> [snip]
>
>> The problem with my current push-style layout is that if one of the 3
>> machines is compromised, the attacker can delete or alter the backup
>> of the compromised machine on the backup server. I can rsync the
>> backups from the backup server to another machine, but if the backups
>> are deleted or altered on the backup server, the rsync'ed copy on the
>> next machine will also be deleted or altered.
>
> As a final stage in your backup, could you trigger a 'pull'-style
> backup copying the data image to a more secure area? How about setting

Even if I pull a copy of the backup to a separate machine from the
backup server, it will pull an altered copy if an attacker compromises
one of the systems being backed up and alters that system's backup on
the backup server. Am I missing something?

- Grant

> your backup target on top of lvm, and snapshotting? Some mechanism
> could be employed so that the snapshot command is run by a more
> restricted user, and done so after, e.g. a certain amount of idle time
> in the backup target directory
>
>>
>> If I run a pull-style layout and the backup server is compromised, the
>> attacker would have root read access to each of the 3 machines, but
>> the attacker would already have access to backups from each of the 3
>> machines stored on the backup server itself so that's not really an
>> issue. I would also have the added inconvenience of using openvpn or
>> ssh -R for my laptop so the backup server can pull from it through any
>> router.
>
> Check out freenet6. I use it so that my laptop has a static, global IP
> address whether it's on my home network or not. It's quite nice. IPv6
> in various applications also solves my other direct-access needs.
>
>>
>> What do you think guys? Are push-style backups flawed and unacceptable?
>
> I imagine you might still want to 'pull' from your backup server; if
> someone gets a key that allows them to manipulate the behavior of a
> local process that shouldn't normally be manipulated, your
> vulnerability surface goes up.
>
> --
> :wq
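The snapshot-by-a-restricted-user idea discussed above, as an added example rather than anything posted in the thread: a small sh job for the backup server that takes an LVM snapshot of the backup volume only once the push clients have been quiet for a while. All names (the volume group vg0/backups, the mount point /srv/backups, the idle window, the snapshot size) are assumptions; it also addresses Grant's objection, since a downstream pull can copy from the newest snapshot rather than the live tree a compromised client can still write to.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot job for the backup server.
# Run it from cron as a separate, restricted account that can run lvcreate
# (e.g. via a narrow sudo rule) but is NOT the account the push clients
# rsync into. The clients' keys then cannot create or remove snapshots, so a
# compromised client can alter the live tree but not snapshots already taken.
# Assumed names: LVM volume $VG/$LV mounted at $BACKUP_DIR.

BACKUP_DIR="${BACKUP_DIR:-/srv/backups}"   # assumption: mount point of $VG/$LV
IDLE_MINS="${IDLE_MINS:-30}"               # no writes for this long = run done
VG="${VG:-vg0}"; LV="${LV:-backups}"       # assumption: LVM names
SNAP_SIZE="${SNAP_SIZE:-5G}"               # copy-on-write space per snapshot
SNAPSHOT_CMD="${SNAPSHOT_CMD:-lvcreate}"   # overridable for dry runs / tests

# is_idle DIR MINUTES: succeeds when no regular file under DIR was modified
# in the last MINUTES minutes (find -mmin exists in both GNU and BSD find).
is_idle() {
    recent=$(find "$1" -type f -mmin "-$2" 2>/dev/null | head -n 1)
    [ -z "$recent" ]
}

# snapshot_name: one name per run, sortable by time, so old snapshots can be
# listed and expired later by the same restricted account.
snapshot_name() {
    echo "${LV}-$(date -u +%Y%m%dT%H%M%SZ)"
}

# snapshot_if_idle: take an LVM snapshot of the backup volume once the push
# clients have gone quiet. Returns 0 if a snapshot was created, 1 if the
# target was still being written to (the cron job simply retries later).
snapshot_if_idle() {
    if ! is_idle "$BACKUP_DIR" "$IDLE_MINS"; then
        echo "snapshot skipped: $BACKUP_DIR written within ${IDLE_MINS}m" >&2
        return 1
    fi
    "$SNAPSHOT_CMD" -s -n "$(snapshot_name)" -L "$SNAP_SIZE" "/dev/$VG/$LV"
}
```

Point the second-stage pull at a mounted snapshot (read-only) rather than at the live backup tree, and have the restricted account expire snapshots on its own schedule.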