\u00cd n\u00fat\u00edma \u00f3gnarlandslagi hefur lausnarhugb\u00fana\u00f0ur (ransomware) \u00fer\u00f3ast \u00far t\u00e6kif\u00e6rissinnu\u00f0um dulk\u00f3\u00f0unar\u00e1r\u00e1sum yfir \u00ed mj\u00f6g markvissar herfer\u00f0ir me\u00f0 marg\u00fe\u00e6ttum fj\u00e1rk\u00fagunum. H\u00e1\u00fer\u00f3a\u00f0ar vi\u00f0varandi \u00f3gnir (APT) og lausnarhugb\u00fana\u00f0arh\u00f3par leita n\u00fa virkt a\u00f0 afritunarinnvi\u00f0um og gagnagrunnss\u00f6fnum \u00e1 me\u00f0an \u00feeir eru inni \u00ed kerfum. Ef \u00e1r\u00e1sara\u00f0ili kemst yfir a\u00f0algagnagrunninn \u00feinn og ey\u00f0ir e\u00f0a dulk\u00f3\u00f0ar afritunargeymslur \u00fe\u00ednar samt\u00edmis, stendur fyrirt\u00e6ki\u00f0 \u00feitt frammi fyrir skelfilegu gagnatapi.<\/p>\n
Fyrir gagnagrunnsstj\u00f3ra (DBA) og DevOps-verkfr\u00e6\u00f0inga er hef\u00f0bundna 3-2-1 afritunarstefnan ekki lengur n\u00e6gjanleg. Til a\u00f0 tryggja a\u00f0 g\u00f6gn lifi af ver\u00f0a innvi\u00f0ateymi a\u00f0 taka upp 3-2-1-1 regluna, \u00fear sem s\u00ed\u00f0asti \u201e1\u201c-inn stendur fyrir \u00f3breytanlega geymslu (immutable storage)<\/strong>.<\/p>\n \u00deessi grein veitir yfirgripsmikla, t\u00e6knilega d\u00fdfu \u00ed h\u00f6nnun, innlei\u00f0ingu og stj\u00f3rnun \u00e1 \u00f3breytanlegri geymslu fyrir gagnagrunnss\u00f6fn til a\u00f0 tryggja algj\u00f6ra vi\u00f0n\u00e1ms\u00fer\u00f3tt gegn lausnarhugb\u00fana\u00f0i.<\/p>\n \u00d3breytanleg geymsla byggir \u00e1 WORM-arkitekt\u00far (Write-Once-Read-Many). \u00deegar g\u00f6gn hafa veri\u00f0 skrifu\u00f0 \u00e1 \u00f3breytanlegan \u00e1fangasta\u00f0 er ekki h\u00e6gt a\u00f0 breyta \u00feeim, dulk\u00f3\u00f0a e\u00f0a ey\u00f0a af neinum notanda \u2013 \u00fear me\u00f0 tali\u00f0 stj\u00f3rnendum me\u00f0 r\u00f3tara\u00f0gang (root) e\u00f0a kompromitteru\u00f0um \u00fej\u00f3nustureikningum \u2013 fyrr en st\u00e6r\u00f0fr\u00e6\u00f0ilega \u00fatf\u00e6r\u00f0 t\u00edmal\u00e1s rennur \u00fat.<\/p>\n \u00deegar \u00f3breytanleiki er innleiddur, s\u00e9rstaklega \u00ed sk\u00fdjageymslum eins og AWS S3, Azure Blob e\u00f0a S3-samh\u00e6f\u00f0um SAN-kerfum \u00e1 sta\u00f0num, ver\u00f0ur \u00fe\u00fa a\u00f0 skilja muninn \u00e1 var\u00f0veislustillingum:<\/p>\n \u00d6flugur arkitekt\u00far fyrir gagnagrunnss\u00f6fn a\u00f0skilur virka gagnagrunnsstarfsemi fr\u00e1 \u00f3breytanlega geymslulaginu. \u00de\u00fa getur ekki beitt \u00f3breytanleika \u00e1 virkar gagnagrunnsskr\u00e1r (eins og \u00cd sta\u00f0inn er \u00f3breytanleika beitt \u00e1: \u00de\u00fa getur innleitt \u00f3breytanlega geymslu \u00e1 mismunandi innvi\u00f0astigum: Til a\u00f0 vernda gagnagrunnss\u00f6fn og f\u00e6rsluskr\u00e1r \u00ed AWS ver\u00f0ur \u00fe\u00fa a\u00f0 virkja Object Lock \u00feegar f\u00f6tu (bucket) er b\u00fai\u00f0 til.