Offsite Backup strategy + security

Sycoriorz

Well-Known Member
Mar 19, 2018
44
2
48
35
Dear at all,

i have some questions regarding built up an offsite Backup with 2 PBS.

I have made an small drawing of the setup idea.
infrastruktur2.jpg

ETH2 should be only used for syncing between PBS1 and PBS2.
ETH2 is planed to put in an seperate Network to make it more difficult to enter the main Network which is connected on ETH1.
ETH1 is used for doing the backups from the PVE-Nodes.
Is PBS by default safe on the interface ETH2?
Or i must do my own firewall rules on the pbs1 for eth2?
If yes, is it enough to do?

ufw deny all incoming eth2 ufw allow in on eth2 to any port 8007/tcp

port is correct for doing remote and syncing?

On the baremetal-firewall/gateway i would like to do any further allowance rule. Like only one special ip adress is allowed to enter.
But the problem is that pbs2 has no static ip. Which rule possibility i have more? MAC of the ETH from PBS2?

Is this setup safe?
Or you would suggest another setup.

many thanks

best regards

thomas
 
Hi,

I would do like this:

- the storage lan switch must not be connected on the border ruter(left side of your draw)
- on both locations I would add a cheap (but powerful ) dedicated router (ascii below)

(storage-switch)--(pbs1)--(mkt1)--[border1]=== wan/internet

(pbs2)--(mkt2)--[border2]=== wan/internet

As mkt1,2 I would use mikrotik hex s.
From mkt1 to mkt2 I would use a vpn (ipsec, sstp, openvpn) . I will restrict on each mkt the vpn access based on the other side host name (the have by default a hostname luke ddns, so you do not need fixed IP from ISP)

On each border you will need port-fw for your vpn to the internal mkt1/2.

I would also create a time base/schedule rule when vpn must be active or disable (so only when data must be replicated from pbs1 to pbs2).

The last thing is to create acls for access to both mkt1/2 from lan(pppoe client from admin PC to mkt, as a example) in each location and/or from Internet (could be used the same vpns, adding extra acls)

Anything else would be drop.

In a such scenario, an intuder can not access from wan or even from lan your pbs servers. I guessing that your pmx nodes have other network for your VMs/CTs.

Note: you could use others routers insted of Mikrotik, but I think you will need to pay more with less functionality(my own opinion )



Good luck / Bafta !
 
  • Like
Reactions: Sycoriorz
Hi Bafta,

this is an real great solution.
No open ports. only this which is already open (VPN Ports)

I would also create a time base/schedule rule when vpn must be active or disable (so only when data must be replicated from pbs1 to pbs2).
Is this cron job possible to do on the mikrotik hex s?
Or is there possibile to do that in the management console of the switch.
Nothing heard about this switch before.

many thanks

Thomas
 
Is this cron job possible to do on the mikrotik hex s

Hi,

On any Mikrotik device you can create firewall rules using time base acl (days of the week, hours, minutes). It has something like cron if you need... ssh, telnet and a tons of others good things.


If you want to have an ideea how is it you can install a free version of RouterOS (search for CHR). The limitation is the 1 mbits for each interface.

Good luck / Bafta!
 
Last edited:
Setup a wireguard vpn between the two PBS servers. Wireguard itself can be locked down to only allow point to point, configure the firewall's to only allow a connection between the two sites. You would just need to port forward a single UDP port to each PBS server.
As soon as you start stuffing around with timed access, even though you may be using NTP for time sync, the time required for a backup is indeterminate, so how long do you leave the connection open for? Too long starts to defeat the purpose of only having a port open for a finite period of time and too short will cut off the backup process.
 
  • Like
Reactions: oversite
As soon as you start stuffing around with timed access, even though you may be using NTP for time sync, the time required for a backup is indeterminate, so how long do you leave the connection open for?
Hi,

With a statefull firewall, you need to use time base restriction only for new connections to VPN ports, so after that, it is not important what time will be need that backup to finish(backup traffic will match only established connection).

Good luck / Bafta!
 
Hi,

With a statefull firewall, you need to use time base restriction only for new connections to VPN ports, so after that, it is not important what time will be need that backup to finish(backup traffic will match only established connection).

Good luck / Bafta!
Fair call, doesn't negate the first paragraph though.
 
Wireguard itself can be locked down to only allow point to point, configure the firewall's to only allow a connection between the two sites. You would just need to port forward a single UDP port to each PBS server.

