
Wednesday, 23 June 2010

Script to do directory backups

It is common to carry an external hard disk drive. As a portable device, it is prone to damage, can be stolen, or can be corrupted by a virus. It is a good idea to keep a backup of the contents of the portable HD on a laptop. I created a script written in Bash that helps me with this task.
The script does the following:
  • identifies the source directory (the original content)
  • identifies the destination directory (the place where you want to store the backup file)
  • the script stores the last 3 backup files. This means that, if a fourth backup file is created, the script will erase the oldest backup file.
  • The script is executed manually. This is because the external hard drive is not always connected. Automatic execution may lead to errors because the origin directory is not mounted on the filesystem.
The script goes as follows:

#!/bin/bash -x
# date: jun 21 2010
# backup of a directory in an external hard disk into laptop hard drive

# this is the location where I want to store the backup
BACKUPDIR=/home/EvilCat/WDBackup

# this is the directory I want to back up
SOURCE2="/media/WD Passport/My Documents/"

# this is going to be the name of the backup file;
# the date and time the file was created are appended to the name
BACKUPFILE="backup.$(date +%F_%R).tgz"

# counts the number of backup files that have been created
COUNT=$(ls "$BACKUPDIR"/backup.* 2>/dev/null | wc -l)

THRESHOLD=3 # the number of backup files to be stored

# when THRESHOLD backups already exist, erase the oldest one first,
# so that at most THRESHOLD files remain after this run
if [ "$COUNT" -ge "$THRESHOLD" ]
then
    OLDFILE=$(ls -tr "$BACKUPDIR"/backup.* | head -n 1)
    rm -f "$OLDFILE"
fi

tar -czf "$BACKUPDIR/$BACKUPFILE" "$SOURCE2"
if [ $? != 0 ]
then
    echo problems creating backup file
fi



The script's name is backup.sh. To be executable, it must have the proper permissions. You can set them by issuing chmod u+x backup.sh.

At the moment, this utility syncs only one directory. Further work will involve a GUI, a way to select several folders to be backed up, and a mechanism to detect when the hard drive is connected and initiate a backup wizard.
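The unmounted-drive problem and the three-file retention described above can both be handled inside the script. The following is an added example, not the script from this post: the function name make_backup, its arguments, and the .partial suffix are illustrative, and it archives to a temporary name first so that old backups are pruned only after a new one has been written successfully.

```shell
#!/bin/bash
# Added example (illustrative names, not the original backup.sh).
# make_backup SRC DEST KEEP [STAMP]
#   SRC   directory on the external drive
#   DEST  directory that holds the backup files
#   KEEP  number of backup files to retain
#   STAMP optional timestamp for the file name (defaults to now)

make_backup() {
    local src="$1" dest="$2" keep="$3"
    local stamp="${4:-$(date +%F_%H%M%S)}"
    local final="$dest/backup.$stamp.tgz"
    local tmp="$final.partial"
    local n=0 f

    # An unmounted drive shows up as a missing or empty source directory.
    # Stop here so that no old backup is deleted for nothing.
    if [ ! -d "$src" ] || [ -z "$(ls -A "$src" 2>/dev/null)" ]; then
        echo "source '$src' is missing or empty; is the drive mounted?" >&2
        return 2
    fi
    mkdir -p "$dest" || return 1

    # Archive under a temporary name; a failed run never counts as a backup.
    if ! tar -czf "$tmp" -C "$src" . ; then
        rm -f "$tmp"
        echo "problems creating backup file" >&2
        return 1
    fi
    mv "$tmp" "$final" || return 1

    # Prune only after success. The timestamp sorts chronologically as
    # text, so a reverse name sort lists the newest backups first.
    for f in $(ls -1 "$dest" | grep '^backup\..*\.tgz$' | sort -r); do
        n=$((n + 1))
        if [ "$n" -gt "$keep" ]; then
            rm -f "$dest/$f"
        fi
    done
    return 0
}
```

Called as make_backup "/media/WD Passport/My Documents/" /home/EvilCat/WDBackup 3, it returns 2 without touching the existing backups when the drive is not connected.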

Thursday, 3 June 2010

Setting up a personal SOHO firewall

I want to create a firewall for my laptop. As you may recall from the previous post, I have a Dell Inspiron 11z running Fedora 12 64-bit. I will use iptables for this purpose.
A firewall must be configured according to the needs of the home/company. In my case, my network habits involve the following:


  • Torrent downloading
  • Chat (MSN and GTalk)
  • Host a SSH server
  • Host SMB server
  • Access to SSH in other machines
As a network security guy, I have concerns about the health and intrusiveness of my equipment, so I like to include some items in order to guarantee that it is safe:

  • Must not send echo-replies, but be able to ping other hosts
  • Must not send port-unreachable and host-unreachable messages, so services are hidden.
You must remember that functionality is important, so the rules should not be so tight that it is difficult to use the equipment and its services.

The configuration script goes as follows:

#!/bin/bash
#purpose: soho firewall
#pending june 3: do not send messages to dmesg
#pending june 4: execute at boot

IPTABLES="/sbin/iptables"

# Flush all rules
$IPTABLES -F

# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Incoming external traffic
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT ## Accept ICMP echo replies (answers to my own pings)
$IPTABLES -A INPUT -p udp --sport domain -j ACCEPT ## DNS replies (matches any UDP packet whose source port is 53)
$IPTABLES -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT ## Accept all ESTABLISHED and RELATED incoming TCP traffic
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT ## Accept SSH
$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT ## Accept VNC
$IPTABLES -A INPUT -p tcp --destination-port 6881 -j ACCEPT ## Accept bittorrent
$IPTABLES -A INPUT -j LOG --log-prefix="BAD INPUT: " --log-level 4 ## Log all incoming traffic that is about to be dropped

# Outgoing external traffic
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT ## Accept ICMP echo requests (my own pings)
$IPTABLES -A OUTPUT -p icmp --icmp-type host-unreachable -j DROP ## Block ICMP host unreachable
$IPTABLES -A OUTPUT -p udp --dport domain -j ACCEPT ## Accept DNS queries
$IPTABLES -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP ## Block ICMP port unreachable
$IPTABLES -A OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT ## Allow bittorrent traffic to internet
$IPTABLES -A OUTPUT -p tcp -j ACCEPT ## Accept all outgoing TCP traffic
$IPTABLES -A OUTPUT -j LOG --log-prefix="BAD_OUTPUT: " --log-level 4 ## Log all outgoing traffic that is about to be dropped


# internal traffic rules
## Accept all internal input traffic
#$IPTABLES -A INPUT -j ACCEPT
## Accept all internal output traffic
#$IPTABLES -A OUTPUT -j ACCEPT

# forwarding packets rules
# (this replaces the FORWARD DROP default policy set above)
$IPTABLES -P FORWARD ACCEPT


As you may notice, this script is under development. Among the pending tasks, I must find a way to execute the script at boot time and to keep syslog messages from going to dmesg and iptables.log, a file I created in the rsyslog.conf file:

kern.warning /var/log/iptables.log

Also, I must define an internal forwarding policy to allow virtual machines to access services, and tighter outgoing traffic policies.
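Once the LOG rules write to /var/log/iptables.log, the file is most useful when condensed into who was dropped and on which port. The following is an added example, not part of the original script: the function names summarize_drops and sample_log are illustrative, and the log lines are constructed samples in the format the kernel uses for the LOG target, with documentation addresses.

```shell
#!/bin/bash
# Added example (illustrative names). Usage:
#   summarize_drops "BAD INPUT: "  [/var/log/iptables.log]
#   summarize_drops "BAD_OUTPUT: " [/var/log/iptables.log]
# Prints "count source proto/dport", busiest entries first.

# Constructed sample lines, trimmed to the fields that matter here.
sample_log() {
    cat <<'EOF'
Jun  3 21:10:01 laptop kernel: BAD INPUT: IN=wlan0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=23 SYN URGP=0
Jun  3 21:10:02 laptop kernel: BAD INPUT: IN=wlan0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=40113 DPT=23 SYN URGP=0
Jun  3 21:10:03 laptop kernel: BAD INPUT: IN=wlan0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=40114 DPT=445 SYN URGP=0
Jun  3 21:11:40 laptop kernel: BAD INPUT: IN=wlan0 OUT= SRC=198.51.100.7 DST=192.0.2.20 LEN=84 TTL=55 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun  3 21:12:05 laptop kernel: BAD_OUTPUT: IN= OUT=wlan0 SRC=192.0.2.20 DST=198.51.100.9 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123 LEN=56
Jun  3 21:12:30 laptop kernel: usb 1-1: new high-speed USB device number 4
EOF
}

summarize_drops() {
    local prefix="$1" file="${2:-/var/log/iptables.log}"
    awk -v prefix="$prefix" '
        index($0, prefix) {                 # only lines tagged by our LOG rule
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (dpt == "") dpt = "-"        # ICMP entries carry no DPT field
            count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$file" | sort -k1,1nr -k2
}
```

A port that keeps showing up under "BAD INPUT: " from a machine on the home network usually means a service from the list of needs still lacks an ACCEPT rule.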

Testing the firewall is the next step. I used Backtrack to do so. First of all, I have to execute the script on my machine:



Then I go to the VM with Backtrack 4 installed so I can test.


You may notice that services exposed are the ones that are necessary.

Impressions? Suggestions? What do you think about it? Your feedback is appreciated.