User:Cedric1337
Overview
This page describes the procedure for building a Samba server (the master NAS) that takes a daily read-only snapshot of the user data and replicates it to a slave NAS.
Goal
The goal of this setup is to store user data in such a way that it is protected against the following disasters.
Ransomware / Unwanted file deletion
The user data is written by an unprivileged user, who has write access to one single directory only. Every day, a read-only snapshot of that directory is made. Only the root user is able to alter or remove this snapshot, so neither an accidental delete nor ransomware running under the unprivileged account can touch the snapshotted data.
Drive crash
The user data is written twice, onto a btrfs RAID1 array. If a drive crashes, the user data is still available on the second drive. A two-drive RAID1 survives the loss of one drive; it is redundancy, not a backup, which is what the slave NAS is for.
Data corruption on a drive
Btrfs stores a checksum for each block of data and metadata and verifies it on every read. If a drive returns corrupted data, btrfs repairs it from the intact copy on the second drive. Corruption in data that is never read is only found, and repaired, by a periodic btrfs scrub, so one has to be scheduled.
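The following script is an added example, not part of the original page; it shows how the RAID1 array from the two points above is created, scrubbed and monitored, and how a failing drive is replaced in place (the procedure the disaster recovery section below refers to). The drive names /dev/sda and /dev/sdb, the mount point /srv/samba and the sample `btrfs device stats` output are assumptions. By default the script only prints the btrfs commands (DRY_RUN=1); set DRY_RUN=0 on the real NAS.

```sh
#!/bin/sh
# Added example (not from the page). Assumed names: the two drives are /dev/sda and
# /dev/sdb and the array is mounted on /srv/samba.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the btrfs commands instead of running them
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# RAID1 for both data (-d) and metadata (-m): every block exists on two drives,
# so the array survives the loss of either one.
make_mirror() {   # make_mirror LABEL DEV1 DEV2
    run mkfs.btrfs -L "$1" -d raid1 -m raid1 "$2" "$3"
}

# btrfs verifies a block's checksum when it is read and repairs a bad copy from the
# other drive. Data that is never read is never checked, so a scrub (which reads
# everything) has to be scheduled, e.g. weekly from cron or a systemd timer.
scrub_array() { run btrfs scrub start -B "$1"; }   # -B: foreground, print statistics at the end

# Per-device error counters are persistent; `btrfs device stats MOUNT` prints lines such as
#   [/dev/sdb].corruption_errs  5
# failing_devices reads that output on stdin and prints each device with a non-zero counter.
failing_devices() {
    awk 'NF >= 2 && $2 != 0 { sub(/\]\..*/, "", $1); sub(/^\[/, "", $1); print $1 }' | sort -u
}

# For a cron job the exit status is enough: -c makes `btrfs device stats` return
# non-zero when any counter is non-zero. Mail the output to get "unnoticed failures" noticed.
check_array() {   # check_array MOUNT
    if btrfs device stats -c "$1" >/dev/null; then
        echo "ok"
    else
        btrfs device stats "$1" | failing_devices
        return 1
    fi
}

# A drive that keeps accumulating errors is replaced in place; btrfs rebuilds the
# mirror onto the new drive. Name a dead drive by its devid (from `btrfs filesystem show`)
# when it no longer answers by path.
replace_drive() {   # replace_drive OLD_DEV_OR_DEVID NEW_DEV MOUNT
    run btrfs replace start -B "$1" "$2" "$3"
}

# Constructed sample of `btrfs device stats` output for a self-test: /dev/sdb misbehaves.
SAMPLE_STATS='[/dev/sda].write_io_errs    0
[/dev/sda].read_io_errs     0
[/dev/sda].flush_io_errs    0
[/dev/sda].corruption_errs  0
[/dev/sda].generation_errs  0
[/dev/sdb].write_io_errs    0
[/dev/sdb].read_io_errs     2
[/dev/sdb].flush_io_errs    0
[/dev/sdb].corruption_errs  5
[/dev/sdb].generation_errs  0'

make_mirror nas /dev/sda /dev/sdb
scrub_array /srv/samba
printf '%s\n' "$SAMPLE_STATS" | failing_devices    # prints /dev/sdb
```

After a replacement, `btrfs scrub start -B /srv/samba` once more confirms that every block on the new drive verifies.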
Faulty System Update
The system takes a snapshot of the root filesystem before every system upgrade. If the upgrade fails, the root user can roll the system back to the state before the upgrade.
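The following script is an added example, not part of the original page; it implements both snapshot jobs described above: the daily read-only snapshot of the user data with a retention limit, and the root snapshot taken before a system upgrade. The paths /srv/samba/data (the subvolume the Samba user writes to), /srv/samba/.snapshots and /.snapshots are assumptions. By default the script only prints the btrfs commands (DRY_RUN=1); set DRY_RUN=0 on the real NAS.

```sh
#!/bin/sh
# Added example (not from the page). Assumed layout: the samba user writes to the
# subvolume /srv/samba/data; read-only snapshots go to /srv/samba/.snapshots; the root
# filesystem is a subvolume that is snapshotted into /.snapshots before upgrades.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the btrfs commands instead of running them
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Snapshot names are LABEL-YYYY-MM-DD, so plain sorting is chronological.
snapshot_name() { printf '%s-%s\n' "$1" "$2"; }   # snapshot_name LABEL DATE

# A read-only snapshot (-r) cannot be modified or deleted by the samba user, nor by
# ransomware running under that account: clearing the ro flag or deleting a subvolume
# needs root. Keep SNAPDIR itself owned by root, mode 0755, so the user cannot even
# create entries next to the snapshots.
take_snapshot() {   # take_snapshot SOURCE_SUBVOL SNAPDIR LABEL [DATE]
    src=$1; snapdir=$2; label=$3; day=${4:-$(date +%F)}
    run btrfs subvolume snapshot -r "$src" "$snapdir/$(snapshot_name "$label" "$day")"
}

# Confirm the flag really is set: `btrfs property get -ts PATH ro` prints ro=true.
verify_readonly() { [ "$(btrfs property get -ts "$1" ro)" = "ro=true" ]; }

# Retention: given KEEP and the snapshot names, print the ones older than the KEEP newest.
expired_snapshots() {   # expired_snapshots KEEP NAME...
    keep=$1; shift
    if [ "$#" -gt "$keep" ]; then
        printf '%s\n' "$@" | sort | head -n "$(( $# - keep ))"
    fi
}

prune_snapshots() {   # prune_snapshots SNAPDIR LABEL KEEP
    snapdir=$1; label=$2; keep=$3
    [ -d "$snapdir" ] || { echo "prune: $snapdir does not exist, nothing to do" >&2; return 0; }
    set -- $(ls "$snapdir" | grep "^$label-")
    for old in $(expired_snapshots "$keep" "$@"); do
        run btrfs subvolume delete "$snapdir/$old"   # only root can do this
    done
}

# Daily job (run from cron or a systemd timer as root):
take_snapshot /srv/samba/data /srv/samba/.snapshots data
prune_snapshots /srv/samba/.snapshots data 30      # keep the 30 newest daily snapshots

# Before a system upgrade: snapshot the root subvolume so it can be rolled back.
take_snapshot / /.snapshots root-pre-upgrade
```

Restoring a file after a ransomware incident is then a plain copy out of the matching snapshot directory; rolling the root filesystem back is a `btrfs subvolume snapshot` of the pre-upgrade snapshot back into a writable subvolume, followed by booting from it.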
Master NAS disappears
The master NAS synchronizes the user data to the slave NAS once per day. After the master NAS has been rebuilt, all data up to the last synchronization can be downloaded from the slave NAS. For this, a backup of the connection details of the slave NAS (IP/onion address, port number, ssh public key) has to be kept somewhere other than on the master NAS.
Slave NAS disappears
The master NAS synchronizes the user data to the slave NAS once per day. After the slave NAS has been rebuilt, the data can be synchronized again from the master NAS. The master NAS has to be configured with the connection details of the new slave NAS (IP/onion address, port number, ssh public key).
Unauthorized access to slave NAS drives
The data volume of the slave NAS can be encrypted, so that someone who obtains the drives cannot read them. (This is not covered in this manual yet.)
Unauthorized remote access to slave NAS
In order to protect the data on the slave NAS against unauthorized access via the network, the following protections are in place:
* All commands and data transfers go through an ssh tunnel.
* All ssh access uses a public/private key pair; a user cannot log in with a password.
* All commands are issued as a normal, unprivileged user. sudo allows only a fixed set of commands to run as root. (This is not covered in this manual yet.)
* Repeated failed login attempts get the source IP address blocked automatically. (This is not covered in this manual yet.)
* All ssh communication uses a non-standard port. This only keeps automated scanners out of the logs; the actual barrier is the key-only login.
* The slave NAS has a firewall that blocks all incoming traffic except to the port used for ssh. (This is not covered in this manual yet.)
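The following script is an added example, not part of the original page; it shows the slave-side ssh configuration for the protections listed above and the master-side daily synchronization from the two points before them, done with btrfs send/receive over the ssh tunnel. The account name backup, port 2222, the directories /srv/backup and /srv/samba/.snapshots, and the guard path /usr/local/bin/receive-guard are assumptions. The important part is the forced command: the master's key is only allowed to push snapshots to the slave, never to delete them, so ransomware that reaches the master cannot reach the backup.

```sh
#!/bin/sh
# Added example (not from the page). Assumed names: the slave's unprivileged account is
# "backup", sshd listens on port 2222, received snapshots live in /srv/backup on the slave,
# the master keeps its snapshots in /srv/samba/.snapshots, and the forced-command guard
# below is installed as /usr/local/bin/receive-guard on the slave.
BACKUP_DIR=/srv/backup
SLAVE_PORT=2222

# ---- slave side ------------------------------------------------------------
# sshd_config settings implementing the protections listed above.
slave_sshd_config() {
    cat <<'EOF'
Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers backup
EOF
}

# authorized_keys entry for the master's key. `restrict` turns off port/agent/X11
# forwarding and pty allocation; `command=` makes every login run the guard, whatever the
# client asked for (the request is passed in $SSH_ORIGINAL_COMMAND); `from=` pins the
# source address (use 127.0.0.1 when the slave is reached through a Tor onion service,
# because the connection then arrives from the local tor daemon).
authorized_keys_entry() {   # authorized_keys_entry "PUBKEY" MASTER_ADDR
    printf 'restrict,from="%s",command="/usr/local/bin/receive-guard" %s\n' "$2" "$1"
}

# Allowlist of exactly the two commands a push-style sync needs; prints the command line
# to execute (with sudo where root is needed) or returns 1. Matching sudoers line (assumed):
#   backup ALL=(root) NOPASSWD: /usr/bin/btrfs receive /srv/backup
receive_guard() {   # receive_guard "REQUESTED_COMMAND"
    case $1 in
        "btrfs receive $BACKUP_DIR") echo "sudo btrfs receive $BACKUP_DIR" ;;
        "ls $BACKUP_DIR")            echo "ls $BACKUP_DIR" ;;
        *)                           return 1 ;;
    esac
}

# Entry point of /usr/local/bin/receive-guard.
guard_main() {
    cmd=$(receive_guard "${SSH_ORIGINAL_COMMAND:-}") || { echo "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2; exit 1; }
    exec $cmd    # $cmd is one of the fixed strings above, so word splitting is safe
}

# ---- master side -----------------------------------------------------------
# Newest snapshot name present on both sides: it becomes the -p parent of an
# incremental send, so only the blocks written since then cross the tunnel.
common_parent() {   # common_parent "LOCAL_NAMES" "REMOTE_NAMES"  (newline-separated)
    for name in $(printf '%s\n' "$1" | sort -r); do
        if printf '%s\n' "$2" | grep -qxF "$name"; then
            echo "$name"
            return 0
        fi
    done
}

# Daily push. For an onion address add e.g. -o ProxyCommand='nc -x 127.0.0.1:9050 %h %p'
# (OpenBSD netcat through the local Tor SOCKS port) to SSH_OPTS; assumed setup.
sync_to_slave() {   # sync_to_slave SNAPDIR LABEL backup@SLAVE
    snapdir=$1; label=$2; slave=$3
    SSH_OPTS="-p $SLAVE_PORT -o BatchMode=yes"
    local_names=$(ls "$snapdir" | grep "^$label-")
    remote_names=$(ssh $SSH_OPTS "$slave" "ls $BACKUP_DIR")      # allowed by the guard
    newest=$(printf '%s\n' "$local_names" | sort | tail -n 1)
    parent=$(common_parent "$local_names" "$remote_names")
    if [ "$parent" = "$newest" ]; then
        echo "$newest is already on the slave"
    elif [ -z "$parent" ]; then    # first run or slave rebuilt: full send
        btrfs send "$snapdir/$newest" | ssh $SSH_OPTS "$slave" "btrfs receive $BACKUP_DIR"
    else                           # incremental send relative to the common parent
        btrfs send -p "$snapdir/$parent" "$snapdir/$newest" | ssh $SSH_OPTS "$slave" "btrfs receive $BACKUP_DIR"
    fi
}
```

Run `sync_to_slave /srv/samba/.snapshots data backup@slave` from the master's daily job after the snapshot has been taken. Recovery after the master disappears goes in the opposite direction (send from the slave, receive on the new master) and needs its own, equally restricted, key entry on the slave; it is not shown here.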
Unnoticed failures
* Logging
* Summary mailing
Preparation
Explain that the bootable Arch Linux medium cannot be used to format the drives with btrfs, as btrfs-progs (the Arch package name; Debian calls it btrfs-tools) is missing and has to be installed first.
Prepare arch linux host computer
* Install arch-install-scripts
* Install btrfs-progs
Install slave NAS
Storage layout
Install master NAS
Storage layout
Snapshots
Samba configuration
Master-slave synchronization
synchronization with all drives in one machine
synchronization via LAN
synchronization via SSH
synchronization via TOR
Disaster recovery
Ransomware / Unwanted file deletion
Restoring files from slave NAS
Drive crash
* Determining which drive is faulty
* Replacing the drive and adding the new drive to the array
Data corruption on a drive
* Determining which drive is faulty
* Replacing the drive and adding the new drive to the array
Faulty System Update
* Roll back the snapshot of the system
* Prepare for a new system update
Master NAS disappears
* Rebuild the master NAS
* Reconnect to the slave NAS (regenerate the ssh key, obtain the onion address of the slave)
* Retrieve secrets from the slave NAS (ssh key, onion address)
* Afterwards, follow the procedure under Ransomware / Unwanted file deletion
Slave NAS disappears
* Rebuild the slave NAS
* Recreate the ssh key and the Tor onion address
* Synchronize from the master NAS
Unauthorized access to slave NAS drives
* Drive encryption (not implemented yet)
Unauthorized remote access to slave NAS
* ssh keys
* Firewall
* Unprivileged NAS user
* sudo configuration