Noob - protecting my installation from the internet?

Hi

Apologies for the newbie question - I’m just starting out with urbackup…

In the documentation, I see many references to the possibility of backing up / restoring via the internet - however, I’ve not spotted any details of how to ensure that this functionality is turned ‘off’. (As I tend to be a little paranoid about things such as this)

My concern is that I don’t want a client to accidentally back up to a urbackup server over the internet, and likewise, I don’t want anyone over the internet being able to access my backup server.

The server is a docker image (latest) running on linux - and while this is on our own private home network, I’m aware that I’ve had applications that have been able to advertise themselves and respond from the internet.

I’m currently trying out a windows 10 PC client, and about to try a linux client… all items (server and clients) are currently running the default settings.

If you could let me know

  • If internet functionality comes initially disabled.
  • If it’s not disabled, then how this should be done without breaking functionality.

Hope that all makes sense… many thanks in advance.
Carl.

Hi Carl, your question makes a lot of sense :+1:

I think you are referring to the “internet mode”. This term is a little bit misleading, i.e. has nothing to do with the internet.

By default, your server will try to discover and reach out to clients in your LAN. When you configure “internet mode” then it sits waiting and clients are connecting to the server (still in your LAN). It opens up some ports, but it doesn’t make your server visible or accessible from outside your LAN, that is something you have to configure for example by redirecting traffic on your router.

So just like with any other server you can make use of your host firewall to further restrict who from your LAN can connect to UrBackup.
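An added example, not part of the original posts or of UrBackup itself: before writing host firewall rules, this script checks which UrBackup ports the host is listening on and whether any connected peer falls outside the LAN. It parses the output of `ss -Htan`; port 55415 is the default Internet-mode port quoted from the Admin Manual later in this thread, while port 55414 (web interface), the LAN range and the sample socket listing are assumptions constructed for the example.

```python
import ipaddress

# 55415: default Internet-mode port cited from the Admin Manual in this thread.
# 55414: web interface port, an assumption added for this example.
URBACKUP_PORTS = {55414, 55415}

# Constructed sample of `ss -Htan` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:55414 0.0.0.0:*
LISTEN 0 128 [::]:55415 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.168.1.10:55415 192.168.1.23:51122
ESTAB 0 0 192.168.1.10:55415 203.0.113.7:40211
ESTAB 0 0 192.168.1.10:22 198.51.100.9:50000
"""

# Assumed LAN range; add an overlay/VPN subnet here if clients use one.
LAN = [ipaddress.ip_network("192.168.1.0/24")]

def split_hostport(field):
    """Split an ss address field such as '192.168.1.10:55415' or '[::]:55415'."""
    host, _, port = field.rpartition(":")
    return host.strip("[]").split("%")[0], port  # drop brackets and zone id

def audit(ss_output, lan, ports=URBACKUP_PORTS):
    """Return (ports listening on all interfaces, peers outside the LAN)."""
    wildcard, outside = set(), []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        state, (lhost, lport) = cols[0], split_hostport(cols[3])
        if not lport.isdigit() or int(lport) not in ports:
            continue  # not a UrBackup port
        if state == "LISTEN" and lhost in ("*", "0.0.0.0", "::"):
            wildcard.add(int(lport))
        elif state == "ESTAB":
            phost, _ = split_hostport(cols[4])
            addr = ipaddress.ip_address(phost)
            if not addr.is_loopback and not any(addr in net for net in lan):
                outside.append((int(lport), phost))
    return sorted(wildcard), outside

if __name__ == "__main__":
    print(audit(SAMPLE_SS, LAN))
```

A port listed as listening on all interfaces is reachable from the LAN only unless the router forwards it; an entry in the second list means a peer from outside the configured ranges is actually connected.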

Hiya

Many thanks for your swift reply - and for the assurance :slight_smile:

All the best

Carl.

@Michal is that correct? Admin Manual Section 7: UrBackup is able to backup clients over the internet, enabling mixed LAN and Internet backups. This can be useful e.g. for mobile devices which are not used in the LAN all the time, but are connected to the Internet. It is true that you have to make the correct settings for port forwards in your router to make that happen. Also, OP said he was using all the default settings. The only way to make a LAN connected computer backup through the Internet setting is to enable said setting, which is off by default (Section 8.4).

It is correct that if Internet mode has been set up, but ports not opened, that the server waits for the client to initiate activity even if it is LAN accessible. In the case where Internet mode has not been set, the server is routinely reaching out to active clients to start any activity.

@kuva Yes, everything in my previous post is correct. For the sake of clarity, let me separate it into pieces:

  1. You can use “internet mode” for LAN clients if you want, in fact this is what I’m doing on all my servers - every LAN client is connecting over “internet mode” only.
  2. You can backup clients from other locations over the internet in the default mode (with “internet mode” DISABLED) if you want. This is a lot trickier to set up correctly because you need broadcasts working. “Internet mode” on the other hand is easy to set up as it requires forwarding only one port (plus web UI for management and restores optionally).
  3. Because of point 1 and 2, “internet mode” has nothing to do with internet - it is not exclusive for remote clients, it is not even required for remote clients.
  4. Internet mode is disabled by default. Enabling it doesn’t make your server visible or reachable on the internet.
  5. Simply installing UrBackup Server opens up ports for you on most popular operating systems - naturally on your host (not on your router). Doesn’t matter if you are using “internet mode”.

EDIT:
You seem to be convinced that “internet mode” is the only way to backup clients over the internet - would you cite the docs or explain it otherwise? Yes, documentation says “internet mode” is useful for remote clients - this is absolutely the case - but “useful” doesn’t mean “required”.

As so many things, it is not explicitly stated that to backup “over the Internet”, you “must” use “Internet mode”. However, to clarify. To ME, backup over the internet means I am backing up from outside my LAN segment - from an outside real world IP. In order to do that, Admin Manual Section 7:

UrBackup is able to backup clients over the internet, enabling mixed LAN and Internet backups. This can be useful e.g. for mobile devices which are not used in the LAN all the time, but are connected to the Internet. As it causes additional strain on the backup file system this feature is disabled by default. You need to enable and configure it in the settings and restart your server to use it. The minimum you have to configure is the server name or IP on which the backup server will be available on the Internet. As you probably have a Firewall or Router in between backup server and Internet you also need to forward the configured port (default: 55415) to the backup server.

So, to recap: IF you want to backup “over the internet”, you have to physically change the default settings; provide additional information as to how to connect to the server; AND open the port on your router.

If you can “back up over the internet” using some other method NOT listed in the Admin Manual (using broadcasts), good for you. I applaud your prowess. As you mentioned, it’s “tricky”. If what you are referring to is backing up “over the internet” through an open port, I’d suggest that is not all that tricky. But ymmv.

As long as an insistence for citing the docs is needed, please provide the section and the required setup needed to perform the last sentence in your bulletpoint 3: “…it is not even required for remote clients.” You would seem to imply that if I am NOT in the local LAN, I can backup my computer (client) from anywhere in the world — WITHOUT setting up Internet Mode (including all the necessary check box settings to allow success - there are several).

Finally, you seem to take my comments the wrong way. I am certainly NOT “convinced” of anything - especially as to “my way” is the ONLY way. IF remote clients are not “required” to use “Internet mode”, please expand and provide examples.

To ME, backup over the internet means I am backing up from outside my LAN segment

Exactly, to me as well. Trouble is that the term “internet mode” is confusing you (and not only you), so I will be using “remote clients” for exactly this scenario you laid out. Client in completely different LAN with a different public IP than server, but they are both somehow connected to the internet. When I say “internet mode” I mean the situation when you enabled “internet mode” setting (doesn’t matter where the client is).

If you can “back up over the internet” using some other method NOT listed in the Admin Manual (using broadcasts), good for you. I applaud your prowess.

You clearly don’t know what you are talking about. Forget about the internet for a moment, it is just the basics of how UrBackup works. When you are using default settings, where the server discovers and reaches out to the clients in your LAN, the process of establishing a connection between the server and LAN client is a bit tricky (point 3.2 in the manual). It requires client listening to the broadcast messages - and this part especially is not trivial to set up for remote clients scenario. There is not much you can do on your router, as the client side must be listening, and quite possible that it will be connected via someone else’s router.

If what you are referring to is backing up “over the internet” through an open port, I’d suggest that is not all that tricky. But ymmv.

Now you are talking about port forwarding for “internet mode” - I specifically said it is easy to set up.

You would seem to imply that if I am NOT in the local LAN, I can backup my computer (client) from anywhere in the world — WITHOUT setting up Internet Mode

Well I’m not implying. The whole point of argument is that I’m trying to clearly and strongly state (not imply) that this is exactly what you can do.
You can have the default mode, where the server reaches out to the clients, working without changing a single setting on UrBackup side. Manual doesn’t cover that as it is not that easy to set up and teaching you network basics is simply out of its scope. The fact you don’t even allow it in your head supports my claim. On the other hand, it has second mode of operation called “internet mode” which is very straightforward to explain and understand.

You see it all comes down to a language and semantics argument, not a technical one. This is why the term “internet mode” is a bit unfortunate - it makes sense most of the time, but sometimes when the details matter it confuses people like you, and results in you thinking that “internet mode” is the only way to backup remote clients. Or that you are not supposed to use “internet mode” for clients within your LAN. Or imply that it somehow puts your server on the wild internet.

Finally, you seem to take my comments the wrong way. I am certainly NOT “convinced” of anything - especially as to “my way” is the ONLY way. IF remote clients are not “required” to use “Internet mode”, please expand and provide examples.

OK I was referring to the fact you said “The only way to make a LAN connected computer backup through the Internet setting is to enable said setting”. Sounds like you are confident, but this statement is simply not true. Yes, enabling this setting makes the whole thing a lot easier (you already understand port forwarding) and this is where it got this name from. As to the examples - without another lengthy post, I will just point you to the solution I have tried and used - ZeroTier overlay network, kind of VPN, but more.

I await for enlightenment. Network mode is NOT enabled in urbackup server. NO default settings are changed. Some “network settings” in your local network (that you have administrative rights to) are changed/enabled/defined. urbackup and a client outside of LAN backs up to server as if it were LAN local, all client/server settings for kinds of backups, times of backups, archiving of backups, etc.

FYI: I am quite network AND server fluent, running my own server for a decade now.

And if you think I am “poking fun” at you, I seriously am NOT. I really would like to know all of the exact settings required to use my client outside of my local LAN without setting up “Internet mode” (which I assume you mean, port forwarding). If I do not have to mess with ANY of the defaults, but have to dig deep into my server and router, I am a happy camper. I am very familiar with their workings. I just do not fully understand all of the concepts as they are laid out in the Admin Manual.

Thanks for any insights you might be able to provide.

My apologies. Something about your post rubbed me the wrong way but on the second reading I realized my reaction is not justified so I retracted and edited that part out. Again, my bad.

OK you also seem to know your ways around (based on your other posts). But really, this is going so off topic. We can start a new one. But to be concise - the way I got it working is by using ZeroTier as a network overlay. Go and check it out anyways even if you are not interested in using it with UrBackup - it makes magic things.

But I need to go back to one more aspect - the term “internet mode” implies it is for remote clients (from the internet) only. This makes a great disservice to UrBackup in my opinion. Not only you can do all your LAN backups in “internet mode”, in many situations it is a better way i.e. disable “default mode” and use “internet mode” exclusively. The main advantages are - traffic is encrypted, new clients are not silly-willy connecting and sending data to whatever server they find on the network, server is not silly-willy accepting data from any new client on the network. Also, proper firewalling such server is easier in my opinion.

Thank you for the edit. Very sorry if I rubbed you the wrong way. I will look into ZeroTier. Thanks for that.

Regarding using “internet mode” internal to LAN being a “better way”. I guess I have several concerns, coming straight from the Admin Manual. First, I am using v. 2.5.31. Seems to me, at least all of my default settings were set that way, both modes allow encrypted and compressed transfers. (Straight from the settings page, Local/passive clients, both options were default ON for encryption and compression, as well as on the Internet/active clients). Per the manual Section 7: " As it causes additional strain on the backup file system this feature is disabled by default." Digging in further to various sections, it appears as if the backup traffic is different local v internet: RAW v HASHED for full file and image backups; HASHED v BLOCK DIFFERENCE-HASHED for incremental file backups; for incremental image backups - based on last full image v based on last image; for full image backups style - full image backup v synthetic full image.

Although I’d love more power in my server, I don’t even have close to the latest CPU power. I’d hate to bog down the server with all of its other activities, cron jobs, dockers, virtual machines, etc. in the vein of “backups with internet mode are better than local/passive clients”.

Again, thank you for your help. And agreed, it’s become off-topic. I’ll conclude my posts here with this one. Thank you for the tip on ZeroTier and your help. And sorry if we were “talking past each other”.

I missed that, another reason for “internet mode” for me (although you can change the defaults however you want). It makes your client work hard, but it’s something I have learned to appreciate when there are multiple clients with huge files that are changing just a little bit.

In any case it’s on you to know what fits best to your environment. Good thing is that UrBackup gives us options.