<\/p>\n Fyrst skaltu b\u00faa til f\u00f6tuna me\u00f0 Object Lock virkt:<\/p>\n N\u00e6st skaltu stilla sj\u00e1lfgefna var\u00f0veislustefnu. Fyrir gagnagrunnss\u00f6fn er 30 daga samr\u00e6misl\u00e1s sta\u00f0la\u00f0ur grunnur, sem tryggir a\u00f0 \u00fe\u00fa hafir m\u00e1na\u00f0ar afrit sem ekki er h\u00e6gt a\u00f0 breyta.<\/p>\n \u00deegar afritunarforskriftin \u00fe\u00edn e\u00f0a umbo\u00f0sma\u00f0ur sendir skr\u00e1 \u00ed \u00feessa f\u00f6tu, reiknar S3 sj\u00e1lfkrafa \u00fat Ef \u00fe\u00fa ert a\u00f0 geyma gagnagrunna \u00e1 Linux-afritunar\u00fej\u00f3ni \u00e1 sta\u00f0num getur\u00f0u n\u00e1\u00f0 \u201egervi-\u00f3breytanleika\u201c me\u00f0 Notkun \u00e1 Linux Athugi\u00f0: \u00de\u00f3tt Notkun \u00e1 ZFS-skyndimyndum:<\/strong> Til a\u00f0 n\u00e1 endurheimt \u00e1 \u00e1kve\u00f0num t\u00edmapunkti (PITR) ver\u00f0ur \u00fe\u00fa st\u00f6\u00f0ugt a\u00f0 geyma f\u00e6rsluskr\u00e1r \u00ed \u00f3breytanlegri geymslu.<\/p>\n \u00cd Mikilv\u00e6gt atri\u00f0i:<\/em> Ef S3-fatan \u00fe\u00edn framfylgir 30 daga samr\u00e6misl\u00e1s, en SQL Server sty\u00f0ur innf\u00e6dd afrit beint \u00e1 S3-samh\u00e6f\u00f0a geymslu. \u00de\u00fa getur stillt SQL Server Agent verk til a\u00f0 skrifa A\u00f0 stj\u00f3rna \u00f3breytanlegum var\u00f0veisluf\u00e1num, sn\u00faa a\u00f0gangslyklum og tryggja samstillingu milli var\u00f0veislustefna gagnagrunna og geymslul\u00e1sa me\u00f0 s\u00e9rsni\u00f0num forskriftum er mj\u00f6g villugjarnt. Ein r\u00f6ng stilling \u00ed cron-verki e\u00f0a API-kalli getur skili\u00f0 afritin \u00fe\u00edn eftir \u00f3varin e\u00f0a leitt til himinh\u00e1rra sk\u00fdjageymslukostna\u00f0ar vegna muna\u00f0arlausra, l\u00e6stra hluta.<\/p>\n Afritunarvettvangar fyrir fyrirt\u00e6ki eins og CloudSave einfalda \u00feennan arkitekt\u00far. CloudSave sam\u00fe\u00e6ttist innbyggt vi\u00f0 AWS S3 Object Lock, Azure Blob Immutable Storage og S3-samh\u00e6f\u00f0 API \u00e1 sta\u00f0num.<\/p>\n \u00deegar \u00fe\u00fa stillir afritunar\u00e1\u00e6tlun fyrir gagnagrunn \u00ed CloudSave: Til a\u00f0 tryggja a\u00f0 \u00f3breytanlegur arkitekt\u00far \u00feinn s\u00e9 sannarlega vi\u00f0n\u00e1ms\u00fer\u00f3ttur, skaltu fylgja eftirfarandi verkfr\u00e6\u00f0ilegum bestu starfsvenjum:<\/p>\n \u00d3breytanlegir l\u00e1sar eru st\u00e6r\u00f0fr\u00e6\u00f0ilega bundnir vi\u00f0 t\u00edmastimpla. Ef NTP (Network Time Protocol) \u00fej\u00f3nustan \u00e1 geymsluklasanum \u00fe\u00ednum e\u00f0a afritunar\u00fej\u00f3ni er kompromitteru\u00f0 e\u00f0a skekkjast, getur \u00fea\u00f0 valdi\u00f0 \u00fev\u00ed a\u00f0 l\u00e1sar renni \u00fat fyrir t\u00edmann e\u00f0a renni aldrei \u00fat. Gakktu \u00far skugga um a\u00f0 geymsluinnvi\u00f0ir \u00fe\u00ednir noti sta\u00f0festa, \u00f3\u00fearfa NTP-gjafa.