
I'm looking over a physical server that runs VMware and 4-6 VMs (mostly Linux but also Windows 10/11). Currently I'm backing up only 2 Linux VMs (the others aren't critical), by mounting an NFS share from our local NAS and using rsync to dump everything there.

I need to optimise and automate this. Currently it's just dumping all the files. I'd like to manage (for example) weekly full backups with daily differential/incremental backups and monthly full backups to a remote server. A management interface would be necessary here. BackupPC comes to mind. What I need is:

  1. cross platform (Linux/Win clients)
  2. incremental/differential backups
  3. backed-up files accessible and human-readable (i.e. when restoring a backup I can look into any files through SSH - this is important in case the interface/app managing the backups fails as well)

The above is not the core of my question (although I'm open to suggestions for solutions), but I've found something concerning. If I understand correctly, systems like backuppc use rsync and smb to connect to client machines via SSH/keys and download all the files. Does this mean that backuppc has root access to all the machines and all the backups? This would mean that if the server running backuppc is compromised there's a risk of losing everything - both running VMs and backups. An attacker gaining access to the server running backuppc could wipe all the running VMs and all the backups (local or remote) as the server has keys to access them all.

A safer system I would imagine would be a chain approach: clients -> backup server (non-root access) -> NAS. In this approach, a compromised VM would not be able to destroy the backups of other VMs and it sees only its own backups on the server (and maybe not even those). Also, a compromised backup server would not be able to destroy the running VMs, as it only sees the stored backups.

Should this be a real concern? Am I missing something? Is the approach used by backuppc safe? Is the situation just described less serious than I expect it to be? What's the disaster recovery in such a case?

Wojciech
  • `systems like backuppc use rsync and smb to connect to client machines via SSH/keys and download all the files.` I doubt that is the case. These apps usually have their own file/data management, probably block level. – Greg Askew Aug 30 '22 at 10:32

1 Answer


A pull approach to backups (where the NAS/storage logs into the VM and copies changed files) is generally safer than a push one (where the client logs into the destination backup box). This is because if a VM is compromised, it has no means to log into the NAS and destroy its own backups. Sure, you can argue that the backup box becomes the new "weak link", and it is imperative to keep such a system safe from internet and other threats. But being a single system to protect, and one that should expose no services at all, it is simpler to keep it safe.

To have added protection, you can configure your client machines to launch their rsync process with read-only privileges. If using rsync in daemon mode, you can set read only in its config file. If using rsync over SSH, you can use the rrsync wrapper to deny/discard any write requests.

I make vast use of rrsync on virtual machines, coupled with rsnapshot (and corresponding SSH auth keys) on the backup host. Compared with backuppc, it is simpler to configure and debug, but it loses cross-client file-level deduplication (which is not an issue in my environment).

shodanshok
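As an added example (not code from the answer above, nor from the rrsync or rsnapshot projects), a small POSIX shell script for the client side of the setup the answer describes: it builds an `authorized_keys` entry that pins the backup host's key to a read-only `rrsync`, and audits an existing file for entries that lack that lock-down. It assumes `rrsync` is installed at `/usr/bin/rrsync` (the path differs per distribution) and uses a constructed sample file with placeholder keys.

```shell
#!/bin/sh
# Added example, not from the original answer. Client-side helpers:
#  make_ro_key_line    - authorized_keys entry forcing "rrsync -ro <dir>"
#  audit_authorized_keys - report entries that are not locked down that way
# Assumption: rrsync lives at /usr/bin/rrsync (path differs per distro).
RRSYNC=/usr/bin/rrsync

# Usage: make_ro_key_line <export-dir> <public-key-line>
make_ro_key_line() {
    printf 'command="%s -ro %s",restrict %s\n' "$RRSYNC" "$1" "$2"
}

# Return 0 when a single authorized_keys line is locked down, 1 otherwise.
# Requires the read-only forced command plus either "restrict" (OpenSSH >= 7.2)
# or the classic no-pty + no-port-forwarding pair.
check_key_line() {
    case "$1" in
        *'command="'*'rrsync -ro '*'"'*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *restrict*) return 0 ;;
        *no-pty*no-port-forwarding*|*no-port-forwarding*no-pty*) return 0 ;;
    esac
    return 1
}

# Usage: audit_authorized_keys <file>; prints offenders, returns their count.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! check_key_line "$line"; then
            bad=$((bad + 1))
            printf 'NOT READ-ONLY: %s\n' "$line"
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample: one locked-down key, one unrestricted, one writable rrsync.
SAMPLE=$(mktemp)
{
    make_ro_key_line /srv/data "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY backup@host"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY2 admin@host'
    echo 'command="/usr/bin/rrsync /srv/data",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY3 rw@host'
} > "$SAMPLE"
audit_authorized_keys "$SAMPLE" || echo "$? key(s) are not read-only"
rm -f "$SAMPLE"
```

For the rsync daemon route the answer also mentions, the equivalent setting is `read only = yes` in the module's section of `rsyncd.conf`.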