From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 11154C3C5 for ; Mon, 28 Nov 2022 15:34:26 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C1A7B35462 for ; Mon, 28 Nov 2022 15:34:25 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 28 Nov 2022 15:34:23 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 9956244DA8 for ; Mon, 28 Nov 2022 15:34:22 +0100 (CET) From: Stefan Sterz To: pbs-devel@lists.proxmox.com Date: Mon, 28 Nov 2022 15:34:00 +0100 Message-Id: <20221128143401.610254-1-s.sterz@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.336 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_EU 0.5 Prevalent use of .eu in spam/malware SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 1/2] docs: minor re-phrasing and spell checking clean up X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Nov 2022 14:34:26 -0000 Signed-off-by: Stefan Sterz --- docs/storage.rst | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/docs/storage.rst b/docs/storage.rst index a773b666..5ba419cd 100644 --- a/docs/storage.rst +++ b/docs/storage.rst @@ -383,7 +383,7 @@ Ransomware Protection & Recovery `Ransomware `_ is a type of malware that encrypts files until a ransom is paid. Proxmox Backup Server includes features that help mitigate and recover from ransomware attacks by offering -off-server and off-site synchronizations and easy restoration from backups. +off-server and off-site synchronization and easy restoration from backups. Built-in Protection ~~~~~~~~~~~~~~~~~~~ @@ -399,39 +399,40 @@ The 3-2-1 Rule with Proxmox Backup Server The `3-2-1 rule `_ is simple but effective in protecting important data from all sorts of threats, be it fires, -natural disasters or attacks on your infrastructure by adversaries . +natural disasters or attacks on your infrastructure by adversaries. In short, the rule states that one should create *3* backups on at least *2* different types of storage media, of which *1* copy is kept off-site. Proxmox Backup Server provides tools for storing extra copies of backups in remote locations and on various types of media. -By setting up a remote Proxmox Backup Server you can take advantage of the +By setting up a remote Proxmox Backup Server, you can take advantage of the :ref:`remote sync jobs ` feature and easily create off-site copies of your backups. This is recommended, since off-site instances are less likely to be infected by ransomware in your local network. -You can configure sync jobs to not removed snapshots if they vanished on the +You can configure sync jobs to not remove snapshots if they vanished on the remote-source to avoid that an attacker that took over the source can cause deletions of backups on the target hosts. -If the source-host became victim of a ransomware attack, there's a good chance -that sync jobs will fail triggering an :ref:`error notification +If the source-host became victim of a ransomware attack, there is a good chance +that sync jobs will fail, triggering an :ref:`error notification `. It is also possible to create :ref:`tape backups ` as a second -storage medium. This way you get an additional copy of your data on a -different, for long-term storage designed medium type which can easily be moved -around, be it to and off-site location or, for example into an on-site fire -proof vault for quicker access. +storage medium. This way, you get an additional copy of your data on a +different storage medium designed for long-term storage. Additionally, it can +easily be moved around, be it to and off-site location or, for example, into an +on-site fireproof vault for quicker access. Restrictive User & Access Management ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Proxmox Backup Server offers a comprehensive and fine grained :ref:`user and +Proxmox Backup Server offers a comprehensive and fine-grained :ref:`user and access management ` system. The `Datastore.Backup` privilege, for example, allows only to create, but not to delete or alter existing backups. The best way to leverage this access control system is to: + - Use separate API tokens for each host or Proxmox VE Cluster that should be able to back data up to a Proxmox Backup Server. - Configure only minimal permissions for such API tokens. They should only have @@ -443,8 +444,8 @@ The best way to leverage this access control system is to: permissions, but to perform backup pruning directly on Proxmox Backup Server using :ref:`prune jobs `. -Please note that same also applies for sync jobs. By limiting a sync user's or -an access token's right to only write backups, not delete them, compromised +Please note that the same also applies for sync jobs. By limiting a sync user's +or an access token's right to only write backups, not delete them, compromised clients cannot delete existing backups. Ransomware Detection @@ -461,8 +462,8 @@ To detect ransomware inside a compromised guest, it is recommended to frequently test restoring and booting backups. Make sure to restore to a new guest and not to overwrite your current guest. In the case of many backed-up guests, it is recommended to automate this -restore testing or, if this is not possible, to restore random samples from the -backups periodically (for example, once a week or month). +restore testing. If this is not possible, restoring random samples from the +backups periodically (for example, once a week or month), is advised'. In order to be able to react quickly in case of a ransomware attack, it is recommended to regularly test restoring from your backups. Make sure to restore @@ -470,7 +471,7 @@ to a new guest and not to overwrite your current guest. Restoring many guests at once can be cumbersome, which is why it is advisable to automate this task and verify that your automated process works. If this is not feasible, it is recommended to restore random samples from your backups. -While creating backups is important, verifying that the backups work is equally +While creating backups is important, verifying that they work is equally important. This ensures that you are able to react quickly in case of an emergency and keeps disruption of your services to a minimum. @@ -489,13 +490,13 @@ limited to: * Following safe and secure network practices, for example using logging and monitoring tools and dividing your network so that infrastructure traffic and user or even public traffic are separated, for example by setting up VLANs. -* Set up a long term retention. Since some ransomware might lay dormant a +* Set up a long-term retention. Since some ransomware might lay dormant a couple of days or weeks before starting to encrypt data, it can be that older, existing backups are compromised. Thus, it is important to keep at least a few backups over longer periods of time. For more information on how to avoid ransomware attacks and what to do in case -of a ransomware infection, see official goverment recommendations like `CISA's +of a ransomware infection, see official government recommendations like `CISA's (USA) guide `_ or EU resources like ENSIA's `Threat Landscape for Ransomware Attacks `_ -- 2.30.2