<\/p>\n Skilr\u00edkin sem notu\u00f0 eru til a\u00f0 skrifa \u00ed \u00f3breytanlegu f\u00f6tuna mega a\u00f0eins hafa D\u00e6mi um IAM-stefnu me\u00f0 l\u00e1gmarksr\u00e9ttindum fyrir afritunarumbo\u00f0smann gagnagrunns:<\/p>\n Ekki setja samr\u00e6misl\u00e1sa \u00ed \u00f3h\u00f3flega langan t\u00edma (t.d. 7 \u00e1r fyrir samr\u00e6mi) \u00e1 a\u00f0al-endurheimtarlaginu \u00fe\u00ednu. Gagnagrunnar b\u00faa til gr\u00ed\u00f0arlegt magn af WAL\/f\u00e6rsluskr\u00e1arg\u00f6gnum. A\u00f0 l\u00e6sa \u00feessum g\u00f6gnum \u00ed m\u00f6rg \u00e1r mun lei\u00f0a til veldisvaxandi geymslukostna\u00f0ar. \u00d3breytanleiki tryggir a\u00f0 g\u00f6gnunum ver\u00f0i ekki eytt, en hann tryggir ekki a\u00f0 g\u00f6gnin s\u00e9u laus vi\u00f0 r\u00f6kr\u00e9ttar skemmdir. \u00de\u00fa ver\u00f0ur a\u00f0 gera sj\u00e1lfvirka endurheimt \u00e1 \u00f3breytanlegum gagnagrunnss\u00f6fnum \u00fe\u00ednum \u00ed einangra\u00f0, loftgirt (air-gapped) VPC e\u00f0a VLAN. Keyr\u00f0u V\u00f6rn gegn lausnarhugb\u00fana\u00f0i sn\u00fdst um a\u00f0 gera r\u00e1\u00f0 fyrir broti. \u00deegar vi\u00f0v\u00f6run fer \u00ed gang \u00ed SIEM-kerfinu \u00fe\u00ednu hafa \u00f3gnara\u00f0ilar l\u00edklega \u00feegar reynt a\u00f0 komast yfir afritunarinnvi\u00f0i \u00fe\u00edna. Me\u00f0 \u00fev\u00ed a\u00f0 hanna gagnagrunnss\u00f6fnin \u00fe\u00edn me\u00f0 \u00f3breytanlegri geymslu \u00ed samr\u00e6misstillingu, sviptir \u00fe\u00fa \u00e1r\u00e1sara\u00f0ila helsta vopni \u00feeirra. Hvort sem \u00fe\u00fa notar innbygg\u00f0 sk\u00fdja-API, ZFS-hold e\u00f0a fyrirt\u00e6kjastj\u00f3rnunarvettvang eins og CloudSave, \u00fe\u00e1 er innlei\u00f0ing \u00e1 WORM-geymslu ekki lengur valfrj\u00e1ls\u2014h\u00fan er \u00f3fr\u00e1v\u00edkjanlegur hluti af n\u00fat\u00edma gagnagrunnsstj\u00f3rnun og hamfarabata.<\/p>\n","protected":false},"excerpt":{"rendered":" ** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Immutable Database Storage to Defeat Ransomware","rank_math_description":"** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.","rank_math_focus_keyword":"immutable database storage","footnotes":""},"categories":[479],"tags":[4630,4631,4632,1305,4633,4634],"class_list":["post-6374","post","type-post","status-publish","format-standard","hentry","category-database-backup","tag-3-2-1-1-backup","tag-data-survivability","tag-database-archives","tag-enterprise-backup","tag-immutable-storage","tag-ransomware-protection"],"yoast_head":"\nV\u00e9lfr\u00e6\u00f0i \u00f3breytanlegrar geymslu<\/h2>\n
