Copying files between systems securely is very easy thanks to SSH. With SSH comes the SCP command, designed for copying files across the network securely. This video also covers using rsync with SSH for a more powerful way of copying files. Lastly, the author talks about piping any data from a command through an encrypted tunnel to another host using SSH.
- [Instructor] There are several different ways of transferring files from one host to another using an encrypted tunnel. The easiest being SCP or secure copy. SCP acts like the local CP command, but the arguments are a bit more complex as you'll see. The syntax for SCP is scp, space, options, space, source file, space, destination file. At first glance, the syntax looks the same as a CP command. However, the source and destination files may include the hostname or IP address. For instance, to copy the local /etc/host file to a remote server, you might type in scp, space, /etc/host, space, the IP address, :/tmp.
The source file was the local path, and the destination file is an IP address and remote path separated by a colon. We can also copy a remote file to a local location by reversing the arguments. Now the source is the remote host, and the destination is the local path. This copies the remote /etc/host file to the local /tmp directory. By default, SCP uses the standard SSH port number of 22. If the remote server uses a non-standard port, you'll need to specify it with -P.
This is slightly different than SSH which uses a lowercase p. With SCP, the lowercase p is used to preserve permissions. We can copy recursively as well by providing the -r option. This will copy all files and directories in the remote /etc directory to the local /tmp directory. Since speed may be of interest, we might want to change a cipher. We can do this by passing the -c option. In this example, we are copying the contents of the remote /etc directory, but with the RC4 cipher, instead of the default AES.
The RC4 cipher is an insecure cipher, but much faster than AES when copying large amounts of data. I only use the cipher when copying non-sensitive data, or if I'm copying on a local trusted network. For very slow networks, we can also turn on compression using the -z option. Although this only makes sense on very, very slow networks, and on data that is not already compressed. If we're backing up file systems, we'd probably want to add the -p option to preserve permissions as well. Note that this preserves file ownership, timestamps, and permissions, but not file ACLs or SELinux security context.
Even though SCP will copy files recursively through an encrypted tunnel, it's probably not the best tool for doing more complex copy jobs. A more powerful tool that still uses an SSH tunnel is rsync. The syntax for rsync is more complex and the behavior is a bit different, but worth the effort to learn. SCP will copy every file every time it's run. Rsync will get a list of files needed to be copied, and only copy the missing files. Even if a file is partially copied and thus not complete, it is smart enough to recopy it.
To copy all files in the local /etc directory to the remote host /tmp directory, we'd use this syntax. The -a option copies recursively and preserves permissions, ownership, and symbolic links, but does not copy hard links, preserve ACLs, extended attributes or SELinux security context. For those items, we need to add -H for hard links, -A for ACLs, and -X for extended attributes, which includes SELinux security context. This is a pretty good set of options for system backups.
I also like to add --progress for very good visual progress information. There's one thing I need to address about file paths with rsync. With CP or SCP, the paths /etc and /etc with a trailing slash are the same. If you copy this path, either tool will attempt to copy to /etc directory. Rsync is a bit different. /etc copies to the /etc directory, whereas /etc/ copies the contents of the directory. Keep this in mind.
Rsync has a dry-run option to test your command line before actually copying anything. Just add --dry-run to the option string. Because of how rsync paths work, I recommend doing a dry-run first to ensure the files get copied where you want. Since rsync is using SSH, we can pass any SSH options to it, such as a different port number or cipher. However, the syntax is a bit complex. To use port 1022, we would need to pass the entire SSH command and option inside of quotes. Feel free to add other options inside the double quotes, like -cr4 for the RC4 cipher.
Rsync also has the ability to mirror two directories and delete files on the destination, if they don't exist in the source, or vice versa. For these options, you'll want to reference the rsync man page as it's beyond the scope of this video. We can also transfer files securely by piping them through an SSH tunnel. This command uses cat to view the id_rsa.pub file, and then pipes it into SSH which logs into the remote host, and executes the command inside of double quotes on the remote host. In this case, cat reads standard in, and redirects the output and appends to the authorized_keys file.
This is very useful when you want to send any stream from one host to another. You would use this to do a bit by bit copy of one drive to another across the network using DD and SSH. You can also copy files from one host to another securely using SFTP. SFTP is an FTP-like client that uses an SSH encrypted tunnel, but we won't cover it in this course.
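The public-key pipe described in the transcript, as an added example that is not part of the video: the remote command appends each key only once and sets the permissions on ~/.ssh that sshd's StrictModes check expects. The `REMOTE_CMD` variable, the `push_key` function and the host name in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the video.
# REMOTE_CMD is the text ssh hands to the remote shell. It reads public keys
# on standard input and appends them to ~/.ssh/authorized_keys.
# Single quotes keep $HOME unexpanded until the remote side runs it.
REMOTE_CMD='
umask 077
mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh" || exit 1
auth="$HOME/.ssh/authorized_keys"
touch "$auth" && chmod 600 "$auth" || exit 1
# "|| [ -n ... ]" also handles a last line that has no trailing newline
while IFS= read -r key || [ -n "$key" ]; do
    [ -n "$key" ] || continue
    # -x whole line, -F fixed string: skip a key that is already installed
    grep -qxF -- "$key" "$auth" || printf "%s\n" "$key" >> "$auth"
done
'

# push_key PUBKEY_FILE TRANSPORT...
# TRANSPORT is whatever runs REMOTE_CMD, for example: ssh user@host
push_key() {
    pubkey=$1
    shift
    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }
    # Same shape as the command in the video: cat the key, pipe it into ssh
    cat "$pubkey" | "$@" "$REMOTE_CMD"
}

# Real use (hypothetical host name):
#   push_key ~/.ssh/id_rsa.pub ssh user@server.example
# Offline check of the same remote command, run by a local shell:
#   HOME=/tmp/fakehome push_key ./constructed.pub sh -c
```

Running it twice with the same key leaves a single entry, which the plain `cat >> authorized_keys` form does not guarantee.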
Instructor Grant McWilliams covers network and internet services administration, kernel management, and intrusion prevention. He shows how to make your systems more efficient with virtualization, manage users and groups, and lock everything down with SELinux mandatory access control. Plus, get access to 25 PDF "cheat sheets" and 100 practice questions so you can solidify and test your knowledge.
- Installing Linux on a physical machine
- Managing systemd services
- Managing reoccurring jobs with cron
- Limiting system access
- Configuring networking
- Creating, editing, and moving files and directories
- Analyzing text with grep and regular expressions
- Installing software and packages
- Managing the kernel
- Managing users, accounts, and groups
- Setting permissions
- Using access control lists
- Securing Linux with SELinux
- Accessing Linux remotely
- Configuring local storage