# SFTP (SSH File Transfer Protocol)

Store backups on any server with SSH access.

## Overview

SFTP runs file transfers inside an SSH session. Benefits:

- Encrypted and authenticated transfer (SSH)
- Works with servers you already run
- Multiple authentication methods (password, private key, SSH agent)
- Standard filesystem access on the remote side
## Configuration

| Field | Description | Default |
|---|---|---|
| Name | Friendly name for this destination | Required |
| Host | Server hostname or IP address | Required |
| Port | SSH port | 22 |
| Username | SSH username | Required |
| Auth Type | Authentication method: `password`, `privateKey` or `agent` | password |
| Password | SSH password (Auth Type `password`) | Conditional |
| Private Key | SSH private key (see Authentication Methods for the accepted formats) | Conditional |
| Passphrase | Passphrase of the private key, if it is encrypted | Optional |
| Path Prefix | Remote directory the backups are written under | Optional |
## Authentication Methods

### Password Authentication

Simplest setup:

- Select Auth Type `password`
- Enter the username and password

### SSH Key Authentication

More secure than a password, and the recommended option:

- Select Auth Type `privateKey`
- Paste your private key (PEM format)
- Enter the passphrase if the key is encrypted

Use a key generated only for DBackup (see SSH Key Setup below), not your personal key: the private key is stored by DBackup.
Example key format:

```text
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHI...
-----END OPENSSH PRIVATE KEY-----
```

Or the older RSA (PEM) format:

```text
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
```

### SSH Agent
For environments with a running SSH agent:

- Select Auth Type `agent`
- Mount the agent socket into the Docker container and point `SSH_AUTH_SOCK` at it:

```yaml
services:
  dbackup:
    volumes:
      - ${SSH_AUTH_SOCK}:/ssh-agent:ro
    environment:
      - SSH_AUTH_SOCK=/ssh-agent
```

The container can then sign with every key loaded in that agent, not only the backup key, so keep the agent's key set minimal (or run a dedicated agent for DBackup).

## Server Setup
### Create Backup User

```bash
# Create user
sudo useradd -m -s /bin/bash backupuser
# Create backup directory
sudo mkdir -p /backups
# Owned by the backup user; if you later enable the chroot under Restrict User,
# /backups must instead be root-owned with a writable subdirectory
sudo chown backupuser:backupuser /backups
# Set password (if using password auth)
sudo passwd backupuser
```

### SSH Key Setup
```bash
# Generate a dedicated key pair (on your machine); set a passphrase when prompted
ssh-keygen -t ed25519 -f ~/.ssh/dbackup_key
# Copy public key to server
ssh-copy-id -i ~/.ssh/dbackup_key.pub backupuser@server
# Or manually add to authorized_keys. sshd ignores the file when ~/.ssh or
# authorized_keys are writable by others, so set the permissions too
cat ~/.ssh/dbackup_key.pub | ssh backupuser@server \
  "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
```

### Restrict User (Optional)
For security, limit the backup user to SFTP inside a chroot:

```bash
# /etc/ssh/sshd_config
Match User backupuser
    ChrootDirectory /backups
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

sshd only accepts a ChrootDirectory that is owned by root and not writable by group or others (the same applies to every parent directory); otherwise logins fail with "bad ownership or modes for chroot directory" in the auth log. So with this block in place, `/backups` must be root-owned (`sudo chown root:root /backups && sudo chmod 755 /backups`) and the backup user gets a writable subdirectory inside it (`sudo mkdir -p /backups/data && sudo chown backupuser:backupuser /backups/data`). Inside the chroot the user sees `/backups` as `/`, so point the Path Prefix at that subdirectory (`/data`).

Check the configuration before restarting, since a syntax error in sshd_config can lock you out: `sudo sshd -t && sudo systemctl restart sshd`
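The two things that most often break this setup, the chroot ownership rules and the permissions on `~/.ssh`, can be checked and applied with a small script. The following is an added example, not part of DBackup or of the original page; it assumes GNU `stat` (Linux) and an OpenSSH 7.2 or later server for the `restrict` key option. `check_chroot_path` walks from the directory up towards `/` and reports the first component sshd would reject; `install_authorized_key` appends the public key with the `restrict` option and sets the permissions the one-line `cat >> authorized_keys` leaves unset. The paths in the usage comments are the ones used on this page.

```shell
#!/bin/sh
# Added example (not DBackup's code). Assumes GNU stat and OpenSSH >= 7.2.

# sshd refuses a ChrootDirectory unless it and every parent directory are
# owned by root and not writable by group or others ("bad ownership or modes
# for chroot directory" in the auth log). WANT_UID defaults to 0 (root); TOP
# stops the walk early, which lets the check run as a normal user in tests.
check_chroot_path() {
  dir=$1
  want_uid=${2:-0}
  top=${3:-/}
  while :; do
    uid=$(stat -c '%u' "$dir") || return 2
    mode=$(stat -c '%A' "$dir") || return 2
    if [ "$uid" != "$want_uid" ]; then
      echo "chroot: $dir is owned by uid $uid, sshd requires uid $want_uid" >&2
      return 1
    fi
    # %A looks like "drwxr-xr-x": position 6 is the group write bit, 9 the others bit
    case $mode in
      ?????w*|????????w*)
        echo "chroot: $dir is group- or world-writable ($mode)" >&2
        return 1 ;;
    esac
    if [ "$dir" = "$top" ] || [ "$dir" = / ]; then
      return 0
    fi
    dir=$(dirname "$dir")
  done
}

# Append a public key to $HOME/.ssh/authorized_keys with the permissions sshd
# requires (StrictModes rejects a group/world-writable .ssh or authorized_keys).
# "restrict" disables port/agent/X11 forwarding and pty allocation for this
# key; SFTP through internal-sftp still works. The optional third argument is
# the owner to chown the files to when the script runs as root.
install_authorized_key() {
  home=$1
  key=$2
  owner=${3:-}
  mkdir -p "$home/.ssh" || return 1
  chmod 700 "$home/.ssh"
  printf 'restrict %s\n' "$key" >> "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  if [ -n "$owner" ] && [ "$(id -u)" = 0 ]; then
    chown -R "$owner" "$home/.ssh"
  fi
}

# Usage on the backup server (not run here):
#   check_chroot_path /backups && echo "chroot directory OK"
#   install_authorized_key /home/backupuser "$(cat dbackup_key.pub)" backupuser:backupuser
```

Run `check_chroot_path` after the `chown`/`chmod` steps above; a non-zero exit names the offending directory, which is quicker than reading the sshd log after a failed login.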
## Directory Structure

After backups have run, your server will have (under the Path Prefix):

```text
/backups/
├── mysql-daily/
│   ├── backup_2024-01-15T12-00-00.sql.gz
│   ├── backup_2024-01-15T12-00-00.sql.gz.meta.json
│   └── ...
└── postgres-weekly/
    └── ...
```

## Storage on NAS Devices
### Synology

- Enable SFTP in Control Panel → File Services
- Create a user with access to the backup shared folder
- Note: use the IP address, not the hostname

### QNAP

- Enable SFTP in Control Panel → Network Services
- Create a backup user with permissions on the backup folder

### TrueNAS

- Enable the SSH service
- Create a user and a dataset for backups
- Configure permissions on the dataset
## Troubleshooting

### Connection Refused

```text
connect ECONNREFUSED
```

Solutions:

- Verify SSH is running on the server: `systemctl status sshd`
- Check the firewall allows the SSH port (22 unless you changed it)
- Verify the hostname/IP and port are correct

### Authentication Failed

```text
All configured authentication methods failed
```

Solutions:

- Verify the username is correct
- Check the password or key; test it outside DBackup with `sftp -i ~/.ssh/dbackup_key backupuser@server`
- Verify the key format (PEM; see Key Format Issues below)
- Check the server allows that auth method (`PasswordAuthentication` / `PubkeyAuthentication` in sshd_config) and read the server's auth log, which states the actual reason for the rejection
### Permission Denied (Writing)

```text
Permission denied
```

Solutions:

- Check the backup user owns the target directory (`ls -ld /backups`)
- Verify the directory is writable by that user: `chmod 755 /backups` is enough when the user owns it, since only the owner gets write access. With the chroot configured, the write target is the user-owned subdirectory, not the root-owned chroot itself
- Check SELinux/AppArmor policies
### Host Key Verification

```text
Host key verification failed
```

Solutions:

- DBackup auto-accepts host keys on first contact, so this error is not expected on a fresh destination
- If it persists, the server's host key has changed (reinstalled OS, regenerated host keys) or the connection is being intercepted
- Because the first key is trusted without checking, verify it out of band: compare `ssh-keyscan -t ed25519 server | ssh-keygen -lf -` run from the DBackup host with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the server console, and treat a mismatch or an unexplained change as a possible MITM attack
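Since host keys are accepted automatically, the check that actually defends against a MITM is comparing fingerprints out of band. The following added example (not part of DBackup or of the original page) recomputes the `SHA256:` fingerprint that `ssh-keygen -l` prints, from a public key line as produced by `ssh-keyscan`, using only coreutils (`base64`, `sha256sum`, `cut`, `tr`), and compares it with a value read off the server console. `backup.example.com` and the `pinned` value in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not DBackup's code). Needs base64, sha256sum, cut, tr (coreutils).

# OpenSSH's SHA256 fingerprint is SHA-256 over the decoded key blob, base64
# encoded with the '=' padding removed and prefixed "SHA256:". Input is a
# public key line "<type> <base64 blob> [comment]", i.e. one line of a .pub
# file, or ssh-keyscan output with the leading host field cut off.
ssh_fingerprint() {
  set -- $1
  blob=$2
  [ -n "$blob" ] || return 2
  hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1) || return 2
  [ "${#hex}" -eq 64 ] || return 2
  # POSIX printf has no \x escape, so rebuild the 32 raw digest bytes from
  # octal escapes, then base64 them and strip the padding.
  esc=''
  while [ -n "$hex" ]; do
    byte=${hex%"${hex#??}"}
    hex=${hex#??}
    esc="$esc\\$(printf '%03o' "0x$byte")"
  done
  printf 'SHA256:%s\n' "$(printf "$esc" | base64 | tr -d '=\n')"
}

# Compare the key a server presents with the fingerprint obtained out of band
# (on the server: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub).
# Returns 0 only on an exact match.
verify_host_key() {
  [ "$(ssh_fingerprint "$1")" = "$2" ]
}

# Usage against a live server (not run here; hostname and pinned value are placeholders):
#   pinned='SHA256:...'   # copied from the server console
#   ssh-keyscan -t ed25519 backup.example.com 2>/dev/null | cut -d' ' -f2- |
#     while read -r line; do
#       verify_host_key "$line" "$pinned" && echo "host key matches" || echo "MISMATCH"
#     done
```

Run the check from the same host DBackup runs on, since a MITM positioned between that host and the server would not be visible from anywhere else.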
### Key Format Issues

```text
Unsupported key format
```

Solution: convert the key to PEM format. `-p` rewrites the key file in place, so keep a copy first; this applies to RSA keys, as ssh-keygen cannot write ed25519 keys in the traditional PEM format:

```bash
# Convert OpenSSH to PEM (rewrites ~/.ssh/id_rsa in place)
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
```

## Performance
### Optimize for Large Backups

- Enable compression in DBackup (reduces the amount transferred)
- Prefer fast ciphers. chacha20-poly1305 is fast on CPUs without AES acceleration; on hosts with AES-NI, aes128-gcm@openssh.com is faster still. Unlike those two, aes128-ctr is not an AEAD cipher and relies on the separately negotiated MAC:

```text
# Server /etc/ssh/sshd_config
Ciphers chacha20-poly1305@openssh.com,aes128-ctr
```

The cipher list is negotiated with every client, so restricting it on the server affects all SSH users of that host, not just DBackup.

### Network Considerations

- Use a gigabit connection for large backups
- Prefer the local network over the internet where possible
- Monitor bandwidth usage
## Security Best Practices

- Use SSH keys instead of passwords
- Disable root login via SSH (`PermitRootLogin no`)
- Restrict the backup user to SFTP only (see Restrict User above)
- A non-standard port only cuts down scanner noise in the logs; it is security by obscurity, not a control, so do not rely on it
- Enable fail2ban for brute-force protection
- Rotate keys regularly and remove retired public keys from authorized_keys
- Firewall rules to limit the source IPs that can reach SSH
### Firewall Example

```bash
# UFW: allow SSH only from the 10.0.0.0/8 range
sudo ufw allow from 10.0.0.0/8 to any port 22
# iptables: same rule. It must precede any rule that drops or rejects port 22,
# and only limits access if the chain's policy (or a later rule) drops the rest
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
```

## Comparison with Other Destinations
| Feature | SFTP | S3 | Local |
|---|---|---|---|
| Setup complexity | Medium | Easy | Easiest |
| Self-hosted | Yes | No | Yes |
| Encryption in transit | Yes (SSH) | Yes (TLS) | N/A |
| Scalability | Limited | High | Limited |
| Cost | Server cost | Pay-per-use | Free |