port 8007 and port forwarding

[Adamg]

I'll admit, I don't understand ports and everything.... But am I crazy? Is forwarding port 8007 to the backup server to make the remote sync option work the best way to do this?

I love the backup server and I love the remote sync thing, but to make it work I have to forward port 8007 to my backup server which makes the GUI login page available to everyone. SO, my fear is that if someone has my root password they can get into my backup server and do all kinds of bad things. I don't know enough but couldn't the remote sync be on a different port so that the remote sync requires the fingerprint thing as well as the root password?

 

[Cookiefamily]

Both the GUI and Remote Sync/Backup Jobs use the API. The API is avaible on Port 8007.

It would probably be best for you to implement a firewall so only authorized IPs can access Port 8007 on your Server.

 

[ph0x]

Or use a VPN. Yes, in this part of the software there is still room for improvement.

 

[Adamg]

yes, adding a firewall rule to only forward port 8007 for my static IP should be the way to go. Unfortunately my firewall doesn't have that option so I have to replace the firewall. I was just wondering if I was way off base by suggesting the GUI and the Remote Sync use different ports... sounds like I'm not way off but maybe programming it that way becomes a lot more difficult? I don't know. thanks for the replies.

 

[ukro]

+1 different port

 

[Dunuin]

Putting the webUI on another port won't help much. PBS uses the API for backups/syncs/restores and all you can do as root in the webUI you can also do using the API as root.

 

[ukro]

One solution would be if it would be not push but pull? That would be more secure? PBS would pull the backup from remote PVE?

 

[Dunuin]

If you want it as secure as possible, route all traffic between PVE and PBS through a VPN tunnel. If that PBS isn't accessible from the internet, it's hard to try to hack it.