<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>I have an rsync-based script that pulls specific directories, dates them and saves them to a remote host/storage. It is relatively dumb and just adds the new tarred collection to a group of them. I don't think a malware could follow this backup home. Have to test it. <br><br><span style="font-size: 13pt;">Wolf Halton</span><div><div>Atlanta Cloud Technology</div><div>Cybersecurity & Disaster Recovery Solutions </div><div>Mobile/Text <span style="font-size: 13pt;">678-687-6104</span></div><div><br></div><div>--</div><div>Sent from my iPhone. Creative word completion courtesy of Apple, Inc. </div></div></div><div><br>On Nov 9, 2015, at 1:48 PM, Lightner, Jeff <<a href="mailto:JLightner@dsservices.com">JLightner@dsservices.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Ideally rather than having a local backup source your server pushes to, you have a remote backup server that pulls backups. That won’t prevent a backup run
AFTER the infection from containing the infection but it will keep the infection from pushing out to backups made before the backups.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Really, Web Servers, shouldn’t be doing much PUSHING in the first place. Here we have a limited number of connections allowed from our DMZ to internal systems
and none of it is obvious things such as ssh. We can ssh into the web server but cannot ssh from the web server back into our internal network. I periodically have to remind people that requests ssh trusts in from web server that we don’t even allow ssh
inbound let alone setup trusts in that direction.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a> [<a href="mailto:ale-bounces@ale.org">mailto:ale-bounces@ale.org</a>]
<b>On Behalf Of </b>Scott Plante<br>
<b>Sent:</b> Monday, November 09, 2015 11:46 AM<br>
<b>To:</b> Atlanta Linux Enthusiasts<br>
<b>Subject:</b> Re: [ale] Linux Ransom-ware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:black">The article says it goes after backup files too. It seems what you need is either a backup drive or media you manually connect to do backups, or a separate backup server that only
accepts new backups and doesn't give the client write access to old backups. I think it might be fairly easy to script something like this, but is anyone aware of an existing backup server software that does this kind of thing? Most of the backup software
I've seen assumes you have read/write access to a "backup drive" whether that's a USB, NFS, or other network accessible mount, or of course a tape or dvd that someone manually changes. For all the advantages of removable media, you always have the problem
of human error or laziness fouling up your backup regime, so automated is good.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Arial","sans-serif";color:black">For a backup server, it would of course be of some limited space. You wouldn't want the push process to be able to just keep pushing junk until your
good backups are pushed off. Just a thought that popped into my head in the vein of maybe a push-only backup server is more complicated than I first thought. Seems like some of the issues people have worked out for log servers that accept log messages but
are extra hard for hackers to mess with.<o:p></o:p></span></p>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Arial","sans-serif";color:black">
<hr size="2" width="100%" align="center" id="zwchr">
</span></div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica","sans-serif";color:black">From:
</span></b><span style="font-family:"Helvetica","sans-serif";color:black">"Leam Hall" <<a href="mailto:leamhall@gmail.com">leamhall@gmail.com</a>><br>
<b>To: </b>"Atlanta Linux Enthusiasts" <<a href="mailto:ale@ale.org">ale@ale.org</a>><br>
<b>Sent: </b>Monday, November 9, 2015 5:53:07 AM<br>
<b>Subject: </b>Re: [ale] Linux Ransom-ware<br>
<br>
On 11/09/15 04:35, DJ-Pfulio wrote:<br>
> Linux Ransom-ware is out looking for ways to attack and encrypt your<br>
> systems:<br>
> <a href="https://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/">
https://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/</a><br>
><br>
> Good news: They only want 1 bitcoin as payment.<br>
><br>
> Bad news: 1 BC is about US$420 and the unlock process doesn't put<br>
> everything back exactly like it was.<br>
<br>
Good news; we're all now reminded to back up our files and sites. :)<br>
<br>
Leam<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Ale mailing list</span><br><span><a href="mailto:Ale@ale.org">Ale@ale.org</a></span><br><span><a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a></span><br><span>See JOBS, ANNOUNCE and SCHOOLS lists at</span><br><span><a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a></span><br></div></blockquote></body></html>