mirror of
https://github.com/borgbackup/borg.git
synced 2025-01-01 12:45:34 +00:00
Merge pull request #1012 from ThomasWaldmann/append-only-docs
FAQ: add entries about compromised machines and other troubles, fixes #1011
This commit is contained in:
commit
6e12d9c92d
2 changed files with 51 additions and 4 deletions
44
docs/faq.rst
44
docs/faq.rst
|
@ -133,6 +133,50 @@ into the repository.
|
||||||
Yes, as an attacker with access to the remote server could delete (or
|
Yes, as an attacker with access to the remote server could delete (or
|
||||||
otherwise make unavailable) all your backups.
|
otherwise make unavailable) all your backups.
|
||||||
|
|
||||||
|
How can I protect against a hacked backup client?
|
||||||
|
-------------------------------------------------
|
||||||
|
|
||||||
|
Assume you backup your backup client machine C to the backup server S and
|
||||||
|
C gets hacked. In a simple push setup, the attacker could then use borg on
|
||||||
|
C to delete all backups residing on S.
|
||||||
|
|
||||||
|
These are your options to protect against that:
|
||||||
|
|
||||||
|
- Do not allow to permanently delete data from the repo, see :ref:`append-only-mode`.
|
||||||
|
- Use a pull-mode setup using ``ssh -R``, see :issue:`900`.
|
||||||
|
- Mount C's filesystem on another machine and then create a backup of it.
|
||||||
|
- Do not give C filesystem-level access to S.
|
||||||
|
|
||||||
|
How can I protect against a hacked backup server?
|
||||||
|
-------------------------------------------------
|
||||||
|
|
||||||
|
Just in case you got the impression that pull-mode backups are way more safe
|
||||||
|
than push-mode, you also need to consider the case that your backup server S
|
||||||
|
gets hacked. In case S has access to a lot of clients C, that might bring you
|
||||||
|
into even bigger trouble than a hacked backup client in the previous FAQ entry.
|
||||||
|
|
||||||
|
These are your options to protect against that:
|
||||||
|
|
||||||
|
- Use the standard push-mode setup (see also previous FAQ entry).
|
||||||
|
- Mount (the repo part of) S's filesystem on C.
|
||||||
|
- Do not give S file-system level access to C.
|
||||||
|
- Have your backup server at a well protected place (maybe not reachable from
|
||||||
|
the internet), configure it safely, apply security updates, monitor it, ...
|
||||||
|
|
||||||
|
How can I protect against theft, sabotage, lightning, fire, ...?
|
||||||
|
----------------------------------------------------------------
|
||||||
|
|
||||||
|
In general: if your only backup medium is nearby the backupped machine and
|
||||||
|
always connected, you can easily get into trouble: they likely share the same
|
||||||
|
fate if something goes really wrong.
|
||||||
|
|
||||||
|
Thus:
|
||||||
|
|
||||||
|
- have multiple backup media
|
||||||
|
- have media disconnected from network, power, computer
|
||||||
|
- have media at another place
|
||||||
|
- have a relatively recent backup on your media
|
||||||
|
|
||||||
Why do I get "connection closed by remote" after a while?
|
Why do I get "connection closed by remote" after a while?
|
||||||
---------------------------------------------------------
|
---------------------------------------------------------
|
||||||
|
|
||||||
|
|
|
@ -821,13 +821,16 @@ Now, let's see how to restore some LVs from such a backup. ::
|
||||||
$ borg extract --stdout /path/to/repo::arch dev/vg0/home-snapshot > /dev/vg0/home
|
$ borg extract --stdout /path/to/repo::arch dev/vg0/home-snapshot > /dev/vg0/home
|
||||||
|
|
||||||
|
|
||||||
|
.. _append-only-mode:
|
||||||
|
|
||||||
Append-only mode
|
Append-only mode
|
||||||
~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
A repository can be made "append-only", which means that Borg will never overwrite or
|
A repository can be made "append-only", which means that Borg will never overwrite or
|
||||||
delete committed data. This is useful for scenarios where multiple machines back up to
|
delete committed data (append-only refers to the segment files, but borg will also
|
||||||
a central backup server using ``borg serve``, since a hacked machine cannot delete
|
reject to delete the repository completely). This is useful for scenarios where a
|
||||||
backups permanently.
|
backup client machine backups remotely to a backup server using ``borg serve``, since
|
||||||
|
a hacked client machine cannot delete backups on the server permanently.
|
||||||
|
|
||||||
To activate append-only mode, edit the repository ``config`` file and add a line
|
To activate append-only mode, edit the repository ``config`` file and add a line
|
||||||
``append_only=1`` to the ``[repository]`` section (or edit the line if it exists).
|
``append_only=1`` to the ``[repository]`` section (or edit the line if it exists).
|
||||||
|
@ -888,6 +891,6 @@ repository. Make sure that backup client machines only get to access the reposit
|
||||||
Ensure that no remote access is possible if the repository is temporarily set to normal mode
|
Ensure that no remote access is possible if the repository is temporarily set to normal mode
|
||||||
for e.g. regular pruning.
|
for e.g. regular pruning.
|
||||||
|
|
||||||
Further protections can be implemented, but are outside of Borgs scope. For example,
|
Further protections can be implemented, but are outside of Borg's scope. For example,
|
||||||
file system snapshots or wrapping ``borg serve`` to set special permissions or ACLs on
|
file system snapshots or wrapping ``borg serve`` to set special permissions or ACLs on
|
||||||
new data files.
|
new data files.
|
||||||
|
|
Loading…
Reference in a new issue