Hello everyone.

I have been interested in starting to self-host, and I have just been able to set up the first useful thing for myself (apart from a PiHole that I have running).

Since I am very afraid of making security mistakes, I would like to get your feedback on whether my setup is secure or not.

The simple use case: I want to be able to back up files from my main computer to a hard disk, without having the hard disk attached to my main computer.

The setup:

  • A Raspberry Pi 4 running Raspberry Pi OS Lite (64-bit).
  • The Raspberry Pi can only be accessed via ed25519 key.
  • I configured a firewall on the Raspberry Pi with ufw to allow only traffic from the local subnet.
  • I then use sshfs to mount the hard disk connected to the Raspberry Pi on my main computer.
  • I plan to use rsync to back up my files.

Now I need your help: how secure is this setup? Did I make any major mistake? Is there something I could do better?

I’d be happy to get some feedback… 🙂

  • frongt@lemmy.zip · 1 upvote · 16 minutes ago

    If it’s not connected to the internet, the only way someone could reach it would be if they are already inside your network. If they are inside your network, either they are on one of your devices (and if it’s your computer, you can consider your keys compromised) or they have physical access and they can just take the drive. (Is the data on the drive encrypted?)

  • superglue@lemmy.dbzer0.com · 3 upvotes · 3 hours ago (edited)

    Look into Borg backup: you will get encrypted backups you can send over ssh, it will be faster, and you get deduplication.

  • Pika@sh.itjust.works · 17 upvotes · 5 hours ago (edited)

    Is there any reason in particular that you are using both SSHFS and rsync? Rsync supports sftp, which runs over an ssh connection, via: rsync -e ssh source dstUser@dstHost:/path

    If you are only using the sshfs system to allow a local ssh directory on your system to use with rsync, you could likely skip that entire part and just use rsync.

    LinuxConfig.org has a pretty decent page on it

      • irmadlad@lemmy.world · 5 upvotes · 2 hours ago

        We were/are all noobs at something at some point in our lives. I’ve had a computer in front of me since the mid 70’s, and I’m still a noob. Learning is one of the bigger draws to this whole scene to me. There is always room to learn, because there are always different approaches to the same problem.

      • Pika@sh.itjust.works · 9 upvotes · 4 hours ago (edited)

        Hey, everyone’s gotta learn somewhere, and defo don’t expect you’ll ever stop learning on this adventure. That’s part of what makes this hobby fun!

        • 712@discuss.tchncs.de (OP) · 4 upvotes, 1 downvote · 4 hours ago

          Wow, I just used this tutorial. rsync is amazing, and this actually makes everything so much easier. Thanks for pointing me in the right direction!

          • Pika@sh.itjust.works · 3 upvotes · 3 hours ago (edited)

            You’re welcome, glad it worked for your use case.

            Rsync is an insane tool when you look at it, half the flags you wouldn’t even know existed unless you were looking for them.

  • kevincox@lemmy.ml · 3 upvotes · 5 hours ago

    It sounds pretty reasonable. As long as you keep SSH patched and keep the key safe it should be quite locked down. Do double-check that password login isn’t allowed (or that all users have a very strong password).

    One non-security note: be careful with rsync backups. Generally rsync isn’t considered a backup, as any mistakes made in the source will be propagated to the “backup” on the next sync. Although there are ways to use rsync to take good backups (like copying to a new directory for each backup).
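
The "new directory for each backup" approach mentioned in the comment above, as an added example that is not part of the original comment: each run writes its own snapshot and hard-links unchanged files to the previous one with rsync's --link-dest. The function name `snapshot`, the `latest` symlink and the `.partial` suffix are assumptions of this example, and DEST_ROOT is assumed to be a directory on the machine running the script.

```shell
#!/bin/sh
# Added example (not from the thread): one directory per backup run.
# Unchanged files are hard-linked to the previous snapshot, so every
# snapshot looks complete but only changed files take new space.

# snapshot SRC DEST_ROOT NAME
#   SRC        directory to back up (local, or an rsync-over-ssh source)
#   DEST_ROOT  local directory holding all snapshots (assumed layout)
#   NAME       snapshot name, e.g. "$(date +%Y-%m-%dT%H%M%S)"
snapshot() {
    src=$1 root=$2 name=$3
    mkdir -p "$root" || return 1
    # Never write into an existing snapshot: old runs stay untouched, so a
    # mistake in the source cannot propagate into earlier backups.
    if [ -e "$root/$name" ]; then
        echo "snapshot $name already exists" >&2
        return 1
    fi
    if [ -d "$root/latest" ]; then
        # --link-dest is resolved relative to the destination directory.
        # --delete only cleans leftovers of an interrupted earlier run.
        rsync -a --delete --link-dest=../latest \
            "$src/" "$root/$name.partial/" || return 1
    else
        rsync -a "$src/" "$root/$name.partial/" || return 1
    fi
    # Publish the snapshot only after rsync succeeded, then repoint "latest".
    mv "$root/$name.partial" "$root/$name" || return 1
    ln -sfn "$name" "$root/latest"
}
```
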

    • 712@discuss.tchncs.de (OP) · 2 upvotes · 5 hours ago

      > keep the key safe

      This might be a dumb question, but can I assume the keys are safe in the standard .ssh directory on Linux? Is there anything I should explicitly do to secure the private key?

      • irmadlad@lemmy.world · 3 upvotes · 4 hours ago (edited)

        You should be good with caveats:

        • Permissions on ~/.ssh: chmod 700 ~/.ssh
        • Permissions on private keys: chmod 600 ~/.ssh/id_rsa or id_ed25519, etc.
        • Permissions on public keys: chmod 644 ~/.ssh/id_rsa.pub

        You can check with: ls -la ~/.ssh/

      • kevincox@lemmy.ml · 2 upvotes · 5 hours ago

        Generally speaking it will be fine. SSH will also refuse keys with open permissions so you would notice if it was wide-open to other users of the device.

        But you know if you are running random code or AI harnesses as that user it can be at risk. Or if you copy around the key all over the place it is more likely to leak. But generally speaking you are secure by default, just don’t do something dumb with the key and you’ll have no problems.
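
The two checks raised in this sub-thread (key file permissions, and password login being disabled on the server), as an added example rather than code from any commenter. The function names are hypothetical, GNU stat is assumed, and `check_sshd_auth` expects the output of `sshd -T` on standard input.

```shell
#!/bin/sh
# Added example (not from the thread).

# check_ssh_dir DIR
# Flags the directory or a private key readable by group/others, and a
# public key writable by group/others. Prints one line per finding and
# returns the number of findings (0 means nothing to fix).
check_ssh_dir() {
    dir=$1 bad=0
    mode=$(stat -c %a "$dir") || return 255
    # The leading 0 makes the shell read the mode as an octal number.
    [ $((0$mode & 077)) -eq 0 ] || {
        echo "$dir: mode $mode, expected 700"; bad=$((bad + 1)); }
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        case $f in
            *.pub) mask=022 want=644 ;;   # public key: nobody else may write
            *)     mask=077 want=600 ;;   # private key: owner only
        esac
        [ $((0$mode & mask)) -eq 0 ] || {
            echo "$f: mode $mode, expected $want"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# check_sshd_auth
# Reads `sshd -T` output (effective server config, lowercase keywords) and
# lists every password-style login method that is still enabled.
# On the server: sudo sshd -T | check_sshd_auth
check_sshd_auth() {
    awk '
        $1 == "passwordauthentication" ||
        $1 == "kbdinteractiveauthentication" ||
        $1 == "challengeresponseauthentication" {
            if ($2 == "yes") { print $1 " is enabled"; n++ }
        }
        END { exit (n > 0) }
    '
}
```
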

  • ShimitarA · 2 upvotes · 5 hours ago

    It is as secure as it can be.

    Are you planning to connect to the server from the internet? Are you planning to expose services to the internet?

    • 712@discuss.tchncs.de (OP) · 2 upvotes · 5 hours ago

      Thank you. For now, I won’t try to connect to the server from the internet. I want to learn more about VPNs before I try anything like this. I am very paranoid when it comes to security, so I don’t want to risk anything… 😄

      • irmadlad@lemmy.world · 4 upvotes · 5 hours ago

        > I am very paranoid when it comes to security, so I don’t want to risk anything… 😄

        Don’t relax that posture. A little paranoia can be a good thing.