Samr\u00e6misstilling (Compliance Mode) vs. Stj\u00f3rnunarstilling (Governance Mode)<\/h3>\n
\n
s3:BypassGovernanceRetention<\/code>) sni\u00f0gengi\u00f0 l\u00e1sinn. \u00deetta er gagnlegt vi\u00f0 pr\u00f3fanir en \u00f3fulln\u00e6gjandi fyrir v\u00f6rn gegn lausnarhugb\u00fana\u00f0i<\/strong>, \u00fear sem \u00e1r\u00e1sara\u00f0ilar h\u00e6kka oft heimildir s\u00ednar \u00ed l\u00e9nsstj\u00f3ra e\u00f0a r\u00f3tara\u00f0gang.<\/li>\nH\u00f6nnun \u00e1 \u00f3breytanlegu afritunarferli<\/h2>\n
.mdf<\/code>\/.ldf<\/code> \u00ed SQL Server e\u00f0a pg_data<\/code> m\u00f6ppuna \u00ed PostgreSQL) vegna \u00feess a\u00f0 gagnagrunnar krefjast st\u00f6\u00f0ugs les-\/skrifa\u00f0gangs.<\/p>\n
\n1. Full og mismunadrifin afrit (Full and Differential Backup Files):<\/strong> Grunnmyndir af gagnagrunninum.
\n2. F\u00e6rsluskr\u00e1r \/ WAL-skr\u00e1r:<\/strong> St\u00f6\u00f0ugur straumur gagnagrunnsbreytinga sem \u00fearf fyrir endurheimt \u00e1 \u00e1kve\u00f0num t\u00edmapunkti (Point-in-Time Recovery – PITR).<\/p>\nGeymslu\u00e1fangasta\u00f0ir fyrir \u00f3breytanleika<\/h3>\n
\n* Sk\u00fdjageymsla (Object Storage):<\/strong> AWS S3 Object Lock, Azure Blob Immutable Storage, Google Cloud Storage Retention Policies.
\n* Geymsla \u00e1 sta\u00f0num (On-Premises Object Storage):<\/strong> MinIO, Cloudian e\u00f0a Pure Storage FlashBlade sem sty\u00f0ja S3 Object Lock API.
\n* Blokk-\/skr\u00e1ageymsla:<\/strong> ZFS me\u00f0 skrifv\u00f6r\u00f0um skyndimyndum (snapshots) og framseldri stj\u00f3rnun, e\u00f0a Linux skr\u00e1areiginleikar.<\/p>\nInnlei\u00f0ing \u00e1 \u00f3breytanlegri geymslu: T\u00e6knilegar lei\u00f0beiningar<\/h2>\n
1. Sk\u00fdjageymsla: AWS S3 Object Lock<\/h3>\n
aws s3api create-bucket \n --bucket prod-db-archive-immutable \n --region us-east-1 \n --object-lock-enabled-for-bucket\n<\/code><\/pre>\naws s3api put-object-lock-configuration \n --bucket prod-db-archive-immutable \n --object-lock-configuration '{\n "ObjectLockEnabled": "Enabled",\n "Rule": {\n "DefaultRetention": {\n "Mode": "COMPLIANCE",\n "Days": 30\n }\n }\n }'\n<\/code><\/pre>\nRetain Until Date<\/code> byggt \u00e1 t\u00edmastimpli skr\u00e1arstofnunar pl\u00fas 30 dagar.<\/p>\n2. \u00d3breytanleiki \u00e1 sta\u00f0num: ZFS og Linux eiginleikar<\/h3>\n
chattr<\/code> skipuninni, e\u00f0a raunverulegum \u00f3breytanleika me\u00f0 ZFS-skyndimyndum.<\/p>\nchattr<\/code>:<\/strong>
