Well... yes, if you use TLS Verify Peer, then the TLS library is your first
line of defence because you shouldn't be able to connect with a peer
without a valid certificate. I don't see any mention of CRLs in the TLS
configuration directives though, so you might want to think about how you would
like to address a possible issue with a compromised client (you can
explicitly allow specified CNs with the TLS Allowed CN option as a workaround).
In general, a compromised client - unless abusing some error in the
director software - shouldn't be able to exploit the director. As you
can see in the picture at
https://docs.bareos.org/IntroductionAndTutorial/WhatIsBareos.html#interactions-between-the-bareos-services
even though it might be the FD that connects to the DIR (if you don't
use passive clients), it's the Director that issues commands to the FD.
Of course a rogue FD could try to generate an endless stream of data, but
you can mitigate it to some extent by - for example - limiting job run
time or fiddling with Maximum Volume Jobs and Maximum Volume Bytes in
the case of file-backed storage.
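A Director-side configuration sketch that puts the points above together: mutual TLS with Verify Peer, an explicit CN allow-list as the workaround for the missing CRL handling, client-initiated connections only, and a job run-time cap plus pool limits against an FD that floods the storage. This is an added illustration, not configuration from this thread or from the Bareos project; the host names, certificate paths, passwords, JobDefs name and limits are placeholders, and the Connection From Client To Director / Connection From Director To Client pair is assumed to be available in the Bareos version in use.

```text
# Added example (not from the thread or the Bareos project).
# Host names, paths, passwords and limits are placeholders.

Director {
  Name = bareos-dir
  Password = "REPLACE-WITH-DIRECTOR-PASSWORD"
  # Require TLS and verify the peer certificate against our own CA:
  # a peer without a CA-signed certificate never completes the handshake.
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/bareos/tls/ca.crt
  TLS Certificate = /etc/bareos/tls/bareos-dir.crt
  TLS Key = /etc/bareos/tls/bareos-dir.key
  # No CRL directive here, so the CN allow-list is the revocation workaround:
  # remove a CN from this list to lock out a client you consider compromised.
  TLS Allowed CN = "site-a-fd.example.org"
  TLS Allowed CN = "site-b-fd.example.org"
}

Client {
  Name = site-a-fd
  Address = site-a-fd.example.org
  Password = "REPLACE-WITH-CLIENT-PASSWORD"
  # The FD dials in; the Director never opens a connection towards the site.
  Connection From Client To Director = yes
  Connection From Director To Client = no
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/bareos/tls/ca.crt
  TLS Certificate = /etc/bareos/tls/bareos-dir.crt
  TLS Key = /etc/bareos/tls/bareos-dir.key
}

Job {
  Name = backup-site-a
  JobDefs = "DefaultJob"   # assumed to define FileSet, Schedule, Storage, Messages
  Client = site-a-fd
  Pool = Full-FileStorage
  # Bound how long a rogue FD can keep streaming data into a single job.
  Max Run Time = 6 hours
}

Pool {
  Name = Full-FileStorage
  Pool Type = Backup
  # Cap per-volume growth so a flooding client cannot fill file-backed storage
  # faster than recycling and monitoring can react.
  Maximum Volume Jobs = 1
  Maximum Volume Bytes = 50G
  Volume Retention = 30 days
  Label Format = "Full-"
}
```

The CN allow-list only helps if every client certificate carries a distinct CN and the list is kept short; network or OS level filtering of the Director port, as suggested further down the thread, remains the complementary control.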
On 24.09.2021 21:57, Alexandre Denault wrote:
Hi,
I understand that there is a risk for any application on the Internet.
Heck, even Nginx and Apache have a certain risk.
I'm trying to gauge the amount of risk based on the security of the
director. My understanding is that I would need to expose a TLS socket
which no one can interact with without an acceptable key. That said, I
understand that if one of my clients is compromised, then the attacker
would have a foothold on the director.
Should this be a concern? Can a "rogue" file client really do any
damage other than to its backup? I guess it could try filling the storage
pool. Or am I being paranoid?
Cheers,
On Fri, Sep 24, 2021 at 2:36 PM Spadajspadaj wrote:
In case of multi-location setup you need to think about ways of
limiting access and connection direction.
I have a "reverse" setup - I needed passive clients so I can
initiate connections from director/sd _to_ fd. You might need the
opposite, as I see, so it's pretty standard.
There is _always_ a risk when you're putting something open to the
internet, so if you want to limit your exposure, think about
filtering the traffic on the network/OS level (limiting access to
bareos ports only to specific addresses), and of course you can
always think about setting up a VPN between your locations.
On 24.09.2021 09:25, Florian Panzer - PLUSTECH GmbH wrote:
We're running this setup (public director + client-initiated fd
connections) with overall success.
No problems so far - apart from the usual* ;)
I'm sure nobody will guarantee that there are no security flaws
- there most likely are.
*) bareos-dir crashing on typo in config followed by reload
*) bareos-dir crashing because it's tuesday
Florian Panzer
-----------------------------------
PLUSTECH GmbH
Jäckstraße 35
96052 Bamberg
Phone: +49 951 299 09 716
https://plustech.de/
Managing Director: Florian Panzer
Amtsgericht Bamberg - HRB 9680
-----------------------------------
On 24.09.21 at 02:51, Alexandre Denault wrote:
Hi,
I'm working on a somewhat complicated Bareos setup and it would
be much simpler/easier to host the Bareos Director over the
Internet. Combined with Active Storage and File clients, it
would simplify my multisite setup greatly.
That said, is the Bareos Director robust enough to be hosted
over the Internet? Is it secure? I would assume that any client
without a private key recognized by the Director would not be
able to interact with it.
Thanks,
Alex
--
You received this message because you are subscribed to the
Google Groups "bareos-users" group.
To unsubscribe from this group and stop receiving emails from
it, send an email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/bareos-users/08188095-4800-413c-88b7-ccc66bc57bacn%40googlegroups.com
<https://groups.google.com/d/msgid/bareos-users/08188095-4800-413c-88b7-ccc66bc57bacn%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
Alexandre Denault
Senior Director, Technology Operations
Ludia Inc.