TISbackup/README.md
k3nny 2533b56549 feat(security): modernize SSH key algorithm support with Ed25519
Replace deprecated DSA key support with modern SSH key algorithms,
prioritizing Ed25519 as the most secure option.

Changes:
- Add load_ssh_private_key() helper function in common.py
- Support Ed25519 (preferred), ECDSA, and RSA key types
- Remove deprecated and insecure DSA key support
- Update all SSH key loading across backup drivers:
  * common.py: do_preexec, do_postexec, run_remote_command
  * backup_mysql.py
  * backup_pgsql.py
  * backup_sqlserver.py
  * backup_oracle.py
  * backup_samba4.py
- Add ssh_port parameter to preexec/postexec connections
- Update README.md with SSH key generation instructions
- Document supported algorithms and migration path

Algorithm priority:
1. Ed25519 (most secure, modern, fast, timing-attack resistant)
2. ECDSA (secure, widely supported)
3. RSA (legacy support, requires 2048+ bits)

Security improvements:
- Eliminates vulnerable DSA algorithm (1024-bit limit, FIPS deprecated)
- Prioritizes elliptic curve cryptography (Ed25519, ECDSA)
- Provides clear error messages for unsupported key types
- Maintains backward compatibility with existing RSA keys

Documentation:
- Add SSH key generation examples to README.md
- Update expected directory structure to show Ed25519 keys
- Add migration notes in SECURITY_IMPROVEMENTS.md
- Include key generation commands for all supported types

Breaking change:
- DSA keys are no longer supported and will fail with a clear error message
- Users must migrate to Ed25519, ECDSA, or RSA (4096-bit recommended)

Migration:
```bash
# Generate new Ed25519 key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

# Copy to remote servers
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 01:39:17 +02:00

4.5 KiB

TISBackup

This is the repository of the TISBackup project, licensed under GPLv3.

TISBackup is a Python script for backing up servers.

It runs at regular intervals to retrieve different kinds of data from remote hosts, such as database dumps, files, virtual machine images and metadata.

Install using Compose

Clone this repository and build the container image using the provided Dockerfile

docker build . -t tisbackup:latest

In another folder, create the following subfolders

mkdir -p /var/tisbackup/{backup/log,config,ssh}/

Expected structure

/var/tisbackup/
    ├─backup/                   <-- backup location
    ├─config/
    │ ├── tisbackup-config.ini  <-- backups config
    │ └── tisbackup_gui.ini     <-- tisbackup config
    ├─ssh/
    │ ├── id_ed25519            <-- SSH Private Key (Ed25519 recommended)
    │ └── id_ed25519.pub        <-- SSH Public Key
    └─compose.yaml

Adapt the compose.yml file to suit your needs: one container acts as the WebUI front end and the other as the crond scheduler

services:
  tisbackup_gui:
    container_name: tisbackup_gui
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # SECURITY: Set a unique secret key for Flask session security
      # Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
      - TISBACKUP_SECRET_KEY=your-secret-key-here-change-me
    restart: unless-stopped
    ports:
      - 9980:8080

  tisbackup_cron:
    container_name: tisbackup_cron
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./ssh/:/config_ssh/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always
    command: "/bin/bash /opt/tisbackup/cron.sh"

Configuration

SSH Keys

  • Generate SSH keys (Ed25519 recommended):

    # Ed25519 (most secure, recommended)
    ssh-keygen -t ed25519 -f ./ssh/id_ed25519 -C "tisbackup@yourserver"
    
    # Or ECDSA (also secure)
    ssh-keygen -t ecdsa -b 521 -f ./ssh/id_ecdsa -C "tisbackup@yourserver"
    
    # Or RSA (legacy, minimum 2048 bits)
    ssh-keygen -t rsa -b 4096 -f ./ssh/id_rsa -C "tisbackup@yourserver"
    

    ⚠️ Note: DSA keys are no longer supported due to security vulnerabilities

  • Copy public key to remote servers:

    ssh-copy-id -i ./ssh/id_ed25519.pub root@remote-server
    
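The commit message above describes a load_ssh_private_key() helper that accepts Ed25519, ECDSA and RSA keys and rejects DSA with a clear error, and the SSH key steps above apply the same policy to the keys placed in ./ssh/. As an added example that is not TISBackup's own code, the stdlib-only Python below inspects the unencrypted public-key blob inside an OpenSSH private key file to enforce that policy (Ed25519/ECDSA accepted, RSA only at 2048 bits or more, DSA rejected) before any connection is attempted; the function and constant names are assumptions, and constructed_key_file builds non-functional sample containers for testing only.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
FOOTER = "-----END OPENSSH PRIVATE KEY-----"
MIN_RSA_BITS = 2048  # README minimum for legacy RSA keys; 4096 recommended

def _string(buf, pos):  # SSH wire 'string': uint32 big-endian length + bytes
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _pack(data):
    return struct.pack(">I", len(data)) + data

def key_algorithm(pem_text):
    """Return (key_type, rsa_bits_or_None); raise ValueError for keys that must be rejected."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("not an OpenSSH-format private key; generate one with ssh-keygen -t ed25519")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    pos = len(MAGIC)
    for _ in range(3):                  # ciphername, kdfname, kdfoptions
        _, pos = _string(blob, pos)
    pos += 4                            # number of keys (uint32)
    pub, _ = _string(blob, pos)         # public blob is plaintext even for passphrase-protected keys
    ktype, p = _string(pub, 0)
    ktype = ktype.decode("ascii")
    if ktype == "ssh-dss":
        raise ValueError("DSA keys are not supported; migrate to Ed25519, ECDSA or RSA")
    if ktype == "ssh-ed25519" or ktype.startswith("ecdsa-sha2-nistp"):
        return ktype, None
    if ktype == "ssh-rsa":
        _e, p = _string(pub, p)
        n, _ = _string(pub, p)          # modulus as mpint (leading 0x00 when the high bit is set)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA key is only {bits} bits; minimum is {MIN_RSA_BITS}")
        return ktype, bits
    raise ValueError(f"unsupported key type {ktype!r}")

def constructed_key_file(key_type, *fields):
    """Constructed test container: the private section is filler, so this is NOT a usable key."""
    pub = _pack(key_type.encode()) + b"".join(_pack(f) for f in fields)
    body = (MAGIC + _pack(b"none") + _pack(b"none") + _pack(b"")
            + struct.pack(">I", 1) + _pack(pub) + _pack(b"\x00" * 8))
    b64 = base64.b64encode(body).decode()
    return "\n".join([HEADER] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [FOOTER])
```

Run key_algorithm over the file named by private_key in tisbackup-config.ini to fail fast on a DSA or undersized RSA key instead of discovering the problem during the nightly backup.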

Configuration Files

  • Set up the config files in the ./config directory

  • SECURITY: Generate and set a secure Flask secret key:

    # Generate a secure random secret key
    python3 -c "import secrets; print(secrets.token_hex(32))"
    

    Then add it to your compose.yml as the TISBACKUP_SECRET_KEY environment variable.

tisbackup-config.ini

[global]
backup_base_dir = /backup/

# backup retention in days
backup_retention_time=90

# for nagios check in hours
maximum_backup_age=30

[srvads-poudlard-samba]
type=rsync+ssh
server_name=srvads.poudlard.lan
remote_dir=/var/lib/samba/
compression=True
;exclude_list="/proc/**","/sys/**","/dev/**"
# Use Ed25519 key (recommended), or ECDSA/RSA (DSA not supported)
private_key=/config_ssh/id_ed25519
ssh_port = 22

tisbackup_gui.ini

[general]
config_tisbackup= /etc/tis/tisbackup-config.ini
sections=
ADMIN_EMAIL=josebove@internet.fr
base_config_dir= /etc/tis/
backup_base_dir=/backup/

Run!

docker compose up -d

NGINX reverse-proxy

Sample config file

server {
  listen 443 ssl http2;
  # Remove '#' in the next line to enable IPv6
  # listen [::]:443 ssl http2;
  server_name tisbackup.poudlard.lan;

  ssl_certificate /etc/letsencrypt/live/tisbackup.poudlard.lan/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/tisbackup.poudlard.lan/privkey.pem; # managed by Certbot
  location / {
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   Host $host;
    proxy_pass         http://localhost:9980/;
    proxy_http_version 1.1;
    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection "upgrade";
  }
}

About

Tranquil IT is the original author of TISBackup.

The documentation is provided under the CC-BY-SA license and can be found on Read the Docs.