Again, please add FTP/SFTP backup destinations for ransomware protection


Author
Message
FloridaMatt
FloridaMatt
New Member
New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)
Group: Forum Members
Posts: 9, Visits: 36
Windows has a nasty habit of caching credentials for SMB shares.  In this age of ransomware, the ideal is to place backup files in a location only accessible to the backup software itself, or to an external administrator.  For example, a NAS folder which can be accessed by only ftp and a NAS administrator using credentials unknown to windows.


Yastis
Yastis
New Member
New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)
Group: Forum Members
Posts: 21, Visits: 119
I would like to endorse the point made by FloridaMatt. I'm running a linux-based homeserver (built from a Shuttle Barebone) for local push mails from my router, longtime backups, movie streaming and so on. Only ProFTPD yawns boredly most of the time. It would be nice to feed him directly with daily backups.

Regards,
Yastis




FloridaMatt
FloridaMatt
New Member
New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)
Group: Forum Members
Posts: 9, Visits: 36
There IS a way to use ftp, but it's imperfect.  I build backup definition files to direct backups to nonexistent drive letter N.  (Reflect complains, but allows this).  For each, I create two batch files (one for each of the two NAS servers I rotate backups between.)  In each batch file I use the third-party program FTPUSE to map N: to an ftp directory (which windows can't otherwise access) just before reflect, and delete the mapping.at the end of the batch file.

The key imperfection in this is that malicious software on the windows box could potentially access the backup directory during a backup.  There's a secondary issue in that the ftp credentials need to be in cleartext in the batch file.  I'm sufficiently paranoid that I addressed that by writing a small program to invoke ftpuse without needing to expose the ftp directory's usercode and password.

One thing:  After reading all the issues with V7 using the SYSTEM account and scheduling, I expect that if I ever move to V7 I may need to schedule the backups myself instead of letting V7 do it. That's how I do backups for an old computer running Reflect free because Macrium only sells a 4-pack instead of the 5-pack I'd otherwise buy.

Another thing:  low-end NAS boxes may allow backups to be faster with ftp than smb.  At least that was the case with a Synology DS212j I used to have.  Backups through FTP achieved significantly higher network speeds. 

Edited 19 March 2017 8:58 PM by FloridaMatt
Trapper
Trapper
New Member
New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)
Group: Forum Members
Posts: 8, Visits: 146
FloridaMatt - 19 March 2017 2:24 PM
Windows has a nasty habit of caching credentials for SMB shares.  In this age of ransomware, the ideal is to place backup files in a location only accessible to the backup software itself, or to an external administrator.


There is a way to protect your backup files against ransomware viri using FolderGuard
http://www.winability.com/folderguard/

1)  Install FolderGuard

2)  Select Reflect.exe & Reflectbin.exe as trusted files (in options ==> trusted list)

3)  Set your Macrium backup files as Read only / Visible in FolderGuard

This protects against ANY unauthorized access to your back up files EXCEPT Macrium.

I've done it this way for years & it has served me well.

Gork
Gork
Guru
Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)
Group: Forum Members
Posts: 563, Visits: 1.6K
Thanks for that hint on Folder Guard.  I'm in the process of switching over to a complete "local drive" solution from having multiple servers and was wondering about a good piece of software to do just this and to lock down a few folders from "prying eyes."  Seems a bit spendy, but your recommendation goes a long way toward making it feel worthwhile.  Do you know off the top of your head if it will lock down folders on removable USB drives as well?

UPDATE:
Found the answer to my question about USB drives.  Yes, but only from the computer Folder Guard is installed on, which makes sense.


OPs can help other forum searchers by highlighting (✔) an answer that resolves the issue.

Edited 20 March 2017 2:02 AM by Gork
Yastis
Yastis
New Member
New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)
Group: Forum Members
Posts: 21, Visits: 119
FloridaMatt - 19 March 2017 8:57 PM
... I'm sufficiently paranoid that I addressed that by writing a small program to invoke ftpuse without needing to expose the ftp directory's usercode and password. ...

Thank you for the hint on Ftpuse. However, it installs "DOKAN file system drivers" in my Windows 10 x64 System. First, I'll give it a try in a VM.
Well, I'm sufficiently paranoid too. Your small program sounds interesting. Do you call Ftpuse directly with hard coded arguments?

