[ale] how do I make a virus proof nas?
gcs8
gcsviii at gmail.com
Wed Jan 9 15:54:41 EST 2013
I have a odd system of, scratch drive > freenas > crashplan. It works for
me, lets me be lazy.
On Wed, Jan 9, 2013 at 3:46 PM, Scott Plante <splante at insightsys.com> wrote:
> Perhaps you could do two different types of backups. An image backup once
> a month (or whatever) to a second hard drive mounted inside the PC, and a
> file copy of the files you care about to a NAS.
>
> I helped a friend setup a Buffalo TeraStation for his little 2,
> ocassionally 3, person office. It runs Linux under the covers but you set
> it up via a web interface. You can setup users and shares for each user, or
> share for multiple users. You can also setup backup partitions and
> schedules backups. It might do LVM snapshots for different backups, or it
> might do a cp -l + rsync snapshot scheme like this one.
> http://www.mikerubel.org/computers/rsync_snapshots/
>
> The backups are read-only and you can choose to make them available as
> read-only mounts for clients, or not. If the same file is unchanged on 10
> backups, it only uses 1x the space, not 10. I don't think this will work
> for image backups. I've heard of some binary diff schemes being used for
> mass backups but I doubt the Buffalo is doing anything like that. If you
> did both, you could restore the image from last month, but get files from
> any day over the last however many days. Also, image backups might not be
> that useful if you lose the computer unless you can replace it with an
> identical hardware combination. I don't know anything about those
> commercial packages you mentioned, but you should check into your ability
> to restore individual files from their image backups, anyway. Plus, you
> might not want to revert the whole machine to get one file you didn't know
> you clobbered two weeks ago.
>
> Scott
> ------------------------------
> *From: *"Ron Frazier (ALE)" <atllinuxenthinfo at techstarship.com>
> *To: *"Atlanta Linux Enthusiasts" <ale at ale.org>
> *Sent: *Wednesday, January 9, 2013 11:22:53 AM
> *Subject: *Re: [ale] how do I make a virus proof nas?
>
>
> Hi Brian, and Jim, and others,
>
> The technical info you shared is very cool. I'm trying to get my brain
> around the methodologies you described. The basic core concept is that the
> client doesn't have write access to the backup system. I'm trying to
> figure out a method which would work at home with minimal expense and
> complexity.
>
> Here's an idea I came up with, although it would require more hard drive
> space.
>
> Let's assume:
>
> 1) that my clients are running Windows (as they generally, but not always,
> are)
> 2) that I'm using commercial backup software like Acronis, Paragon, or
> Terabyte Unlimited, which is very capable but perhaps not very scriptable
> 3) that the clients are running firewalls which I don't necessarily want
> to open ports in
> 4) that I don't necessarily want the clients sharing their hard drives on
> a peer to peer basis
> 5) that the nas box can make available different folders or partitions to
> the clients with different passwords for each
> 6) that the clients have av running periodically and I will be notified of
> any viri that are detected
> 7) that I want to do a full image backup of the client weekly with
> differential backups daily
>
> The reason for 3) and 4) is that having the clients with open ports or
> shared drives increases the possibility that a virus could spread from peer
> to peer on the network.
>
> I will acknowledge in advance that this could get very complicated with
> more computers. So, here's what would happen. Let's say client 1 is set
> to do its image backup on Monday, client 2 on Tuesday, client 3 on
> Wednesday, and client 4 on Thursday. On Monday, client 1 runs its backup
> software and produces an image file which is, say, 350 GB. It saves this
> image file in a public folder on the nas which is a staging area. It would
> be better if that client only has access to that particular folder. Once
> the image file is saved properly, a process kicks off on the nas box which
> moves that image file to a private folder or partition that only the nas
> has access to. This is the permanent storage area.
>
> So, every day, each client either uploads an image backup file or a
> differential backup file to the nas. The nas takes these files and moves
> them to a restricted storage area and deletes them from the staging area.
> Scripts on the nas would manage the space in the storage area and delete
> old backups when new ones come in sort of like your dvr does with shows.
