network-vault/README.md
2021-06-12 00:17:01 +01:00

1.7 KiB

Network Vault

Ansible playbook for network vault.

This creates a share vault on the target server which is writeable.

A second share is read only and keeps snapshots of the data from the rw-share.

Everey 4 hours, rsnapshot creates cheap copies of the data on the ro-share. How long the data will be kept depends on settings in rsnapshot.conf

Use-Case: Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like desaster-recovery-plans, password databases, network-plans, all the data you need in worst case and that should not be encrypted by any ransomware.

When ransomware locks down your systems, this is your machine to go, plug in a console and start recovery.

When sealing the vault, you can not access it over ssh any more so no ransomware can access the system.

You should NOT NOT NOT NOT have a KVM-Console connected because this can be used to access the system over the network

Place this stuff on something like an Intel NUC, paint it red and put it into a safe place.

Create any job to copy your DR-plans there every night.

It uses cron-apt to update the system and reboots at 6 in the morning to keep kernel up to date

Varialbes:

  • networkvault_vault_password -> password for user to access shares
  • networkvault_seal_vault -> when set to "true" it will uninstall ssh-server to prevent any access via network

ToDo:

  • Quota to ensure, space*backup-copies can not be exceed disk space and break backups by abusing share
  • Check diff-size and do some kind of alter
  • Add monitoring-agent/SNMP-support to be able to monitor system (alive? disk OK?)
  • Add more interfaces like WebDAV, FTP
  • Only reboot if required
  • check no unneeded ports open/block with firewall