Help me harden my home server
https://lemmy.sdf.org/post/24652924
=> More informations about this toot | More toots from miau@lemmy.sdf.org
You might want to consider that backups only protect very old data from ransomware.
Ransomware works by getting on a machine and sitting for several months before activating. During that time, your data is encrypted but you don’t know because when you open a file, your computer decrypts it and shows you what you expect to see. So your backups are working but are saving files that will be lost once the ransom ware activates.
The only solution is to frequently manually verify the backup from a known safe computer. Years ago I looked for something to automate this but didn’t find it. (Something like a raspberry pi with no Internet that can only see the PC it’s testing, compares a known file, then touches the file so it gets backed up again.)
=> More informations about this toot | More toots from Blue_Morpho@lemmy.world
During that time, your data is encrypted but you don’t know because when you open a file, your computer decrypts it and shows you what you expect to see.
First time i hear of that. You sure? Would be really risky since you basically need to hijack the complete Filesystem communication to do that. Also for that to work you would need the private and public key of the encryption on the system on run time. Really risky and unlikely that this is the case imho.
=> More informations about this toot | More toots from ShortN0te@lemmy.ml
I don’t know much about ransomware but thats what got me concerned. I always assumed if I were to be infected, restic would just create a new snapshot for the files and Id be able to restore after nuking the server.
=> More informations about this toot | More toots from miau@lemmy.sdf.org
I doubt that this is the case, whether it is encrypted or not. The complexity and risks involved with decrypting it on the fly is really unrealistic and unheard of by me (have not heard of everything but still)
Also the ransomware would also need to differentiate between the user and the backup program. When you do differentiated backups(like restic) with some monitoring you also would notice the huge size of the new data that gets pushed to your repo.
=> More informations about this toot | More toots from ShortN0te@lemmy.ml
I see, I appreciate you sharing your knowledge on the matter.
Yeah I thoght about the spike in size, which I would definetely notice because the amount of data is pretty stable and I have limited cloud storage.
Regarding your last point, I currently have everything under a user account: the data I am backing up, the applications and restic itself all run on the same user account. Would it be a good ideia to run restic as root? Or as a different service account?
=> More informations about this toot | More toots from miau@lemmy.sdf.org
You want your backup functional even if the system is compromised so yes another system is required for that, or through it to the cloud. Important that you do not allow deleting or editing of the backup even if the credentials used for backing up are compromised. Basically an append only storage.
Most Cloud Storage like S3 Amazon (or most other S3 compatible providers like backblaze) offer such a setting.
=> More informations about this toot | More toots from ShortN0te@lemmy.ml
Oh, now I get what you mean, thanks for the explanation
Yeah it makes sense, I had originally gone with onedrive for the much cheaper price but I will take a look into s3 compatible storage and consider migrating in the future.
=> More informations about this toot | More toots from miau@lemmy.sdf.org
text/geminiThis content has been proxied by September (ba2dc).