[pbs-devel] [PATCH proxmox-backup 0/5] added section on ransomware to docs

[pbs-devel] [PATCH proxmox-backup 0/5] added section on ransomware to docs

[Noel Ullreich]

added section on ransomware to pbs docs consisting of a section in
backup storage and a bullet point in the main features section.

also fixed a few minor typos in the docs


Noel Ullreich (5):
  readme: fixed typo in readme
  docs: changed wording
  docs: fixed capitalization
  docs: main features ransomware
  docs: added section on ransomware

 README.rst            |  2 +-
 docs/introduction.rst | 15 ++++++-----
 docs/storage.rst      | 58 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+), 7 deletions(-)

-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 1/5] readme: fixed typo in readme

[Noel Ullreich]

From: Noel Ullreich <nullreich@eloa.proxmox.com>

fixed a typo in the readme because i am a huge pedant

Signed-off-by: Noel Ullreich <n.ullreich@proxmox.com>
---
 README.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.rst b/README.rst
index 53f53e42..934c49ec 100644
--- a/README.rst
+++ b/README.rst
@@ -65,7 +65,7 @@ You are now able to build using the Makefile or cargo itself, e.g.::
 Design Notes
 ************
 
-Here are some random thought about the software design (unless I find a better place).
+Here are some random thoughts about the software design (unless I find a better place).
 
 
 Large chunk sizes
-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 2/5] docs: changed wording

[Noel Ullreich]

From: Noel Ullreich <nullreich@eloa.proxmox.com>

while delta is not wrong, i think deltas sounds more fluent here, since all other nouns are pluralized here

Signed-off-by: Noel Ullreich <n.ullreich@proxmox.com>
---
 docs/introduction.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/introduction.rst b/docs/introduction.rst
index 369e7e29..ca4003ae 100644
--- a/docs/introduction.rst
+++ b/docs/introduction.rst
@@ -56,7 +56,7 @@ Main Features
    space used.
 
 :Incremental backups: Changes between backups are typically low. Reading and
-   sending only the delta reduces the storage and network impact of backups.
+   sending only the deltas reduces the storage and network impact of backups.
 
 :Data Integrity: The built-in `SHA-256`_ checksum algorithm ensures accuracy and
    consistency in your backups.
-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 3/5] docs: fixed capitalization

[Noel Ullreich]

From: Noel Ullreich <nullreich@eloa.proxmox.com>

Updated capitalization to be consistent. Imo, since these are bulletpoints and not headings, they should be in lowercase

Signed-off-by: Noel Ullreich <n.ullreich@proxmox.com>
---
 docs/introduction.rst | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/introduction.rst b/docs/introduction.rst
index ca4003ae..2f392157 100644
--- a/docs/introduction.rst
+++ b/docs/introduction.rst
@@ -58,10 +58,10 @@ Main Features
 :Incremental backups: Changes between backups are typically low. Reading and
    sending only the deltas reduces the storage and network impact of backups.
 
-:Data Integrity: The built-in `SHA-256`_ checksum algorithm ensures accuracy and
+:Data integrity: The built-in `SHA-256`_ checksum algorithm ensures accuracy and
    consistency in your backups.
 
-:Remote Sync: It is possible to efficiently synchronize data to remote
+:Remote sync: It is possible to efficiently synchronize data to remote
    sites. Only deltas containing new data are transferred.
 
 :Compression: The ultra-fast Zstandard_ compression is able to compress
@@ -79,13 +79,13 @@ Main Features
 :Web interface: Manage the Proxmox Backup Server with the integrated, web-based
    user interface.
 
-:Open Source: No secrets. Proxmox Backup Server is free and open-source
+:Open source: No secrets. Proxmox Backup Server is free and open-source
    software. The source code is licensed under AGPL, v3.
 
-:No Limits: Proxmox Backup Server has no artificial limits for backup storage or
+:No limits: Proxmox Backup Server has no artificial limits for backup storage or
    backup-clients.
 
-:Enterprise Support: Proxmox Server Solutions GmbH offers enterprise support in
+:Enterprise support: Proxmox Server Solutions GmbH offers enterprise support in
    the form of `Proxmox Backup Server Subscription Plans
    <https://www.proxmox.com/en/proxmox-backup-server/pricing>`_. Users at every
    subscription level get access to the Proxmox Backup :ref:`Enterprise
-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 4/5] docs: main features ransomware

[Noel Ullreich]

From: Noel Ullreich <nullreich@eloa.proxmox.com>

added ransomware protection as main feature of pbs

Signed-off-by: Noel Ullreich <n.ullreich@proxmox.com>
---
 docs/introduction.rst | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/introduction.rst b/docs/introduction.rst
index 2f392157..f1dec018 100644
--- a/docs/introduction.rst
+++ b/docs/introduction.rst
@@ -76,6 +76,9 @@ Main Features
    provides extensive support for backing up to tape and managing tape
    libraries.
 