Yes, it will function.
But the problem is that pbs2 has no static ip

So he will need to open the wireguard/whatever port for ANYbody from Internet. And from this point a lot of problem could be happend. An enemy could easy inject trafic on this vpn port, maybe even a flood. This will not affect the integrity/security of the vpn, but for sure could disrupt/disconnect the vpn => No backup!!!


Good luck / Bafta !
 
Hi,
So he will need to open the wireguard/whatever port for ANYbody from Internet.

while the discussion i got an idea.

I have static ip on one side.
Use the VPNServer on dynamic side. Setup up an DDNS.
Setting up the firewall on server side.

Drop all.
open port 22 restriced on my static adress.

Is it safe? Or there are more suggestions if i am paranoid.

regards
 
.... and could be more tricks .... because your backup's are done after work-hours, maybe you will want to prioritise your VPN traffic(DSCP for example) => faster backup's, if during this periods you may have other Internet consumers in your LAN.
 
MAC of ETH from Client Side?

No way... MAC addr cand be seen only in the same brodcast domain(layer2), like in your LAN, if all devices are in the same switch(or all switches are connected). If you have 2 different networks connected with routers(like Internet), you can not see the MAC addr of any A LAN from any dev. of B LAN.

Also note, that ANY ACL based on MAC addr is only a weak options, if you ask me(it is very easy to create a fake MAC Addr ....)

Good luck / Bafta!
 
Last edited:
Which verification i could set else on the firewall?
Based on my scenario?

Good question! As usual, minimize your "atack surface".

1. watch for a while what dynamic IP you recive from your ISP!
- then for each IP check "whois IP_from_ISP", and note on paper the IP network class used by your ISP(with some luck/"bafta" you will see a single IP class network)
- create on your firewall(on the other location) one/more rules that permit port-forwarding ONLY for this IP network class

2. this could work, or not .... depens by your ISPs....
- try to test/check from the dynamic host how many hops(=x) are need from dynamic host to arive on the fixed IP host
- then create a rule on the dynamic IP location that your VPN will use a let say TTL=(x hops + 5)
- on the oposite side, accept in port-forwarding ONLY a pkg with TTL <= 5
- any other TTL(> 5 ) will be DROPed and not forwardind to the VPN!


If like I said you have luck, you can use both ;)


Good luck / Bafta !

PS: my nickname is guletz, and not "bafta"(= good luck - my mother language) :p
 
Last edited:
Hi,

This could result to disconnect the VPN when the dynamic IP must be renewed => NO Backup !
I have used mikrotik's ddns (ip/cloud) a lot with EOIP and dynamic IP on one side. I found it very quick and reliable.
 
forget the time rules. if you roughly know the subnet pbs2 getting new adresses you can simply lock it down to that network.
but evne if not, just exposing a vpn port is just fine. its a minimal attack surface and any more is not worth the hassle.

it would be more of a headache to debug issues caused by timetables, likme backup take to long for special reasons.

point is from all possible attack vectors you absolutly will have in your network you focus very much on one of the tiniest and most hardest to exploit.

one of the biggest if not the biggest vector are networks that becmae to complicated and overtime open holes because noone has any diea what is going on anymore. keep it simple, keep it clean, it will become complicated enough anyway.

also that timer firewall rule doesnt really solve anything. if it blocks attack than any other rule that exclude all other networks (or at least regions based on geoip) would work too.

also even in case someome breaks into your vpn, then what? he is still just in your lan in need to break up pbs boxes or sniff our encrypted traffic of encrypted backups.

if your data is that important then simply ask your level 3 representative for a vlan on your 10gbit dedicaded tier 1 line ans ask the helicpters for mroe frequent flyovers. no really at that point its more likely someone picks your 20€ locks and carrys that thing out of the door
 
it would be more of a headache to debug issues caused by timetables, likme backup take to long for special reasons.

Like I said already, is not the case:

With a statefull firewall, you need to use time base restriction only for new connections to VPN ports, so after that, it is not important what time will be need that backup to finish(backup traffic will match only established connection).
also that timer firewall rule doesnt really solve anything. if it blocks attack than any other rule that exclude all other networks (or at least regions based on geoip) would work too.

also even in case someome breaks into your vpn, then what? he is still just in your lan in need to break up pbs boxes or sniff our encrypted traffic of encrypted backups.

The only reson for time-base rule is for the case when someone( intentional or not ) must not have the possibility to inject traffic into the vpn(who could disrupt/disconnect the backup traffic).
if your data is that important then simply ask your level 3 representative for a vlan

I would not be so sure about this kind of vlan, because I see some bad events with them in several ocassions.

Good luck / Bafta!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!