\n+i<\/code> (immutable) f\u00e1ninn kemur \u00ed veg fyrir breytingar, ey\u00f0ingu e\u00f0a endurnefningu skr\u00e1a.<\/p>\n# Taka afrit af gagnagrunni\npg_dump -U postgres -Fc mydb > \/backups\/mydb_$(date +%F).dump\n\n# Gera afriti\u00f0 \u00f3breytanlegt\nsudo chattr +i \/backups\/mydb_$(date +%F).dump\n\n# Sta\u00f0festa eiginleikann\nlsattr \/backups\/mydb_$(date +%F).dump\n# \u00dattak: ----i---------e------- \/backups\/mydb_2023-10-27.dump\n<\/code><\/pre>\nchattr<\/code> st\u00f6\u00f0vi einfaldar lausnarhugb\u00fana\u00f0arforskriftir, getur h\u00e1\u00fer\u00f3a\u00f0ur \u00e1r\u00e1sara\u00f0ili me\u00f0 r\u00f3tara\u00f0gang einfaldlega keyrt chattr -i<\/code>. \u00deess vegna ver\u00f0ur \u00feetta a\u00f0 vera sameina\u00f0 str\u00f6ngu RBAC og einangru\u00f0um afritunarnetum.<\/em><\/p>\n
\nZFS veitir mun sterkari v\u00f6rn. Me\u00f0 \u00fev\u00ed a\u00f0 taka skyndimynd og setja \u201ehold\u201c \u00e1 hana kemur\u00f0u \u00ed veg fyrir a\u00f0 henni s\u00e9 eytt.<\/p>\n# Taka skyndimynd af afritunargagnasafninu\nzfs snapshot tank\/db_backups@archive_$(date +%F)\n\n# Setja hold \u00e1 skyndimyndina til a\u00f0 koma \u00ed veg fyrir ey\u00f0ingu\nzfs hold keep_30_days tank\/db_backups@archive_$(date +%F)\n\n# Jafnvel r\u00f3tarnotandi getur ekki eytt \u00feessari skyndimynd \u00e1n \u00feess a\u00f0 losa hold-i\u00f0\nzfs destroy tank\/db_backups@archive_$(date +%F)\n# \u00dattak: cannot destroy 'tank\/db_backups@archive_...': dataset is busy\n<\/code><\/pre>\nAfritunarstefnur fyrir gagnagrunna<\/h2>\n
PostgreSQL WAL-geymsla me\u00f0 pgBackRest<\/h3>\n
pgBackRest<\/code> er mj\u00f6g \u00e1rei\u00f0anlegt afritunart\u00f3l fyrir PostgreSQL sem sty\u00f0ur innbyggt S3-samh\u00e6f\u00f0a geymslu. Til a\u00f0 vernda Write-Ahead Logs (WAL) skr\u00e1arnar \u00fe\u00ednar skaltu stilla pgBackRest<\/code> til a\u00f0 senda \u00fe\u00e6r beint \u00ed \u00f3breytanlegu S3-f\u00f6tuna \u00fe\u00edna.<\/p>\npgbackrest.conf<\/code> skr\u00e1nni \u00feinni:<\/p>\n[global]\nrepo1-type=s3\nrepo1-s3-bucket=prod-db-archive-immutable\nrepo1-s3-region=us-east-1\nrepo1-s3-endpoint=s3.amazonaws.com\nrepo1-s3-key=AKIAIOSFODNN7EXAMPLE\nrepo1-s3-key-secret=wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY\n\n# Gakktu \u00far skugga um a\u00f0 var\u00f0veisla samr\u00e6mist S3 Object Lock stillingum \u00fe\u00ednum\nrepo1-retention-full=2\nrepo1-retention-archive=2\n\n[prod_cluster]\npg1-path=\/var\/lib\/postgresql\/14\/main\n<\/code><\/pre>\npgBackRest<\/code> reynir a\u00f0 l\u00e1ta WAL-skr\u00e1r renna \u00fat og ey\u00f0a \u00feeim eftir 14 daga byggt \u00e1 repo1-retention-archive<\/code>, munu ey\u00f0ingark\u00f6llin mistakast. \u00de\u00fa ver\u00f0ur a\u00f0 tryggja a\u00f0 var\u00f0veislustefna afritunarhugb\u00fana\u00f0arins s\u00e9 j\u00f6fn e\u00f0a lengri en \u00f3breytanlegi l\u00e1sinn \u00e1 geymslustiginu.<\/p>\nMicrosoft SQL Server: Afritun \u00e1 URL<\/h3>\n