+:Ransomware protection:  Proxmox Backup Server provides protection from ransomware attacks via checksums and
+   user access control as well as mitigation of ransomware attacks by restoring from tape backups and remote syncs. 
+
 :Web interface: Manage the Proxmox Backup Server with the integrated, web-based
    user interface.
 
-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 5/5] docs: added section on ransomware

[Noel Ullreich]

From: Noel Ullreich <nullreich@eloa.proxmox.com>

Added a section on ransomware that lists the features
offered by pbs to protect from ransomware as well as
best practices outside of pbs

Signed-off-by: Noel Ullreich <n.ullreich@proxmox.com>
---
 docs/storage.rst | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/docs/storage.rst b/docs/storage.rst
index c4e44c72..60991cb9 100644
--- a/docs/storage.rst
+++ b/docs/storage.rst
@@ -374,3 +374,61 @@ with a comma, like this:
 .. code-block:: console
 
   # proxmox-backup-manager datastore update <storename> --tuning 'sync-level=filesystem,chunk-order=none'
+
+.. _ransomware_protection:
+
+Ransomware Protection
+---------------------
+
+Prevention by Proxmox Backup Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`Ransomware <https://en.wikipedia.org/wiki/Ransomware>`_ is a type of malware that
+encrypts files until a ransom is paid. Proxmox Backup Server includes features to 
+prevent ransomware attacks.
+
+Proxmox Backup Server does not allow for existing chunks of a backup to be re-uploaded.
+This means that a compromised Proxmox VE cannot corrupt existing backups.
+
+Furthermore, comprehensive :ref:`user management <user_mgmt>` is offered in Proxmox
+Backup Server. By limiting a sync user's or an access token's right to only write 
+backups, not delete them, compromised Proxmox VEs cannot delete existing backups. Backup
+pruning should be done by the Proxmox Backup Server itself.
+
+Should a guest running in a Proxmox VE instance become compromised and encrypted,
+it can no longer be backed up by a Proxmox Backup Server instance. This is because the 
+SHA-256 checksum can no longer be read. This should alert you that your backups are
+corrupted and might indicate a compromised Proxmox VE (although it should be noted that
+verify jobs can also fail for other reasons, such as bit rot).
+
+To detect ransomware inside a compromised guest, it is recommended to frequently
+restore and boot backups fully. In the case of many backed-up guests, it is
+recommended to automate this restore testing or, if this is not possible, to restore
+random samples from the backups.
+
+Other Prevention Methods and Best Practices
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+It is recommended to take additional security measures, apart form the ones offered
+by Proxmox Backup Server. These recommendations include, but are not limited to: 
+
+* Using `two-factor authentification <https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pveum_tfa_auth>`_ 
+  for user management in the Proxmox Virtual Environment.
+* Using `Fail2ban <https://pve.proxmox.com/wiki/Fail2ban>`_ to secure the 
+  Proxmox Virtual Environment web interface. Fail2ban monitors login attempts and
+  temporarily bans IP addresses that try unsuccessfully to log in too many times.
+* Using `RSA keys with SSH <https://wiki.debian.org/SSH>`_.
+* Keeping the firmware and software up-to-date to patch exploits and vulnerabilities
+  (such as `spectre <https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)>`_ or
+  `meltdown <https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)>`_).
+* Following safe and secure network practices, for example using logging and
+  monitoring tools and setting up vlans.
+* Making plenty of backups using the
+  `3-2-1 rule <https://en.wikipedia.org/wiki/Backup#Storage>`_: creating
+  3 backups on 2 storage media, of which 1 copy is kept offsite.
+* Retaining backups for a few months. Some ransomware might only be encrypted weeks after an infection.
+* Creating :ref:`tape backups <tape_backup>` and :ref:`remote sync jobs <backup_remote>`.
+* Restore testing: frequently test if the backups of the guests can be correctly restored.
+
+For more information on how to avoid ransomware attacks and what to do in case of a ransomware infection, see `Cisa <https://www.cisa.gov/stopransomware/ransomware-guide>`_.
+
-- 
2.30.2

Re: [pbs-devel] [PATCH proxmox-backup 1/5] readme: fixed typo in readme

[Thomas Lamprecht]

Am 23/11/2022 um 18:48 schrieb Noel Ullreich:
> From: Noel Ullreich <nullreich@eloa.proxmox.com>

erm, fix your git config I guess?

https://pve.proxmox.com/wiki/Developer_Documentation#Using_git

-> git config --global user.email 'n.ullreich@proxmox.com'

You can then rebase the series interactively, stopping on each commit
and use `git commit --amend --reset-author` to fix-up the author to the
currently configured, now hopefully correct, name+mail.

