[ale] how do I make a virus proof nas?

Brian MacLeod nym.bnm at gmail.com
Tue Jan 8 22:17:33 EST 2013


On Tue, Jan 8, 2013 at 8:31 PM, Ron Frazier (ALE)
<atllinuxenthinfo at techstarship.com> wrote:
>
> The main concern I've always had about having backup media attached all the time is that, if a virus got into the machine, it could attack and wipe out the backup drive.


Always a possibility unless clients have absolutely NO write
privileges. That means adding new files, writing to old, or deletions.


> So, I need to know how to make a virus proof nas, such that at least one partition on the device is accessible only  to the backup software for write mode.  I don't care if everything can read the backup file, but I only want the backup software to be able to add new files, write to them, or delete them.


If it is writeable by the client, it will never be virus proof.  This
is part of the reason the massive backup infrastructure that I
maintain for the compute clusters at work doesn't work this way.  The
clients have no write capability to the backup servers. Ever. The
backup servers call the storage units and get copies of stuff instead.
 It still means I might be backing up a virus, but that virus on the
client will NOT destroy client backups.


> I need something that can run while Windows 7 is running and backup using the volume shadow copy service.  I also need it to be able to back up the ext4 Ubuntu partition on the PC's HDD, either by reading the native file system or by using a sector by sector approach.  This way, I can just let the backups run periodically on their own and not worry about malware affecting the backup.


Well, can't help you with that then, because I don't do Windows anymore,
so I'm not exactly sure I know what that shadow copy stuff is.  But I
have a feeling it doesn't enable what I described above about a backup
server initiating the work.  And frankly, I'd probably rather
remain ignorant of those facts because my recent family/holiday time
was so much more enjoyable since I could honestly say I don't know how to
run these versions of Windows.  I probably could grasp it, but I like
being stupid in this case.

The Ubuntu thing -- piece of cake.  First ideas are LVM snapshots
which your backup machine calls in to get, or, backup machine uses LVM
to create daily snapshots of itself after a daily rsync of important
filesystems.

Oh, and make the backup machine be only a backup machine.  No
browsing, no tasking of other things that could get it in trouble.  I
don't know what other safeguards you have for browsing experience.  Just
don't do it.

That's the only way you get to "virus proof" (and even then it still
isn't). That, or you have a machine that never talks to another machine.
But that's not exactly useful in this case.

bnm
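
A sketch of the pull model described in the message above (backup server calls the clients, rsyncs, then takes an LVM snapshot), added here as an example and not part of the original post. The host names, paths, volume group, SSH key and snapshot size are assumed placeholders; it prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Runs ON the backup server. Clients hold no credentials for this machine,
# so malware on a client has nothing it can write to or delete here.
# All names below are assumptions made for this example.
set -eu

CLIENTS="${CLIENTS:-ubuntu-pc.example:/home ubuntu-pc.example:/etc}"  # host:path pairs
DEST="${DEST:-/srv/backup}"            # mount point of the backup logical volume
VG="${VG:-vg_backup}"; LV="${LV:-lv_backup}"
KEEP="${KEEP:-7}"                      # daily snapshots to retain
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands only, 0 = execute

run() {  # print the command in dry-run mode, otherwise execute it
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

pull_one() {  # pull_one host:path -- server-initiated, client is only read
    src=$1; host=${src%%:*}; dir=${src#*:}
    run rsync -a --delete --numeric-ids \
        -e "ssh -i /root/.ssh/backup_pull -o BatchMode=yes" \
        "backup@$host:$dir/" "$DEST/$host$dir/"
}

snapshot_name() {  # snapshot_name YYYYMMDD
    echo "${LV}_snap_$1"
}

take_snapshot() {  # read-only snapshot: a later bad sync cannot alter it
    run lvcreate --snapshot --permission r --size 5G \
        --name "$(snapshot_name "$1")" "$VG/$LV"
}

expired() {  # snapshot names on stdin -> those older than the newest $KEEP
    sort -r | awk -v keep="$KEEP" 'NR > keep'
}

main() {
    for c in $CLIENTS; do pull_one "$c"; done
    take_snapshot "$(date +%Y%m%d)"
    if [ "$DRY_RUN" = 1 ]; then return 0; fi
    lvs --noheadings -o lv_name "$VG" | tr -d ' ' | grep "^${LV}_snap_" | expired |
        while read -r s; do run lvremove -f "$VG/$s"; done
}
main
```

Because the rsync mirror uses --delete, a wiped or infected client will propagate into the next mirror; the dated read-only snapshots are what preserve the earlier good copies.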
