Welcome! » Log In » Create A New Profile

lvm -and- ssh backups: do NOT mount

Posted by Anonymous 
lvm -and- ssh backups: do NOT mount
March 29, 2015 07:17PM
Sorry to reply to a slightly old thread, but I noticed a risk here that should perhaps be mentioned.

[quote]Another possibility is to mount the backup directory as an NFS writable volume, to only the client that needs to write from the LVM snapshot.

Note that such an approach means that as cryptolocker victims know all too well, if your machine is rooted, your backups will likely be unusuable. An accidental rm -rf .* or similar would also wipe out your backups just when you need them the most, as could various bugs in the storage stack. That might be an acceptable risk for nearline backups if you also have separate, regularly tested backups which do not suffer from this vulnerability. Many people have been bitten by this, bitten hard, so it isn't recommended.

To accomplish this goal safely with the hot-spare service we do, we PULL data via ssh, then do something similar to rsnapshot on the backup server. The machine being backed up does not have, and cannot have, any access to damage it's previous mirrors when it is compromised or damaged.
Ray Morris
Sorry, only registered users may post in this forum.

Click here to login