Data-based Rsync Backups and Ransomware

If my Linux machine is not mounted to an NFS share hosted in my home server and my home server is in a different network, can ransomware infect the backups if I’m doing data-based full and incremental backups manually and not automatically?

This is the script I’m doing to do a full backup (the entire script is trimmed for brevity):

#!/bin/bash
HNAME=backupserver
BACKUPDIR=/path/to/backupfiles/$(date +%Y%m%d-%H%M%S)-full
# ... (further source directories trimmed for brevity)
/usr/bin/rsync -e "ssh" -avr ~/Documents \
      ~/Ardour \
      ~/Blender \
      ~/eBooks \
      ~/bin \
      $(whoami)@$HNAME:$BACKUPDIR

For subsequent backups:

#!/bin/bash
HNAME=fountainofnation
BACKUPDIR=/path/to/backupfiles/$(date +%Y%m%d-%H%M%S)-inc
# ... (further source directories trimmed for brevity)
rsync -e 'ssh' -ra --link-dest=/path/to/backupfiles/20250517-185729-full \
      ~/Ardour \
      ~/Blender \
      ~/Documents \
      ~/eBooks \
      ~/bin \
      $HNAME:$BACKUPDIR

Of course, I have not had any security issues in my network. I am quite vigilant when it comes to staying safe online and I have about 300 email addresses (aliases that forward to my inbox) for my own domain name, so I have never fallen for phishing emails for decades. I do make use of NoScript, Pi-Hole, and uBlock Origin to protect myself online from malicious advertisements. Plus, I do use strong passwords using a password manager and I keep my Arch Linux desktop and Debian home server up-to-date.

As more and more users switch to Linux, the attack vector increases. So again, are date-based backups using rsync without mounting an NFS share a good strategy for preventing ransomware from accessing my backup files in my server?

I think this sort of depends what capabilities you’d expect the malware to have. Obviously if you can connect over ssh noninteractively, an attacker would too. And your script will show up in your shell history, so the existence won’t be obfuscated.

Personally I think it’s unlikely that workaday malware that normal people are likely to encounter would be so sophisticated, but I do usually engineer my backups to pull from hosts rather than push. That puts the backup responsibility on a server with no UI, which doesn’t browse the web and has restricted access to the internet. Even though I’m also very careful online, I’d rather not rely on myself to never make a hasty decision. When possible, I also prefer ZFS replication, since snapshots are read-only, which adds one more layer.

Oh, so I let my server pull in the files from the host and put it in date-marked backup folders instead of letting the host push the files. That makes sense, although I do enter my SSH password manually when I execute a script from my host to the server.

If I do pull files and folders from the host to my server, then I wouldn’t want my server to pull from my Steam library stored in .local/share/Steam. I’ll need to do a search on how to exclude the Steam library though. And of course, I’d rather do it manually instead of automatically in case my Linux desktop gets infected with ransomware, but then all I can do is not be so dumb as to fall for a malware attack in my network.

You got it. Check man rsync and you should see an --exclude and --exclude-from flag that will tell the script to ignore certain files and directories.
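The server-side pull that the earlier reply recommends, combined with the --exclude flag pointed to here, as an added example (not the poster's script and not taken from rsync's documentation). The desktop address, the store path, the .complete marker convention and the exclude list are assumptions; the script runs on the backup server, so the desktop never holds credentials for the backup store.

```shell
#!/bin/sh
# Added example (not the poster's script): the pull-based layout the reply
# above recommends. It runs on the backup server, which fetches from the
# desktop over ssh; the desktop never gets write access to the backup store.
# Host, paths and the exclude list are assumptions chosen for illustration.
set -eu

SRC_HOST="${SRC_HOST:-user@desktop}"      # assumed desktop address (ssh key lives on the server)
SRC_PATH="${SRC_PATH:-/home/user/}"       # trailing slash: copy the contents of the directory
STORE="${STORE:-/srv/backups/desktop}"    # backup store, local to the server
RSYNC="${RSYNC:-/usr/bin/rsync}"          # overridable so the argument logic can be dry-run

# Exclude patterns are relative to the transfer root (SRC_PATH), so the Steam
# library is named as .local/share/Steam/, not by its absolute path.
EXCLUDES=".local/share/Steam/ .cache/"

# Newest directory under $1 that holds a .complete marker. The marker is only
# written after rsync exits 0, so a half-finished run never becomes the
# --link-dest base for the next increment. Timestamp names sort chronologically.
latest_backup_dir() {
    latest=""
    for d in "$1"/*/; do
        if [ -f "${d}.complete" ]; then latest="${d%/}"; fi
    done
    printf '%s\n' "$latest"
}

# Pull one snapshot into $2, hard-linking unchanged files against $1.
# $1 may be empty on the very first run, which then becomes a plain full copy.
pull_snapshot() {
    base="$1"; dest="$2"
    set -- -a -e ssh --numeric-ids
    for p in $EXCLUDES; do set -- "$@" "--exclude=$p"; done
    if [ -n "$base" ]; then set -- "$@" "--link-dest=$base"; fi
    set -- "$@" "$SRC_HOST:$SRC_PATH" "$dest/"
    $RSYNC "$@"
}

run_pull_backup() {
    dest="$STORE/$(date +%Y%m%d-%H%M%S)"
    base="$(latest_backup_dir "$STORE")"
    mkdir -p "$dest"
    pull_snapshot "$base" "$dest" && touch "$dest/.complete"
}

# Only the explicit "run" subcommand performs a backup; sourcing defines functions only.
case "${1:-}" in run) run_pull_backup ;; esac
```

Invoke it on the server as `./pull-backup.sh run` (from cron or by hand); each run lands in its own timestamped directory and unchanged files cost no extra space.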

Okay, thanks.

And by the way, thanks for the info about pulling in files/folders from the host to the server. That is something I probably might look into, but due to my vigilance, I’m probably okay with letting me execute the backup script that prompts for my password. It is a risk I’m willing to take.