1 |
> Sure, but you've noted that rdiff-backup is insecure if the source box is |
2 |
> violated. What you need, then, is a layer of versioning not subject to that |
3 |
> vulnerability. |
4 |
|
5 |
Does it exist? |
6 |
|
7 |
- Grant |
8 |
|
9 |
|
10 |
>> > You identified a flaw in the system as you were using it. You're right, |
11 |
>> > those are flaws. However, you can " fix" those flaws by applying some |
12 |
>> > magic |
13 |
>> > as a sysadmin. That's why several posts in the thread have mentioned |
14 |
>> > versioning your backups in some fashion. I've mentioned lvm a couple |
15 |
>> > times. |
16 |
>> |
17 |
>> I thought versioning meant that you could roll back to a previous |
18 |
>> version. rdiff-backup provides that. |
19 |
>> |
20 |
>> > I think someone else mentioned pulling the backup target's data to |
21 |
>> > another |
22 |
>> > locale, either via a pull from another server, or via something like a |
23 |
>> > traditional incremental tape backup. |
24 |
>> |
25 |
>> So the systems push to the backup server and a second backup server |
26 |
>> pulls from the first backup server? Should the second backup server |
27 |
>> use rdiff-backup against the rdiff-backup repository on the first |
28 |
>> backup server? I think I've read that's not a good idea. |
29 |
>> |
30 |
>> What does everybody else do? I feel like the first person to ever |
31 |
>> attempt secure automated backups. |
32 |
>> |
33 |
>> - Grant |
34 |
>> |
35 |
>> |
36 |
>> > You're getting the data off the original machines to a remote location, |
37 |
>> > which is good. You identified a way the backed-up data could be tampered |
38 |
>> > with, which is good. You just need to put in another (better) barrier to |
39 |
>> > protect the data from being tampered with, or limit how much data is |
40 |
>> > lost in |
41 |
>> > such an event. |
42 |
>> > |
43 |
>> > ZZ |
44 |
>> > |
45 |
>> > On Nov 14, 2011 8:21 PM, "Grant" <emailgrant@×××××.com> wrote: |
46 |
>> >> |
47 |
>> >> > It's out of scope for file transfer protocols; it's a |
48 |
>> >> > daemon/system-local |
49 |
>> >> > problem. Attach pre-event or post-event scripts serverside for any |
50 |
>> >> > special |
51 |
>> >> > munging or protections you'd like to apply. (Such as triggering an |
52 |
>> >> > LVM |
53 |
>> >> > snapshot, for example...) |
54 |
>> >> |
55 |
>> >> I must be going about this the wrong way. Am I the only one using |
56 |
>> >> automated backups? If not, how is it done properly? |
57 |
>> >> |
58 |
>> >> - Grant |
59 |
>> >> |
60 |
>> >> |
61 |
>> >> >> >>>>> And if I pull, none of my backed-up systems are secure because |
62 |
>> >> >> >>>>> anyone |
63 |
>> >> >> >>>>> who breaks into the backup server has root read privileges on |
64 |
>> >> >> >>>>> every |
65 |
>> >> >> >>>>> backed-up system and will thereby "gain full root privileges |
66 |
>> >> >> >>>>> quickly." |
67 |
>> >> >> >>>> |
68 |
>> >> >> >>>> IMO that depends on whether you also backup the |
69 |
>> >> >> >>>> authentication-related |
70 |
>> >> >> >>>> files or not. Exclude them from backup, ensure different root |
71 |
>> >> >> >>>> passwords |
72 |
>> >> >> >>>> for all boxes, and now you can limit the infiltration. |
73 |
>> >> >> >>> |
74 |
>> >> >> >>> If you're pulling to the backup server, that backup server has |
75 |
>> >> >> >>> to |
76 |
>> >> >> >>> be |
77 |
>> >> >> >>> able to log in to and read all files on the other servers. |
78 |
>> >> >> >>> Including |
79 |
>> >> >> >>> e.g. your swap partition and device files. |
80 |
>> >> >> >> |
81 |
>> >> >> >> What if I have each system save a copy of everything to be backed |
82 |
>> >> >> >> up |
83 |
>> >> >> >> from its own filesystem in a separate directory and change the |
84 |
>> >> >> >> ownership of everything in that directory so it can be read by an |
85 |
>> >> >> >> unprivileged backup user? Then I could have the backup server |
86 |
>> >> >> >> pull |
87 |
>> >> >> >> that copy from each system without giving it root access to each |
88 |
>> >> >> >> system. Can I somehow have the correct ownerships for the backup |
89 |
>> >> >> >> saved in a separate file for use during a restore? |
90 |
>> >> >> >> |
91 |
>> >> >> >> - Grant |
92 |
>> >> >> >> |
93 |
>> >> >> > |
94 |
>> >> >> > You could just as well use an NFS share with no_root_squash. It is |
95 |
>> >> >> > really more a question of finding the right combination of tools |
96 |
>> >> >> > to |
97 |
>> >> >> > ensure proper separation of concern for server and client. |
98 |
>> >> >> > |
99 |
>> >> >> > In fact, I think we are intermixing three distinct problems: |
100 |
>> >> >> > 1. (Possible) limitations of rdiff-backup with regard to untrusted |
101 |
>> >> >> > backup servers or clients. |
102 |
>> >> >> |
103 |
>> >> >> The limitation is real unfortunately. All backups created by |
104 |
>> >> >> rdiff-backup more than a second ago can be deleted something like |
105 |
>> >> >> this: |
106 |
>> >> >> |
107 |
>> >> >> rdiff-backup --remove-older-than 1s |
108 |
>> >> >> backup@12.34.56.78::/path/to/backup |
109 |
>> >> >> |
110 |
>> >> >> > 2. The purely technical question which file transfer protocols |
111 |
>> >> >> > protect |
112 |
>> >> >> > against write access from backup server to backup client and |
113 |
>> >> >> > backup |
114 |
>> >> >> > client to older backups on the server. |
115 |
>> >> >> |
116 |
>> >> >> rdiff-backup doesn't provide those sort of protections. Do any file |
117 |
>> >> >> transfer protocols? |
118 |
>> >> >> |
119 |
>> >> >> > 3. The more or less organisational question what level of |
120 |
>> >> >> > protection |
121 |
>> >> >> > backups need and how fast security breaks have to be detected. |
122 |
>> >> >> |
123 |
>> >> >> I think backups should be very well protected and security breaks |
124 |
>> >> >> should not have to be immediately detected. |
125 |
>> >> >> |
126 |
>> >> >> - Grant |
127 |
>> >> >> |
128 |
>> >> >> |
129 |
>> >> >> > I think push vs. pull is just a secondary concern with regard to |
130 |
>> >> >> > the |
131 |
>> >> >> > second question and has practically no relevance to the third one. |
132 |
>> >> >> > |
133 |
>> >> >> > Regards, |
134 |
>> >> >> > Florian Philipp |