Teo En Ming's Guide to Configuring rsnapshot Backup for Linux Servers
rsnapshot backup for Linux servers is based on rsync.
Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
Country: Singapore
Date: 18 August 2021 Wednesday Singapore Time
Type of Publication: Plain Text
Document version: 20210818.01
DETAILED INSTRUCTIONS
=====================
Login to Synology NAS at 192.168.1.5
=====================================
Click Control Panel > User > Create
====================================
Name: linuxbackup
Password: password
Click Next
Select Users group.
Click Next
For Secret-Backup shared folder, choose Read/Write.
For Secret-UAT-Backup shared folder, choose Read/Write.
Click Next
Under User quota setting, click Next again.
Under Assign application permissions, click Next again.
Under User Speed Limit Setting, click Next again.
Click Apply.
Click Control Panel > File Services
====================================
Check Enable SMB service
Workgroup: WORKGROUP
Uncheck Disallow access to Previous Versions
Check Enable Transfer Log
Click Advanced Settings.
WINS server: empty
Maximum SMB protocol: SMB3
Minimum SMB protocol: SMB2
Transport encryption mode: Auto
Uncheck all the following items.
Click Control Panel > Security
==============================
Firewall tab: Uncheck Enable firewall
Protection tab: Uncheck Enable DoS protection
Account tab: Uncheck Enable auto block
Things to do on the CentOS 7.9 Linux server
============================================
# mkdir /mnt/backup
# chmod 777 /mnt/backup
# mount -t cifs -o username=linuxbackup,password=password //192.168.1.5/Secret-Backup /mnt/backup
mount: mount //192.168.1.5/Secret-Backup on /mnt/backup failed: Connection refused
# yum install samba-client
# smbclient //192.168.1.5/Secret-Backup --user=linuxbackup
do_connect: Connection to 192.168.1.5 failed (Error NT_STATUS_CONNECTION_REFUSED)
# smbclient -L 192.168.1.5
do_connect: Connection to 192.168.1.5 failed (Error NT_STATUS_CONNECTION_REFUSED)
# smbclient \\\\192.168.1.5\\Secret-Backup
do_connect: Connection to 192.168.1.5 failed (Error NT_STATUS_CONNECTION_REFUSED)
Trying to connect to SMB Server ports on the Synology NAS.
# telnet 192.168.1.5 139
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: Connection refused
# telnet 192.168.1.5 445
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: Connection refused
Trying to connect to *another* Synology NAS.
# telnet 192.168.1.4 139
Trying 192.168.1.4...
Connected to 192.168.1.4.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
# telnet 192.168.1.4 445
Trying 192.168.1.4...
Connected to 192.168.1.4.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
Found iptables firewall rules blocking outgoing connection to SMB Server on the Synology NAS from the Linux server.
# iptables -S
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
# iptables -S | grep 445
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
# iptables -S | grep 139
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
Add the following lines to /etc/sysconfig/iptables to allow outgoing connections to the SMB server on the Synology NAS.
# nano /etc/sysconfig/iptables
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p tcp -m tcp --dport 135:139 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p udp -m udp --dport 135:139 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p tcp -m tcp --sport 135:139 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p udp -m udp --sport 135:139 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p tcp -m tcp --dport 445 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p udp -m udp --dport 445 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p tcp -m tcp --sport 445 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p udp -m udp --sport 445 -j ACCEPT
Edit /etc/fstab so that the share is mounted again after a reboot. The share is written as //server/share, the same form used in the mount command above.
# nano /etc/fstab
//192.168.1.5/Secret-Backup /mnt/backup cifs username=linuxbackup,password=password 0 0
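The mount command and the fstab entry above carry the SMB password inline, and /etc/fstab is world-readable by default. The following is an added example, not part of the original guide: it audits an fstab for cifs entries with an inline password and builds the equivalent entry using the credentials= option of mount.cifs. The function names, the _netdev option and the credentials file path used when calling it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are illustrative.

# write_cifs_credentials FILE USER PASSWORD
# Creates the file that mount.cifs reads through its credentials= option.
# umask is set in a subshell so a new file is never briefly world-readable;
# chmod also tightens a file that already existed with looser permissions.
write_cifs_credentials() {
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" ) &&
        chmod 600 "$1"
}

# fstab_entry SHARE MOUNTPOINT CREDFILE
# Same share and mount point as in the guide, with the secret moved out of
# /etc/fstab. _netdev (an addition here) defers the mount until the network is up.
fstab_entry() {
    printf '%s %s cifs credentials=%s,_netdev 0 0\n' "$1" "$2" "$3"
}

# inline_cifs_passwords FSTAB
# Audit: print the mount point of every active cifs entry whose options
# field (4th column) still contains password=.
inline_cifs_passwords() {
    awk '$1 !~ /^#/ && $3 == "cifs" && ("," $4) ~ /,password=/ { print $2 }' "$1"
}
```

Run inline_cifs_passwords /etc/fstab as root; any mount point it prints still has the password in the options field.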
Installing the EPEL repository on CentOS Linux and RHEL 7.x (Mandatory)
========================================================================
# yum -y install epel-release
# yum repolist
Installing rsnapshot
====================
# yum install rsnapshot
# cd /etc
# cp rsnapshot.conf rsnapshot.conf.original
Configuring rsnapshot
======================
# nano /etc/rsnapshot.conf
#################################################
# rsnapshot.conf - rsnapshot configuration file #
#################################################
# #
# PLEASE BE AWARE OF THE FOLLOWING RULE: #
# #
# This file requires tabs between elements #
# #
#################################################
# Configured by Turritopsis Dohrnii Teo En Ming on 18 Aug 2021
#######################
# CONFIG FILE VERSION #
#######################
config_version	1.2
###########################
# SNAPSHOT ROOT DIRECTORY #
###########################
# All snapshots will be stored under this root directory.
#
snapshot_root	/mnt/backup
# If no_create_root is enabled, rsnapshot will not automatically create the
# snapshot_root directory. This is particularly useful if you are backing
# up to removable media, such as a FireWire or USB drive.
#
#no_create_root 1
#################################
# EXTERNAL PROGRAM DEPENDENCIES #
#################################
# LINUX USERS: Be sure to uncomment "cmd_cp". This gives you extra features.
# EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
#
# See the README file or the man page for more details.
#
cmd_cp	/usr/bin/cp
# uncomment this to use the rm program instead of the built-in perl routine.
#
cmd_rm	/usr/bin/rm
# rsync must be enabled for anything to work. This is the only command that
# must be enabled.
#
cmd_rsync	/usr/bin/rsync
# Uncomment this to enable remote ssh backups over rsync.
#
#cmd_ssh /usr/bin/ssh
# Comment this out to disable syslog support.
#
cmd_logger	/usr/bin/logger
# Uncomment this to specify the path to "du" for disk usage checks.
# If you have an older version of "du", you may also want to check the
# "du_args" parameter below.
#
cmd_du	/usr/bin/du
# Uncomment this to specify the path to rsnapshot-diff.
#
#cmd_rsnapshot_diff /usr/local/bin/rsnapshot-diff
# Specify the path to a script (and any optional arguments) to run right
# before rsnapshot syncs files
#
#cmd_preexec /path/to/preexec/script
# Specify the path to a script (and any optional arguments) to run right
# after rsnapshot syncs files
#
#cmd_postexec /path/to/postexec/script
# Paths to lvcreate, lvremove, mount and umount commands, for use with
# Linux LVMs.
#
#linux_lvm_cmd_lvcreate /usr/sbin/lvcreate
#linux_lvm_cmd_lvremove /usr/sbin/lvremove
#linux_lvm_cmd_mount /usr/bin/mount
#linux_lvm_cmd_umount /usr/bin/umount
#########################################
# BACKUP LEVELS / INTERVALS #
# Must be unique and in ascending order #
# e.g. alpha, beta, gamma, etc. #
#########################################
# hourly backups
#retain alpha 6
# daily backups
retain	beta	7
# weekly backups
#retain gamma 4
# monthly backups
#retain delta 3
############################################
# GLOBAL OPTIONS #
# All are optional, with sensible defaults #
############################################
# Verbose level, 1 through 5.
# 1 Quiet Print fatal errors only
# 2 Default Print errors and warnings only
# 3 Verbose Show equivalent shell commands being executed
# 4 Extra Verbose Show extra verbose information
# 5 Debug mode Everything
#
verbose	5
# Same as "verbose" above, but controls the amount of data sent to the
# logfile, if one is being used. The default is 3.
#
loglevel	5
# If you enable this, data will be written to the file you specify. The
# amount of data written is controlled by the "loglevel" parameter.
#
logfile	/var/log/rsnapshot
# If enabled, rsnapshot will write a lockfile to prevent two instances
# from running simultaneously (and messing up the snapshot_root).
# If you enable this, make sure the lockfile directory is not world
# writable. Otherwise anyone can prevent the program from running.
#
lockfile	/var/run/rsnapshot.pid
# By default, rsnapshot check lockfile, check if PID is running
# and if not, consider lockfile as stale, then start
# Enabling this stop rsnapshot if PID in lockfile is not running
#
#stop_on_stale_lockfile 0
# Default rsync args. All rsync commands have at least these options set.
#
#rsync_short_args -a
rsync_long_args	--stats --delete --numeric-ids --relative --delete-excluded
# ssh has no args passed by default, but you can specify some here.
#
#ssh_args -p 22
# Default arguments for the "du" program (for disk space reporting).
# The GNU version of "du" is preferred. See the man page for more details.
# If your version of "du" doesn't support the -h flag, try -k flag instead.
#
#du_args -csh
# If this is enabled, rsync won't span filesystem partitions within a
# backup point. This essentially passes the -x option to rsync.
# The default is 0 (off).
#
#one_fs 0
# The include and exclude parameters, if enabled, simply get passed directly
# to rsync. If you have multiple include/exclude patterns, put each one on a
# separate line. Please look up the --include and --exclude options in the
# rsync man page for more details on how to specify file name patterns.
#
#include ???
#include ???
#exclude ???
#exclude ???
# The include_file and exclude_file parameters, if enabled, simply get
# passed directly to rsync. Please look up the --include-from and
# --exclude-from options in the rsync man page for more details.
#
#include_file /path/to/include/file
#exclude_file /path/to/exclude/file
# If your version of rsync supports --link-dest, consider enabling this.
# This is the best way to support special files (FIFOs, etc) cross-platform.
# The default is 0 (off).
#
#link_dest 0
# When sync_first is enabled, it changes the default behaviour of rsnapshot.
# Normally, when rsnapshot is called with its lowest interval
# (i.e.: "rsnapshot alpha"), it will sync files AND rotate the lowest
# intervals. With sync_first enabled, "rsnapshot sync" handles the file sync,
# and all interval calls simply rotate files. See the man page for more
# details. The default is 0 (off).
#
#sync_first 0
# If enabled, rsnapshot will move the oldest directory for each interval
# to [interval_name].delete, then it will remove the lockfile and delete
# that directory just before it exits. The default is 0 (off).
#
#use_lazy_deletes 0
# Number of rsync re-tries. If you experience any network problems or
# network card issues that tend to cause ssh to fail with errors like
# "Corrupted MAC on input", for example, set this to a non-zero value
# to have the rsync operation re-tried.
#
#rsync_numtries 0
# LVM parameters. Used to backup with creating lvm snapshot before backup
# and removing it after. This should ensure consistency of data in some special
# cases
#
# LVM snapshot(s) size (lvcreate --size option).
#
#linux_lvm_snapshotsize 100M
# Name to be used when creating the LVM logical volume snapshot(s).
#
#linux_lvm_snapshotname rsnapshot
# Path to the LVM Volume Groups.
#
#linux_lvm_vgpath /dev
# Mount point to use to temporarily mount the snapshot(s).
#
#linux_lvm_mountpath /path/to/mount/lvm/snapshot/during/backup
###############################
### BACKUP POINTS / SCRIPTS ###
###############################
# LOCALHOST
backup	/backup/	secret.teo-en-ming-corp.com/
backup	/bin/	secret.teo-en-ming-corp.com/
backup	/boot/	secret.teo-en-ming-corp.com/
backup	/data/	secret.teo-en-ming-corp.com/
backup	/etc/	secret.teo-en-ming-corp.com/
backup	/home/	secret.teo-en-ming-corp.com/
backup	/lib/	secret.teo-en-ming-corp.com/
backup	/lib64/	secret.teo-en-ming-corp.com/
backup	/media/	secret.teo-en-ming-corp.com/
backup	/opt/	secret.teo-en-ming-corp.com/
backup	/root/	secret.teo-en-ming-corp.com/
backup	/sbin/	secret.teo-en-ming-corp.com/
backup	/scripts/	secret.teo-en-ming-corp.com/
backup	/srv/	secret.teo-en-ming-corp.com/
backup	/usr/	secret.teo-en-ming-corp.com/
backup	/var/	secret.teo-en-ming-corp.com/
#backup /home/ localhost/
#backup /etc/ localhost/
#backup /usr/local/ localhost/
#backup /var/log/rsnapshot localhost/
#backup /etc/passwd localhost/
#backup /home/foo/My Documents/ localhost/
#backup /foo/bar/ localhost/ one_fs=1,rsync_short_args=-urltvpog
#backup_script /usr/local/bin/backup_pgsql.sh localhost/postgres/
# You must set linux_lvm_* parameters below before using lvm snapshots
#backup lvm://vg0/xen-home/ lvm-vg0/xen-home/
# EXAMPLE.COM
#backup_exec /bin/date "+ backup of example.com started at %c"
#backup root@example.com:/home/ example.com/ +rsync_long_args=--bwlimit=16,exclude=core
#backup root@example.com:/etc/ example.com/ exclude=mtab,exclude=core
#backup_exec ssh root@example.com "mysqldump -A > /var/db/dump/mysql.sql"
#backup root@example.com:/var/db/dump/ example.com/
#backup_exec /bin/date "+ backup of example.com ended at %c"
# CVS.SOURCEFORGE.NET
#backup_script /usr/local/bin/backup_rsnapshot_cvsroot.sh rsnapshot.cvs.sourceforge.net/
# RSYNC.SAMBA.ORG
#backup rsync://rsync.samba.org/rsyncftp/ rsync.samba.org/rsyncftp/
Running rsnapshot
=================
The command below is equivalent to rsnapshot daily, because the daily level is named beta in the configuration above.
# rsnapshot beta
/var/www/
/var/www/cgi-bin/
/var/www/html/
/var/www/html/400.shtml
/var/www/html/401.shtml
/var/www/html/403.shtml
/var/www/html/404.shtml
/var/www/html/413.shtml
/var/www/html/500.shtml
/var/www/html/cp_errordocument.shtml
/var/www/html/index.html
/var/www/html/.well-known/
/var/www/html/.well-known/pki-validation/
/var/www/html/.well-known/pki-validation/test.txt
/var/yp/
sent 2,315,708,777 bytes received 702,694 bytes 6,608,877.24 bytes/sec
total size is 2,312,450,042 speedup is 1.00
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1179) [sender=3.1.2]
WARNING: Some files and/or directories in /var/ only transferred partially during rsync operation
/usr/bin/logger -p user.err -t rsnapshot[25575] WARNING: Some files and/or \
directories in /var/ only transferred partially during rsync operation
touch /mnt/backup/beta.0/
rm -f /var/run/rsnapshot.pid
/usr/bin/logger -p user.err -t rsnapshot[25575] WARNING: /usr/bin/rsnapshot \
beta: completed, but with some warnings
Sending email notification after backup job has completed
==========================================================
Linux command:
mail -s "Daily Backup for Teo En Ming Corporation Secret Linux Server Completed. Please check for any backup errors." -r ceo@teo-en-ming-corp.com ceo@teo-en-ming-corp.com
Installing rsnapreport.pl
===========================
# find / -name rsnapreport.pl
/usr/share/doc/rsnapshot-1.4.3/utils/rsnapreport.pl
# cp /usr/share/doc/rsnapshot-1.4.3/utils/rsnapreport.pl /usr/local/bin/
# chmod +x /usr/local/bin/rsnapreport.pl
# which rsnapreport.pl
/usr/local/bin/rsnapreport.pl
# cat /usr/local/bin/rsnapreport.pl
#!/usr/bin/env perl
# this script prints a pretty report from rsnapshot output
# in the rsnapshot.conf you must set
# verbose >= 4
# and add --stats to rsync_long_args
# then setup crontab 'rsnapshot daily 2>&1 | rsnapreport.pl | mail -s"SUBJECT" backupadm@adm.com
# don't forget the 2>&1 or your errors will be lost to stderr
Installing crontab (aka scheduled task)
=======================================
Runs at 9 PM every night.
# crontab -e
0 21 * * * /usr/bin/rsnapshot beta 2>&1 | /usr/local/bin/rsnapreport.pl | mail -s "Daily Backup for Teo En Ming Corporation Secret Linux Server Completed. Please check for any backup errors." -r ceo@teo-en-ming-corp.com ceo@teo-en-ming-corp.com
# crontab -l
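The cron line above mails the same "Completed" subject whatever rsnapshot returns, and it runs even when the NAS share is not mounted, in which case the snapshot lands on the local disk under /mnt/backup. The following is an added example, not part of the original guide: a wrapper that refuses to run without the mount and puts rsnapshot's exit status (0 success, 1 fatal error, 2 warnings) into the mail subject. The variable names, function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): wrapper for the nightly job.
# SNAPSHOT_ROOT, RSNAPSHOT, REPORT, IS_MOUNTED and MAIL_TO are illustrative
# variable names; the defaults are the paths and address used in this guide.
SNAPSHOT_ROOT="${SNAPSHOT_ROOT:-/mnt/backup}"
RSNAPSHOT="${RSNAPSHOT:-/usr/bin/rsnapshot}"
REPORT="${REPORT:-/usr/local/bin/rsnapreport.pl}"
IS_MOUNTED="${IS_MOUNTED:-mountpoint -q}"
MAIL_TO="${MAIL_TO:-ceo@teo-en-ming-corp.com}"

# rsnapshot exit status: 0 = success, 1 = fatal error, 2 = finished with warnings.
subject_for_status() {
    case "$1" in
        0) echo "OK" ;;
        2) echo "WARNING" ;;
        *) echo "FAILED" ;;
    esac
}

# run_backup LEVEL LOGFILE: prints OK, WARNING or FAILED and returns the status.
run_backup() {
    # Without this check a failed CIFS mount leaves the snapshot root as an
    # empty local directory and rsnapshot fills the root filesystem instead.
    if ! $IS_MOUNTED "$SNAPSHOT_ROOT"; then
        echo "ERROR: $SNAPSHOT_ROOT is not a mount point" > "$2"
        subject_for_status 1
        return 1
    fi
    rc=0
    "$RSNAPSHOT" "$1" > "$2" 2>&1 || rc=$?
    subject_for_status "$rc"
    return "$rc"
}

# nightly LEVEL: run the backup, then mail the report with the result in the subject.
nightly() {
    log=$(mktemp) || return 1
    rc=0
    result=$(run_backup "$1" "$log") || rc=$?
    "$REPORT" < "$log" | mail -s "[$result] rsnapshot $1 backup" -r "$MAIL_TO" "$MAIL_TO"
    rm -f "$log"
    return "$rc"
}

# Cron entry point: "backup-wrapper.sh --run beta" (script name is hypothetical).
if [ "${1:-}" = "--run" ]; then
    nightly "${2:-beta}"
fi
```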
Checking the progress of rsnapshot backup
==========================================
# tail -f /var/log/rsnapshot
Configuring iptables firewall on ANOTHER UAT/Testing Linux Server
=================================================================
# iptables-save > /etc/sysconfig/iptables
Add the following lines to /etc/sysconfig/iptables.
# nano /etc/sysconfig/iptables
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p tcp -m tcp --dport 135:139 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p udp -m udp --dport 135:139 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p tcp -m tcp --sport 135:139 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p udp -m udp --sport 135:139 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p tcp -m tcp --dport 445 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p udp -m udp --dport 445 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p tcp -m tcp --sport 445 -j ACCEPT
-A OUTPUT -d 192.168.1.5/32 ! -o lo -p udp -m udp --sport 445 -j ACCEPT
# iptables-restore < /etc/sysconfig/iptables
# yum install iptables-services
# systemctl start iptables
# systemctl enable iptables
# service iptables save
The command above saves the iptables firewall rules to /etc/sysconfig/iptables.
Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 18 August 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a System Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.