[ale] how do I make a virus proof nas?

Jim Kinney jim.kinney at gmail.com
Wed Jan 9 12:05:48 EST 2013 

The layers of complication in this is making a process that's harder to
maintain than just running a decent AV tool.

Setup a Linux system with bacula (that WILL be hard as bacula is
enterprise-class backup) and install the windows bacula clients. Run your
local client AV tool as part of the daily process. Run the backup process
after the AV tool is done.

The issue with all of this is NOT to keep the virus from killing your
Linux-based backups but to have the ability to RESTORE from a virus on the
Windows crap.

Organize the backups as OS, applications, and user data. The OS is a single
full backup. No increments needed other than registry dump after new
application install. Application backup is a single full. User data is a
full with rolling incremental/differential as per usual. If a new
application is installed, run a full AV scan then a new full OS and
application backup.

Have a linux partition than can mount the NTFS partition on each client. If
a virus hits the windwoes client, boot to linux, clean with AV -AND/OR-
restore OS partition.

Spend the time on the prevention and restore capability. Setup and maintain
a squid proxy server with clamAV on every download. Setup and run a mail
server with AV cleaning (and spam and phishing detection).

Many years ago another ALE'r told me about his company backup scheme. Every
night, every system did a new full backup and then restored from that
backup. If a failure occurred, the system would restore from the prior day
full backup.

On Wed, Jan 9, 2013 at 11:22 AM, Ron Frazier (ALE) <
atllinuxenthinfo at techstarship.com> wrote:

