Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?

rdiff-backup-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?

From:	Maarten Bezemer
Subject:	Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?
Date:	Tue, 15 Nov 2011 10:19:31 +0100 (CET)


On Mon, 14 Nov 2011, Grant wrote:

Because of this, I think there is a gaping security hole in any
automated rdiff-backup scheme that pushes backups to the server.
Pulling to the backup server eliminates this problem, but if the
backup server is compromised, the infiltrator has root read access to
each system being backed up and can thereby compromise each of those
systems as well.

Is rdiff-backup ill-suited to automated backups?


This topic has been discussed here many a time.
There is always a trade-off between security and ease of use.

If you do push-style backups, having root access on the main system givesan attacker access to the backup system, so the backup has to beconsidered compromised when the main system is compromised. Depending onwhat purpose you keep backups for, this may not be what you want.

If you do pull-style backups, and the backup system is compromised, theattacker indeed has root access to all backed up systems (possibly morethan one). If you do pull-style backups and the main system iscompromised, you could restore from a 'clean' increment.

However, a compromised main system can go unnoticed for weeks or evenmonths. So backups may have become compromised as well, and when keepingless history than this detection period, there would be no way to go backto a clean state after that time. Again, it all depends on the exact useof the backup tool. You could e.g. use rdiff-backup for user's files, andsome other tool for system backups.

All in all, this is not very specific to rdiff-backup. Other push or pullstyle backups have the same 'problems'.

The method I prefer is having a backup server that is not reachable fromthe outside. Currently a box behind a NAT gateway, but could as well be afully firewalled IP address with only outgoing traffic allowed to thehosts that are to be backed up. (Possibly even one at a time.)


Any automated system can be fooled when not supervised properly ;-)


--
Maarten

[Prev in Thread]

Current Thread

[Next in Thread]

[rdiff-backup-users] Prevent rdiff-backup from deleting?, Grant, 2011/11/11
- Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?, Dominic Raferd, 2011/11/14
  - Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?, Grant, 2011/11/14
    - Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?, Maarten Bezemer <=
    - Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?, Grant, 2011/11/15
    - Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?, Sarel Botha, 2011/11/15

Prev by Date: Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?
Next by Date: Re: [rdiff-backup-users] Hash doesn't match recorded hash
Previous by thread: Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?
Next by thread: Re: [rdiff-backup-users] Prevent rdiff-backup from deleting?
Index(es):
- Date
- Thread