

• After entering your regular user’s password, you will be logged in.
Remember, if you need to run a command with administrative privileges,
type sudo before the command.

10
5. Enabling external access for Regular User
(cont’n)
• For better server security, it is recommended to use SSH keys instead of
password authentication when accessing the server remotely. Follow these
steps when setting up SSH keys (Debian 10):
Step 1. Create the RSA Key Pair. Create a key pair on the client
machine.
# ssh-keygen

• By default ssh-keygen will create a 2048-bit RSA key pair.
• After entering the command, you should see the following output:
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):

• Press enter to save the key pair into the .ssh/ subdirectory in your home
directory, or specify an alternate path. If you had previously generated an SSH
key pair, you may see the following prompt:
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?

• Warning: If you choose to overwrite the key on disk, you will not be able to
authenticate using the previous key anymore. Be careful when selecting yes,
because this is an irreversible process.
11
5. Enabling external access for Regular User
(cont’n)
• Next, you should see the following prompt:
Enter passphrase (empty for no passphrase):

• You may optionally enter a secure passphrase, which is highly recommended. A
passphrase adds an additional layer of security to prevent unauthorized users
from logging in.
• You should then see the following output:
Your identification has been saved in /your_home/.ssh/id_rsa.
Your public key has been saved in /your_home/.ssh/id_rsa.pub.
The key fingerprint is:
[Link]
username@remote_host
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| E o= . |
| o. o |
| .. |
| ..S |
| o o. |
| =o.+. |
|. =++.. |
|o=++. |
+-----------------+

12
5. Enabling external access for Regular User
(cont’n)
Step 2. Copy the Public Key to the Server.
• Now that you have a public and private key that you can use to authenticate,
the next step is to place the public key on your server so that you can use
SSH-key-based authentication to log in.
Method 1: Copying Public Key Using ssh-copy-id
• The quickest way to copy your public key to the Debian host is to use a utility
called ssh-copy-id.
• Specify the remote host that you would like to connect to and the user
account that you have password SSH access to. This is the account to which
your public SSH key will be copied.
$ ssh-copy-id username@remote_host

• You may see the following message:
Output
The authenticity of host '[Link] ([Link])' can't be established.
ECDSA key fingerprint is [Link].
Are you sure you want to continue connecting (yes/no)? yes

• This means that your local computer does not recognize the remote host. This
will happen the first time you connect to a new host. Type “yes” and press
ENTER to continue.
13
5. Enabling external access for Regular User
(cont’n)
Step 2. Copy the Public Key to the Server. (Method 1 cont’n)
• Next, the utility will scan your local account for the id_rsa.pub key that was
created earlier. When it finds the key, it will prompt you for the password of the
remote user’s account:
Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any
that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it
is to install the new keys
username@[Link]'s password:

• Type in the password (your typing will not be displayed for security purposes) and press
ENTER key. The utility will connect to the account on the remote host using the password you
provided. It will then copy the contents of your ~/.ssh/id_rsa.pub key into a file in the
remote account’s home ~/.ssh directory called authorized_keys. You should see the
following output:
Output
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@[Link]'"
and check to make sure that only the key(s) you wanted were added.

• At this point, your id_rsa.pub key has been uploaded to the remote account. You can continue on to
Step 3.
14
5. Enabling external access for Regular User
(cont’n)
Step 2. Copy the Public Key to the Server.
Method 2: Copying Public Key Using SSH
• If you do not have ssh-copy-id available, but you have password-based SSH
access to an account on your server, you can upload your keys using a
conventional SSH method.
• Use the cat command to read the contents of the public SSH key on your local
computer and pipe that through an SSH connection to the remote server. Make
sure that the ~/.ssh directory exists and has the correct permissions under the
account you’re using. Then output the content you piped over into a file called
authorized_keys within this directory. Use the >> redirect symbol to append the
content instead of overwriting it.
Enter the command in one line:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

Output
The authenticity of host '[Link] ([Link])' can't be established.
ECDSA key fingerprint is [Link].
Are you sure you want to continue connecting (yes/no)? yes

• Type “yes” and press ENTER to continue.
username@[Link]'s password:

• The content of your id_rsa.pub key will be copied to the end of the authorized_keys file of the
15
5. Enabling external access for Regular User
(cont’n)
Step 2. Copy the Public Key to the Server.
Method 3: Copying Public Key Manually
• If you do not have password-based SSH access to your server available, you will have
to copy the Public key manually. Manually append the content of your id_rsa.pub file
to the ~/.ssh/authorized_keys file on your remote machine.
• To display the content of your id_rsa.pub key, type this into your local computer:
cat ~/.ssh/id_rsa.pub

16
5. Enabling external access for Regular User
(cont’n)
Step 2. Copy the Public Key to the Server.
Method 3: Copying Public Key Manually (cont’n)
• Access your account on the remote server, then make sure the ~/.ssh directory
exists. This command will create the directory if necessary, or do nothing if it already
exists:
$ mkdir -p ~/.ssh

• Create or modify the authorized_keys file within this directory. You can add the
contents of your id_rsa.pub file to the end of the authorized_keys file, creating it if
necessary, using this command:
echo public_key_string >> ~/.ssh/authorized_keys

• In the above command, substitute the public_key_string with the output from the
cat ~/.ssh/id_rsa.pub command that you executed on your local system. It should start
with ssh-rsa AAAA....
• Ensure that the ~/.ssh directory and authorized_keys file have the appropriate
permissions set:
chmod -R go= ~/.ssh

• If you’re using the root account to set up keys for a user account, it’s also important
that the ~/.ssh directory belongs to the user and not to root:
chown -R james:james ~/.ssh

17
5. Enabling external access for Regular User
(cont’n)
Step 3. Authenticate to Debian Server Using SSH Keys
• If you have successfully completed one of the previous methods, you should be able
to log into the remote host without the remote account’s password.
$ ssh username@remote_host

• If this is your first time connecting to this host (if you used the last method above),
you may see something like this:
Output
The authenticity of host '[Link] ([Link])' can't be established.
ECDSA key fingerprint is [Link].
Are you sure you want to continue connecting (yes/no)? yes

• This means that your local computer does not recognize the remote host. Type “yes”
and then press ENTER to continue. If you did not supply a passphrase for your private
key, you will be logged in immediately. If you supplied a passphrase for the private
key when you created the key, you will be prompted to enter it now. After
authenticating, a new shell session should open for you with the configured account
on the Debian server.

18
5. Enabling external access for Regular User
(cont’n)
Step 4. Disable Password Authentication on your Server
• If you were able to log into your account using SSH without a password, you have successfully
configured SSH-key-based authentication to your account. However, your password-based
authentication mechanism is still active, meaning that your server is still exposed to brute-force
attacks.
• Make sure that you either have SSH-key-based authentication configured for the root account on
this server, or preferably, that you have SSH-key-based authentication configured for a non-root
account on this server with sudo privileges. This step will lock down password-based logins.
Ensure that you will still be able to get administrative access. Once you’ve confirmed that your
remote account has administrative privileges, log into your remote server with SSH keys, either
as root or with an account with sudo privileges. Then, open up the SSH daemon’s configuration
file:
$ sudo nano /etc/ssh/sshd_config

• Inside the file, search for a directive called PasswordAuthentication. This may be commented
out. Uncomment the line and set the value to “no”. This will disable your ability to log in via SSH
using account passwords.
• Save and close the file when you are finished by pressing CTRL + X, then Y to confirm saving the
file, and finally ENTER to exit nano. To actually implement these changes, we need to restart the
sshd service:
$ sudo systemctl restart ssh

• As a precaution, open up a new terminal window and test that the SSH service is functioning
correctly before closing this session:
$ ssh username@remote_host

• Once you have verified your SSH service, you can safely close all current server
sessions.
The SSH daemon on your Debian server now only responds to SSH keys. Password-
based authentication has successfully been disabled.
19
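
A check for Step 4, added here as an example and not part of the original slides: it reads an sshd_config-style file and reports the PasswordAuthentication value that applies globally, which catches a line left commented out or a later line that never takes effect. The function names and sample files are constructed for illustration; it assumes Include files are not followed and treats everything from the first Match line onward as conditional.

```sh
#!/bin/sh
# Added example: report the effective global PasswordAuthentication setting
# of an sshd_config-style file. Assumptions: Include files are not followed,
# and everything from the first Match line onward is treated as conditional.

effective_password_auth() {
    # $1: path to the configuration file to inspect
    awk '
        BEGIN { val = "yes"; found = 0 }   # default when the directive is absent
        /^[ \t]*#/ { next }                # commented-out lines have no effect
        /^[ \t]*$/ { next }                # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)      # split keyword from argument
            key = tolower(f[1])
            if (key == "match") exit       # global section ends here
            if (key == "passwordauthentication" && !found) {
                val = tolower(f[2]); gsub(/"/, "", val)
                found = 1                  # sshd keeps the first value it reads
            }
        }
        END { print val }
    ' "$1"
}

# Succeeds only when password logins are globally disabled.
password_logins_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Constructed sample files for three common outcomes of editing the file.
demo_dir=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication no' 'PermitRootLogin no' \
    > "$demo_dir/commented"
printf '%s\n' 'PasswordAuthentication no' 'PasswordAuthentication yes' \
    > "$demo_dir/first_wins"
printf '%s\n' 'PasswordAuthentication yes' 'Match User james' \
    '    PasswordAuthentication no' > "$demo_dir/match_only"

for f in commented first_wins match_only; do
    if password_logins_disabled "$demo_dir/$f"; then
        echo "$f: password logins disabled"
    else
        echo "$f: password logins STILL ENABLED"
    fi
done
```

On the server itself, `sudo sshd -T` prints the configuration that sshd actually resolves and is the authoritative check.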
Using Rsync
What is Rsync
• Rsync is a very flexible network-enabled syncing tool and is
common in Linux and Unix-like systems. Due to its popularity as a
tool for system scripts, it is included on most Linux distributions by
default.
The syntax of Rsync
• The syntax for rsync operates similar to other tools, such as ssh,
scp, and cp.
• Change into your home directory by running the following
command:
$ cd ~

• Create a test directory:
$ mkdir dir1

• Create another test directory:
$ mkdir dir2
21
The syntax of Rsync (continued)

Add test files:


$ touch dir1/file{1..100}
• The directory named dir1 now contains 100 empty files.
Confirm by listing out the files:
$ ls dir1
• You will see an output similar to this:

22
The syntax of Rsync (continued)
To sync the contents of dir1 to dir2 on the same system, run rsync
and use the -r flag, which stands for “recursive” and is necessary for
directory syncing:
$ rsync -r dir1/ dir2

• Another option is to use the -a flag, which stands for “archive”.
This flag syncs recursively and preserves symbolic links, special
and device files, modification times, groups, owners, and
permissions. It is more commonly used than -r and is the recommended
flag to use. Run the same command as the previous example, this
time using the -a flag:
$ rsync -a dir1/ dir2

• Note the trailing slash (/) at the end of the first argument in the syntax
of the previous two commands, highlighted here:
$ rsync -a dir1/ dir2
23
The syntax of Rsync (continued)
• The trailing slash as shown in the previous slide signifies the
contents of dir1. Without the trailing slash, dir1, including the
directory, would be placed within dir2. The outcome would create
a hierarchy like the following:
~/dir2/dir1/[files]

• It is good practice to double-check your arguments before
executing an rsync command. Rsync provides a method for doing
this by passing the -n or --dry-run options. The -v flag, which
means “verbose”, is also necessary to get the appropriate output.
You’ll combine the a, n, and v flags in the following command:
$ rsync -anv dir1/ dir2

24
The syntax of Rsync (continued)
• Compare that output to the one you receive when removing the trailing
slash, like the following:
$ rsync -anv dir1 dir2
• This output now demonstrates that the directory itself was
transferred, rather than only the files within the directory.

25
Using Rsync to Sync with a Remote System
• To use rsync to sync with a remote system, you only need SSH
access configured between your local and remote machines, as
well as rsync installed on both systems. Once you have SSH
access verified between the two machines, you can sync the dir1
folder from the previous section to a remote machine by using the
following syntax. Please note in this case, that you want to transfer
the actual directory, so you’ll omit the trailing slash:
$ rsync -a ~/dir1 username@remote_host:destination_directory

• The above process is called a push operation because it “pushes”
a directory from the local system to a remote system. The opposite
operation is pull, and is used to sync a remote directory to the
local system. If the dir1 directory were on the remote system
instead of your local system, the syntax would be the following
(source first then destination):
$ rsync -a username@remote_host:/home/username/dir1 dir_to_sync_on_local_machine
26
Using Other Rsync Options
• Rsync provides many options for altering the default
behavior of the utility, such as the flag options you learned
about in the previous section. If you’re transferring files that
have not already been compressed, like text files, you can
reduce the network transfer by adding compression with the
-z option:
$ rsync -az source destination

• The -P flag is also helpful. It combines the flags --progress and
--partial. This first flag provides a progress bar for the transfers, and
the second flag allows you to resume interrupted transfers:
$ rsync -azP source destination

• Output is shown on the next slide.


27
Using Other Rsync Options (continued)

• If you run the command again, you’ll receive a shortened output since
no changes have been made. This illustrates Rsync’s ability to use
modification times to determine if changes have been made:

28
Using Other Rsync Options (continued)
• Say you were to update the modification time on some of the files
with a command like the following (for example, changes were
made to files 1 to 10):
$ touch dir1/file{1..10}

• Then if you were to run rsync with -azP again, you’ll notice in the
output how Rsync intelligently re-copies only the changed files:
$ rsync -azP source destination
Using Other Rsync Options (continued)
• In order to keep two directories truly in sync, it’s necessary to
delete files from the destination directory if they are removed from
the source. By default, rsync does not delete anything from the
destination directory.
• You can change this behavior with the --delete option. Before using
this option, you can use -n, the --dry-run option, to perform a test
to prevent unwanted data loss:
$ rsync -an --delete source destination

• If you prefer to exclude certain files or directories located inside a
directory you are syncing, you can do so by specifying a
wildcard pattern after the --exclude= option:
$ rsync -a --exclude=pattern_to_exclude source destination

• If you have a specified pattern to exclude, you can override that
exclusion for files that match a different pattern by using the
--include= option. Rsync acts on the first rule that matches a file, so
the --include= option must come before the --exclude= option:
$ rsync -a --include=pattern_to_include --exclude=pattern_to_exclude source destination
Using Other Rsync Options (continued)
• Finally, Rsync’s --backup option can be used to store backups of
important files. It is used in conjunction with the --backup-dir
option, which specifies the directory where the backup files should
be stored:
$ rsync -a --delete --backup --backup-dir=/path/to/backups /path/to/source destination
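
The dry-run check before --delete and the --backup-dir option above, combined into one guard, as an added example that is not part of the original slides: it plans the sync with -n, counts how many paths would be deleted, and refuses to run when that exceeds a limit. The name guarded_sync, its limit argument, and the sample dry-run output are constructed for illustration.

```sh
#!/bin/sh
# Added example: gate "rsync --delete" behind a dry run.

# Count deletions in "rsync -n -i --delete" output read from stdin.
# With -i (--itemize-changes) each removal is printed as "*deleting   <path>".
count_deletions() {
    awk '/^\*deleting / { n++ } END { print n + 0 }'
}

# List the paths that would be removed, one per line.
list_deletions() {
    sed -n 's/^\*deleting  *//p'
}

# guarded_sync SRC DEST BACKUP_DIR MAX_DELETES   (hypothetical helper)
# Returns 2 if the dry run fails, 1 if too many paths would be deleted.
guarded_sync() {
    src=$1 dest=$2 backup_dir=$3 max=$4
    plan=$(rsync -ani --delete "$src" "$dest") || return 2
    n=$(printf '%s\n' "$plan" | count_deletions)
    if [ "$n" -gt "$max" ]; then
        echo "refusing: dry run would delete $n paths (limit $max):" >&2
        printf '%s\n' "$plan" | list_deletions >&2
        return 1
    fi
    # Real run: anything deleted or overwritten is kept under BACKUP_DIR.
    rsync -a --delete --backup --backup-dir="$backup_dir" "$src" "$dest"
}

# Constructed dry-run output: file3 and file4 are gone from the source,
# file1 has changed.
SAMPLE_PLAN='*deleting   file4
*deleting   file3
>f.st...... file1
.d..t...... ./'

echo "sample plan deletes $(printf '%s\n' "$SAMPLE_PLAN" | count_deletions) paths"
```
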
Summary

• Rsync can streamline file transfers over networked connections and
add robustness to local directory syncing. The flexibility of Rsync
makes it a good option for many different file-level operations.

• A mastery of Rsync allows you to design complex backup
operations and obtain fine-grained control over how and what is
transferred.

32
Notice

This work is protected by copyright and other intellectual property rights and is provided solely
for the use of instructors in teaching their course and assessing student learning. Dissemination,
duplication or sale of all or part is not permitted. Electronic or print copies are for your own
personal, noncommercial use and shall not be passed to any other individual. No quotation may
be published without proper acknowledgement. For any other use, or to quote extensively from
the work, permission must be obtained from the copyright holder/s.

33
