John Winters john at sinodun.org.uk
Wed Jun 16 17:41:07 UTC 2021

On the backups front, I have long felt that for secure backups it is 
essential that the backups are driven by the backup server.  The backup 
server establishes a connection to the live server and backs up what it 
is configured to back up.  The live server must have no access to the 
backup server, nor means to establish a connection to it.

If your backups are driven and controlled from your live server, then as 
soon as it is compromised the attacker has the option to modify what 
backups happen, or even prevent them entirely.  If the live server has 
some kind of write access to the backup server then they can go on and 
compromise all your existing backups too.

If the backup server is the one initiating the backup but runs no 
externally accessible services, then it does a backup when it is 
configured to do a backup.  If the live server has been compromised to 
the point where the backup server can't, then it can report the fact. 
No amount of corrupting the files on the live server will affect those 
on the backup server.

Of course you still need a suitable cycle of backups so you can go back 
as far as is necessary to recover.

I have two backup servers in different locations which do fairly 
comprehensive backups each night.  When they're not doing that, they're 
switched off which makes them even harder to crack into.


Xronos Scheduler - https://xronos.uk/
All your school's schedule information in one place.
Timetable, activities, homework, public events - the lot
Live demo at https://schedulerdemo.xronos.uk/

More information about the GLLUG mailing list