>
> I specifically want image backups and not just file backups. If I ever
> have to do a restore, I want to do the restore and have the client computer
> back to it's exact state as of the backup day, without having to reinstall
> and reconfigure the OS and applications. At the very least, I would want
> one image backup per month, which is what I try to do by hand now.
>
> The main problem I see with this is the storage space. Let's say that one
> week's image and one week's diff files take up 500 GB. I have 4 clients,
> so I need 2 TB of storage per week. If I want to have 4 weeks of extra
> historical backups in case one is corrupted or I back up a virus, etc.,
> then I would need 10 TB of storage.
>
> This appears to be getting complex and expensive fast.
>
> In any case, what do you think?
>
> Sincerely,
>
> Ron
>
>
>
> Brian MacLeod <nym.bnm at gmail.com> wrote:
>
> >On Tue, Jan 8, 2013 at 8:31 PM, Ron Frazier (ALE)
> ><atllinuxenthinfo at techstarship.com> wrote:
> >>
> >> The main concern I've always had about having backup media attached
> >all the time is that, if a virus got into the machine, it could attack
> >and wipe out the backup drive.
> >
> >
> >Always a possibility unless clients have absolutely NO write
> >privileges. That means adding new files, writing to old, or deletions.
> >
> >
> >> So, I need to know how to make a virus proof nas, such that at least
> >one partition on the device is accessible only to the backup software
> >for write mode. I don't care if everything can read the backup file,
> >but I only want the backup software to be able to add new files, write
> >to them, or delete them.
> >
> >
> >If it is writeable by the client, it will never be virus proof. This
> >is part of the reason the massive backup infrastructure that I
> >maintain for the compute clusters at work don't work this way. The
> >clients have no write capability to the backup servers. Ever. The
> >backup servers call the storage units and get copies of stuff instead.
> > It still means I might be backing up a virus, but that virus on the
> >client will NOT destroy client backups.
> >
> >
> >> I need something that can run while Windows 7 is running and backup
> >using the volume shadow copy service. I also need it to be able to
> >back up the ext4 Ubuntu partition on the PC's HDD, either by reading
> >the native file system or by using a sector by sector approach. This
> >way, I can just let the backups run periodically on their own and not
> >worry about malware affecting the backup.
> >
> >
> >Well, can't help you with that then, because I do do Windows anymore,
> >so I'm not exactly sure I know what that shadow copy stuff is. But I
> >have a feeling it doesn't enable what I described above about a backup
> >server initiating the work. And frankly, I'd probably would rather
> >remain ignorant of those facts because my recent family/holiday time
> >was so much more enjoyable since I could honestly I don't know how to
> >run these versions of Windows. I probably could grasp it, but I like
> >being stupid in this case.
> >
> >The Ubuntu thing -- piece of cake. First ideas are LVM snapshots
> >which your backup machine calls in to get, or, backup machine uses LVM
> >to create daily snapshots of itself after a daily rsync of important
> >filesystems.
> >
> >Oh, and make the backup machine be only a backup machine. No
> >browsing, no tasking of other things that could get it in trouble. I
> >don't what other safe guards you have for browsing experience. Just
> >don't do it.
> >
> >That's the only way you get to "virus proof" (and even then it still
> >isn't). That, or you have machine that never talks to another machine.
> > But that's not exactly useful in this case.
> >
> >bnm
> >
> >_______________________________________________
> >Ale mailing list
> >Ale at ale.org
> >http://mail.ale.org/mailman/listinfo/ale
> >See JOBS, ANNOUNCE and SCHOOLS lists at
> >http://mail.ale.org/mailman/listinfo
>
>
> --
>
> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
> Please excuse my potential brevity.
>
> (To whom it may concern. My email address has changed. Replying to former
> messages prior to 03/31/12 with my personal address will go to the wrong
> address. Please send all personal correspondence to the new address.)
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone. I get about 300 emails per day from alternate energy
> mailing lists and such. I don't always see new email messages very
> quickly.)
>
> Ron Frazier
> 770-205-9422 (O) Leave a message.
> linuxdude AT techstarship.com
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
--
Charles Selfridge
PBYC IT director
(404) 910-3409
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130109/10b106e5/attachment-0001.html>
More information about the Ale
mailing list