How to easily backup your shiny new Linux/BSD firewall.

Wed 16 Dec 2009

So, you've just built your new pf or iptables firewall and everything's working. You've done all the due diligence you should by checking your rules with nmap nessus and hping. Your NAT works and all rules pass only the traffic you have allowed.

You can tell your client you're done, right? Well, not quite. Where are the backups for your new firewall? If people make changes, how are you going to see what they changed? Or, if your machine dies, can you easily see what the live config was, or what config broke your box ?

Backups are a pain and as the recent apache.org incident highlighted they can be a cause of concern when deploying a secure system, especially a firewall.

At remotebackupzone we think that Box Backup can help you to backup your firewall installs. If you use our automated install then you can start backing up in under 60 seconds which is really "fire and forget". Because the keys used to encrypt your data are created on your firewall, no one can read any of your files. This is really important for your firewall especially as attackers are getting more and more creative with how they attack your system.

A tip if you are going to use Box Backup on your firewall is to lower the default "MinimumFileAge = 21600" to be "3600" as this gives you a great way to track changes in case your firewall breaks. You could also use boxbackup as a sync for your firewall logs. This can be useful if an attacker manages to compromise your system and deletes your log files. Boxbackup would hold these files for you securely online for any Linux or BSD firewall box.

Secure online Unix PCI compliant mysql backups.

Sat 21 Nov 2009

Here, we present a strategy to backup your mysql databases on Linux and BSD which gives you both quick local restoration and disaster recovery.

The aim of this strategy is to provide:-

• Incremental backups;
• Compressed backups;
• Disaster recovery;
• Automation using cron and a simple script;
• A solution that will work with hosted environments;
• Bandwidth efficiency by using 'rsyncable' option for gzip;
• HIPPA and PCI compliancy;
• Security of your offsite backup using Box Backup.

Step 1.  Create required directories by typing:

# mkdir -p /home/backups/mysql_backup
# mkdir -p /home/backups/disaster_recovery

Step 2.  Create mysql-backup script by entering:

# touch /usr/local/sbin/mysql-backup
# chmod 755 /usr/local/sbin/mysql-backup

Step 3.  Open /usr/local/sbin/mysql-backup with your favourite editor.  Copy and paste all of the following script into the file:

#!/bin/sh

# Change the following to match your environment

BDIR="/home/backups/mysql_backup" # Directory to store local backups
DRECOVERY="/home/backups/disaster_recovery" # Directory to store backups for upstream
bname="rbz" # Base name for backup
password="test" # Mysql password
mysql_dump="/usr/bin/mysqldump" # Mysqldump
rsync_binary="/usr/bin/rsync" # Rync

# Change the following to suit your needs here we are creating 7 days worth of backups

# Create 7 days worth of backups and copy todays backup for disaster recovery.
daily_backup()
{
rm -f $BDIR/$b_name-7daysago.sql.gz
mv $BDIR/$bname-6daysago.sql.gz $BDIR/$bname-7daysago.sql.gz
mv $BDIR/$bname-5daysago.sql.gz $BDIR/$bname-6daysago.sql.gz
mv $BDIR/$bname-4daysago.sql.gz $BDIR/$bname-5daysago.sql.gz
mv $BDIR/$bname-3daysago.sql.gz $BDIR/$bname-4daysago.sql.gz
mv $BDIR/$bname-2daysago.sql.gz $BDIR/$bname-3daysago.sql.gz
mv $BDIR/$bname-1dayago.sql.gz $BDIR/$bname-2daysago.sql.gz
mv $BDIR/$bname-today.sql.gz $BDIR/$bname-1dayago.sql.gz

# We are dumping --all-databases you may want something else, here are your options.
#mysqldump [options] db_name [tables]
# mysqldump [options] --databases db_name1 [db_name2 db_name3...]
# mysqldump [options] --all-databases

$mysql_dump -u root -p$password --all-databases | gzip --rsyncable >$BDIR/$bname-today.sql.gz
$rsync_binary -av $BDIR/$bname-today.sql.gz $DRECOVERY/$bname-today.sql.gz
}

# Copy 7daysago backup to start a 4 weekly rotation of our database.

weekly_backup()
{
if [ -e $BDIR/$bname-7daysago.sql.gz ]; then
rm -f $BDIR/$b_name-weekly.4.sql.gz
mv $BDIR/$bname-weekly.3.sql.gz $BDIR/$bname-weekly.4.sql.gz
mv $BDIR/$bname-weekly.2.sql.gz $BDIR/$bname-weekly.3.sql.gz
mv $BDIR/$bname-weekly.1.sql.gz $BDIR/$bname-weekly.2.sql.gz
mv $BDIR/$bname-weekly.0.sql.gz $BDIR/$bname-weekly.1.sql.gz
cp $BDIR/$bname-7daysago.sql.gz $BDIR/$bname-weekly.0.sql.gz
else
echo "ERROR no weekly backup $bname-7daysago.sql.gz does not exist"
fi
}

# Copy weekly.4 and make 5 months worth of backups

monthly_backup()
{
if [ -e $BDIR/$bname-weekly.4.sql.gz ]; then
rm -f $BDIR/$b_name-monthly.4.sql.gz
mv $BDIR/$bname-monthly.3.sql.gz $BDIR/$bname-monthly.4.sql.gz
mv $BDIR/$bname-monthly.2.sql.gz $BDIR/$bname-monthly.3.sql.gz
mv $BDIR/$bname-monthly.1.sql.gz $BDIR/$bname-monthly.2.sql.gz
mv $BDIR/$bname-monthly.0.sql.gz $BDIR/$bname-monthly.1.sql.gz
cp $BDIR/$bname-weekly.4.sql.gz $BDIR/$bname-monthly.0.sql.gz
else
echo "ERROR no monthly backup $bname-weekly.4.sql.gz does not exist"
fi


