rrsync: a hidden gem

I've been using rsync for decades, and had never come across its cousin rrsync, until a Google search put it on my map. I was revisiting the inherent security problem in rsync backups: if you've given a remote host ssh access to a server, that host can typically do a lot more than just rsync.

To limit the damage, I'd already set up a 'pull' backup so the backup server grabs the files from the production server. If you do it the other way around, an attacker gaining access to your production server can delete the production data, plus all the remote backups! So I'd already taken one step in the right direction, but it wasn't enough. Which is where rrsync comes in.

It's installed along with rsync, and resides in /usr/bin/rrsync (on Ubuntu at least). It's basically a wrapper that limits a remote rsync client's access to a named directory, and can additionally make that directory read-only:

/usr/bin/rrsync -ro /backups/

You've probably already added the ssh key to the user's authorized_keys file on your production server, so …

# Change this
ssh-rsa AAAAAAgasaofasdfndsfasdfablahblah
# To this
command="/usr/bin/rrsync -ro /backups",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAAAgasaofasdfndsfasdfablahblah

On your backup server you might already be running rsync to pull a directory over from your production server. So,

# Change this
rsync -avz -e ssh [email protected]:/backups/ /local/backups/production/
# To this
rsync -avz -e ssh [email protected]: /local/backups/production/

It looks wrong, like it will back up the whole server, but on the production server end rrsync only lets the backup server 'see' the single directory you specified in authorized_keys. Any other command you try to run from the backup server on the production server will fail.
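As an added example (not from the post), here is a small POSIX sh helper that produces the restricted authorized_keys line shown above from a bare key, and audits an existing authorized_keys file for keys that lack the read-only rrsync wrapper or any of the four no-* options. It assumes rrsync lives at /usr/bin/rrsync as on Ubuntu.

```shell
#!/bin/sh
# Added example: generate and audit rrsync-restricted authorized_keys lines.
# Assumption: rrsync is at /usr/bin/rrsync (Ubuntu location from the post).
RRSYNC=/usr/bin/rrsync

# Print the locked-down authorized_keys line for one directory and a bare key.
# Usage: restrict_key /backups 'ssh-rsa AAAA... comment'
restrict_key() {
    dir=$1; shift
    key=$*
    printf 'command="%s -ro %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$RRSYNC" "$dir" "$key"
}

# Return 0 if a single authorized_keys line is restricted the way the post
# describes (read-only rrsync plus all four no-* options), 1 otherwise.
key_is_restricted() {
    line=$1
    case $line in
        *'command="'"$RRSYNC"' -ro '*) ;;
        *) return 1 ;;
    esac
    for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
        case $line in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print how many key lines in an authorized_keys file are NOT restricted.
# Blank lines and '#' comments are skipped.
count_unrestricted() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key_is_restricted "$line" || n=$((n + 1))
    done < "$1"
    echo "$n"
}
```

Run `count_unrestricted ~/.ssh/authorized_keys` on the production server; anything other than 0 means a key that can still run arbitrary commands over ssh.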

Limitation: As far as I can see, you can only specify a single directory. To do two directories, you'd need to connect with two separate ssh keys and do one directory each time.
