I have read in the past about intruders breaking into hosting companies, wiping out their production servers, and then their backups as well because they left their backups available to their production servers.
I was thinking that they must have poor security practice to leave their backups vulnerable like that, but then I got to wondering... my backups function in the same way. I have all of my servers back up to a common backup storage location. In order to be automated, I use SSH key pairs with no passphrase. So... any compromised server would be able to wipe out the backup server with no problem.
So, the question is - what is the best way to secure a backup server from a compromised production server?
My thoughts so far:
Pull from the backup server instead of pushing from the production server. This would protect against a compromised production server, but a compromised backup server puts all production servers at risk.
Set the shell to /bin/false on the backup server's SSH account and disable root login. This would prevent someone from running malicious commands, but I could run rsync against an empty directory and would effectively wipe out the backup as well.
I found this article, but I don't like it because although the backup server mounts the production server filesystems as read only, there is nothing stopping a malicious user from changing the mount options if the server was compromised.
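A concrete version of the restricted-account idea, as an added example that is not from the question or the referenced article: instead of a disabled shell, give the backup account a forced command in authorized_keys (`command=`) that accepts only rsync's server side and writes into a per-run directory chosen by the backup server, so a compromised production host can neither run other commands nor point rsync at an earlier run to overwrite it. The wrapper path /usr/local/sbin/backup-shell and BACKUP_ROOT are assumptions; the account needs a real shell for sshd to run the forced command.

```shell
#!/bin/sh
# Forced-command wrapper for the backup account on the backup server (constructed
# example). sshd runs it with the client's command in SSH_ORIGINAL_COMMAND; only an
# rsync server invocation gets through, and its destination is replaced by a fresh
# per-host, per-run directory so existing backups are never the client's target.

BACKUP_ROOT="${BACKUP_ROOT:-/srv/backups}"   # assumption: where runs are stored

# authorized_keys line for one production host: forced command plus no forwarding/pty
authorized_key_line() {  # $1 = host label, $2 = public key material
    printf 'command="/usr/local/sbin/backup-shell %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# validate_rsync_server_cmd CMD -> 0 if CMD is an rsync server-mode command we allow, 1 otherwise
validate_rsync_server_cmd() {
    case "$1" in
        "rsync --server "*) ;;      # only rsync in server mode; anything else is refused
        *) return 1 ;;
    esac
    # whitelist of characters: options, paths and rsync's short-flag string; no ; | & $ ` ( ) < >
    [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9._/=,:@+ -')" ] || return 1
    case "$1" in
        # no deletions on the server, and no --sender (client pulling old backups back out)
        *--delete*|*--remove-source-files*|*--sender*) return 1 ;;
    esac
    return 0
}

# rewrite_destination CMD HOST STAMP -> prints the command to exec; the destination the
# client asked for is dropped and replaced with BACKUP_ROOT/HOST/STAMP/
rewrite_destination() {
    validate_rsync_server_cmd "$1" || return 1
    opts="${1#rsync --server }"     # e.g. "-logDtpre.iLsfx . /path/the/client/picked/"
    opts="${opts% *}"               # strip the client-supplied destination (last word)
    opts="${opts% .}"               # strip the "." source placeholder rsync always sends
    printf 'rsync --server %s . %s/%s/%s/\n' "$opts" "$BACKUP_ROOT" "$2" "$3"
}

main() {  # $1 = host label from the authorized_keys command= option
    stamp=$(date +%Y%m%d-%H%M%S)
    cmd=$(rewrite_destination "$SSH_ORIGINAL_COMMAND" "$1" "$stamp") || { echo "rejected" >&2; exit 1; }
    mkdir -p "$BACKUP_ROOT/$1/$stamp"
    exec $cmd                       # safe to word-split: metacharacters were rejected above
}

# only act as the forced command when sshd actually invoked us
[ -n "$SSH_ORIGINAL_COMMAND" ] && main "$@"
```

rsync ships a similar helper, rrsync, in its support directory; pruning or deduplicating old run directories (e.g. with filesystem snapshots) is the backup server's job, never something the production host's key can do.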