Re: [pbs-devel] [PATCH proxmox-backup 4/5] docs: main features ransomware

[Thomas Lamprecht]

Am 23/11/2022 um 18:48 schrieb Noel Ullreich:
> From: Noel Ullreich <nullreich@eloa.proxmox.com>
> 
> added ransomware protection as main feature of pbs
> 

I'd squash this into the next patch and directly link to the new section.

> Signed-off-by: Noel Ullreich <n.ullreich@proxmox.com>
> ---
>  docs/introduction.rst | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/docs/introduction.rst b/docs/introduction.rst
> index 2f392157..f1dec018 100644
> --- a/docs/introduction.rst
> +++ b/docs/introduction.rst
> @@ -76,6 +76,9 @@ Main Features
>     provides extensive support for backing up to tape and managing tape
>     libraries.
>  
> +:Ransomware protection:  Proxmox Backup Server provides protection from ransomware attacks via checksums and
> +   user access control as well as mitigation of ransomware attacks by restoring from tape backups and remote syncs. 

"code" style wise: please avoid overly long lines, target 80cc text-width,
also extra white space after the colon.

content wise I'd drop starting with PBS here and avoid mentioning "ransomware attack"
as often as three times, e.g., something like:

:Ransomware protection: Protect your critical data from ransomware attacks with
   Proxmox Backup Server's fine-grained access control, data integrity
   verification, and off-site backup through remote sync and tape backup.

> +
>  :Web interface: Manage the Proxmox Backup Server with the integrated, web-based
>     user interface.
>  

Re: [pbs-devel] [PATCH proxmox-backup 5/5] docs: added section on ransomware

[Thomas Lamprecht]

in general there are various trailing whitespace

```
Applying: docs: added section on ransomware
.git/rebase-apply/patch:23: trailing whitespace.
encrypts files until a ransom is paid. Proxmox Backup Server includes features to 
.git/rebase-apply/patch:30: trailing whitespace.
Backup Server. By limiting a sync user's or an access token's right to only write 
.git/rebase-apply/patch:35: trailing whitespace.
it can no longer be backed up by a Proxmox Backup Server instance. This is because the 
.git/rebase-apply/patch:49: trailing whitespace.
by Proxmox Backup Server. These recommendations include, but are not limited to: 
.git/rebase-apply/patch:51: trailing whitespace.
* Using `two-factor authentification <https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pveum_tfa_auth>`_ 
warning: squelched 2 whitespace errors
warning: 7 lines add whitespace errors.
```



Am 23/11/2022 um 18:48 schrieb Noel Ullreich:
> From: Noel Ullreich <nullreich@eloa.proxmox.com>
> > Added a section on ransomware that lists the features
> offered by pbs to protect from ransomware as well as
> best practices outside of pbs
> 
> Signed-off-by: Noel Ullreich <n.ullreich@proxmox.com>
> ---
>  docs/storage.rst | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 58 insertions(+)
> 
> diff --git a/docs/storage.rst b/docs/storage.rst
> index c4e44c72..60991cb9 100644
> --- a/docs/storage.rst
> +++ b/docs/storage.rst
> @@ -374,3 +374,61 @@ with a comma, like this:
>  .. code-block:: console
>  
>    # proxmox-backup-manager datastore update <storename> --tuning 'sync-level=filesystem,chunk-order=none'
> +
> +.. _ransomware_protection:
> +
> +Ransomware Protection
> +---------------------
> +
> +Prevention by Proxmox Backup Server
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +`Ransomware <https://en.wikipedia.org/wiki/Ransomware>`_ is a type of malware that
> +encrypts files until a ransom is paid. Proxmox Backup Server includes features to 
> +prevent ransomware attacks.

We cannot prevent ransomware attacks in general on a setup/datacenter/..., but PBS can
be used to insure against such attacks by making it possible, and relatively easy to
recover by restoring a backup.

> +
> +Proxmox Backup Server does not allow for existing chunks of a backup to be re-uploaded.

