[lug] Hosting Question
bgiles at coyotesong.com
Sat Sep 30 17:20:21 MDT 2006
dio2002 at indra.com wrote:
> Any thoughts on securing rysync over the public nw?
> Or maybe there is another nw backup method/service i could/should be using
> other than rsync?
I'm becoming a fan of OpenVPN instead of SSH tunnels. Several reasons:
1) you don't have TCP-over-TCP issues when there's packet loss. OpenVPN
uses the OpenSSL library but manages to run it over UDP instead of TCP.
Someone even said it's basically a variant of IPSEC, although I don't
know enough to know if that's a fair characterization.
2) you don't have to figure out how to set up quasi-static connections
for port forwarding. VPNs are just there.
3) you don't have to provide public root access to the services. In
many cases you can bind to the VPN address alone. In other cases you can
run two instances -- one with root access on the VPN, the second without
root access on the public IP address.
4) firewall rules can be greatly simplified since you move some services
entirely onto the VPN. (Unrestricted VPN access can be provided with a
single line in the iptables configuration file.) E.g., your mail server
must be public, but there's no reason for the POP/IMAP server to be.
Finally, there are security issues that you'll run into when people
start using SSH forwards to get past firewalls. The problem isn't the
port forwarding per se, it's that the connections are open to everyone
once they've been established. Suddenly people can get access far
beyond what they could get through VPNs.
More information about the LUG