[Borgbackup] round robin

richard lucassen mailinglists at lucassen.org
Mon Aug 26 04:03:25 EDT 2019


On Mon, 26 Aug 2019 11:00:15 +0800
Oon-Ee Ng <ngoonee.talk at gmail.com> wrote:

> In addition to your primary question (which has been answered), I'd
> just chime in that round robin daily is fairly dangerous in the case
> of ransomware attacks, since there's a possibility all your good
> backups get over-written before you notice it (7 days response time).
> 
> Obviously if that's not important for your particular situation then
> that's fine, but I think for most private internet-exposed systems
> ransomware is likely to be one of the larger threat vectors.

For each user system I use a "canary.txt" file in a "canary" directory
containing "Do not delete or alter this file". A canary was (or is
maybe) used in coal mines to be able to detect mine gas:

https://en.wiktionary.org/wiki/canary_in_a_coal_mine

Somewhere in the user's share I place this canary file (r/w for
that user) and he/she should not touch it. When this user is hit by
ransomware the file will be altered or renamed by the ransomware.

Every 5 minutes I collect all these canary files on another machine and
check them with the md5sums I have on that machine. If one of these
files is changed or has disappeared (renamed), the backup is blocked
for that user and all alarm bells will ring.

(Un)fortunately I have not yet been able to test it in practice, so I
don't know whether it is an effective system.

And BTW, maybe someone here knows this: does ransomware also encrypt
IMAP mail systems? Searching for this shows lots of articles saying that
ransomware is getting in by IMAP, but not a word about ransomware
encrypting mails on an IMAP server.

R.

-- 
richard lucassen
http://contact.xaq.nl/
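
The canary check described in this message, sketched as an added example that is not part of the original post or of Borg itself. The directory layout, the user names, the per-user block marker and the function names are assumptions; the sample canaries are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

CANARY_TEXT = b"Do not delete or alter this file\n"  # wording from the post
USERS = ("alice", "bob", "carol")  # constructed user names


def check_canaries(collected: Path, baseline: dict, block_dir: Path) -> dict:
    """Compare each collected canary (collected/<user>/canary/canary.txt, an
    assumed layout) with its stored md5sum. A changed or missing canary
    creates block_dir/<user>, which stays until an administrator removes it."""
    block_dir.mkdir(parents=True, exist_ok=True)
    status = {}
    for user, expected in baseline.items():
        canary = collected / user / "canary" / "canary.txt"
        if not canary.is_file():
            status[user] = "missing"   # deleted or renamed
        elif hashlib.md5(canary.read_bytes()).hexdigest() != expected:
            status[user] = "changed"   # overwritten or encrypted
        else:
            status[user] = "ok"
        if status[user] != "ok":
            (block_dir / user).write_text(status[user] + "\n")
    return status


def backup_allowed(user: str, block_dir: Path) -> bool:
    """Called by the backup wrapper before it starts a run for this user."""
    return not (block_dir / user).exists()


def demo():
    """Constructed data: alice untouched, bob overwritten, carol renamed."""
    root = Path(tempfile.mkdtemp())
    collected, blocked = root / "collected", root / "blocked"
    for user in USERS:
        (collected / user / "canary").mkdir(parents=True)
        (collected / user / "canary" / "canary.txt").write_bytes(CANARY_TEXT)
    baseline = {user: hashlib.md5(CANARY_TEXT).hexdigest() for user in USERS}
    (collected / "bob" / "canary" / "canary.txt").write_bytes(b"constructed junk")
    carol = collected / "carol" / "canary" / "canary.txt"
    carol.rename(carol.with_name("canary.txt.locked"))
    status = check_canaries(collected, baseline, blocked)
    return status, {user: backup_allowed(user, blocked) for user in USERS}


if __name__ == "__main__":
    print(demo())
```

The block marker is deliberately sticky: a canary that matches again on a later 5-minute check does not unblock the user, so an altered canary that is later put back cannot silently re-enable backups that would overwrite good archives.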

