In this guide, we will learn how to install BackupPC on Debian 11. BackupPC is a free, high-performance enterprise-grade backup software suite with a web-based frontend that can be used for backing up Linux, Windows and mac OSXs PCs and laptops to a server’s disk.
BackupPC features:
- Clever pooling scheme minimizes disk storage and disk I/O. Identical files across multiple backups of the same or different PC are stored only once resulting in substantial savings in disk storage and disk writes. Also known as “data deduplication”.
- Optional compression provides additional reductions in storage. CPU impact of compression is low since only new files (those not already in the pool) need to be compressed.
- A powerful http/cgi user interface allows administrators to view log files, configuration, current status and allows users to initiate and cancel backups and browse and restore files from backups very quickly.
- No client-side software is needed. On WinXX the smb protocol is used. On Linux or Unix clients, rsync or tar (over ssh/rsh/nfs) can be used
- Flexible restore options. Single files can be downloaded from any backup directly from the CGI interface. Zip or Tar archives for selected files or directories can also be downloaded from the CGI interface.
- BackupPC supports mobile environments where laptops are only intermittently connected to the network and have dynamic IP addresses (DHCP).
- Flexible configuration parameters allow multiple backups to be performed in parallel.
Table of Contents
Installing BackupPC on Debian 11
Update and upgrade your system packages.
apt update
apt upgrade
Once the system update is done, proceed to install BackupPC.
BackupPC is usually available on the default APT repositories:
apt-cache policy backuppc
backuppc:
Installed: (none)
Candidate: 4.4.0-3
Version table:
4.4.0-3 500
500 http://deb.debian.org/debian bullseye/main amd64 Packages
As of this writing, BackupPC 4.4.0 is the current release. The above confirms that the default Debian 11 repos provide the latest BackupPC packages.
Install BackupPC
Hence, BackupPC can be installed using the package, backuppc
by running the command below;
apt install -y backuppc
Choose Web Server
During the installation, you will be prompted to choose the web server to be used by BackupPC. Apache web server is used in this guide.
Web Administrator Credentials
A default BackupPC administrative user, backuppc
, and its password is also created during the installation. This user is used to administer various tasks such as access to BackupPC web dashboard, carry out backups etc.
You can choose to copy the password provided or you can proceed and reset the password later by executing the command below;
htpasswd /etc/backuppc/htpasswd backuppc
Configuring BackupPC Server on Debian 11
Define BackupPC Backup User and Backup Protocol
BackupPC uses different protocols to get backup data from devices being backed up:
- smb – used for backing up windows machines
- tar – used for backing up Linux/Unix/MacOSX systems
- rsync – used for backing up Linux/Unix/MacOSX systems. This can also be used to backup Windows systems.
In this tutorial we are going to configure BackupPC to use the rsync protocol as a backup method.
This is customizable per client basis as well.
Also, by default, BackupPC is using root user run backup tasks. However, in this guide, we are going to use a backuppc
user to execute backup tasks.
If you happen to change the backup user, edit BackupPC configuration file, /etc/backuppc/config.pl
and replace the root user with a user you are using for backup under the Rsync/Rsyncd Configuration.
sed -i '/RsyncSshArgs/s/-l root/-l backuppc/' /etc/backuppc/config.pl
Configure BackupPC Apache Authentication
BackupPC uses htpasswd user files to restrict access to web interface.
As such, you require a valid user in order to authenticate.
The Web authentication user and its hashed credential password is stored under the /etc/backuppc/htpasswd
.
You can reset the password by running;
htpasswd /etc/backuppc/htpasswd backuppc
Allow external access to BackupPC, which is set to only allow connections from localhost.
sed -i 's/local/all granted/' /etc/backuppc/apache.conf
This is how the BackupPC Apache config file looks like without comment lines;
<pre class="scroll-box">
Alias /backuppc /usr/share/backuppc/cgi-bin/
<Directory /usr/share/backuppc/cgi-bin/>
AllowOverride None
Options ExecCGI FollowSymlinks
AddHandler cgi-script .cgi
DirectoryIndex index.cgi
AuthUserFile /etc/backuppc/htpasswd
AuthType basic
AuthName "BackupPC admin"
<RequireAll>
Require all granted
Require valid-user
</RequireAll>
</Directory>
</pre>
Next, restart both backuppc and Apache service to apply the changes made above.
systemctl restart backuppc apache2
If UFW is running, allow external access to Apache.
ufw allow WWW
Generate Backup User SSH Keys
For rsync to work, BackupPC requires passwordless SSH login for backuppc user to every client it will be getting backup data from, as per this setup.
This also means that you should create a dedicated backuppc user on the hosts you need to backup, at least using the rsync protocol.
As a result, switch to backuppc user on BackupPC server and generate passwordless ssh keys and copy them to every host you want to backup.
su - backuppc
This will opens up the sh shell. You can run bash command to launch bash shell.
Generate SSH key pair by running the following command;
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/backuppc/.ssh/id_rsa):
Created directory '/var/lib/backuppc/.ssh'.
