Protect Your Backup Files And Production Server From Intruders!

UNIXy — Fri, 27 Mar 2009 05:06:44 +0000

In this short post, I would like to share a technique that will protect your confidential data even if your backup store were to be compromised. We shall leverage the powerful open source Encryption Filesystem. I’ll go through all steps required to install the software, use it, and finally integrate it with your back up strategy. This is a one-time configuration that doesn’t require much maintenance to keep it going and is well worth it in my opinion.

Off-server or off-network backup procedures are essential to any disaster recovery strategy. Current trends, however, show that little effort is directed at securing the backup node(s) and / or strategy. By storing plain text copies of your confidential databases, accounts, emails, and passwords on remote systems you’re exposing yourself to a host of issues. In light of the incident that affected WHT, if a capable intruder were to compromise your backup store (VPS, FTP, NFS, or server), it won’t take long before the intruder gains access to your production system. The consequences are material and the loss of productivity and revenue can break a business.

Installing EncFS

While I’m only covering installation of EncFS on Debian and Redhat derivatives, it’s relatively easy to install it on other Linux distributions. Special instructions are required to install the tools on OpenVZ. See http://wiki.openvz.org/FUSE

ON DEBIAN DISTRIBUTIONS

Let’s install EncFS and libraries. As root inside the shell prompt, execute the following two commands:

# apt-get install encfs libfuse2
# modprobe fuse

ON REDHAT DISTRIBUTIONS

First you have to add a yum application repository. Create a file called rpmforge.repo under /etc/yum.repos.d/rpmforge.repo and, with a text editor, copy / paste the following in it (this is for centos 5 / redhat 5. Checkout DAG for other versions):

# Name: RPMforge RPM Repository for Red Hat Enterprise 5 – dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever – RPMforge.net – dag
#baseurl = http://apt.sw.be/redhat/el5/en/$basearch/dag
mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1

Save and exit. Then run the following commands as root:

# yum install fuse-encfs dkms-fuse
# modprobe fuse

Using EncFS

EncFS is a set of tools that allow the creation of a filesystem that is by default encrypted. The encrypted filesystem can be mounted similarly to a hard drive. With EncFS, however, the encrypted filesystem is protected by a password. And this is where it’s useful. When you transfer your backup files from your production server to an off-server backup store, you’re transferring and storing clear text files and information. So, how do we use these tools to secure our backup store?

In brief, here are the steps we’re setting to accomplish

A) Initialize a folder on the production server as an EncFS volume and mount it
B) Point our backup scripts to the encrypted volume to store the generated backups
C) Seal the encrypted volume
D) Finally, transfer the encrypted files over to the backup store

A) First of all, we need to initialize the backup filesystem. Here’s are the steps:

# mkdir /encrypted /decrypted
# encfs /encrypted/ /decrypted/
Creating new encrypted volume.
Please choose from one of the following options:
enter “x” for expert configuration mode,
enter “p” for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>

Standard configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: “ssl/blowfish”, version 2:1:1
Filename encoding: “nameio/block”, version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:

At this point in the steps, we have created an encrypted and a decrypted folder. Plain text backups should always be copied in the /decrypted folder. Once copied, we unmounted the decrypted folder and leave all as is. Make sure you remember the Encfs password as it’s the only way to decrypt your backup files.

As a quick demo, let’s copy a random file in /decrypted to see all of this in action

Let’s pick a random file

# du -sh /tmp/unixy.zip
2.9M /tmp/unixy.zip

Mount the encrypted filesystem:

# encfs /encrypted/ /decrypted/# cp /tmp/unixy.zip /decrypted/

# ls -al /decrypted/
total 2948
drwxr-xr-x 2 root root 4096 2009-03-26 13:49 .
drwxr-xr-x 23 root root 4096 2009-03-26 12:39 ..
-rw——- 1 root root 3006176 2009-03-26 13:49 unixy.zip

# ls -al /encrypted/
total 2952
drwxr-xr-x 2 root root 4096 2009-03-26 13:49 .
drwxr-xr-x 23 root root 4096 2009-03-26 12:39 ..
-rw-r—– 1 root root 224 2009-03-26 12:40 .encfs5
-rw——- 1 root root 3006184 2009-03-26 13:49 HMDEZvfTz7HQnO5tyOsgAiIl

B) If you have custom backup scripts, all you have to do in this step is the following

1) Before we modify the backup scripts, we need to store the encryption password in a file under the folder /root. Call it file /root/enc.txt and on the first line type in the password after running the below chmod command.

# touch /root/enc.txt
# chmod 700 /root/enc.txt # The file shouldn’t be readable to anyone other than user root

Add this command at the top of the backup script:

# cat /root/enc.txt | encfs -S /encrypted /decrypted

What this does is “feed” the encryption password to the command “encfs” so it runs unattended. Otherwise, encfs is interactive and might hand waiting for you to enter the password. Remember, we want to set this up and let it run itself.

Add this command at the end of the backup script:

# fusermount -u /decrypted

For cPanel users, you can put include the above two steps in script files called /scripts/precpbackup and /scripts/postcpbackup as such:

Inside file /scripts/precpbackup

#!/bin/bashexport PATH=$PATH:/usr/bin:/usr/sbin:/sbin

cat /root/enc.txt | encfs -S /encrypted /decrypted

# In file /scripts/postcpbackup

#!/bin/bashexport PATH=$PATH:/usr/bin:/usr/sbin:/sbin

fusermount -u /decrypted

Finally, make sure the two scripts are executable:

# chmod +x /scripts/*cpbackup

From WHM, in backup configuration, put /decrypted as the backup folder. And we’re done!

C) Let’s unmount the unencrypted filesystem since we’re done copying our files.

# fusermount -u /decrypted/
# ls -al /decrypted/
total 8
drwxr-xr-x 2 root root 4096 2009-03-26 12:39 .
drwxr-xr-x 23 root root 4096 2009-03-26 12:39 ..
# ls -al /encrypted/
total 2952
drwxr-xr-x 2 root root 4096 2009-03-26 13:49 .
drwxr-xr-x 23 root root 4096 2009-03-26 12:39 ..
-rw-r—– 1 root root 224 2009-03-26 12:40 .encfs5
-rw——- 1 root root 3006184 2009-03-26 13:49 HMDEZvfTz7HQnO5tyOsgAiIl

# ls -al encrypted/HMDEZvfTz7HQnO5tyOsgAiIl
-rw——- 1 root root 3006184 2009-03-26 13:49 encrypted/HMDEZvfTz7HQnO5tyOsgAiIl

Sweet!

D) Transfer the encrypted backup files to the destination backup store

Now your backup files are secure. You can simply SCP or rsync the encrypted files from the encrypted FS /encrypted. Make sure to copy the .encfs5 file located inside the /encrypted directory. Without this file, the encrypted file are NOT recoverable!

UNIXy » WHT

Protect Your Backup Files And Production Server From Intruders!