[SOLVED] Ransomware protection?

K

Kurgan

Well-Known Member
Proxmox Subscriber
Apr 27, 2018
44
8
48
55
I have just read the documentation about the new PBS, and I am concerned about ransomware (or worse, attacks that are carried on by humans, that are far more intelligent that automated ransomware). The backup model is "push", i mean, the client machine (the one that is being backed up) accesses the server and "sends" its backup to it. The client machine can also delete old backups (all of them) with a simple command. This means that an attacker that has control on the client machine can easily erase all of the backup data before encrypting the data on the client machine. This is definitely not a nice scenario, and this is why I use only backup systems that work in "pull" mode, where the backup server "pulls" backups from the client machines.

Is there a way to set up PBS so that the client machine cannot delete previous backups at all? (pruning or manual deletion can always be done only from the PBS server)
 
Kurgan said:
Is there a way to set up PBS so that the client machine cannot delete previous backups at all?
Click to expand...

yes, just set the permission for the backup client access.
 
Being unable to delete a backup results in a error / unsuccessful backup message within PVE.

the Backup itself seems to be ok though.
I had to change permissions to get rid of this as a workaround.
 
Trulli said:
Being unable to delete a backup results in a error / unsuccessful backup message within PVE.

the Backup itself seems to be ok though.
I had to change permissions to get rid of this as a workaround.
Click to expand...

Maybe you've not set the "maxfiles" of the PVE storage entry explicitly to 0? As else it tries to prune backups to enforce max files setting.
 
  • Like
Reactions: Trulli
t.lamprecht said:
Maybe you've not set the "maxfiles" of the PVE storage entry explicitly to 0? As else it tries to prune backups to enforce max files setting.
Click to expand...
Yeah I did set it not to zero :)
(Eventually disable the setting in PvE, but may still be a legit option in some cases ?)
 
So, to sum it up: Set up an user that has the DataStoreBackup priviliege, use it for backups from PVE (or from the backup agent on a phisical machine) and obviously do not try to set a pruning schedule on the client machine (PVE or phisical) because it will fail. Use pruning rules on the PBS server.
 
Of course I have offline backups, a management network that's not the same as the users network, restricted access (you need a vpn to access the management from the LAN), etc.
Still I'm thinking of the issues if someone somehow becomes root on the PVE hosts.

As of today I see two scenarios where it's usually too late to save the day and you just lose the fight:

1- data exfiltration: once they're gone, they're gone. There is nothing you can do to have them un-gone.

2- an attacker with access to PVE can install an encryption key to encrypt the backups. If you don't notice it, backups work just fine but they are now encrypted. Then the attacker removes the key after some months and all you have are useless backups. The good ones are from 6 months ago. (you can probably save yourself from this with a home brewed script that backs up the PVE configuration, encryption key included, to somewhere else, and hope the attacker does not notice its presence)

Since the data exfiltration does not require any admin access, it just need user-level access to the data that the legitimate user must be able to use, there is nothing you can do against it. A competent attacker will exfiltrate a small quantity of critical data to avoid triggering any kind of "anomaly alert" on network traffic. No need to exfiltrate the whole fileserver contents.

So unless you have a "magic" IDS/IPS, I don't see how you can avoid it.
 
About backup encryption abuse, see this:

P

Thread 'Verification of encryption integrity'

Hi folks,

I tested changing the encryption key for PBS backups. Unfortunately, the backup job and verification job did not notify me that the key had been changed. This is the behavior of PVE/PBS as I understand it from the documentation. No surprise, just confirmation.

So it's great to have immutable backups, but for a malicious actor who has gained access to PVE, it's just a matter of how long the retention is set on the PBS side.

It would be great to monitor not only data integrity but also encryption integrity. So a verification job or other job would notify us of the encryption key...
  • Like
 
You must log in or register to reply here.
Top Bottom