Network backup
-
This touches a bit on the cryptoware talk we were having yesterday.
Apparently there is newish ransomware that will find network shares that it has write permissions to and hit them up as well.
I guess in that case SSH would be best. And creating a dedicated backup user who is the only user who has write access to the volume would be another layer of protection.
-
@Dashrender said:
This touches a bit on the cryptoware talk we were having yesterday.
Apparently there is newish ransomware that will find network shares that it has write permissions to and hit them up as well.
I guess in that case SSH would be best. And creating a dedicated backup user who is the only user who has write access to the volume would be another layer of protection.
Ya none of the users have a mounted network share. It's all done through links via their libraries. However, as fast as this stuff changes that may not help tomorrow.
I was leaning towards SSH, I just wanted to make sure that's what the consensus was. Thanks!
-
That's just it, apparently they don't need to be mapped anymore.
They only need to have write access. The virus will seek out any network it can find by scanning the network.
Assuming the virus is limited to the access the user who got infected has, there would be no way for the virus to write to a share that is limited to the backup user. Even if the virus did a privilege escalation, that should only affect the local machine, not at a domain level, you'd still be safe.
-
@Dashrender said:
That's just it, apparently they don't need to be mapped anymore.
They only need to have write access. The virus will seek out any network it can find by scanning the network.
Assuming the virus is limited to the access the user who got infected has, there would be no way for the virus to write to a share that is limited to the backup user. Even if the virus did a privilege escalation, that should only affect the local machine, not at a domain level, you'd still be safe.
Oh wow, I didn't see that one. This is getting insane.
-
@johnhooks said:
@Dashrender said:
That's just it, apparently they don't need to be mapped anymore.
They only need to have write access. The virus will seek out any network it can find by scanning the network.
Assuming the virus is limited to the access the user who got infected has, there would be no way for the virus to write to a share that is limited to the backup user. Even if the virus did a privilege escalation, that should only affect the local machine, not at a domain level, you'd still be safe.
Oh wow, I didn't see that one. This is getting insane.
Frankly that was security through obscurity, it was just a matter of time before it happened.
-
@Dashrender said:
@johnhooks said:
@Dashrender said:
That's just it, apparently they don't need to be mapped anymore.
They only need to have write access. The virus will seek out any network it can find by scanning the network.
Assuming the virus is limited to the access the user who got infected has, there would be no way for the virus to write to a share that is limited to the backup user. Even if the virus did a privilege escalation, that should only affect the local machine, not at a domain level, you'd still be safe.
Oh wow, I didn't see that one. This is getting insane.
Frankly that was security through obscurity, it was just a matter of time before it happened.
Ya I knew that finding a way around mapping wasn't going to last long, but it does seem a little quicker for some reason.
-
@johnhooks said:
Is it better to backup by mounting a network share or is it better to backup via SSH to the remote host?
SSH can be a way to mount a share, SSHFS. So it's mostly six of one, half dozen of another. I'd say "it depends." SSH is often more secure, SSH is generally quite a bit slower.
-
@johnhooks said:
@DustinB3403 said:
I prefer SSH to backup.
What are you looking to backup?
From our server to our synology. Shop files, cad drawings, documents. Only about 200 gigs worth of stuff.
I'm going to use rsnapshot, just didn't know if it was better over SSH or NFS. Thanks!
RSnapShot is Rsync. That's very different than just SSH vs. NFS. Use SSH as it is natively part of the Rsync connection process. Both will work and it is a good question to ask, but SSH works really well in that instance.
-
@Dashrender said:
This touches a bit on the cryptoware talk we were having yesterday.
Apparently there is newish ransomware that will find network shares that it has write permissions to and hit them up as well.
I guess in that case SSH would be best. And creating a dedicated backup user who is the only user who has write access to the volume would be another layer of protection.
In theory SSH could be hit in a similar fashion, but it is definitely far less likely and would be much slower for something to leverage that.
-
Sure it could, hopefully if you're using SSH instead of NFS you're using a dedicated account for the SSH, not the same as the user itself.
-
@StrongBad said:
@johnhooks said:
@DustinB3403 said:
I prefer SSH to backup.
What are you looking to backup?
From our server to our synology. Shop files, cad drawings, documents. Only about 200 gigs worth of stuff.
I'm going to use rsnapshot, just didn't know if it was better over SSH or NFS. Thanks!
RSnapShot is Rsync. That's very different than just SSH vs. NFS. Use SSH as it is natively part of the Rsync connection process. Both will work and it is a good question to ask, but SSH works really well in that instance.
Ya sorry, I forgot to mention rsnapshot over ssh or nfs. I apologize.
-
@Dashrender said:
Sure it could, hopefully if you're using SSH instead of NFS you're using a dedicated account for the SSH, not the same as the user itself.
But you have to store the key or password somewhere which poses a risk if the system is compromised.
-
@StrongBad said:
@Dashrender said:
Sure it could, hopefully if you're using SSH instead of NFS you're using a dedicated account for the SSH, not the same as the user itself.
But you have to store the key or password somewhere which poses a risk if the system is compromised.
True, but hopefully you aren't just surfing around on your backup server, so its chances of being compromised are low.
-
@Dashrender said:
True, but hopefully you aren't just surfing around on your backup server, so its chances of being compromised are low.
Assuming he is doing backups from a backup server. Using RSnapShot suggests that he is backing up from the server in question directly.
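Added example (not written by any poster in this thread): the stored-key risk raised above can be narrowed by restricting what the dedicated backup account's key may do in `authorized_keys`. This sketch audits entries for the three usual limits; `rrsync` is the restricted-rsync helper shipped with rsync, while the path `/srv/shop`, the address `192.0.2.10` and the key material are assumptions made up for illustration.

```python
# Added example: audit a dedicated backup account's authorized_keys entries.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types
LEGACY = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}, line                        # no options field at all
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':  # escaped quote inside a value
            buf, i = buf + '"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(buf)
            buf = ""
        elif ch in " \t" and not quoted:
            break                              # options end at first bare space
        else:
            buf += ch
        i += 1
    opts.append(buf)
    parsed = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        parsed[name.lower()] = value           # option names are case-insensitive
    return parsed, line[i:].strip()

def audit(line):
    """List what a stolen copy of this key would still be allowed to do."""
    opts, _ = split_options(line)
    findings = []
    if "command" not in opts:
        findings.append("no forced command: key opens a full shell")
    if "from" not in opts:
        findings.append("no from= limit: key works from any host")
    if "restrict" not in opts and not LEGACY <= opts.keys():
        findings.append("pty/forwarding not disabled")
    return findings

# Constructed sample lines (key material is a placeholder, hosts are made up).
SAMPLES = [
    "ssh-ed25519 AAAAC3PLACEHOLDER backup@nas",
    'restrict,from="192.0.2.10",command="rrsync -ro /srv/shop" '
    "ssh-ed25519 AAAAC3PLACEHOLDER backup@nas",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit(s) or "ok", "<-", s[:40])
```

With the second entry, a copied key can only run a read-only rsync of one directory from one address, so it cannot be used to overwrite anything on the host that accepts it.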
-
Is remote backup something that is even an option in Linux? It probably is, but I have to ask.
And I'm not talking about just a file level backup, I'm talking system level or block level. Oh and I'm referring to a free tool - I know Unitrends can do this (is there an agent involved for Linux?)
-
@Dashrender said:
Is remote backup something that is even an option in Linux? It probably is, but I have to ask.
And I'm not talking about just a file level backup, I'm talking system level or block level. Oh and I'm referring to a free tool - I know Unitrends can do this (is there an agent involved for Linux?)
What do you mean by remote backups? You just take a snapshot and send it wherever you want. Is that what you mean? If so, everyone else's ability to do this is pretty much based on Linux from long ago.
-
If I understand what you are asking... you just take a normal system image on Linux. And use Rsync or whatever tool you want to place it remotely.
Unitrends cannot do this for Linux, only VMware, HyperV and XenServer guests. StorageCraft can do this with an agent. But it is a normal feature of Linux.
-
@Dashrender said:
And I'm not talking about just a file level backup, I'm talking system level or block level.
LVM Snaps, RSnapShot, ZFS... lots of options on Linux.
-
My question is more about how do you backup a bare metal Linux install while not using a SSH/NFS mount point.
-
@Dashrender said:
My question is more about how do you backup a bare metal Linux install while not using a SSH/NFS mount point.
Is that really your question? That sounds like a proximate question. What is the goal question?
My guess is you want to decouple storage and wondering how to do that.