Re: [Duplicity-talk] Biggest nightmare

[Robin Smidsrød]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cristian KLEIN wrote:
> Hello list,
> 
> I wanted to ask you how did you prepare yourself to deal with your
> biggest nightmare. Say somebody hacked your system and wants to do the
> biggest damage possible. So his strategy goes as follows:
> 
> - he installs a sniffer or uses another method to get access to you
> duplicity backup host
> - he deletes your hole home folder
> - he deletes yours backups from your backup host
> 
> Is anybody dealing with this situation right now? How?

Keep at least one backup _off-line_. That is, in a place that is not
reachable with networking. Like a USB-drive locked in a safe or some
DVD/BD discs burnt and kept somewhere safe. When you need to do the
backup you actually hook the thing up, and when you're done you actually
un-hook it. Nothing beats physical security.

If that is not doable with your setup, you could use a one-way firewall
rule. That is: main server can not initiate communication with
backup-host, but backup-host can initiate contact with main server. The
backup host will pull the backup archive from the main host at
intervals, but a restore will require it to be initiated from the
backup-host or with a firewall rule override.

- -- Robin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkohghcACgkQHAwEVD/in27kSQCfcHbmWb3Nykjlca7FP4bI/pbZ
a2oAnjNuL1lP8ms9vSdFq1oyE1Z4vT0b
=fB9b
-----END PGP SIGNATURE-----