Hardening the security of a backup shell script of a web-server with mysql database

Danilo Steps

4/10/24, 1:38 PM

In the case of a simple web-server with a MySQL database, the script has to dump the database, copy the web-server files and tar everything together. Then a NAS server Rsync the tar file via a "ssh-copy-id" done to a user "backup" that can only access it's own home folder where the backups are stored.

I know a feel things like store the credentials in a env file and limit the access to the script and the env file, but I have some doubts too:

1- Is it better to the root to access and execute the script and env file and then give the tar file to the backup user or let the backup user execute the script?

2- Is the Rsync via ssh key to a limited backup user the best way to export the backup file or is there a better way (in terms of security)?

1 + 5

mysql

security

backup

shell-scripting

Mircea Vutcovici

4/11/24, 9:00 AM

What type of attacs are you concerned for?

Danilo Steps

4/11/24, 12:05 PM

Mainly lateral movement, privilege escalation and database credentials leaking, but there may be other dangers that I'm not aware.

Mircea Vutcovici

4/11/24, 9:54 PM

Do you trust the NAS machine? Do you want to limit what the NAS can do to the web server? Sorry i'ts not clear for me.

Danilo Steps

4/13/24, 12:20 PM

I was questioning some methods I use to backup some servers, one being if it's right to let the root execute script that create the backups the other is if this way of Rsync the file is fine too, or if there is another way. But I've being studying about it recently and it looks like it's fine.

Danilo Steps

4/13/24, 12:23 PM

Also I would like to know if there is some bad practice on this methods I'm using because I don't see myself as very experienced in this matter yet.

Score:2

Server

Mircea Vutcovici

4/10/24, 3:02 PM

You could run the rsync from the NAS machine. The NAS will connect over ssh to the web server and run the rsync. In this way your web server has no access to the NAS.

+ 2

Danilo Steps

4/10/24, 3:45 PM

Sorry, I think I wasn't clear, this is the way it run already.

djdomi

4/10/24, 6:08 PM

and micea told you how to improve the quality of security

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Hardening the security of a backup shell script of a web-server with mysql database

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.