# Network Vault

Ansible playbook for Network Vault.

It creates a writeable share (the rw-share) on the target server.

A second, read-only share (the ro-share) holds snapshots of the data from the rw-share.

Every 4 hours, rsnapshot creates cheap (hard-linked) copies of the rw-share data on the ro-share.

How long the data is kept depends on the retention settings in rsnapshot.conf.

## Use-Case

Create an immutable, WORM-like network share that holds REALLY sensitive data: disaster-recovery plans, password databases, network plans, all the data you need in the worst case and that must not be encrypted by any ransomware.

When ransomware locks down your systems, this is your machine to go to: plug in a console and start recovery.

Once the vault is sealed, it can no longer be accessed over SSH, so no ransomware can get onto the system that way.

You should NOT have a KVM console connected, because it could be used to access the system over the network.

Place this on something like an Intel NUC, paint it red and put it in a safe place.

Create a job to copy your DR plans there every night.

The playbook uses cron-apt to update the system and reboots at 6 in the morning to keep the kernel up to date.

## Variables

* `networkvault_vault_password` -> password of the user who accesses the shares
* `networkvault_seal_vault` -> when set to "true", the playbook uninstalls the SSH server to prevent any access via the network
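
As an added example (not the project's own playbook), the following Ansible play sketches the mechanics described above: a writeable rw-share directory, a root-owned ro-share directory that serves as the rsnapshot root, a tab-separated rsnapshot.conf whose `retain` lines decide how long snapshots are kept, the 4-hourly rsnapshot cron job, and the sealing step driven by `networkvault_seal_vault`. The share paths, the `vault` user name, the retention counts and the cron times are assumptions; exporting the directories via Samba/NFS and the cron-apt setup are left out.

```yaml
# Added example: a minimal Ansible play showing the vault mechanics this README
# describes. It is not the project's playbook; the share paths, the "vault" user,
# the retention counts and the cron times are assumptions.
- name: Network vault (example)
  hosts: vault
  become: true
  vars:
    networkvault_vault_password: "CHANGE-ME"   # variable from the README
    networkvault_seal_vault: false             # set to true only on the final, sealing run
    vault_rw_path: /srv/vault/rw               # assumed: directory behind the writeable share
    vault_ro_path: /srv/vault/ro               # assumed: rsnapshot root, exported read-only
    # rsnapshot.conf fields MUST be separated by tabs, so "\t" is written explicitly.
    rsnapshot_conf:
      - "config_version\t1.2"
      - "snapshot_root\t{{ vault_ro_path }}/"
      - "cmd_rsync\t/usr/bin/rsync"
      - "cmd_cp\t/bin/cp"
      - "link_dest\t1"            # hard-link unchanged files: the "cheap copies"
      - "retain\talpha\t6"        # 6 x 4 h = one day of 4-hourly snapshots
      - "retain\tbeta\t7"         # one week of daily snapshots
      - "retain\tgamma\t4"        # four weekly snapshots; these retain lines set the retention
      - "backup\t{{ vault_rw_path }}/\tlocalhost/"

  tasks:
    - name: Install rsnapshot and rsync
      ansible.builtin.apt:
        name: [rsnapshot, rsync]
        state: present
        update_cache: true

    - name: Create the vault user who may write to the rw-share
      ansible.builtin.user:
        name: vault
        password: "{{ networkvault_vault_password | password_hash('sha512') }}"
        shell: /usr/sbin/nologin

    - name: Create share directories (rw-share writeable by vault, ro-share root-owned)
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
        owner: "{{ item.owner }}"
        mode: "{{ item.mode }}"
      loop:
        - { path: "{{ vault_rw_path }}", owner: vault, mode: "0770" }
        - { path: "{{ vault_ro_path }}", owner: root,  mode: "0755" }

    - name: Write rsnapshot.conf (the retention lives here)
      ansible.builtin.copy:
        dest: /etc/rsnapshot.conf
        owner: root
        group: root
        mode: "0644"
        content: "{{ rsnapshot_conf | join('\n') }}\n"

    - name: Snapshot the rw-share every 4 hours (alpha), daily (beta), weekly (gamma)
      ansible.builtin.cron:
        name: "rsnapshot {{ item.level }}"
        minute: "{{ item.minute }}"
        hour: "{{ item.hour }}"
        weekday: "{{ item.weekday | default('*') }}"
        job: "/usr/bin/rsnapshot {{ item.level }}"
      loop:
        - { level: alpha, minute: "0",  hour: "*/4" }
        - { level: beta,  minute: "30", hour: "3" }
        - { level: gamma, minute: "0",  hour: "2", weekday: "1" }

    # Sealing: remove the SSH server. Ansible itself connects over SSH, so this
    # must be the last task of the last run; afterwards only the console works.
    - name: Seal the vault (uninstall the SSH server)
      ansible.builtin.apt:
        name: openssh-server
        state: absent
        purge: true
      when: networkvault_seal_vault | bool
```

Run it once with `networkvault_seal_vault: false` to set everything up and verify the snapshots appear under the ro-share, then a final time with `-e networkvault_seal_vault=true`; since the last task removes the SSH server the playbook is connecting through, any task placed after it would never run.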
## ToDo

* Quota, to ensure that data size times the number of backup copies cannot exceed the disk space and break backups by abusing the share
* Check the diff size and raise some kind of alert
* Add a monitoring agent/SNMP support to be able to monitor the system (alive? disk OK?)
* Add more interfaces like WebDAV, FTP
* Only reboot if required
* Check that no unneeded ports are open / block them with a firewall