Backing up a server on the DMZ

backup best-practices dmz

Use RSync over SSH, or another appropriate and secure method of file transfer, to get the files from the production DMZ machine to your internal network. Then back that up.

Depending on your security stance, you'll need to determine if you can open up the port(s) for the transfer in both directions. If it's only one, your security stance will determine which direction. Is it more secure for the DMZ machine (your production website) to initiate and push these files into your internal network? Or, would it be more secure for your internal network to initiate and pull the files from the DMZ machine?

Either way, the account being used should have the least privileges necessary to perform the transfer, so that if the account is compromised, it can't do much more damage than just delete the files, and maybe fill a disk.

-With all that said, how different is this from allowing the BE protocol and data to move this data anyway?

Related

Exchange 2010: Log in to another user's mailbox with an admin user that does not have a mailbox
nginx with Memcache Vs Varnish
Best practices for NTP updating in VirtualBox virtual machines without guest additions?
Is it possible to have multiple subdomain levels with DNS and Nginx?
How to migrate an EC2+EBS standard instance to spot instance?
apache2 - how to exclude alias from rewrite rules?
Esxi with iSCSI SAN slows down with many multiple VMs running
CentOS verify backported PHP and Apache fixes
Check ChangeLog of FreeBSD port before upgrading
mod_fcgid: read data timeout errors
rsyslog: How do I direct messages from all remote machines to one file?
pam_krb5: Error Guessing Name of Local Host Principal