Encrypted offsite backup but no access to port forwarding


1812


As the title states I want to have an offsite backup to another computer I own. But I need the data encrypted on the remote site because it's not in a 100% secure location. The computer could walk out. It probably won't, but it could.

 

Crashplan is the first easy answer, and I would like to use it, but I have no access to port forwarding or any other network attributes at the remote site, so that's a no-go (already tested.)

 

I could have a static VPN to my main server (problem solved......) but I don't want to leave that as an open door into my network from an insecure remote location.

 

Any other options that I'm not aware of? Syncthing says it works regardless of port forwarding or not, but doesn't have encryption on the storage side, just on the data transmission.

 

Total data will be 16 TB initially duplicated locally, then growing to 30-40 over the next 12 months.

 

Many thanks!

Link to comment

A few thoughts... 

 

First, make all passwords very secure using the many suggestions that a simple google search will provide! 

 

Second, install Fix common problems.  As a part of its defaults is a setting to limit the number of allowed logins per day.  This would help prevent unauthorized access at the remote location.  Third, set all of the shares to private on the remote server which will require the use of a different password than root logon.  Be sure that the VPN is linked to the MAC address of the NIC. 

 

Fourth, make sure that the VPN connection requires a login from the remote.  This makes sure that someone can't simply reboot the server to an alternate OS to access your server. 

 

Fifth, encrypt your files as they are being transmitted to the remote server.  Sixth, check the logs often to see failed logins or other signs of attempted access.  If you install the 'Tips and Tweaks' plugin, you can turn off Telnet and FTP access and all SSH logins are recorded.  Look to see if there are any logins that you didn't do. 

 

Sixth, set the IP address of that remote server so that it is essentially hidden on the remote network.

 

Putting a server in a remote location where you are wary of the honesty of the residents/employees/persons are questionable is not on anyone's list of acceptable practices.  If you are only this paranoid because of the break-ins to the CIA at Langley that you have seen in Hollywood movies, that is one thing.  But if it is because of what you are reading in the local newspaper about break-ins in that area where the server will be, that is another matter. 

Edited by Frank1940
  • Upvote 1
Link to comment

Thanks for your thoughts, Frank. The remote computer is going to probably run Windows....  so a fair portion of what you wrote (which is good practice) is not applicable. But even if it was unRaid (which is a possibility,) my main problem is traversing the network firewall that I have no access to modify. If I can figure that out, I can just use crash plan and all the data is encrypted on the remote backup.

 

I could just run the vpn on a continuous from the remote to my server,  but I don't trust windows login "protection" on the remote computer.  This part I'm not following you on (maybe because it's been a long day) :

 

16 minutes ago, Frank1940 said:

Fourth, make sure that the VPN connection requires a login from the remote.  This makes sure that someone can't simply reboot the server to an alternate OS to access your server. 

 

Basically you're saying login and pw to access network, login in on the remote computer itself, right? And obviously not keeping it saved on the remote computer? 

 

I use pfSense for my router and already have openVPN set up on it, so I wonder if there is a way to have the remote computer isolated to only access the ip of the local unRaid box. So that way if someone does get on the connection, they can't really get anywhere else on the network.. 

 

As far as physical security, the computer will sit in a locked room where about a thousand people will pass it daily. Most will never know it is there, and less than a dozen or so would have access to the room. I believe it is highly unlikely that it would walk off, but it is a possibility. And as such, means that I'm trying to take precautions that if it does, the contents are of no use to anyone.

 

 

 

 

Link to comment
4 minutes ago, 1812 said:

I could just run the vpn on a continuous from the remote to my server,  but I don't trust windows login "protection" on the remote computer.

 

I had assumed that you were running an unRAID server (with some plugins or Docker and no VM's) at the remote location.  Throwing Windows into the equation is a whole new ball game.  I would then surmise that you would be using some other array type software to provide +16TB of storage.  Windows is fairly secure from the outside but the inside 'job' stuff is more marginal and, with physical access, almost trivial to many more people. 

 

Another thought, if you use unRAID, put the Flash Drive on the inside of the case and use a lock on the case.  And don't share the Flash Drive.  Plus, the computer would be almost useless to the average thief by running a system that basically can only serve up encrypted files. 

Link to comment
2 minutes ago, Frank1940 said:

 

I had assumed that you were running an unRAID server (with some plugins or Docker and no VM's) at the remote location.  Throwing Windows into the equation is a whole new ball game.  I would then surmise that you would be using some other array type software to provide +16TB of storage.  Windows is fairly secure from the outside but the inside 'job' stuff is more marginal and, with physical access, almost trivial to many more people. 

 

Another thought, if you use unRAID, put the Flash Drive on the inside of the case and use a lock on the case.  And don't share the Flash Drive.  Plus, the computer would be almost useless to the average thief by running a system that basically can only serve up encrypted files. 

 

However I end up going, it will have a singular purpose: store encrypted backups. Unfortunately it appears that leaving it on a constant vpn connection to my local network is the "easiest" solution.... many thanks for your help so far!

Link to comment

Using your static VPN approach and having pfSense would get you close to a somewhat comfortable level of security.  I'd suggest on your local unRAID you use a Docker or Virtualbox VM with read only shares and a separate IP address from that of your server for the remote backup to access, I would not just give the VPN access to your server IP.  Restrict the OpenVPN server on pfSense to just the one IP and restrict everything except the ports required.

 

On your remote end highly suggest moving away from Windows or at least locking it down/moving to server version.  Doesn't necessarily need to be unRAID, there are several options using various Linux flavors that can do the job, just not as GUI easy as unRAID.  ZFS, various NAS programs, etc.

Link to comment
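An added example, not part of any post in this thread: a small model of the firewall policy suggested in the post above (tunnel client allowed to reach one dedicated backup IP on the required port only). It assumes pfSense's top-down, first-match rule order with an implicit deny; every address is constructed, and TCP 4242 as the CrashPlan computer-to-computer port is an assumption to confirm for your install.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    ports: tuple = ()    # empty tuple means any port

def decide(rules, src, dst, proto, port):
    """Evaluate rules top-down; the first match wins, no match means block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto)
                and (not r.ports or port in r.ports)):
            return r.action
    return "block"

# Constructed addresses (assumptions, not taken from the thread)
VPN_CLIENT = "10.8.0.2"         # tunnel address handed to the offsite box
BACKUP_TARGET = "192.168.1.50"  # dedicated backup endpoint, not the main server IP
BACKUP_PORT = 4242              # assumed CrashPlan backup port

# A typical "allow the whole tunnel subnet" rule set
WEAK = [Rule("pass", "10.8.0.0/24", "0.0.0.0/0", "any")]

# One client, one destination, one port; explicit block for everything else
TIGHT = [
    Rule("pass", VPN_CLIENT + "/32", BACKUP_TARGET + "/32", "tcp", (BACKUP_PORT,)),
    Rule("block", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

# What someone sitting on the offsite box could try to reach through the tunnel
PROBES = [
    (BACKUP_TARGET, "tcp", BACKUP_PORT, "backup endpoint: CrashPlan"),
    (BACKUP_TARGET, "tcp", 22, "backup endpoint: SSH"),
    ("192.168.1.10", "tcp", 445, "main server: SMB shares"),
    ("192.168.1.1", "tcp", 443, "router: web GUI"),
]

def exposure(rules):
    """Return the labels of every probe the rule set lets through."""
    return [label for dst, proto, port, label in PROBES
            if decide(rules, VPN_CLIENT, dst, proto, port) == "pass"]

if __name__ == "__main__":
    print("weak :", exposure(WEAK))
    print("tight:", exposure(TIGHT))
```
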
  • 2 weeks later...
On 4/28/2017 at 4:23 PM, Frank1940 said:

A few thoughts... 

 

First, make all passwords very secure using the many suggestions that a simple google search will provide! 

 

Second, install Fix common problems.  As a part of its defaults is a setting to limit the number of allowed logins per day.  This would help prevent unauthorized access at the remote location.  Third, set all of the shares to private on the remote server which will require the use of a different password than root logon.  Be sure that the VPN is linked to the MAC address of the NIC. 

 

Fourth, make sure that the VPN connection requires a login from the remote.  This makes sure that someone can't simply reboot the server to an alternate OS to access your server. 

 

Fifth, encrypt your files as they are being transmitted to the remote server.  Sixth, check the logs often to see failed logins or other signs of attempted access.  If you install the 'Tips and Tweaks' plugin, you can turn off Telnet and FTP access and all SSH logins are recorded.  Look to see if there are any logins that you didn't do. 

 

Sixth, set the IP address of that remote server so that it is essentially hidden on the remote network.

 

Putting a server in a remote location where you are wary of the honesty of the residents/employees/persons are questionable is not on anyone's list of acceptable practices.  If you are only this paranoid because of the break-ins to the CIA at Langley that you have seen in Hollywood movies, that is one thing.  But if it is because of what you are reading in the local newspaper about break-ins in that area where the server will be, that is another matter. 

 

After much more research, I have decided to go with unRaid offsite. An essentially headless computer with a set amount of login attempts, holding only encrypted data is about as secure as one could hope for on the cheap! 

 

@Frank1940 Is there a way to setup the ability for me to log into the remote server via vpn (remembering that I have no access to the network settings at the remote location) vs. leaving the remote logged into my home network all the time? That way when I wanted to run a backup, I can limit my outside access/exposure?

Link to comment
9 minutes ago, 1812 said:

@Frank1940 Is there a way to setup the ability for me to log into the remote server via vpn (remembering that I have no access to the network settings at the remote location) 

I'm not Frank, but there is a convoluted method you could use. On the remote server set up a lite VM with teamviewer (any small linux with GUI should work) and teamviewer in to it, then use the VM to log into the remote unraid and connect your vpn to the home network for the duration of the backup. I think you could get away with leaving the VM on unraid's internal NAT with no outward facing services to sniff.

 

I think with a little effort, you could theoretically harden the box pretty well, leaving only physical security on site as the major risk.

  • Upvote 1
Link to comment

I am no expert on setting VPN's.  Since you don't have access to the firewall, you (should) have to establish the connection from inside of that firewall.  (Otherwise, they have a BIG security issue.)    

 

EDIT: Does the company where the remote server is have a VPN setup?  Perhaps, you could use that...

Edited by Frank1940
Link to comment
26 minutes ago, Frank1940 said:

I am no expert on setting VPN's.  Since you don't have access to the firewall, you (should) have to establish the connection from inside of that firewall.  (Otherwise, they have a BIG security issue.)    

 

EDIT: Does the company where the remote server is have a VPN setup?  Perhaps, you could use that...

 

nope.

 

Might just try doing @jonathanm's method. I wouldn't call it convoluted, I'd call it a creative workaround that I wish I thought of!

Link to comment
10 hours ago, jonathanm said:

On the remote server set up a lite VM with teamviewer (any small linux with GUI should work)

 

Would ubuntu work for that? Is it fairly secure out of the box?

 

I decided to go with crashplan as it has encrypted versioned backups, and it means that I can have the server on the network with no shares available. It might be a little bit more work to 1. login with team viewer 2. connect to unRaid web GUI 3. start vpn, but I think it's the most secure and reliable way I can expect to put the box where I want it.

 

Hat tip to @Frank1940 for the multiple tips in his first post I'm also going to be implementing. Some good stuff there. 

Link to comment
13 minutes ago, 1812 said:

set it up today. works way better than I thought it would. thanks!

How did you end up implementing it? Teamviewer to a VM to start the VPN? Or something similar? If you used a VM, were you able to keep its interface on the internal unraid .22 network, or is it poking out to the offsite network with another dhcp request?

Link to comment
1 hour ago, jonathanm said:

How did you end up implementing it? Teamviewer to a VM to start the VPN? Or something similar? If you used a VM, were you able to keep its interface on the internal unraid .22 network, or is it poking out to the offsite network with another dhcp request?

 

 

unRaid sits on a static ip, and the vm is assigned static in the same range. The vm was temporarily on an ip set by the dhcp server by the network on first boot, but not a big deal. There are hundreds (if not more) devices on this network at a time at its busiest.

 

So unRaid and the vm are running now all the time. I have an ubuntu vm with team viewer host installed. From my home network I connect using team viewer to the vm, then open the unRaid web GUI using preinstalled firefox. From there, in unRaid, use the openvpn client plugin to start the vpn connection back to my home network. A few seconds later, the remote server appears on my network. I log in to the assigned ip address of the remote server on my local network and start crashplan. It is set up as a "friend" account. This was done so someone couldn't gain access to crashplan on the remote server and make changes to what files are backed up or restore encrypted files to a local drive. 

 

It takes about 60-90 seconds for crashplan to boot and then be discovered by my main server on my network. I can then run the backup.

 

When I'm done, shut down crashplan, then go to the openvpn client and stop the vpn session. 

 

Both the ubuntu vm and crashplan's vnc connection are also password protected, and both require login after that to access the programs (if you were crafty enough to get around the vnc password.)

 

It seems like a lot of work to do, but really takes 2-3 minutes to get going, and 15 seconds to disconnect. A fully automated setup would be nice, but I'd rather do this, working within the confines of my environment, vs not having offsite backups at all. I suppose I could leave the vpn connected all the time, but I feel more secure doing it this way.

Link to comment
