Design an online ransomware safe backup with restic

The only way to be safe from ransomware, apart from keeping an offline backup, is to have an immutable online backup.

restic is a deduplicating backup software, designed for ease of use and security. Rclone is a versatile program for syncing data between a huge variety of protocols and cloud providers. What is especially nifty is that restic can use rclone as a backend, which extends the possible restic destinations to most cloud providers.

Problem

Setting up an automated backup from one machine is no problem. This can be done quite easily with

restic -p password_file -r sftp://user@destination/srv/backups init

Backups are then taken with

restic -p password_file -r sftp://user@destination/srv/backups backup /srv/backmeup

If a malicious actor has access to the source machine, they will have read and write access to the backup on the destination. To avoid giving the malicious actor write access to already existing backups, we need to ensure that existing backups on the destination are never changed. This is done by making the destination immutable: once data is written, it cannot be changed later.

Solution

This can be solved in a couple of ways:

  1. Use an immutable backend, for example immutable object storage in the cloud.
  2. Make any destination immutable by relaying all traffic through a secured rclone proxy with --append-only forced on.

Design, relay traffic through proxy

     source               intermediate                destination
+---------------+       +--------------+  chosen     +-----------+
|               |  SSH  | rclone       |  transport  | favorite  |
| /srv/backmeup | ----> | append only  | ----------> | cloud     |
|               |       | relay        |             | storage   |
+---------------+       +--------------+             +-----------+

Configure

On source

  1. Create an SSH key on the source without a password.

    ssh-keygen -t ed25519 -f .ssh/id_ed25519 -N ''
    
  2. Print the newly created public key with cat .ssh/id_ed25519.pub

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAS2qJU7yIDRVY9cgjyJ0tGM32aB/aaeSwjQ0O/RTN6d
    

On intermediate

  1. Secure the intermediate server as you see fit. Do not allow unrestricted SSH from the source.

  2. Log in as your user, in this example user.

  3. Create an rclone profile (remote), in this case called myprofile.

    rclone config
    
  4. Test the profile.

    rclone ls myprofile:
    
  5. Allow the source to SSH into the intermediate and run only a very limited rclone command, which may only append data to myprofile. Edit .ssh/authorized_keys.

    restrict,command="rclone serve restic --stdio --append-only myprofile:backups" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAS2qJU7yIDRVY9cgjyJ0tGM32aB/aaeSwjQ0O/RTN6d
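The authorized_keys entry in step 5 is what turns the intermediate into an append-only proxy, so it is worth checking with something other than eyeballs, especially once more keys accumulate in that file. The audit script below is an added example, not code from the original post or from the restic or rclone projects. It parses each entry of an authorized_keys file, requires the restrict option (which disables port, agent and X11 forwarding, PTY allocation and ~/.ssh/rc) together with a forced command of the form rclone serve restic --stdio --append-only <remote>, and reports every entry that falls short. The file path and the sample entries (with placeholder key material) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the intermediate's
# authorized_keys so that every key the source may present is locked to the
# append-only restic proxy. The file path and the sample entries are
# constructed here; the expected entry shape is the one from step 5.

# Exit 0 when LINE carries the "restrict" option and a forced command of the
# form  rclone serve restic --stdio --append-only <remote>  ; otherwise print
# the reason and exit 1. Assumption: the forced command contains no escaped
# quotes and no ",restrict," text of its own.
check_authorized_key_line() {
    line=$1
    q='"'
    opts=
    found=0
    for keytype in ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 \
                   ecdsa-sha2-nistp521 sk-ssh-ed25519@openssh.com; do
        case "$line" in
            "$keytype "*)   found=1; break ;;                      # key without options
            *" $keytype "*) found=1; opts=${line%% $keytype *}; break ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL (unrecognised key line): $line"
        return 1
    fi
    case ",$opts," in
        *",restrict,"*) ;;
        *) echo "FAIL (no restrict option): $line"; return 1 ;;
    esac
    case "$opts" in
        *"command=$q"*) ;;
        *) echo "FAIL (no forced command): $line"; return 1 ;;
    esac
    cmd=${opts#*command=$q}      # text after command="
    cmd=${cmd%%$q*}              # ... up to the closing quote
    case " $cmd " in
        " rclone serve restic "*) ;;
        *) echo "FAIL (forced command is not rclone serve restic): $line"; return 1 ;;
    esac
    for flag in --stdio --append-only; do
        case " $cmd " in
            *" $flag "*) ;;
            *) echo "FAIL (forced command lacks $flag): $line"; return 1 ;;
        esac
    done
    echo "OK: $cmd"
    return 0
}

# Audit FILE; returns the number of key lines that fail the check (0 = clean).
audit_authorized_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
        check_authorized_key_line "$line" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}

# Write a constructed sample file to PATH: one correct entry (placeholder key
# material, not a real key) and three entries that must be reported.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample, not a real authorized_keys file
restrict,command="rclone serve restic --stdio --append-only myprofile:backups" ssh-ed25519 AAAAexamplekey1 source
command="rclone serve restic --stdio --append-only myprofile:backups" ssh-ed25519 AAAAexamplekey2 missing-restrict
restrict,command="rclone serve restic --stdio myprofile:backups" ssh-ed25519 AAAAexamplekey3 not-append-only
ssh-rsa AAAAexamplekey4 unrestricted-admin
EOF
}

SAMPLE_FILE=$(mktemp)
write_sample_authorized_keys "$SAMPLE_FILE"
if audit_authorized_keys "$SAMPLE_FILE"; then
    echo "all key lines are restricted to the append-only proxy"
else
    echo "$? key line(s) need fixing"
fi
rm -f "$SAMPLE_FILE"
```

Run as is to see the three sample failures, or point audit_authorized_keys at the real /home/user/.ssh/authorized_keys on the intermediate; a nonzero return code is the number of offending entries, which makes the script easy to wire into a periodic check.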
    

Back on source

  1. Create a unique password for the backup. Take note of this password! You will not be able to restore without it.

    apg -m 32 | head -1 > restic.pwd
    chmod 400 restic.pwd
    cat restic.pwd
    
  2. Initialise the restic backup repository.

    restic -o rclone.program='ssh user@intermediate' -p restic.pwd -r rclone: init
    
  3. Back up your data.

    restic -o rclone.program='ssh user@intermediate' -p restic.pwd -r rclone: backup /srv/backmeup
    
  4. Create a job that runs restic regularly.

You can use all restic commands as normal, except the repair and cleanup commands (such as forget and prune), which delete or rewrite repository data and are refused by the append-only proxy.

Conclusion

Now you have a source which backs up data online.

If the source gets compromised, the malicious actor cannot

  • Delete or change old backups.
  • Know the final destination of the backups.

Caveats

  • The source should never have normal (unrestricted) SSH access to the intermediate.
  • Access to the intermediate should be restricted. 2FA is recommended, for example a YubiKey.