From: Daniel Tschlatscher
Date: Mon, 28 Nov 2022 15:52:49 +0100
To: pbs-devel@lists.proxmox.com
Subject: Re: [pbs-devel] [PATCH proxmox-backup 1/2] docs: minor re-phrasing and spell checking clean up
In-Reply-To: <20221128143401.610254-1-s.sterz@proxmox.com>

On 11/28/22 15:34, Stefan Sterz wrote: > Signed-off-by: Stefan Sterz > --- > docs/storage.rst | 37 +++++++++++++++++++------------------ > 1 file changed, 19 insertions(+), 18 deletions(-) > > diff --git a/docs/storage.rst b/docs/storage.rst > index a773b666..5ba419cd 100644 > --- a/docs/storage.rst > +++ b/docs/storage.rst > @@ -383,7 +383,7 @@ Ransomware Protection & Recovery > `Ransomware `_ is a type of malware > that encrypts files until a ransom is paid. Proxmox Backup Server includes > features that help mitigate and recover from ransomware attacks by offering > -off-server and off-site synchronizations and easy restoration from backups. > +off-server and off-site synchronization and easy restoration from backups. > > Built-in Protection > ~~~~~~~~~~~~~~~~~~~ 
> @@ -399,39 +399,40 @@ The 3-2-1 Rule with Proxmox Backup Server > > The `3-2-1 rule `_ is simple but > effective in protecting important data from all sorts of threats, be it fires, > -natural disasters or attacks on your infrastructure by adversaries . > +natural disasters or attacks on your infrastructure by adversaries. > In short, the rule states that one should create *3* backups on at least *2* > different types of storage media, of which *1* copy is kept off-site. > > Proxmox Backup Server provides tools for storing extra copies of backups in > remote locations and on various types of media. > > -By setting up a remote Proxmox Backup Server you can take advantage of the > +By setting up a remote Proxmox Backup Server, you can take advantage of the > :ref:`remote sync jobs ` feature and easily create off-site > copies of your backups. > This is recommended, since off-site instances are less likely to be infected by > ransomware in your local network. > -You can configure sync jobs to not removed snapshots if they vanished on the > +You can configure sync jobs to not remove snapshots if they vanished on the > remote-source to avoid that an attacker that took over the source can cause > deletions of backups on the target hosts. > -If the source-host became victim of a ransomware attack, there's a good chance > -that sync jobs will fail triggering an :ref:`error notification > +If the source-host became victim of a ransomware attack, there is a good chance > +that sync jobs will fail, triggering an :ref:`error notification > `. > > It is also possible to create :ref:`tape backups ` as a second > -storage medium. This way you get an additional copy of your data on a > -different, for long-term storage designed medium type which can easily be moved > -around, be it to and off-site location or, for example into an on-site fire Typo: "an" off-site location... > -proof vault for quicker access. > +storage medium. 
This way, you get an additional copy of your data on a > +different storage medium designed for long-term storage. Additionally, it can > +easily be moved around, be it to and off-site location or, for example, into an > +on-site fireproof vault for quicker access. > > Restrictive User & Access Management > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > -Proxmox Backup Server offers a comprehensive and fine grained :ref:`user and > +Proxmox Backup Server offers a comprehensive and fine-grained :ref:`user and > access management ` system. The `Datastore.Backup` privilege, for > example, allows only to create, but not to delete or alter existing backups. > > The best way to leverage this access control system is to: > + > - Use separate API tokens for each host or Proxmox VE Cluster that should be > able to back data up to a Proxmox Backup Server. > - Configure only minimal permissions for such API tokens. They should only have > @@ -443,8 +444,8 @@ The best way to leverage this access control system is to: > permissions, but to perform backup pruning directly on Proxmox Backup Server > using :ref:`prune jobs `. > > -Please note that same also applies for sync jobs. By limiting a sync user's or > -an access token's right to only write backups, not delete them, compromised > +Please note that the same also applies for sync jobs. By limiting a sync user's > +or an access token's right to only write backups, not delete them, compromised > clients cannot delete existing backups. > > Ransomware Detection 
> @@ -461,8 +462,8 @@ To detect ransomware inside a compromised guest, it is recommended to > frequently test restoring and booting backups. Make sure to restore to a new > guest and not to overwrite your current guest. > In the case of many backed-up guests, it is recommended to automate this > -restore testing or, if this is not possible, to restore random samples from the > -backups periodically (for example, once a week or month). > +restore testing. If this is not possible, restoring random samples from the > +backups periodically (for example, once a week or month), is advised'. > > In order to be able to react quickly in case of a ransomware attack, it is > recommended to regularly test restoring from your backups. Make sure to restore > @@ -470,7 +471,7 @@ to a new guest and not to overwrite your current guest. > Restoring many guests at once can be cumbersome, which is why it is advisable > to automate this task and verify that your automated process works. If this is > not feasible, it is recommended to restore random samples from your backups. > -While creating backups is important, verifying that the backups work is equally > +While creating backups is important, verifying that they work is equally > important. This ensures that you are able to react quickly in case of an > emergency and keeps disruption of your services to a minimum. 
> > @@ -489,13 +490,13 @@ limited to: > * Following safe and secure network practices, for example using logging and > monitoring tools and dividing your network so that infrastructure traffic and > user or even public traffic are separated, for example by setting up VLANs. > -* Set up a long term retention. Since some ransomware might lay dormant a > +* Set up a long-term retention. Since some ransomware might lay dormant a > couple of days or weeks before starting to encrypt data, it can be that > older, existing backups are compromised. Thus, it is important to keep at > least a few backups over longer periods of time. > > For more information on how to avoid ransomware attacks and what to do in case > -of a ransomware infection, see official goverment recommendations like `CISA's > +of a ransomware infection, see official government recommendations like `CISA's > (USA) guide `_ or EU > resources like ENSIA's `Threat Landscape for Ransomware Attacks > `_
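
Review bot: In the @@ -399,39 +399,40 @@ hunk, the rewritten tape paragraph still reads "be it to and off-site location" on the added line; "and" should be "an", as the reply already points out. The new sentence "Additionally, it can easily be moved around" also leaves "it" ambiguous between the copy and the medium, so naming the subject ("Additionally, tapes can easily be moved around ...") would be clearer. In the sync-job sentence this hunk touches, "to avoid that an attacker that took over the source can cause deletions of backups" is still hard to parse; something like "so that an attacker who took over the source cannot cause backups to be deleted on the target hosts" states the protection directly.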
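
Review bot: In the @@ -461,8 +462,8 @@ hunk, the added line "+backups periodically (for example, once a week or month), is advised'." introduces a stray apostrophe after "advised" and a comma that separates the subject from its verb. Suggest "... restoring random samples from the backups periodically (for example, once a week or month) is advised." The paragraph that follows in the next hunk repeats the same advice (restore to a new guest, automate, otherwise sample), so it may be worth merging the two while this text is being touched.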
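
Review bot: In the @@ -489,13 +490,13 @@ hunk, the line fixing "goverment" sits two lines above "ENSIA's", which is left unchanged; the EU agency is ENISA, so this spelling fix belongs in the same clean-up. In the retention bullet, "Set up a long-term retention" reads better without the article ("Set up long-term retention"), and the context line "might lay dormant" should be "might lie dormant".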