[ale] how do I make a virus proof nas?

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Wed Jan 9 10:49:05 EST 2013


Hi Matthew,

That mini server you mentioned first looks really cool.  I also saw some things like the Buffalo Link Station when I was at Fry's last night.  Sounds like we're talking $ 300 - $ 500 to get / make a box and put a couple of hard drives in it.  I would have to save up a while to get that.  I do have a spare 1 TB drive that used to be attached to the cable box / dvr that I could donate to the cause.  It's my drive, not Comcast's.

I'm assuming that, with the mini server, you're buying a basic computer and you can put your own OS on it and exercise some control over it with scripting, etc.  I'm assuming that, for something like the Buffalo Link Station, you don't have much control over what it does.

As far as I know, my machines have never had a virus.  I had some flaky behavior going on once and reinstalled the OS, but I'm not sure that was a virus.  I've had to rebuild a family member's computer twice because they got viruses.  The guys on the Going Linux podcast say 1 in 3 Windows machines are infected.  That sounds high, but it's definitely a concern.  I am very careful, run av, noscript, etc.  It's just that, if one client machine did get a virus, and that wiped out its hard drive, it would be a bummer for the virus to also wipe out the backup.  It is true that viri don't usually wipe the hdd any more.  They want to stay hidden and replicate.  I wouldn't want it to contaminate the backups either.

As a side note, in addition to this concern about viruses, having the backup drive directly attached to the machine being backed up (not a nas), subjects the backup drive to any electrical failures that the client machine has.  So, the thing that causes you to need the backup, can trash the backup.  That's the general class of phenomenon that I'm trying to avoid.  Having the backup drive on a nas avoids the potential problem of electrical failure on the client, but does not avoid the virus problem without jumping through some hoops.

Sincerely,

Ron



Matthew <simontek at gmail.com> wrote:

>I use this as my NAS server:
>http://www.newegg.com/Product/Product.aspx?Item=N82E16859107052
>
>naslite is cheap, freenas is free.
>
>Dedicated NAS purpose built:
>http://www.newegg.com/Product/ProductList.aspx?Submit=Property&Subcategory=124&Description=&Type=&N=100008175&IsNodeId=1&IsPowerSearch=1&srchInDesc=&MinPrice=&MaxPrice=&PropertyCodeValue=5027%3A35284&PropertyCodeValue=5027%3A123972&PropertyCodeValue=5027%3A35282&PropertyCodeValue=5490%3A46252&PropertyCodeValue=5490%3A123974&PropertyCodeValue=5490%3A45855&PropertyCodeValue=5490%3A348749&PropertyCodeValue=5490%3A36426&PropertyCodeValue=5490%3A45854&PropertyCodeValue=5490%3A389082&PropertyCodeValue=5490%3A36433&PropertyCodeValue=5490%3A94408&PropertyCodeValue=5490%3A389157&PropertyCodeValue=5490%3A36428&PropertyCodeValue=5490%3A49227&PropertyCodeValue=5490%3A389156
>
>Or just build a home machine.
>
>What are you doing that you get a lot of virus's that will affect both
>windows and linux? If your that paranoid, run systems off of optic
>disc's.
>or read only mode.
>
>
>On Tue, Jan 8, 2013 at 10:17 PM, Brian MacLeod <nym.bnm at gmail.com>
>wrote:
>
>> On Tue, Jan 8, 2013 at 8:31 PM, Ron Frazier (ALE)
>> <atllinuxenthinfo at techstarship.com> wrote:
>> >
>> > The main concern I've always had about having backup media attached
>all
>> the time is that, if a virus got into the machine, it could attack
>and wipe
>> out the backup drive.
>>
>>
>> Always a possibility unless clients have absolutely NO write
>> privileges. That means adding new files, writing to old, or
>deletions.
>>
>>
>> > So, I need to know how to make a virus proof nas, such that at
>least one
>> partition on the device is accessible only  to the backup software
>for
>> write mode.  I don't care if everything can read the backup file, but
>I
>> only want the backup software to be able to add new files, write to
>them,
>> or delete them.
>>
>>
>> If it is writeable by the client, it will never be virus proof.  This
>> is part of the reason the massive backup infrastructure that I
>> maintain for the compute clusters at work don't work this way.  The
>> clients have no write capability to the backup servers. Ever. The
>> backup servers call the storage units and get copies of stuff
>instead.
>>  It still means I might be backing up a virus, but that virus on the
>> client will NOT destroy client backups.
>>
>>
>> > I need something that can run while Windows 7 is running and backup
>> using the volume shadow copy service.  I also need it to be able to
>back up
>> the ext4 Ubuntu partition on the PC's HDD, either by reading the
>native
>> file system or by using a sector by sector approach.  This way, I can
>just
>> let the backups run periodically on their own and not worry about
>malware
>> affecting the backup.
>>
>>
>> Well, can't help you with that then, because I do do Windows anymore,
>> so I'm not exactly sure I know what that shadow copy stuff is.  But I
>> have a feeling it doesn't enable what I described above about a
>backup
>> server initiating the work.  And frankly, I'd probably would rather
>> remain ignorant of those facts because my recent family/holiday time
>> was so much more enjoyable since I could honestly I don't know how to
>> run these versions of Windows.  I probably could grasp it, but I like
>> being stupid in this case.
>>
>> The Ubuntu thing -- piece of cake.  First ideas are LVM snapshots
>> which your backup machine calls in to get, or, backup machine uses
>LVM
>> to create daily snapshots of itself after a daily rsync of important
>> filesystems.
>>
>> Oh, and make the backup machine be only a backup machine.  No
>> browsing, no tasking of other things that could get it in trouble.  I
>> don't what other safe guards you have for browsing experience.  Just
>> don't do it.
>>
>> That's the only way you get to "virus proof" (and even then it still
>> isn't). That, or you have machine that never talks to another
>machine.
>>  But that's not exactly useful in this case.
>>
>> bnm
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>


--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity.

(To whom it may concern.  My email address has changed.  Replying to former
messages prior to 03/31/12 with my personal address will go to the wrong
address.  Please send all personal correspondence to the new address.)

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com




More information about the Ale mailing list