@Trapper:
Seems to be a powerful tool, but as Gork says, a bit spendy. On the other hand, Folder Guard could enhance the security in many corners on my drives. Thanks for the hint.

But besides that, the bettermost solution of course would be FTP backup via Macrium Reflect.

Regards,
Yastis



FloridaMatt
FloridaMatt
New Member
New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)
Group: Forum Members
Posts: 9, Visits: 36
[quote]
Yastis - 20 March 2017 11:22 PM
[quote]
FloridaMatt - 19 March 2017 8:57 PM
Thank you for the hint on Ftpuse. However, it installs "DOKAN file system drivers" in my Windows 10 x64 System. First, I'll give it a try in a VM.
Well, I'm sufficiently paranoid too. Your small program sounds interesting. Do you call Ftpuse directly with hard coded arguments?

Yes. Plain old System.Diagnostics.Process.Start("ftpuse.exe", startargs);

Trapper
Trapper
New Member
New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)
Group: Forum Members
Posts: 8, Visits: 146
Ya, you could think FolderGuard is a bit expensive, but look at it this way... compared to the cost of Macrium, it's maybe not so bad.  More importantly, this software is rock solid.  It's NEVER given me any problems over the many years & versions I've used it for.

This is a serious piece of high end security software.  Using it to protect Macrium back up files is only the tip of the iceberg of what it can do (obviously).  IMO I think of FolderGuard the same as I do Macrium.... indispensable.


Yastis
Yastis
New Member
New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)New Member (33 reputation)
Group: Forum Members
Posts: 21, Visits: 119
FloridaMatt - 20 March 2017 11:51 PM
Yes. Plain old System.Diagnostics.Process.Start("ftpuse.exe", startargs);
Okay, thanks. Visual Studio is ready to go.
[smartass mode]To leave the quote part while posting here, you may click on the green "+" (Move Cursor Below) hovering over the quote. This closes the quote properly.[/smartass mode]

Trapper - 21 March 2017 12:47 AM
Ya, you could think FolderGuard is a bit expensive, but look at it this way... compared to the cost of Macrium, it's maybe not so bad.  More importantly, this software is rock solid.  It's NEVER given me any problems over the many years & versions I've used it for.

This is a serious piece of high end security software.  Using it to protect Macrium back up files is only the tip of the iceberg of what it can do (obviously).  IMO I think of FolderGuard the same as I do
Macrium.... indispensable.

I'm running the FolderGuard trial now. Wow, you're absolutely right. Only protecting Macrium back up files with this tool is using a sledge-hammer to crack a nut. I'll buy it almost certainly.

Regards,
Yastis




Edited 21 March 2017 5:08 PM by Yastis
Gork
Gork
Guru
Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)Guru (1.2K reputation)
Group: Forum Members
Posts: 563, Visits: 1.6K
You know, I was just thinking.  If Macrium were to add the ability to create a "secure storage area" to Reflect which would provide a folder that only Reflect could write to, much like part of what Folder Guard can do, it would put Macrium ahead of the pack in imaging software.  I don't think I've seen this feature offered by any competitor.  It'd be a GREAT feature and a boon to business.  I'm sure it'd be a very expansive feature to add, but at the risk of hijacking this thread I'd like to add this ability as a wish list item too.

But for now, I too, see myself purchasing Folder Guard relatively soon.  Hopefully deals beyond their current "$10 off trickery price" are offered from time to time.  But when I get my two 4TB SSDs (I use the word "when" heh) I definitely want Folder Guard to be a part of that "investment."  (One of them will be used to save Reflect images to instead of using a NAS as it is now, and the images will be copied over to one of two USB drives as well.  One will be stored off site.  And with the Folder Guard software it appears I wouldn't have to worry about leaving one plugged in as long as I wanted/needed to.)


OPs can help other forum searchers by highlighting (✔) an answer that resolves the issue.

Edited 21 March 2017 5:30 PM by Gork
GO

Merge Selected

Merge into selected topic...



Merge into merge target...



Merge into a specific topic ID...




Similar Topics

Reading This Topic

Login

Explore
Messages
Mentions
Search