On Fri, Nov 11, 2011 at 1:27 PM, Grant <emailgr...@gmail.com> wrote:
>> [snip]
>>
>>> The problem with my current push-style layout is that if one of the 3
>>> machines is compromised, the attacker can delete or alter the backup
>>> of the compromised machine on the backup server. I can rsync the
>>> backups from the backup server to another machine, but if the backups
>>> are deleted or altered on the backup server, the rsync'ed copy on the
>>> next machine will also be deleted or altered.
>>
>> As a final stage in your backup, could you trigger a 'pull'-style
>> backup copying the data image to a more secure area? How about setting
>
> Even if I pull a copy of the backup to a separate machine from the
> backup server, it will pull an altered copy if an attacker compromises
> one of the systems being backed up and alters that system's backup on
> the backup server. Am I missing something?

If you're not applying any kind of versioning, it doesn't matter if you're pushing or pulling; your backup will eventually be overwritten by a backup of a hacked system unless you catch and respond as soon as the original invasion happens.

So it sounds like the scenario you fear isn't tied to the mechanism you're reconsidering.

--
:wq
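
The versioning point in this reply, shown as an added example that is not part of the original thread: each pull lands in a new dated directory and older ones are never rewritten, so a tampered backup shows up as a diff instead of replacing the last good copy. The function names, directory names and sample files are hypothetical and constructed for illustration; only regular files are handled.

```python
import filecmp, os, shutil, tempfile
from pathlib import Path

def snapshot(source: Path, store: Path, label: str) -> Path:
    """Copy source into a new store/label directory; never touch older snapshots."""
    store.mkdir(parents=True, exist_ok=True)
    older = sorted(p for p in store.iterdir() if p.is_dir())
    prev = older[-1] if older else None
    dest = store / label
    dest.mkdir()  # raises FileExistsError rather than overwrite an existing version
    for src in sorted(source.rglob("*")):
        rel = src.relative_to(source)
        if src.is_dir():
            (dest / rel).mkdir(parents=True, exist_ok=True)
            continue
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev else None
        if old and old.is_file() and filecmp.cmp(src, old, shallow=False):
            try:
                os.link(old, dest / rel)  # unchanged: share storage with the previous version
                continue
            except OSError:
                pass  # filesystem without hard links: fall through to a full copy
        shutil.copy2(src, dest / rel)
    return dest

def diff_snapshots(old: Path, new: Path) -> dict:
    """Report files that were altered or deleted between two snapshots."""
    report = {"altered": [], "deleted": []}
    for f in sorted(p for p in old.rglob("*") if p.is_file()):
        rel = f.relative_to(old)
        if not (new / rel).is_file():
            report["deleted"].append(str(rel))
        elif not filecmp.cmp(f, new / rel, shallow=False):
            report["altered"].append(str(rel))
    return report

def demo() -> tuple:
    """Constructed scenario: a clean pull, then a pull after the backup was tampered with."""
    root = Path(tempfile.mkdtemp())
    src, store = root / "pushed-backup", root / "snapshots"
    src.mkdir()
    (src / "passwd").write_text("root:x:0:0\n")
    (src / "notes.txt").write_text("quarterly numbers\n")
    day1 = snapshot(src, store, "2011-11-10")
    (src / "passwd").write_text("root:x:0:0\nintruder:x:0:0\n")  # altered on the backup server
    (src / "notes.txt").unlink()                                  # deleted on the backup server
    day2 = snapshot(src, store, "2011-11-11")
    return diff_snapshots(day1, day2), (day1 / "passwd").read_text(), (day1 / "notes.txt").exists()
```

The snapshot store only helps if the machines being backed up have no write access to it; the pulling host should be the only writer.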