Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Could we create an immutable incremental backup system to protect against ransomware?

  1. #1
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,784
    Distro
    Lubuntu 18.04 Bionic Beaver

    Question Could we create an immutable incremental backup system to protect against ransomware?

    In a world where ransomware has become clever enough to mess with backups, I was wondering how to create incremental backups, but make each increment immutable?

    At the moment, I use two daily backup solutions: SpiderOakONE for online (off-site) backups, and rdiff-backup for offline (on-site) backups. Both provide incremental backups, but neither provides an immutable option.

    Obviously, I'd like a solution for Ubuntu, but if it were also available for Windows and Mac (so that I could recommend it to non-Linux users), that would be great.

    Another factor would be ease of use. I'd find it too complex to have to start setting up servers and whatnot; it needs to be reasonably straightforward.

    I found the heavily-advertised Veeam, which seems reasonably priced. But, as far as I can tell, Veeam is tailored specifically for cloud services rather than for personal computers, as well as needing a complex set-up, so it's unsuitable.

    What can you suggest?
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Could we create an immutable incremental backup system to protect against ransomw

    I guess that all depends on your definition of "immutable." You could burn your backups to CD/DVD/Bluray and have it read only, but that's going to cost a bit and the storage space would be exponential as your data grew.

    You could also back up to tape and then set the tape as read only via the switch (https://www.ibm.com/docs/en/ts3500-t...-tape-cartrige). However, tape drives and media are expensive for larger capacities (even used) since you'd need an auto loader so backups won't be a total pain in the butt.

    If you want an immutable backup where you can't delete data from the backup, you can look into using borgbackup with the --append-only flag set at creation (see here: https://borgbackup.readthedocs.io/en...sage/init.html).

    Otherwise, keep your backups offline (or unmounted) until the backup job actually needs to run, then mount the drive, run the backup, and the unmount the drive.

    However, both of these options are moot if your system is compromised and the ransomware encrypts the mounted file systems, so the only protection there is to do a weekly/monthly backup and keep that drive disconnected.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,784
    Distro
    Lubuntu 18.04 Bionic Beaver

    Re: Could we create an immutable incremental backup system to protect against ransomw

    Quote Originally Posted by CharlesA View Post
    … burn your backups to CD/DVD/Bluray…
    Unfortunately, the backups are almost 90Gb now, and of course it will only grow with time!
    Quote Originally Posted by CharlesA View Post
    … back up to tape … are expensive for larger capacities
    This would be a problem!
    Quote Originally Posted by CharlesA View Post
    … look into using borgbackup
    I hadn't heard of this. I'll check it out.
    Quote Originally Posted by CharlesA View Post
    … keep your backups offline (or unmounted) until the backup job actually needs to run, then mount the drive, run the backup, and the unmount the drive.
    I do this already, including a couple of older backup drives (which I rotate), so I have up to three weeks going back (although three weeks is rather a lot to lose).
    Quote Originally Posted by CharlesA View Post
    … both of these options are moot if your system is compromised and the ransomware encrypts the mounted file systems…
    Indeed so.

    Thanks for your suggestions. I think that an online service, such as SpiderOakONE but with immutability as an option,would be best — ransomware couldn't affect it from my machine. I've submitted a request to SpiderOakONE for an option for immutability, but as they can't even implement 2FA for logins, I'm not holding my breath.

    I'll read up on Borg.
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  4. #4
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,904
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Could we create an immutable incremental backup system to protect against ransomw

    Quote Originally Posted by Paddy Landau View Post
    ... I was wondering how to create incremental backups, but make each increment immutable?
    As was already mentioned: You'd need to write to CD-R / DVD-R / Bluray BD-R disks, they can be written once but not overwritten.


    Quote Originally Posted by Paddy Landau View Post
    I found the heavily-advertised Veeam, which seems reasonably priced. But, as far as I can tell, Veeam is tailored specifically for cloud services rather than for personal computers, as well as needing a complex set-up, so it's unsuitable.
    I've used an older release of this in the past:
    https://www.veeam.com/virtual-machin...tion-free.html

    It will create a bootable DVD-R / BD-R (... depends on your disk recorder, of course ...) from your installed OS. If your OS installation gets hosed you boot off that CD / DVD / BD and get your system back. It didn't really strike me as being "complex"??

  5. #5
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,904
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Could we create an immutable incremental backup system to protect against ransomw

    Quote Originally Posted by Paddy Landau View Post
    Unfortunately, the backups are almost 90Gb now, and of course it will only grow with time!
    Why should that be a problem?
    https://en.wikipedia.org/wiki/Blu-ray_Disc_recordable

    BD-R XL can hold up to 128 GB per disk. And a quick search on Amazon shows that USB BD-R drives that can handle such disks cost about 80$ to 90$. Not exactly expensive.

