Marco van Beek mvanbeek at supporting-role.co.uk
Thu Jun 17 09:07:00 UTC 2021

We have a different methodology where the live server initiates the 
backup, but once each set is completed it sets a flag on the 
backup server and the backup server then takes a copy using hard links, 
so that allows us to have a whole bunch of historical copies that cannot 
be accessed via the live server. Also, the live server only has a 
restricted shell on the backup server so can only run a limited set of 
commands, and is chrooted to its own home directory.

Pros and cons to both methods, but both have the same end result as far 
as ransomware access is concerned.



On 16/06/2021 18:40, John Winters via GLLUG wrote:
> On the backups front, I have long felt that for secure backups it is 
> essential that the backups are driven by the backup server.  The 
> backup server establishes a connection to the live server and backs up 
> what it is configured to back up.  The live server must have no access 
> to the backup server, nor means to establish a connection to it.
> If your backups are driven and controlled from your live server, then 
> as soon as it is compromised the attacker has the option to modify 
> what backups happen, or even prevent them entirely.  If the live 
> server has some kind of write access to the backup server then they 
> can go on and compromise all your existing backups too.
> If the backup server is the one initiating the backup but runs no 
> externally accessible services, then it does a backup when it is 
> configured to do a backup.  If the live server has been compromised to 
> the point where the backup server can't, then it can report the fact. 
> No amount of corrupting the files on the live server will affect those 
> on the backup server.
> Of course you still need a suitable cycle of backups so you can go 
> back as far as is necessary to recover.
> I have two backup servers in different locations which do fairly 
> comprehensive backups each night.  When they're not doing that, 
> they're switched off which makes them even harder to crack into.
> John
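As an added example (not code from Marco's setup or from anyone in this thread), here is a POSIX sh sketch of the backup-server side of the flag-then-hard-link step Marco describes: the live server can only write into one landing directory and drop a completion flag, and the backup server freezes each flagged set into a numbered snapshot. The directory layout, the `.complete` flag name and the numbering scheme are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Unchanged files are
# hard-linked to the PREVIOUS SNAPSHOT (what rsync --link-dest does), changed
# files are copied, so snapshots never share an inode with the landing area
# and a later in-place overwrite by a compromised live server cannot reach
# them. Layout and flag name are assumptions made for this example.
set -eu

# take_snapshot LANDING SNAPDIR FLAG
#   Prints the new snapshot path and returns 0 when FLAG was present;
#   returns 1 and does nothing when the set is not yet flagged complete.
take_snapshot() {
    landing=$1 snapdir=$2 flag=$3
    [ -f "$landing/$flag" ] || return 1
    mkdir -p "$snapdir"
    prev=$(ls -1 "$snapdir" | sort -n | tail -n 1)
    if [ -n "$prev" ]; then next=$((prev + 1)); else next=1; fi
    new="$snapdir/$next"
    mkdir "$new"
    ( cd "$landing" && find . -type f ! -name "$flag" ) | while read -r f; do
        mkdir -p "$(dirname "$new/$f")"
        if [ -n "$prev" ] && cmp -s "$landing/$f" "$snapdir/$prev/$f" 2>/dev/null; then
            # Unchanged since the last snapshot: share that snapshot's inode.
            ln "$snapdir/$prev/$f" "$new/$f"
        else
            # New or changed: a fresh inode, independent of the landing area.
            cp -p "$landing/$f" "$new/$f"
        fi
    done
    rm -f "$landing/$flag"      # consume the flag so one set is frozen once
    chmod -R a-w "$new"         # nothing on the backup server rewrites a snapshot
    echo "$new"
}

# same_inode A B -> 0 if A and B are hard links to one inode
same_inode() { [ "$1" -ef "$2" ]; }

# Stand-alone demonstration on a constructed layout under a temp directory.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/landing/etc"
    printf 'secret=1\n' > "$t/landing/etc/app.conf"
    printf 'hello\n'    > "$t/landing/readme"
    : > "$t/landing/.complete"                        # the live server's flag
    s1=$(take_snapshot "$t/landing" "$t/snapshots" .complete)
    printf 'GARBAGE\n' > "$t/landing/etc/app.conf"    # live server overwrites in place
    : > "$t/landing/.complete"
    s2=$(take_snapshot "$t/landing" "$t/snapshots" .complete)
    echo "snapshot 1 keeps: $(cat "$s1/etc/app.conf")"
    echo "snapshot 2 holds: $(cat "$s2/etc/app.conf")"
    same_inode "$s1/readme" "$s2/readme" && echo "unchanged readme shares one inode across snapshots"
    same_inode "$s1/readme" "$t/landing/readme" || echo "landing area shares no inode with any snapshot"
    chmod -R u+w "$t" && rm -rf "$t"
}

demo
```

The one design point worth checking in any hard-link scheme of this kind is what the links point at: a hard link is the same inode, so if snapshots were linked to files in the landing area rather than to each other, an in-place overwrite through the live server's restricted shell would change every linked copy at once. Linking only between snapshots and copying anything that changed keeps the history out of the live server's reach, which is the whole point of the arrangement; the only extra thing the live server needs to be allowed to do is create the flag file.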
