Client-Server security with open ports

Hi - is it possible that you develop a more secure client-server communication?
In my opinion it is not really safe to open listen ports on every client.
It would be much more secure if the clients just ask the server if a backup job should be started (for example every hour).
This can be done without opening ports on the client - so the client is safe - even if you move your client out of the local LAN (for example to home or airport or a foreign country).
Please think of it - in 2 or 3 years you will be happier with this security model.
Think about a company which has, for example, hundreds of clients - every client with open ports - this makes the clients much more vulnerable to attacks.
If a bug is found the company has no chance to update all clients in a timely fashion.
If you only have a server which is listening to incoming requests - the admin just has to shut down the server and wait for an update patch.
Search with Google for “Security Friendly Features” and backup - you will find a vendor document which describes my concerns about the security in UrBackup.

Please really think of it.

Yes, this is correct in some cases. Reversing the connection direction would also simplify the administration of the clients.
The risk might be mitigated by the Windows firewall, however, if the firewall exceptions for UrBackup are only added for private networks. Windows asks if you want to use the airport network as a public network when connecting to it the first time. If the firewall exception is only for a private or work network, the UrBackup client will not be reachable from outside of the local machine.

If you want it to be secure you should use the “Internet” mode for all clients, even local ones. In this mode the client connects to the server, the connection is authenticated and optionally encrypted. There is a configuration parameter to put the client into a mode where it only connects to Internet servers and does not bind to local ports (add --internet_only_mode and true to the args.txt).

For the local connections to use the same strategy there has to be a separate port where the server accepts unauthenticated clients, such that new clients can connect to the server.

Since there exists a workaround and it might be mitigated by the Windows firewall, I think this should be a lower priority issue.
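
One way to check on a client that it no longer binds to local ports after switching to Internet-only mode, as an added example that is not part of the original thread or of UrBackup's code: it parses `netstat -an` output and reports TCP listeners on non-loopback addresses. The port set (UrBackup's documented default client TCP ports), the English-locale `LISTENING` state and the function names are assumptions; the sample output is constructed.

```python
import ipaddress

# Assumption: UrBackup's default client TCP ports; confirm against your version's docs.
DEFAULT_PORTS = frozenset({35621, 35623})

# Constructed sample of `netstat -an` output from a Windows client (not real data).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:35621          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:35623        0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.7:55415      ESTABLISHED
  TCP    [::]:35623             [::]:0                 LISTENING
"""


def split_endpoint(endpoint):
    """Split '0.0.0.0:35621' or '[::]:35623' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    return ipaddress.ip_address(host), int(port)


def exposed_listeners(netstat_text, ports=DEFAULT_PORTS):
    """Return sorted (address, port) pairs listening on a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP rows in LISTENING state are of interest here.
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        try:
            addr, port = split_endpoint(fields[1])
        except ValueError:
            continue  # unparsable local address, skip the row
        if port in ports and not addr.is_loopback:
            found.add((str(addr), port))
    return sorted(found)


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE):
        print(f"client port still reachable from the network: {addr}:{port}")
```

An empty result for the live `netstat -an` output of a client means none of the checked ports is bound to a network-facing address; a loopback-only listener is not reported.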