* [pbs-devel] [PATCH proxmox-backup 1/2] docs: minor re-phrasing and spell checking clean up
@ 2022-11-28 14:34 Stefan Sterz
From: Stefan Sterz @ 2022-11-28 14:34 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
---
docs/storage.rst | 37 +++++++++++++++++++------------------
1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/docs/storage.rst b/docs/storage.rst
index a773b666..5ba419cd 100644
--- a/docs/storage.rst
+++ b/docs/storage.rst
@@ -383,7 +383,7 @@ Ransomware Protection & Recovery
`Ransomware <https://en.wikipedia.org/wiki/Ransomware>`_ is a type of malware
that encrypts files until a ransom is paid. Proxmox Backup Server includes
features that help mitigate and recover from ransomware attacks by offering
-off-server and off-site synchronizations and easy restoration from backups.
+off-server and off-site synchronization and easy restoration from backups.
Built-in Protection
~~~~~~~~~~~~~~~~~~~
@@ -399,39 +399,40 @@ The 3-2-1 Rule with Proxmox Backup Server
The `3-2-1 rule <https://en.wikipedia.org/wiki/Backup#Storage>`_ is simple but
effective in protecting important data from all sorts of threats, be it fires,
-natural disasters or attacks on your infrastructure by adversaries .
+natural disasters or attacks on your infrastructure by adversaries.
In short, the rule states that one should create *3* backups on at least *2*
different types of storage media, of which *1* copy is kept off-site.
Proxmox Backup Server provides tools for storing extra copies of backups in
remote locations and on various types of media.
-By setting up a remote Proxmox Backup Server you can take advantage of the
+By setting up a remote Proxmox Backup Server, you can take advantage of the
:ref:`remote sync jobs <backup_remote>` feature and easily create off-site
copies of your backups.
This is recommended, since off-site instances are less likely to be infected by
ransomware in your local network.
-You can configure sync jobs to not removed snapshots if they vanished on the
+You can configure sync jobs to not remove snapshots if they vanished on the
remote-source to avoid that an attacker that took over the source can cause
deletions of backups on the target hosts.
-If the source-host became victim of a ransomware attack, there's a good chance
-that sync jobs will fail triggering an :ref:`error notification
+If the source-host became victim of a ransomware attack, there is a good chance
+that sync jobs will fail, triggering an :ref:`error notification
<maintenance_notification>`.
It is also possible to create :ref:`tape backups <tape_backup>` as a second
-storage medium. This way you get an additional copy of your data on a
-different, for long-term storage designed medium type which can easily be moved
-around, be it to and off-site location or, for example into an on-site fire
-proof vault for quicker access.
+storage medium. This way, you get an additional copy of your data on a
+different storage medium designed for long-term storage. Additionally, it can
+easily be moved around, be it to and off-site location or, for example, into an
+on-site fireproof vault for quicker access.
Restrictive User & Access Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Proxmox Backup Server offers a comprehensive and fine grained :ref:`user and
+Proxmox Backup Server offers a comprehensive and fine-grained :ref:`user and
access management <user_mgmt>` system. The `Datastore.Backup` privilege, for
example, allows only to create, but not to delete or alter existing backups.
The best way to leverage this access control system is to:
+
- Use separate API tokens for each host or Proxmox VE Cluster that should be
able to back data up to a Proxmox Backup Server.
- Configure only minimal permissions for such API tokens. They should only have
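Review bot: In the tape-backup paragraph, the new line "easily be moved around, be it to and off-site location" still carries the old typo; it should read "to an off-site location". After the sentence split, "Additionally, it can easily be moved around" is also ambiguous, since "it" could refer to the copy or to the medium; "Such media can easily be moved around" would remove the doubt.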
@@ -443,8 +444,8 @@ The best way to leverage this access control system is to:
permissions, but to perform backup pruning directly on Proxmox Backup Server
using :ref:`prune jobs <maintenance_prune_jobs>`.
-Please note that same also applies for sync jobs. By limiting a sync user's or
-an access token's right to only write backups, not delete them, compromised
+Please note that the same also applies for sync jobs. By limiting a sync user's
+or an access token's right to only write backups, not delete them, compromised
clients cannot delete existing backups.
Ransomware Detection
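Review bot: In the sync-job paragraph, "the same also applies for sync jobs" should be "applies to sync jobs". It would also help to name the privilege meant by "right to only write backups, not delete them", as the section does earlier with `Datastore.Backup`, so readers know what to assign to a sync user or token.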
@@ -461,8 +462,8 @@ To detect ransomware inside a compromised guest, it is recommended to
frequently test restoring and booting backups. Make sure to restore to a new
guest and not to overwrite your current guest.
In the case of many backed-up guests, it is recommended to automate this
-restore testing or, if this is not possible, to restore random samples from the
-backups periodically (for example, once a week or month).
+restore testing. If this is not possible, restoring random samples from the
+backups periodically (for example, once a week or month), is advised'.
In order to be able to react quickly in case of a ransomware attack, it is
recommended to regularly test restoring from your backups. Make sure to restore
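Review bot: The added line "backups periodically (for example, once a week or month), is advised'." ends with a stray apostrophe before the period, and the comma before "is advised" separates the subject from its verb. Suggest "(for example, once a week or month) is advised." The paragraph that follows repeats the same advice on restore testing and random samples, so the two could be merged.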
@@ -470,7 +471,7 @@ to a new guest and not to overwrite your current guest.
Restoring many guests at once can be cumbersome, which is why it is advisable
to automate this task and verify that your automated process works. If this is
not feasible, it is recommended to restore random samples from your backups.
-While creating backups is important, verifying that the backups work is equally
+While creating backups is important, verifying that they work is equally
important. This ensures that you are able to react quickly in case of an
emergency and keeps disruption of your services to a minimum.
@@ -489,13 +490,13 @@ limited to:
* Following safe and secure network practices, for example using logging and
monitoring tools and dividing your network so that infrastructure traffic and
user or even public traffic are separated, for example by setting up VLANs.
-* Set up a long term retention. Since some ransomware might lay dormant a
+* Set up a long-term retention. Since some ransomware might lay dormant a
couple of days or weeks before starting to encrypt data, it can be that
older, existing backups are compromised. Thus, it is important to keep at
least a few backups over longer periods of time.
For more information on how to avoid ransomware attacks and what to do in case
-of a ransomware infection, see official goverment recommendations like `CISA's
+of a ransomware infection, see official government recommendations like `CISA's
(USA) guide <https://www.cisa.gov/stopransomware/ransomware-guide>`_ or EU
resources like ENSIA's `Threat Landscape for Ransomware Attacks
<https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-ransomware-attacks>`_
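Review bot: In the closing paragraph, "ENSIA's" is left misspelled although "goverment" two lines above is corrected; the linked domain is enisa.europa.eu, so it should read "ENISA's". In the retention bullet, "Set up a long-term retention" reads better without the article, "lay dormant" should be "lie dormant", and the imperative "Set up" does not match the "Following ..." form of the bullet before it.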
--
2.30.2
* [pbs-devel] [PATCH proxmox-backup 2/2] docs: add paragraph on verification jobs to ransomware section
From: Stefan Sterz @ 2022-11-28 14:34 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
---
Drop this if inappropriate. I just thought this might answer some
questions that a somewhat advanced user may have about verification
jobs in this scenario.
docs/storage.rst | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/docs/storage.rst b/docs/storage.rst
index 5ba419cd..c457ff06 100644
--- a/docs/storage.rst
+++ b/docs/storage.rst
@@ -475,6 +475,13 @@ While creating backups is important, verifying that they work is equally
important. This ensures that you are able to react quickly in case of an
emergency and keeps disruption of your services to a minimum.
+:ref:`Verification jobs <maintenance_verification>` can also assist in detecting
+a ransomware presence on a Proxmox Backup Server. Since verification jobs
+regularly check if all backups still match the checksums on record, they will
+start to fail if a ransomware starts to encrypt existing backups. Please be
+aware, that an advanced enough ransomware could circumvent this mechanism.
+Hence, consider verification jobs only as an additional, but not a sufficient
+protection measure.
General Prevention Methods and Best Practices
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
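Review bot: In the added paragraph, "Please be aware, that an advanced enough ransomware could circumvent this mechanism" gives the reader no indication of why verification can be bypassed; one clause stating the reason would make the caveat actionable. On wording: drop the comma after "aware", use "ransomware" without the article ("detecting ransomware on a Proxmox Backup Server", "if ransomware starts to encrypt"), and close with "an additional, but not a sufficient, protection measure".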
--
2.30.2
* Re: [pbs-devel] [PATCH proxmox-backup 1/2] docs: minor re-phrasing and spell checking clean up
From: Daniel Tschlatscher @ 2022-11-28 14:52 UTC (permalink / raw)
To: pbs-devel
On 11/28/22 15:34, Stefan Sterz wrote:
> Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
> ---
> docs/storage.rst | 37 +++++++++++++++++++------------------
> 1 file changed, 19 insertions(+), 18 deletions(-)
>
> diff --git a/docs/storage.rst b/docs/storage.rst
> index a773b666..5ba419cd 100644
> --- a/docs/storage.rst
> +++ b/docs/storage.rst
> @@ -383,7 +383,7 @@ Ransomware Protection & Recovery
> `Ransomware <https://en.wikipedia.org/wiki/Ransomware>`_ is a type of malware
> that encrypts files until a ransom is paid. Proxmox Backup Server includes
> features that help mitigate and recover from ransomware attacks by offering
> -off-server and off-site synchronizations and easy restoration from backups.
> +off-server and off-site synchronization and easy restoration from backups.
>
> Built-in Protection
> ~~~~~~~~~~~~~~~~~~~
> @@ -399,39 +399,40 @@ The 3-2-1 Rule with Proxmox Backup Server
>
> The `3-2-1 rule <https://en.wikipedia.org/wiki/Backup#Storage>`_ is simple but
> effective in protecting important data from all sorts of threats, be it fires,
> -natural disasters or attacks on your infrastructure by adversaries .
> +natural disasters or attacks on your infrastructure by adversaries.
> In short, the rule states that one should create *3* backups on at least *2*
> different types of storage media, of which *1* copy is kept off-site.
>
> Proxmox Backup Server provides tools for storing extra copies of backups in
> remote locations and on various types of media.
>
> -By setting up a remote Proxmox Backup Server you can take advantage of the
> +By setting up a remote Proxmox Backup Server, you can take advantage of the
> :ref:`remote sync jobs <backup_remote>` feature and easily create off-site
> copies of your backups.
> This is recommended, since off-site instances are less likely to be infected by
> ransomware in your local network.
> -You can configure sync jobs to not removed snapshots if they vanished on the
> +You can configure sync jobs to not remove snapshots if they vanished on the
> remote-source to avoid that an attacker that took over the source can cause
> deletions of backups on the target hosts.
> -If the source-host became victim of a ransomware attack, there's a good chance
> -that sync jobs will fail triggering an :ref:`error notification
> +If the source-host became victim of a ransomware attack, there is a good chance
> +that sync jobs will fail, triggering an :ref:`error notification
> <maintenance_notification>`.
>
> It is also possible to create :ref:`tape backups <tape_backup>` as a second
> -storage medium. This way you get an additional copy of your data on a
> -different, for long-term storage designed medium type which can easily be moved
> -around, be it to and off-site location or, for example into an on-site fire
Typo: "an" off-site location...
> -proof vault for quicker access.
> +storage medium. This way, you get an additional copy of your data on a
> +different storage medium designed for long-term storage. Additionally, it can
> +easily be moved around, be it to and off-site location or, for example, into an
> +on-site fireproof vault for quicker access.
>
> Restrictive User & Access Management
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> -Proxmox Backup Server offers a comprehensive and fine grained :ref:`user and
> +Proxmox Backup Server offers a comprehensive and fine-grained :ref:`user and
> access management <user_mgmt>` system. The `Datastore.Backup` privilege, for
> example, allows only to create, but not to delete or alter existing backups.
>
> The best way to leverage this access control system is to:
> +
> - Use separate API tokens for each host or Proxmox VE Cluster that should be
> able to back data up to a Proxmox Backup Server.
> - Configure only minimal permissions for such API tokens. They should only have
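Review bot: In the sync-job paragraph of this hunk, "to avoid that an attacker that took over the source can cause deletions of backups on the target hosts" is hard to parse; suggest "so that an attacker who has taken over the source cannot cause backups to be deleted on the target hosts". The following sentence, "If the source-host became victim of a ransomware attack", would read better as "If the source host becomes the victim of a ransomware attack".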
> @@ -443,8 +444,8 @@ The best way to leverage this access control system is to:
> permissions, but to perform backup pruning directly on Proxmox Backup Server
> using :ref:`prune jobs <maintenance_prune_jobs>`.
>
> -Please note that same also applies for sync jobs. By limiting a sync user's or
> -an access token's right to only write backups, not delete them, compromised
> +Please note that the same also applies for sync jobs. By limiting a sync user's
> +or an access token's right to only write backups, not delete them, compromised
> clients cannot delete existing backups.
>
> Ransomware Detection
> @@ -461,8 +462,8 @@ To detect ransomware inside a compromised guest, it is recommended to
> frequently test restoring and booting backups. Make sure to restore to a new
> guest and not to overwrite your current guest.
> In the case of many backed-up guests, it is recommended to automate this
> -restore testing or, if this is not possible, to restore random samples from the
> -backups periodically (for example, once a week or month).
> +restore testing. If this is not possible, restoring random samples from the
> +backups periodically (for example, once a week or month), is advised'.
>
> In order to be able to react quickly in case of a ransomware attack, it is
> recommended to regularly test restoring from your backups. Make sure to restore
> @@ -470,7 +471,7 @@ to a new guest and not to overwrite your current guest.
> Restoring many guests at once can be cumbersome, which is why it is advisable
> to automate this task and verify that your automated process works. If this is
> not feasible, it is recommended to restore random samples from your backups.
> -While creating backups is important, verifying that the backups work is equally
> +While creating backups is important, verifying that they work is equally
> important. This ensures that you are able to react quickly in case of an
> emergency and keeps disruption of your services to a minimum.
>
> @@ -489,13 +490,13 @@ limited to:
> * Following safe and secure network practices, for example using logging and
> monitoring tools and dividing your network so that infrastructure traffic and
> user or even public traffic are separated, for example by setting up VLANs.
> -* Set up a long term retention. Since some ransomware might lay dormant a
> +* Set up a long-term retention. Since some ransomware might lay dormant a
> couple of days or weeks before starting to encrypt data, it can be that
> older, existing backups are compromised. Thus, it is important to keep at
> least a few backups over longer periods of time.
>
> For more information on how to avoid ransomware attacks and what to do in case
> -of a ransomware infection, see official goverment recommendations like `CISA's
> +of a ransomware infection, see official government recommendations like `CISA's
> (USA) guide <https://www.cisa.gov/stopransomware/ransomware-guide>`_ or EU
> resources like ENSIA's `Threat Landscape for Ransomware Attacks
> <https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-ransomware-attacks>`_
* [pbs-devel] applied: [PATCH proxmox-backup 1/2] docs: minor re-phrasing and spell checking clean up
From: Thomas Lamprecht @ 2022-11-28 15:03 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Stefan Sterz
On 28/11/2022 at 15:34, Stefan Sterz wrote:
> Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
> ---
> docs/storage.rst | 37 +++++++++++++++++++------------------
> 1 file changed, 19 insertions(+), 18 deletions(-)
>
>
applied both patches and removed the extra 'd' Daniel spotted in a follow up,
thanks to both of you!