    Me personally? I often use USB3 disks that I only attach when I need them. 4 TB and larger capacity drives are very very cheap these days and good enough.


    Quote Originally Posted by Paddy Landau View Post
    Re: tape ... This would be a problem!
    At one of my previous jobs we had 2 x StorageTek SL500 tape libraries ...
    https://sunstarco.com/oracle/tape/sl500/

    And we made a backup of everything. Really everything. Totally worth it.

    But yeah ... expensive
    Last edited by scorp123; June 5th, 2021 at 04:23 PM.

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Could we create an immutable incremental backup system to protect against ransomw

    Quote Originally Posted by Paddy Landau View Post
    Unfortunately, the backups are almost 90Gb now, and of course it will only grow with time!

    This would be a problem!
    Tell me about it. I've been backing up about 2TB of "essential" data to multiple hard drives for the last few years. Granted, this doesn't grow as quickly as my media and games do, but large data sets can be a pain to backup.

    The rest of my data set (media, games, etc) totals to about 50TB or so and that gets backed up to a second NAS with secondary backups going to external hard drives.

    I could move to tape, but the cost of the drive in addition to the cost of media makes it a bit of a wash. If I wanted to get a LTO5 drive, those are relatively "cheap" (at least compared to LTO 6 and 7 drives). But each tape would only hold 1.5TB of data, so I couldn't even fit my "essential" backup set on a single tape, so I'd need multiple tapes to back everything up.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  7. #7
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Could we create an immutable incremental backup system to protect against ransomw

    Would mounting the target backup storage as read-only work? Just remount it rw for the backups, but ro for all other times.

    With the rdiff-backups, are you pruning the oldest versions? Something like this?
    Code:
    $rdiffb --remove-older-than $days --force $target

  8. #8
    Join Date
    Oct 2004
    Location
    Albuquerque New Mexico, U
    Beans
    1,186
    Distro
    Ubuntu Development Release

    Re: Could we create an immutable incremental backup system to protect against ransomw

    For Windows, take a look at Macrium Reflect ver 8. It should do the things for which you are looking.
    regards

  9. #9
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,784
    Distro
    Lubuntu 18.04 Bionic Beaver

    Re: Could we create an immutable incremental backup system to protect against ransomw

    Quote Originally Posted by scorp123 View Post
    I've used an older release of this in the past:

    It will create a bootable DVD-R / BD-R (... depends on your disk recorder, of course ...) from your installed OS. If your OS installation gets hosed you boot off that CD / DVD / BD and get your system back. It didn't really strike me as being "complex"??
    OK. The advertising on the Veeam website shows something rather different. Maybe it's changed? Or maybe its advertising is targeted to a different market?
    Quote Originally Posted by scorp123 View Post
    Why should that be a problem? …
    Woah… I didn't realise how much storage those disc could hold!
    Yes, that's an idea, then.
    Quote Originally Posted by scorp123 View Post
    I often use USB3 disks that I only attach when I need them. 4 TB and larger capacity drives are very very cheap these days and good enough.
    That's pretty much what I do as well, attach them only when needed.
    Quote Originally Posted by TheFu View Post
    Would mounting the target backup storage as read-only work? Just remount it rw for the backups, but ro for all other times.
    Yes, I do that. Read-write while writing the backups, and read-only other times. Of course, clever enough ransomware would simply change read-only to read-write; simple enough if it has the right access. Or, it could wait until I back up, and then start its encryption process. I believe that some ransomware already does this.
    Quote Originally Posted by TheFu View Post
    With the rdiff-backups, are you pruning the oldest versions?
    At the moment, yes, I do that. Otherwise storage would grow immense. With immutable incremental backups, of course, I'd have to accept having larger drives with corresponding increase in costs.

    Ideally, an online (off-site) backup, like the one that I use, would offer an immutable option, which would simplify everything as well as keeping costs down.
    Quote Originally Posted by rbmorse View Post
    For Windows, take a look at Macrium Reflect ver 8. It should do the things for which you are looking.
    Thank you for the suggestion. I'll check it out.
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  10. #10
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,904
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Could we create an immutable incremental backup system to protect against ransomw

    Quote Originally Posted by Paddy Landau View Post
    OK. The advertising on the Veeam website shows something rather different ...
    Follow the link I provided. If you just visit their main web site without specifically searching for their free ("free" as in free beer) personal backup product, chances are they will only show you their expensive corporate stuff...

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •