Off network PBS best practice?

proxwolfe

So I have been running a PBS to complement my home lab PVE cluster for a while now and everything works beautifully.

And yet I am not fully happy because if my (management) network ever were breached and my VMs compromised, the next steps for an attacker would be to go after my backups. And if the attacker managed to hack my PVE, chances are the attacker could also breach my PBS and destroy/encrypt my backups.

Now while I make regular tape copies of my PBS's datastore, I would like to move the PBS out of my management network so that an attacker that breached my PVE could not just move laterally to my PBS as well. The problem with this is that PVE backs up to PBS by pushing the backups there. And that doesn't work if PBS is in another network behind a firewall.

One solution would be to set up another PBS on that other network that syncs (pulls) from my main PBS. And I do have that at an offsite location. But this means that I have everything twice (which in itself isn't bad but it does create redundancy).

So what I am looking for here is a solution where my main PBS polls my PVE cluster and initiates the backups (rather than my PVE cluster pushing the backups). My off-network PBS would be able to connect to the PVE cluster through the firewall and the PVE cluster would be able to respond, but the PVE cluster would have no way of reaching the PBS on its own (and neither would any attacker).

Can that be done?

Or what is the best practice to keep a potential attacker from getting to the PBS?

Thanks!
 
PVE backups have to be pushed to PBS; there's no way PBS can create a "pull backup" of PVE. Your best option is to keep PBS in the same network and use a host firewall in PBS and restrict which devices can reach your PBS host. And of course use proper permissions for the user used in PVE to connect to PBS (i.e. just allow datastore audit and datastore backup and never ever grant datastore.prune).

Having offline/offsite backups is a good option too, in case everything else fails.
 
And that doesn't work if PBS is in another network behind a firewall.
Why should that not work? You must configure routing and/or the firewall correctly. But it does not solve the problem you describe. Best is a second PBS with pull sync.
 
I had time to think over your question. Of course, you can create a backup that is safe from Trojans with one PBS. You kill all connections from PVE to your PBS. Then use your own script from PBS with an SSH connection to your PVE.
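One way to realize "a script on PBS with an SSH connection to PVE" is sketched below. This is an added example and my own interpretation of the reply, not the poster's script and not a Proxmox feature: the SSH session that PBS opens to PVE carries a reverse port forward (ssh -R), so PBS's API port 8007 appears on the PVE side as 127.0.0.1:8007 only while that session is alive. A PVE storage entry whose server is 127.0.0.1 then lets vzdump push the backup into the tunnel, and no route or firewall rule from the PVE network towards PBS is needed. The host name root@pve.example, the key path /root/.ssh/pbs_pull and the storage name pbs-tunnel are assumptions.

```shell
#!/bin/sh
# Added example (my own interpretation of "a script on PBS with an SSH
# connection to PVE"; not the poster's script and not a Proxmox tool).
# Runs ON the PBS host. PBS opens an SSH session to PVE and, only for the
# lifetime of that session, publishes its own API port (8007) on the PVE
# side through a reverse forward (-R). vzdump on PVE pushes the backup to
# 127.0.0.1:8007, i.e. into the tunnel, so the PVE network needs no route
# and no firewall rule towards PBS, and the hole closes when ssh exits.
# Assumed (not from the thread): PVE reachable as root@pve.example, a
# dedicated key /root/.ssh/pbs_pull, and a PVE storage "pbs-tunnel" whose
# "server" is 127.0.0.1 and whose username is the least-privilege token.
set -eu

PVE_HOST="${PVE_HOST:-root@pve.example}"
SSH_KEY="${SSH_KEY:-/root/.ssh/pbs_pull}"
PVE_STORAGE="${PVE_STORAGE:-pbs-tunnel}"
PBS_PORT="${PBS_PORT:-8007}"

# Back up one guest. The VMID ends up in a remote shell command line
# (ssh joins its arguments into one string), so it is validated as a plain
# integer first; never pass untrusted strings through here.
# With DRY_RUN=1 the assembled command is printed instead of executed.
run_pull_backup() {
    vmid=$1
    case $vmid in
        ''|*[!0-9]*) echo "refusing non-numeric VMID: $vmid" >&2; return 2 ;;
    esac
    # ExitOnForwardFailure: if 127.0.0.1:8007 is already bound on PVE
    # (a leftover tunnel, or something impersonating PBS) abort instead of
    # letting vzdump talk to whatever is listening there.
    set -- ssh -i "$SSH_KEY" \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -R "127.0.0.1:${PBS_PORT}:127.0.0.1:${PBS_PORT}" \
        "$PVE_HOST" \
        vzdump "$vmid" --storage "$PVE_STORAGE" --mode snapshot
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# Back up every VMID given as an argument, one SSH session (and therefore
# one short-lived tunnel) per guest; a failed guest aborts the run.
main() {
    for vmid in "$@"; do
        run_pull_backup "$vmid"
    done
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two caveats a practitioner should keep in mind with this design. First, while the tunnel is open, a compromised PVE host can reach PBS through it with the credential stored in its storage configuration, so that credential still needs the backup-only permissions the first reply describes; the tunnel shrinks the exposure window, it does not replace least privilege, and the fingerprint pinned in the PVE storage entry is what guarantees the tunnel endpoint really is your PBS. Second, the key on PBS is a root login to PVE; pin it in PVE's authorized_keys with a from= restriction and a forced command that validates SSH_ORIGINAL_COMMAND against the expected vzdump invocation, so that the PBS-to-PVE direction is no wider than it has to be.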
 
Seeing that there doesn't seem to be a solution where there is only one PBS that doesn't sit on the same network as the PVE (save for piercing a hole in the firewall that ought to separate the networks), I would like to understand whether the following would be possible:

There is one small PBS on the PVE network that PVE can back up to, and another larger PBS that sits on another network and pulls from the first PBS. The first PBS would only have a small datastore, would often delete the backups and would only act as a "pass-through" for the off-network PBS, which has a large datastore to store the backups long term. Would that work, or could the pulling PBS only ever store what the pulled PBS has in its own store? In other words: will the larger PBS that syncs from the smaller PBS only have a perfect copy of the smaller PBS's datastore and nothing more?
 
Of course, you can do it that way. If you have to save money and decide on a one-PBS solution, there is the simple solution: you use a separate user to connect to the local PBS with only permission to create and read backups. Therefore malware could not change the existing backups.
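Both the first reply (datastore audit and datastore backup only, never prune) and this one (a separate user that can only create and read backups) come down to one control: the credential PVE holds must not be able to delete what it wrote. The script below is an added example, mine rather than the thread's or a Proxmox tool, that audits exactly that against copies of the two configuration files. The file formats it parses and the list of acceptable roles are my assumptions, stated in the comments; check them against your PBS and PVE versions before relying on the result.

```shell
#!/bin/sh
# Added example (not from the thread, not a Proxmox tool): audit the PBS
# ACLs of every credential PVE uses to push backups, and flag any role that
# goes beyond backup + audit. Runs offline on copies of the two config files.
# Assumed formats, as I know them from current PVE/PBS (verify on your
# version): PVE's /etc/pve/storage.cfg has "pbs: <id>" sections with a
# "username" property; PBS's /etc/proxmox-backup/acl.cfg has lines
#   acl:<propagate>:<path>:<auth-id>[,<auth-id>..]:<role>[,<role>..]
set -eu

# Roles acceptable for the PVE->PBS backup credential (an assumption in the
# spirit of the replies: backup and audit, nothing that can remove data).
ALLOWED_ROLES="DatastoreBackup DatastoreAudit"

# Print the auth-ids (user@realm or user@realm!token) of all 'pbs:' storages
# in a PVE storage.cfg; other storage types are skipped.
pve_pbs_authids() {
    awk '
        /^[a-z]+:/ { in_pbs = ($1 == "pbs:"); next }
        in_pbs && $1 == "username" { print $2 }
    ' "$1"
}

# Print "<path> <role>" for every grant to the given auth-id in a PBS acl.cfg.
acl_grants() {
    awk -F: -v who="$2" '
        $1 == "acl" {
            n = split($4, ids, ",")
            for (i = 1; i <= n; i++) if (ids[i] == who) {
                m = split($5, roles, ",")
                for (j = 1; j <= m; j++) print $3, roles[j]
            }
        }
    ' "$1"
}

# One line per grant, "OK|FLAG <auth-id> <role> <path>", or "NOACL <auth-id>"
# when PVE references a credential that has no ACL at all (a stale or
# mistyped entry worth cleaning up, not a security hole).
audit() {
    for id in $(pve_pbs_authids "$2"); do
        grants=$(acl_grants "$1" "$id")
        if [ -z "$grants" ]; then
            echo "NOACL $id"
            continue
        fi
        echo "$grants" | while read -r path role; do
            case " $ALLOWED_ROLES " in
                *" $role "*) echo "OK $id $role $path" ;;
                *)           echo "FLAG $id $role $path" ;;
            esac
        done
    done
}

# Exit status 0 only if nothing was flagged; handy for cron or monitoring.
audit_ok() {
    if audit "$1" "$2" | grep -q -e '^FLAG ' -e '^NOACL '; then
        return 1
    fi
    return 0
}

# Constructed sample configs (illustration only). storage.cfg is safe to
# copy around: it carries no secret, PVE keeps the token secret separately
# under /etc/pve/priv/.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
ACL_SAMPLE="$TMP/acl.cfg"
STORAGE_SAMPLE="$TMP/storage.cfg"
cat > "$ACL_SAMPLE" <<'EOF'
acl:1:/datastore/store1:backup@pbs!pve:DatastoreBackup
acl:1:/datastore/store1:restore@pbs!pve:DatastoreReader
acl:1:/datastore:admin@pbs!pve-admin:DatastoreAdmin
acl:1:/datastore:ops@pbs:DatastoreAudit
EOF
cat > "$STORAGE_SAMPLE" <<'EOF'
dir: local
    path /var/lib/vz
    content iso,vztmpl

pbs: pbs-main
    datastore store1
    server 192.0.2.10
    fingerprint 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
    username backup@pbs!pve
    content backup

pbs: pbs-old
    datastore store1
    server 192.0.2.10
    username admin@pbs!pve-admin
    content backup

pbs: pbs-new
    datastore store1
    server 192.0.2.10
    username newuser@pbs!pve
    content backup
EOF

if [ $# -eq 2 ]; then
    audit "$1" "$2"      # usage: ./pbs-acl-audit.sh acl.cfg storage.cfg
else
    audit "$ACL_SAMPLE" "$STORAGE_SAMPLE"
fi
```

On the sample data the first credential passes, the second is flagged because DatastoreAdmin on /datastore also covers prune and delete, and the third has no ACL at all. The configuration that produces an "OK" line is, as I recall the PBS CLI (check with --help on your version), a dedicated user plus token with the DatastoreBackup role on just the one datastore: proxmox-backup-manager user create backup@pbs, proxmox-backup-manager user generate-token backup@pbs pve, proxmox-backup-manager acl update /datastore/store1 DatastoreBackup --auth-id 'backup@pbs!pve'. Pruning and garbage collection then run as scheduled jobs on PBS itself, not through anything PVE holds.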
 