Enter passphrase (empty for no passphrase): PRESS ENTER
Enter same passphrase again: PRESS ENTER
Your identification has been saved in /var/lib/backuppc/.ssh/id_rsa
Your public key has been saved in /var/lib/backuppc/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:MjPsb8texAqx1uc0u2X3Pk7kJRftu4KiJPeoD4RnNcQ [email protected]
The key's randomart image is:
+---[RSA 3072]----+
| .. |
| .E .|
| .o ..|
| ...+.. ..|
| . +X S * ..+|
| +o * * o ooo|
| o.o. + + .+ |
| =o+o = o.o.|
| .o**oo o++|
+----[SHA256]-----+
Create Backup User Account On Clients
Next, login to the system servers you want to backup and create an account on the client dedicated for backup purposes for example, create a backuppc user account on remote client and copy the public key to that user.
useradd -m backuppc
passwd backuppc
Copy BackupPC Server SSH Keys
Now logout from client host and copy the SSH public key for backuppc user on BackupPC server to backuppc user on the client. Copy the keys while logged as backuppc user.
ssh-copy-id [email protected]
Where 192.168.43.214 is my client IP address. Once you copy the key, you should be able to login without being prompted for a password.
Now, test the login to client with the backup user to ensure user can successfully login to client. You can use root user if you didn’t make the changes above.
su - backuppc
ssh -l backuppc client_IP whoami
Sample output;
backuppc
or
ssh -l root client_IP whoami
Sample output
root
If you changed you backup user to non-root user, Login to the client host as an administrative user and allow the non-user to run the rsync command without being prompted for password by adding the user to sudoers list. backuppc
user is used in this case.
ssh admin@client_IP
Run the command below to find the absolute path of rsync.
which rsync
If rsync command is not installed, run the following commands to install it.
apt install rsync -y
yum install rsync -y
Next, update the sudoers file.
echo "backuppc ALL=NOPASSWD: /usr/bin/rsync" | sudo tee /etc/sudoers.d/backuppc
You may also want to disable ssh agent-forwarding, port-forwarding or even the pty for backuppc user logging in to the client from BackupPC.
To do this, login to client, edit the ssh authorized key file and add the line below before the ssh-rsa
keyword.
from=”backuppc_server_ip”,no-agent-forwarding,no-port-forwarding,no-pty
Replace the backuppc_server_ip
with the IP address of the backuppc server.
vim /home/backuppc/.ssh/authorized_keys
from="192.168.43.154",no-agent-forwarding,no-port-forwarding,no-pty ssh-rsa AAAAB3NzaC1SSSc2EAAAADAQABAAABAQDYuDSNIPxQL6hNh6FeW4wj3hYJ+p42SD9BGVg5Rn6HuzIAi1zrU2pRceQ5VDRj5nXxSjs+oJJ4lXZ/HTaUQDBFysVyIe9Sc4Z9Z5nmmmGWIJnKWfuvzSYbV2JbSJjcTfUPjH32DOvU+4PMdil/4GjKW7pr8fyywl4XuhZMU6RfVw0LgzYuqzUQX5D6Q4MsgIN4HGqBsnVIBvSz2TcPc0hovtfKQMmUBQvp7L9Ob3AKuG01ZZznQ8Q6+eGL7EJHnS30h/FLM8rKBxsvI6El8xog2E0/ALnNGKWsg2NTEqWqQ3xpUDEnA6exgHEm+2xCuKAy1sAuSJHJHScUMLZIUE36t2+nB0Vn [email protected]
Next, you can also configure ssh logins to backuppc user accounts on clients hosts from the BackupPC server only. This can be done by editing sshd_config
file on the client and configuring as shown below;
sudo vim /etc/ssh/sshd_config
Add the line below to SSHd configuration to allow login to the client as backuppc from the BackupPC server only.
Match Host 192.168.43.154
AllowUsers backuppc
Reload SSH configurations
systemctl reload ssh
Accessing BackupPC Web User Interface
Once the configuration is done, login to BackupPC via browser using the address, http://backuppc_server_IP or hostname/backuppc
.
You are prompted to authenticate before accessing the dashboard.
Use the backuppc
web user credentials set above.
When you login, you will land on BackupPC dashboard.
Backup Hosts using BackupPC
If you noticed, the localhost, which is the server running backuppc is already added as one of the backup hosts.
The backup tried to run but failed, due to some default backup protocol (tar) errors.
Since we are using rsync as a backup protocol in this guide, you need to update this for the localhost backup to run.
Hence, click on hostname (localhost for example) > edit config > Xfer > XferMethod > Rsync.
Update RsyncShareName
Click Save.
Reset the local account password for backuppc user.
passwd backuppc
Keep the password save.
Install rsync and allow BackupPC user to execute rsync with sudo without password.
apt install rsync
echo "backuppc ALL=NOPASSWD: $(which rsync)" | sudo tee /etc/sudoers.d/backuppc
su - backuppc
Copy the password generated above to server itself.
ssh-copy-id backuppc@localhost
Initiate localhost backup.
Once the backup is running, you can see status under status menu.
You can now add more hosts to backup.