}

usage() {
echo "Usage: $0 options"
echo
echo "Options:"
echo
echo " daily - Dump daily backup"
echo " weekly - Take 7days ago backup for weekly"
echo " monthly - Take weekly.4 backup and make month.0"
}


START=`date`
echo "Creating $1 mysql backup"
echo

if [ $# = 0 ]; then usage; exit 1; fi

for i in $*
do
case $i in
daily)
daily_backup
;;
weekly)
weekly_backup
;;
monthly)
monthly_backup
;;
*)
echo "********** Abort! Abort! **********"
echo "Non supported option encountered: $i"
echo "Exiting......."
echo
exit 1
;;
esac
done
echo
echo "Start Time : $START"
echo "Finish Time : `date`"
echo

Step 4.  Test the script works by running the following:

#/usr/local/sbin/mysql-backup daily
#ls /home/backups/mysql_backups/
#rbz-today.sql.gz
#ls /home/backups/disaster_recovery/
#rbz-today.sql.gz

Step 5.  Create a cron tab to run script daily, weekly and monthly with:

# crontab -e

Step 6.  Paste the following into the crontab:

# do daily/weekly/monthly mysql backus
30 0 * * * /usr/local/sbin/mysql-backup daily
30 1 * * 6 /usr/local/sbin/mysql-backup weekly
30 2 1 * * /usr/local/sbin/mysql-backup monthly

Using the above, after 4 months you will end up with your /home/backups/mysql_backup directory containing the following:

rbz-1dayago.sql.gz rbz-6daysago.sql.gz rbz-today.sql.gz
rbz-2daysago.sql.gz rbz-monthly.0.sql.gz rbz-weekly.0.sql.gz
rbz-3daysago.sql.gz rbz-monthly.1.sql.gz rbz-weekly.1.sql.gz
rbz-4daysago.sql.gz rbz-monthly.2.sql.gz rbz-weekly.2.sql.gz
rbz-5daysago.sql.gz rbz-monthly.3.sql.gz rbz-weekly.3.sql.gz

And a /home/backups/disaster_recovery directory with only the following file.

rbz-today.sql.gz

The local backup routine is now complete.  The next step is to create a backup for disaster recovery using Box Backup.  The Box Backup client will provide the following;-

• Automation;
• Multiple versions of our rbz-today.sql.gz file;
• Encryption;
• Bandwidth efficiency.

Warning you must backup the FileEncKeys.raw file as your database will be encrypted with this file.

How secure are your online backups ?

Thu 29 Oct 2009

When looking at online backup solutions, it is paramount to consider how secure your data is with your chosen provider.

Statements from providers that you should discard;

• We use a really secure password to protect your data. (How do you know the password is secure and who has access to this password? It is a bit like giving your front door keys to a stranger and hoping that nothing gets stolen. )
• We are using our own proprietary software that no third party has audited. (It is impossible to know whether the software is actually doing what the marketing speak tells you on their site.)
• All data is encrypted but you can access it via any web browser with a user name and password. (If I can access the data through a web browser then are we really sure my data is safe?)
• We recommend you encrypt your data with our default key. (Some providers want you to use a generic key to store your data, well there is no real point to the encryption.)

What you should be looking for;

• The key that encrypts the data should be in your possession and controlled by you and only you. (This means no one except you can view your data.)
• Ideally, authentication should only be possible using Public Key Infrastructure. (Using PKI ensures that you are the only remote user who can access your data.)
• The authenticity of the server you connect to should also be checked using PKI. (If your provider does not perform this step then you may be open to a man-in-the-middle attack.)
• The transport layer should also be encrypted. (If the transport layer is not encrypted, your data can be read in transit.)

At Remote Backup Zone we think Ben Summers the orginal author of Box Backup has solved the above issues in a way that does not impact the user. Transport Layer Security is used to encrypt connections, and more importantly, to authenticate servers and clients with both server and client side certificates. Your data's security is guaranteed by the raw key that is created on your machine. Stored files are encrypted using AES for file data and Blowfish for metadata. There is a down side to this approach inasmuch you must backup the raw key. This down side is easily fixed with removable media like USB sticks or cd-rom. Just store your USB stick or cd-rom somewhere safe or off site. You could even use something like GPG or Password Safe to keep your key encrypted.

There are secure alternatives to Box Backup, such as Encrypted Backups For Paranoiacs . However, Box Backup is an automated process where as the above recipe contains lots of manual steps.

Further warnings from SANS Institute on why you should care about your backup security;

• http://www.sans.org/top20/#s4
• http://isc.sans.org/diary.html?storyid=187

More information on Box Backups use of certificates and further comparisons to other backup systems;

• http://www.boxbackup.org/trac/wiki/ManagingKeysAndCertificates
• http://www.boxbackup.org/comparison.html

Affordable backups for Linux and BSD

Fri 16 Oct 2009

At remotebackupzone we have been working hard to deliver an affordable backup solution. We have started by supporting Linux and BSD as this is what we know best.

Remotebackupzone currently provides backups using Box Backup. Remotebackupzone was born from our own search for a backup provider that was affordable, guaranteed the security of our data and supported both Linux and BSD. We looked at lots of providers but were unable to find any that met these requirements. Remotebackupzone is commited to being fair on price and delivering a solid service.