Re: [Duplicity-talk] Scp calls

[AJ Weber]

Yeah, that would be true (and maybe I should change volsize...I left it at 
the default...), but I would need to edit some of the code -- and would have 
to FIND that code first -- to insert the port-knock just before each scp 
connection.  If it were using one, persistent connection the whole way 
through, then I can put it in my bash script just before the duplicity 
command-line, not have to edit the duplicity source.

Thus, my comment about openvpn was not that it's more-or-less secure, but 
that I could open one tunnel to the target (after one port-knock), run all 
my duplicity backups, then exit the vpn connection, leaving the server with 
zero open ports while it's not consuming backups (or restoring).  But, as 
you said, I'm not sure it's worth the extra setup; it's not _that_ much 
work, but the KISS principle applies with backup/restore scenarios, IMHO.

Thanks again,
AJ

> Port knocking should add very little overhead, one connection every
> 200MB if you set volsize=200.  Besides, its not the guys on the outside
> you need to worry about, most data theft is internal.
>
> ...Ken

> AJ Weber wrote:
> I was considering using port knocking to stealth all ports on the target
> until I open the connection, but that won't work right with that M.O.
>
> Can't be too careful these days.
>
> -AJ
>
> On Jan 3, 2010, at 6:28 AM, Kenneth Loafman <address@hidden> wrote:
>
> > It's as secure as any ssh target, nothing is sent in the clear.  I don't
> > think openvpn would be any more secure.
> >
> > ...Ken
> >
> > AJ Weber wrote:
> > > Hmm.  That seems like a lot of overhead, and I wonder if it increases
> > > the ability of hacking the target server (because the username and
> > > password are sent repeatedly)?
> > >
> > > I wonder if I should setup an openvpn pipe and use straight FTP inside
> > > that instead?
> > >
> > > -AJ
> > >
> > > On Jan 2, 2010, at 8:10 PM, Kenneth Loafman <address@hidden> wrote:
> > >
> > > > Unless you run the --asyncronous-upload option, it's just one
> > > > connection
> > > > at a time, very serial.  With --async, it's 2 at a time.
> > > >
> > > > ...Ken
> > > >
> > > > AJ Weber wrote:
> > > > > I guess I could try to trace this, but figure someone might already
> > > > > know...
> > > > >
> > > > > When using scp URL for target, how many ssh or scp sessions are
> > > > > run?  Is
> > > > > it one per duplicity invocation, or closer to one per 25M archive file
> > > > > transferred (plus sig and other files)?
> > > > >
> > > > > I ask, because I might try to get fancy with firewall rules to protect
> > > > > the target server, and if it's one session, it'll be more
> > > > > straightforward to implement.
> > > > >
> > > > > Thanks!
> > > > > -AJ
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Duplicity-talk mailing list
> > > > > address@hidden
> > > > > http://lists.nongnu.org/mailman/listinfo/duplicity-talk
> > > >
> > > >
> > > > _______________________________________________
> > > > Duplicity-talk mailing list
> > > > address@hidden
> > > > http://lists.nongnu.org/mailman/listinfo/duplicity-talk
> > >
> > >
> > > _______________________________________________
> > > Duplicity-talk mailing list
> > > address@hidden
> > > http://lists.nongnu.org/mailman/listinfo/duplicity-talk
> >
> >
> > _______________________________________________
> > Duplicity-talk mailing list
> > address@hidden
> > http://lists.nongnu.org/mailman/listinfo/duplicity-talk
>
>
> _______________________________________________
> Duplicity-talk mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/duplicity-talk



----- Original Message ----- 
From: "Kenneth Loafman" <address@hidden>
To: "Discussion of the backup program duplicity" <address@hidden>
Sent: Sunday, January 03, 2010 3:23 PM
Subject: Re: [Duplicity-talk] Scp calls


> _______________________________________________
> Duplicity-talk mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/duplicity-talk