[PLUG] A server that isn't

Charles Sliger chaz at bctonline.com
Sat Dec 4 19:53:07 UTC 2004


I haven't heard of a backup server like this, but it certainly could be
done.
Why the DOS attack concerns?  Is this system on the internet?

Charles L. Sliger
Information Systems Engineer
chaz at bctonline.com
503-313-5567
 

-----Original Message-----
From: plug-bounces at lists.pdxlinux.org
[mailto:plug-bounces at lists.pdxlinux.org] On Behalf Of Keith Lofstrom
Sent: Saturday, December 04, 2004 9:24 AM
To: PLUG
Subject: [PLUG] A server that isn't


I would like to design a backup server that is extra secure.  The way
I plan to set things up, the server rsyncs to the backup clients and
pulls information from them, but other than that server-internally-
initiated process, the server does not respond to any externally-
initiated service requests.  If you ran nmap on the server, you would
not see any open ports.  iptables on the server would continue
internally initiated connections, but would not respond to externally
initiated ones.  

With one semi-exception - the backup server would respond to pings.
So in a way, the server is not really a server.  Is there another 
name for this kind of "silent server"?  (submarine?)

The idea is to not worry about securing any services on the backup
server, because none are offered.  The fewer server-side programs 
exposing their security holes to the network, the better.  Especially
on a backup server, which has copies of all the treasures of all
the clients.

So how does the backup server respond to restore requests?  By polling;
it goes out to the client machines and looks for restore requests, on
a fairly frequent basis.  It will only restore files to the particular
client it got them from (using the same ssh authentication used for
backup), to a separate user owned directory (permission 700) and only
if "restore permissions" on the backup server permit it (otherwise it
"restores" a "not-permitted" message).  Some security-related restores
will require sysadmin participation.

I figure a polling interval of once per minute should be adequate;
it will take longer than that to construct a list of available files
on the backup server, so think "hour-long" process rather than
"quick response".  Some restores will need sysadmin attention, anyway;
the restore media may be off-line, in storage.  A faster alternative 
might be "ping-initiated polling", where the backup server senses that
it is being pinged by a client and responds immediately with a poll. 
However, this alternative method seems insecure to things like Denial
of Service attacks.

But all this is de-novo speculation;  there are probably already
standard ways to do what I am planning.  Perhaps my caution is
misplaced; if I am relying on server-outbound rsync and ssh, then
maybe server-inbound ssh adds no new insecurities.  Any comments?

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
_______________________________________________
PLUG mailing list
PLUG at lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
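A firewall ruleset for the "silent server" Keith describes, added here as an example and not taken from either message; it assumes a Linux host with conntrack, a placeholder client subnet of 192.0.2.0/24, and only prints an iptables-restore file rather than applying it.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset for the silent backup server: default
# deny inbound, stateful replies to connections the server itself opened
# (outbound ssh/rsync pulls from the clients), ICMP echo answered, nothing else.
# Assumption for this example: all clients sit in one subnet (placeholder below).
# Apply as root with: silent_server_rules > rules.v4 && iptables-restore < rules.v4
BACKUP_CLIENTS="${BACKUP_CLIENTS:-192.0.2.0/24}"   # placeholder client subnet

silent_server_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback stays open for local daemons (cron, the rsync scheduler).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets belonging to no tracked connection are dropped first; this is why
# an nmap scan of the server shows no open ports.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections the server initiated (ssh/rsync pulls, DNS lookups,
# and the echo-reply to a ping, which conntrack tracks as ESTABLISHED).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The one semi-exception: answer pings, rate-limited so a flood is cheap to absorb.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# Deliberately no inbound tcp/22 rule. If inbound ssh from the client subnet
# is later judged to add no new exposure, it is a single NEW-state rule here.
# New outbound connections: only what the pull-based backup needs.
-A OUTPUT -p tcp -d ${BACKUP_CLIENTS} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

silent_server_rules
```

Restores stay pull-based under this ruleset: the server's outbound ssh session to a client is the only path files travel, and the client never gets to open a connection back.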