It does not re-writes data for existing blocks, making them immutable. As just because
our (uncompromised) client does not uploads chunks again as optimization you can do so
just fine, and it's not forbidden on an api level, but, and that's the important thing,
we don't re-write the data if it already exisits but only touch (update) the access time.

IMO that difference is important, as somebody testing this would be surprised after
reading this, if they can re-upload chunks (seemingly!) just fine as the API tells
OK.

> +This means that a compromised Proxmox VE cannot corrupt existing backups.
s/Proxmox VE/Proxmox VE host/ or maybe even include clients more generally, something
like (not closely typo checked):

This means that a compromised Proxmox VE host, or any other compromised system using
the client to backup data, cannot corrupt existing backups.

> +
> +Furthermore, comprehensive :ref:`user management <user_mgmt>` is offered in Proxmox
> +Backup Server. By limiting a sync user's or an access token's right to only write 
> +backups, not delete them, compromised Proxmox VEs cannot delete existing backups. Backup
> +pruning should be done by the Proxmox Backup Server itself.

"In that case, backup pruning should be handled on the Proxmox Backup Server using
prune jobs."

> +
> +Should a guest running in a Proxmox VE instance become compromised and encrypted,
> +it can no longer be backed up by a Proxmox Backup Server instance. This is because the 

huh? a encrypted guest can be backed up just fine? Otherwise users couldn't use
desired encryption for privacy/integrity, e.g. things like LUKS in the guest.

> +SHA-256 checksum can no longer be read. This should alert you that your backups are
> +corrupted and might indicate a compromised Proxmox VE (although it should be noted that
> +verify jobs can also fail for other reasons, such as bit rot).

Do you mean restore test here? this section seems off

> +
> +To detect ransomware inside a compromised guest, it is recommended to frequently

maybe hint that its restore _test_ing (not that people think they need to restore over
existing guests ^^)
s/frequently restore and boot backups fully/frequently test restoring and booting backups/

> +restore and boot backups fully. In the case of many backed-up guests, it is
> +recommended to automate this restore testing or, if this is not possible, to restore
> +random samples from the backups.
> +
> +Other Prevention Methods and Best Practices
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +It is recommended to take additional security measures, apart form the ones offered
> +by Proxmox Backup Server. These recommendations include, but are not limited to: 

wouldn't half of this section fit better into PVE? So that PBS docs only links at that
and gives tipps here about how to make PBS more resistant (use API tokens, setup remote
sync, ...) - can be done later too though, for now I'd just keep fail2ban and TFA tipss
for PVE out, we're talking about PBS-as-insurance-for-after-the-fact here.

> +
> +* Using `two-factor authentification <https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pveum_tfa_auth>`_ 

s/authentification/authentication/

> +  for user management in the Proxmox Virtual Environment.
> +* Using `Fail2ban <https://pve.proxmox.com/wiki/Fail2ban>`_ to secure the 
> +  Proxmox Virtual Environment web interface. Fail2ban monitors login attempts and
> +  temporarily bans IP addresses that try unsuccessfully to log in too many times.



> +* Using `RSA keys with SSH <https://wiki.debian.org/SSH>`_.

Why RSA, are ecdsa, ... insecure?

> +* Keeping the firmware and software up-to-date to patch exploits and vulnerabilities
> +  (such as `spectre <https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)>`_ or
> +  `meltdown <https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)>`_).
> +* Following safe and secure network practices, for example using logging and
> +  monitoring tools and setting up vlans.

s/vlans/VLANs/

> +* Making plenty of backups using the
> +  `3-2-1 rule <https://en.wikipedia.org/wiki/Backup#Storage>`_: creating
> +  3 backups on 2 storage media, of which 1 copy is kept offsite.

s/offsite/off-site/

> +* Retaining backups for a few months. Some ransomware might only be encrypted weeks after an infection.

maybe rather something along:

Retaining backups for a longer period, using Proxmox Backup Server's
flexible retention keep settings, as you may only notice that guest got
encrypted by an attacker after some days or even weeks, which makes the
newer backups unusable too.

> +* Creating :ref:`tape backups <tape_backup>` and :ref:`remote sync jobs <backup_remote>`.

I'd flesh that out as short e.g. "Off-Site Safe Keeping" sub-section above.

> +* Restore testing: frequently test if the backups of the guests can be correctly restored.
> +
> +For more information on how to avoid ransomware attacks and what to do in case of a ransomware infection, see `Cisa <https://www.cisa.gov/stopransomware/ransomware-guide>`_.
> +

overly long line