> Hi Brian, and Jim, and others,
>
> The technical info you shared is very cool.  I'm trying to get my brain
> around the methodologies you described.  The basic core concept is that the
> client doesn't have write access to the backup system.  I'm trying to
> figure out a method which would work at home with minimal expense and
> complexity.
>
> Here's an idea I came up with, although it would require more hard drive
> space.
>
> Let's assume:
>
> 1) that my clients are running Windows (as they generally, but not always,
> are)
> 2) that I'm using commercial backup software like Acronis, Paragon, or
> Terabyte Unlimited, which is very capable but perhaps not very scriptable
> 3) that the clients are running firewalls which I don't necessarily want
> to open ports in
> 4) that I don't necessarily want the clients sharing their hard drives on
> a peer to peer basis
> 5) that the nas box can make available different folders or partitions to
> the clients with different passwords for each
> 6) that the clients have av running periodically and I will be notified of
> any viri that are detected
> 7) that I want to do a full image backup of the client weekly with
> differential backups daily
>
> The reason for 3) and 4) is that having the clients with open ports or
> shared drives increases the possibility that a virus could spread from peer
> to peer on the network.
>
> I will acknowledge in advance that this could get very complicated with
> more computers.  So, here's what would happen.  Let's say client 1 is set
> to do its image backup on Monday, client 2 on Tuesday, client 3 on
> Wednesday, and client 4 on Thursday.  On Monday, client 1 runs its backup
> software and produces an image file which is, say, 350 GB.  It saves this
> image file in a public folder on the nas which is a staging area.  It would
> be better if that client only has access to that particular folder.  Once
> the image file is saved properly, a process kicks off on the nas box which
> moves that image file to a private folder or partition that only the nas
> has access to.  This is the permanent storage area.
>
> So, every day, each client either uploads an image backup file or a
> differential backup file to the nas.  The nas takes these files and moves
> them to a restricted storage area and deletes them from the staging area.
>  Scripts on the nas would manage the space in the storage area and delete
> old backups when new ones come in sort of like your dvr does with shows.
>
> I specifically want image backups and not just file backups.  If I ever
> have to do a restore, I want to do the restore and have the client computer
> back to it's exact state as of the backup day, without having to reinstall
> and reconfigure the OS and applications.  At the very least, I would want
> one image backup per month, which is what I try to do by hand now.
>
> The main problem I see with this is the storage space.  Let's say that one
> week's image and one week's diff files take up 500 GB.  I have 4 clients,
> so I need 2 TB of storage per week.  If I want to have 4 weeks of extra
> historical backups in case one is corrupted or I back up a virus, etc.,
> then I would need 10 TB of storage.
>
> This appears to be getting complex and expensive fast.
>
> In any case, what do you think?
>
> Sincerely,
>
> Ron
>
>
>
> Brian MacLeod <nym.bnm at gmail.com> wrote:
>
> >On Tue, Jan 8, 2013 at 8:31 PM, Ron Frazier (ALE)
> ><atllinuxenthinfo at techstarship.com> wrote:
> >>
> >> The main concern I've always had about having backup media attached
> >all the time is that, if a virus got into the machine, it could attack
> >and wipe out the backup drive.
> >
> >
> >Always a possibility unless clients have absolutely NO write
> >privileges. That means adding new files, writing to old, or deletions.
> >
> >
> >> So, I need to know how to make a virus proof nas, such that at least
> >one partition on the device is accessible only  to the backup software
> >for write mode.  I don't care if everything can read the backup file,
> >but I only want the backup software to be able to add new files, write
> >to them, or delete them.
> >
> >
> >If it is writeable by the client, it will never be virus proof.  This
> >is part of the reason the massive backup infrastructure that I
> >maintain for the compute clusters at work don't work this way.  The
> >clients have no write capability to the backup servers. Ever. The
> >backup servers call the storage units and get copies of stuff instead.
> > It still means I might be backing up a virus, but that virus on the
> >client will NOT destroy client backups.
> >
> >
> >> I need something that can run while Windows 7 is running and backup
> >using the volume shadow copy service.  I also need it to be able to
> >back up the ext4 Ubuntu partition on the PC's HDD, either by reading
> >the native file system or by using a sector by sector approach.  This
> >way, I can just let the backups run periodically on their own and not
> >worry about malware affecting the backup.
> >
> >
> >Well, can't help you with that then, because I do do Windows anymore,
> >so I'm not exactly sure I know what that shadow copy stuff is.  But I
> >have a feeling it doesn't enable what I described above about a backup
> >server initiating the work.  And frankly, I'd probably would rather
> >remain ignorant of those facts because my recent family/holiday time
> >was so much more enjoyable since I could honestly I don't know how to
> >run these versions of Windows.  I probably could grasp it, but I like
> >being stupid in this case.
> >
> >The Ubuntu thing -- piece of cake.  First ideas are LVM snapshots
> >which your backup machine calls in to get, or, backup machine uses LVM
> >to create daily snapshots of itself after a daily rsync of important
> >filesystems.
> >
> >Oh, and make the backup machine be only a backup machine.  No
> >browsing, no tasking of other things that could get it in trouble.  I
> >don't what other safe guards you have for browsing experience.  Just
> >don't do it.
> >
> >That's the only way you get to "virus proof" (and even then it still
> >isn't). That, or you have machine that never talks to another machine.
> > But that's not exactly useful in this case.
> >
> >bnm
> >
> >_______________________________________________
> >Ale mailing list
> >Ale at ale.org
> >http://mail.ale.org/mailman/listinfo/ale
> >See JOBS, ANNOUNCE and SCHOOLS lists at
> >http://mail.ale.org/mailman/listinfo
>
>
> --
>
> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
> Please excuse my potential brevity.
>
> (To whom it may concern.  My email address has changed.  Replying to former
> messages prior to 03/31/12 with my personal address will go to the wrong
> address.  Please send all personal correspondence to the new address.)
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new email messages very
> quickly.)
>
> Ron Frazier
> 770-205-9422 (O)   Leave a message.
> linuxdude AT techstarship.com
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
-- 
James P. Kinney III
*
*Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
*
http://electjimkinney.org
http://heretothereideas.blogspot.com/
*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130109/f7ee7b9e/attachment-0001.html>

More information about the Ale mailing list