Backups become critical when data loss occurs or when you’re hosting third-party information. Here’s a battle-tested approach using rsnapshot, rsync, and SSH.
Key Questions to Answer First
- Why? Data protection and minimizing potential losses
- What? Configuration files (Apache, MySQL, Nginx), www directory, databases
- Where? From same drive to geographically distributed servers
- When? Depends on your data change frequency
Core Principles
- The source server should not control backups - It should only expose data
- Backup servers should pull, not receive pushes - Prevents compromised servers from accessing backups
- Use existing, proven tools - Don’t reinvent the wheel
Step 1: MySQL Backup Setup
Create a dedicated backup user with limited permissions:
CREATE USER 'backup'@'localhost' IDENTIFIED BY 'yourpassword';
GRANT SELECT, LOCK TABLES ON *.* TO 'backup'@'localhost';
Create a credentials file at ~/.my.cnf:
[mysqldump]
user=backup
password=yourpassword
Secure it:
chmod 600 ~/.my.cnf
Add to crontab for daily 1:10 AM backups:
10 1 * * * mysqldump --all-databases > /backup/mysql/$(date +\%Y\%m\%d).sql
Step 2: SSH Key Setup
Generate a dedicated key pair on the backup server:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/backup_key
On the source server, add the public key with restrictions:
# In ~/.ssh/authorized_keys
from="BACKUP_SERVER_IP",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAA...
Step 3: Rsnapshot Configuration
Install rsync on both servers, rsnapshot on the backup server.
Configure /etc/rsnapshot.conf (use tabs, not spaces!):
snapshot_root	/backup/snapshots/
retain	hourly	6
retain	daily	7
retain	weekly	4
retain	monthly	12
backup	backupper@source:/var/www/	www/
backup	backupper@source:/etc/	etc/
backup	backupper@source:/backup/mysql/	mysql/
Step 4: Sudoers for rsync
Allow the backup user to run rsync with elevated privileges:
# In /etc/sudoers
backupper ALL= NOPASSWD: /usr/bin/rsync
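The key options from Step 2 and the sudo rule above still let the backup key run rsync as root with any arguments. One way to narrow that, as an added example that is not part of the original post, is a forced-command gate that admits only read-only `--server --sender` pulls of the three directories rsnapshot backs up. The script path, the `command=` wiring and the accepted option list are assumptions, as is rsnapshot invoking `sudo /usr/bin/rsync` on the source through rsync's `--rsync-path` option.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed (hypothetical) install path:
# /usr/local/bin/backup-gate, set as command="/usr/local/bin/backup-gate" in front
# of the other key options in ~/.ssh/authorized_keys on the source server.

# Directories the backup server may read; mirrors the rsnapshot "backup" lines.
ALLOWED_PATHS="/var/www/ /etc/ /backup/mysql/"
# Long options accepted from the client (assumption: extend to what your rsync sends).
ALLOWED_LONG_OPTS="--numeric-ids"

# in_list ITEM LIST: succeed if ITEM is one of the space-separated words in LIST.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# check_backup_command CMD: succeed only for a read-only pull of an allowed path:
#   sudo /usr/bin/rsync --server --sender [options] . <allowed path>
# The body is a subshell, so "set -f" and "exit" stay local to the check.
check_backup_command() (
    set -f                      # no globbing while CMD is split into words
    set -- $1
    [ "$#" -ge 6 ] || exit 1
    [ "$1 $2 $3 $4" = "sudo /usr/bin/rsync --server --sender" ] || exit 1
    shift 4
    while [ "$#" -gt 2 ]; do    # everything before the final ". <path>" is an option
        case $1 in
            --*) in_list "$1" "$ALLOWED_LONG_OPTS" || exit 1 ;;
            -*[!A-Za-z.]*) exit 1 ;;   # short-flag bundle: letters and dots only
            -?*) ;;
            *) exit 1 ;;
        esac
        shift
    done
    [ "$1" = "." ] && in_list "$2" "$ALLOWED_PATHS"
)

# Entry point: sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_backup_command "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND   # word-split only, never passed to eval or sh -c
    fi
    logger -t backup-gate "denied: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```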
Why This Works
- Incremental backups - Only changed files are transferred
- Hard-link deduplication - Unchanged files don’t consume extra space
- Pull-based security - Compromised source can’t delete backups
- Proven tools - rsnapshot and rsync are battle-tested
This setup has protected my servers for years with minimal maintenance overhead.