Re: [Duplicity-talk] Biggest nightmare

[rsync.net]

Hello Christian,

On Sun, 31 May 2009, Cristian KLEIN wrote:

> > > - he installs a sniffer or uses another method to get access to you
> > > duplicity backup host
> > > - he deletes your hole home folder
> > > - he deletes yours backups from your backup host
> > >
> > > Is anybody dealing with this situation right now? How?
> >
> > Sorry to hear you're having problems.
>
> Luckily, I don't have this problem. But better be safe than sorry. :)
>
> Thank you very much for your feedback. I observe that there are two
> solutions:
> 1) Also store backup off-site.
> 2) Backup-host initiated backup.
>
> I would like to add another idea and know what you're thinking about it.
> Everything duplicity needs for ???normal??? backup operations is to list
> files, read files and create new (non-existing) files. So I thought
> about creating a restricted SFTP server, which would allow exactly these
> three operations. Then an evil attacker could not compromise backups.
>
> A user who has an SSH account on a backup host, would use two keys:
> a) not-password-protected, restricted to SFTP
> b) password-protected, restricted to backup maintainance, which he
> should actually *never* use


The solution you suggest, a restricted sftp server, does not protect 
against a root compromise of the remote backup host.  This is fine, but if 
you aren't protecting against remote root compromise, then there is no 
reason to invent such a complicated solution.

Just chflag all of the backup files on the remote side to be immutable. 
You could do this with cron. Even root would be required to unflag them to 
alter them at all.

This question is only complicated if you are also protecting against a 
remote root compromise, which, it seems, you are not.