Duane Maas, FMDiSC 14/04/2023
Table of Contents
- Introduction to Immutable Backups and Their Importance
- What is an Immutable Backup?
- Understanding the 3-2-1 Backup Strategy
- Challenges in Backup Protection: Ransomware
- Creating Hidden Backup Folders in macOS and Linux
- Automating Backups with rsync
- Scheduling Backups with FileMaker Server and rsync
- Advanced Techniques: Running rsync in Reverse
- Considerations for Windows Systems
- Protecting Backups with chmod and Read-Only Permissions
- Conclusion: Enhancing Backup Security and Resilience
1. Introduction to Immutable Backups and Their Importance
In today’s digital landscape, data is increasingly vulnerable to ransomware attacks that can compromise the integrity of your backups. This makes immutable backups crucial for any business. In his presentation, Duane Maas shared an innovative solution for automating the creation of immutable backups on macOS and Linux systems. His approach not only protects backups from being encrypted by ransomware but also ensures that hackers cannot trace the off-site backup destination.
2. What is an Immutable Backup?
An immutable backup is a data copy that cannot be altered, deleted, or encrypted after creation. This guarantees that even in the event of a ransomware attack, you will have an intact backup to restore your system. By making backups immutable, you reduce the chances of losing data, even if the primary server is compromised.
3. Understanding the 3-2-1 Backup Strategy
The 3-2-1 backup strategy is a time-tested approach to ensure your data remains secure and recoverable:
- 3 Copies: One primary copy and two backups.
- 2 Different Storage Types: Store backups on two different media types, such as local storage and cloud storage.
- 1 Off-site Copy: Keep one copy of your backup off-site to safeguard against physical disasters like fire or theft.
Duane’s system integrates this 3-2-1 strategy into an automated, secure process using hidden folders, encrypted transfers, and off-site storage.
4. Challenges in Backup Protection: Ransomware
One of the biggest threats to backup integrity today is ransomware. Ransomware can spread to backup locations if they are easily accessible, encrypting or destroying your backup files. The ability to create hidden and encrypted backups, as described by Duane, helps minimize this risk. His process focuses on concealing the backup directories and automating the transfer of those backups to a secure off-site location.
5. Creating Hidden Backup Folders in macOS and Linux
Using Dot Folders
A key element of Duane’s backup strategy involves using hidden folders by creating directories that start with a dot (.) in macOS or Linux. These folders are not visible in standard directory listings, making them less likely to be targeted by ransomware.
For example, a backup folder could be created as .backups, ensuring that it remains hidden from view but still accessible for backup processes.
Steps to Create a Hidden Folder:
# Create a hidden backup directory
mkdir /path/to/.backups
# List all entries (-a includes dot folders) to confirm the hidden directory exists
ls -la /path/to/
This step prevents many types of malware from easily detecting and attacking your backup folders.
Video Demonstration: Making Backups Invisible to Ransomware
In the video demonstration, Duane shows the process of creating and managing hidden folders. He illustrates how to rename the hidden backup folder to make it visible, and how to hide it again afterward. The method involves using basic Unix commands to rename the folder:
- When the folder is renamed with a dot prefix (e.g., .backups), it becomes hidden.
- When the folder is renamed back (e.g., backups), it becomes visible again.
This technique adds a layer of stealth and security against potential ransomware attacks.
6. Automating Backups with rsync
What is rsync and Why Use It?
rsync is a command-line utility that efficiently copies and synchronizes files across directories. It only transfers files that have changed, saving time and bandwidth. For Duane’s backup system, rsync is used to transfer backup files from the local server to a remote off-site location without exposing sensitive data.
Setting Up Password-Free rsync with SSH Keys
To securely transfer backups, Duane recommends using SSH key-based authentication with rsync. This eliminates the need to store passwords in scripts, reducing the risk of credentials being compromised.
Steps to Set Up SSH Key Pair:
- Generate the SSH Key Pair:
ssh-keygen -t rsa
- Copy the Public Key to the Remote Server:
ssh-copy-id user@remote_server
This setup allows rsync to transfer files between servers without requiring manual password entry, making the process seamless and secure.
7. Scheduling Backups with FileMaker Server and rsync
Creating the Backup Schedule
Duane demonstrates how to create a regular backup schedule in FileMaker Server, ensuring that databases are backed up to the hidden folder (.backups) at regular intervals.
Steps to Create a Backup Schedule:
- Open FileMaker Server Admin Console.
- Create a new backup schedule.
- Set the destination as the hidden .backups folder.
By storing backups in this hidden directory, they remain secure and out of reach from ransomware.
Executing the Backup Script Automatically
The next step involves creating a script that executes the rsync command to transfer the backups to a remote server. This script is triggered by FileMaker Server after each backup is completed.
Sample rsync Command:
rsync -av /path/to/.backups user@remote_server:/remote/backup/path
Triggering the Backup Script: You can automate the execution of this command by using AppleScript or FileMaker’s Perform AppleScript function:
do shell script "/path/to/rsync_backup.sh"
8. Advanced Techniques: Running rsync in Reverse
An interesting variation of Duane’s method involves reversing the rsync process. Instead of pushing the backups from the local server to the remote server, the remote server can pull the backups from the FileMaker Server. This method may be more appropriate in situations where outbound connections from the FileMaker Server are restricted or monitored.
Reverse rsync Command:
rsync -av user@FileMakerServer:/path/to/.backups /remote/backup/path
This reverse rsync process allows for greater flexibility and security in backup strategies.
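An added example, not code from Duane's presentation: one possible body for rsync_backup.sh that serves both the push command in section 7 and the reverse (pull) variant above. It goes beyond the page's rsync -av by adding --ignore-existing, on the assumption that every backup run writes new file names; the function names, paths and hosts are hypothetical.

```shell
#!/bin/sh
# Added example; function names, paths and hosts are hypothetical.

# Copy backup files that the destination does not have yet.
# --ignore-existing: a file already off-site is never rewritten, so a source
#   file altered after its first transfer cannot replace the good copy.
# No --delete: removals at the source are not mirrored.
# BatchMode=yes: under a scheduler, fail instead of waiting at a prompt.
# Push: copy_new_only /path/to/.backups user@remote_server:/remote/backup/path
# Pull: copy_new_only user@FileMakerServer:/path/to/.backups /remote/backup/path
copy_new_only() {
    rsync -a --ignore-existing -e 'ssh -o BatchMode=yes' "$1" "$2"
}

# Dry run: print files present on both sides whose content differs.
# After an --ignore-existing copy any hit means the source changed later,
# which is worth an alert before the next restore.
changed_at_source() {
    rsync -a --dry-run --checksum --existing --itemize-changes \
        -e 'ssh -o BatchMode=yes' "$1" "$2" |
        sed -n 's/^[<>]f[^ ]* //p'
}
```

Run changed_at_source with the same two arguments as the copy; empty output means the source and the off-site copies still agree.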
9. Considerations for Windows Systems
Duane’s method works seamlessly on macOS and Linux systems due to their native support for dot folders and powerful command-line tools. However, Windows systems do not support dot folders, making it challenging to hide backups in the same way. To work around this, Duane suggests using protected folders and installing rsync on Windows servers.
While this process is more complex on Windows, it is still possible to implement a secure, automated backup system using third-party tools and some manual configuration.
10. Protecting Backups with chmod and Read-Only Permissions
After backups are transferred off-site, Duane emphasizes the importance of securing the backups by making them read-only. This ensures that even if an attacker gains access to the backup location, they will not be able to modify or delete the backup files.
Command to Make Backups Read-Only:
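# a=rX makes files read-only (444) and keeps directories traversable (555); a recursive 444 would strip the directory search bit
chmod -R a=rX /remote/backup/path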
In addition to read-only permissions, you can also set a lock flag on the files, preventing even administrative users from modifying them without first unlocking the files.
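An added example, not part of the presentation: locking one completed backup set and checking that nothing in it is still writable or unreachable. The function names and paths are hypothetical, and the lock flag is assumed to mean the immutable file flag (chflags uchg on macOS, chattr +i on Linux).

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical.

# Read-only files, traversable directories:
# a=rX -> files 444 (555 if already executable), directories 555.
lock_backups() {
    chmod -R a=rX "$1"
}

# Entries (symlinks aside) that user, group or other can still write to.
writable_entries() {
    find "$1" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) -print
}

# Directories the owner cannot enter; restores from these fail.
untraversable_dirs() {
    find "$1" -type d ! -perm -100 -print
}

# Lock a backup set, then report anything the lock missed.
lock_and_verify() {
    lock_backups "$1" || return 1
    bad=$(writable_entries "$1"; untraversable_dirs "$1")
    if [ -n "$bad" ]; then
        printf 'not locked:\n%s\n' "$bad" >&2
        return 1
    fi
}

# Mode bits can be reset by the owning account, so the lock flag is the
# second layer. Assumed here to be the immutable file flag.
set_lock_flag() {
    case "$(uname -s)" in
        Darwin) chflags -R uchg "$1" ;;   # clear with: chflags -R nouchg
        Linux)  chattr -R +i "$1" ;;      # needs root; clear with: chattr -R -i
        *) echo "no lock-flag command known for this OS" >&2; return 1 ;;
    esac
}
```

Apply lock_and_verify to a finished backup set rather than to the directory that still receives new transfers, since a read-only parent directory rejects the next run's files.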
11. Conclusion: Enhancing Backup Security and Resilience
By following Duane Maas’s method of automating immutable backups, you can significantly improve the security of your FileMaker databases. This approach ensures that your backups are not only securely transferred to an off-site location but also remain invisible to ransomware and immutable once created. This guarantees that in the event of an attack, you will have a reliable, untampered backup to restore your systems.
Implementing this backup strategy will give you peace of mind, knowing that your critical data is protected against ransomware and other threats, allowing you to focus on your core business operations.
Key Takeaways:
- Automate backups using hidden folders and rsync to protect against ransomware.
- Use SSH key authentication to secure file transfers without exposing passwords.
- Implement a read-only and lock flag strategy to ensure backups remain immutable after transfer.
By incorporating these practices into your backup routine, you can build a resilient, ransomware-resistant backup system that safeguards your valuable data.
This blog post serves as a comprehensive guide to Duane Maas’s presentation on automating immutable backups and can be implemented to improve your data protection strategy.