.bak<\/code> og .trn<\/code> skr\u00e1r beint \u00ed \u00f3breytanlega f\u00f6tu.<\/p>\nCREATE CREDENTIAL [s3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com]\nWITH IDENTITY = 'S3 Access Key',\nSECRET = 'AccessKeyID:SecretAccessKey';\nGO\n\nBACKUP DATABASE [ProductionDB]\nTO URL = 's3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com\/ProductionDB_Full.bak'\nWITH FORMAT, COMPRESSION, STATS = 10;\nGO\n<\/code><\/pre>\nSj\u00e1lfvirkni og stj\u00f3rnun me\u00f0 CloudSave<\/h2>\n
\n1. Vettvangurinn s\u00e9r sj\u00e1lfkrafa um VSS (Volume Shadow Copy Service) fyrir SQL Server e\u00f0a pg_start_backup()<\/code> API fyrir PostgreSQL.
\n2. Hann streymir afafritu\u00f0um, dulk\u00f3\u00f0u\u00f0um afritunarg\u00f6gnum beint \u00e1 geymslu\u00e1fangasta\u00f0inn.
\n3. CloudSave beitir WORM API-k\u00f6llunum (t.d. PutObjectRetention<\/code>) \u00e1 hverja skr\u00e1 fyrir sig, sem samr\u00e6mir l\u00e1slengd geymslunnar fullkomlega vi\u00f0 var\u00f0veislut\u00edmabili\u00f0 sem skilgreint er \u00ed stefnunni.
\n4. Ef \u00e1r\u00e1sara\u00f0ili kemst yfir CloudSave-stj\u00f3rnbor\u00f0i\u00f0 getur hann samt ekki eytt afritunum, \u00fear sem samr\u00e6misl\u00e1snum er framfylgt af undirliggjandi geymsluinnvi\u00f0um, ekki afritunarhugb\u00fana\u00f0inum.<\/p>\nBestu starfsvenjur fyrir \u00f3breytanleg gagnagrunnss\u00f6fn<\/h2>\n
1. Str\u00f6ng NTP-samstilling<\/h3>\n
2. Einangra IAM-hlutverk og skilr\u00edki<\/h3>\n
s3:PutObject<\/code> og s3:PutObjectRetention<\/code> heimildir. \u00deau \u00e6ttu aldrei<\/strong> a\u00f0 hafa s3:DeleteObject<\/code> e\u00f0a s3:PutBucketObjectLockConfiguration<\/code> heimildir.<\/p>\n{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Effect": "Allow",\n "Action": [\n "s3:PutObject",\n "s3:GetBucketObjectLockConfiguration"\n ],\n "Resource": [\n "arn:aws:s3:::prod-db-archive-immutable",\n "arn:aws:s3:::prod-db-archive-immutable\/*"\n ]\n }\n ]\n}\n<\/code><\/pre>\n3. St\u00e6r\u00f0 var\u00f0veislut\u00edmabilsins<\/h3>\n
\nNota\u00f0u frekar lagskipta n\u00e1lgun:
\n* Rekstrarendurheimtarlag:<\/strong> 14 til 30 daga \u00f3breytanleg var\u00f0veisla fyrir full afrit og skr\u00e1r.
\n* Langt\u00edmageymslulag:<\/strong> M\u00e1na\u00f0arleg full afrit flutt \u00ed Glacier\/Deep Archive me\u00f0 Vault Lock \u00ed 1-7 \u00e1r.<\/p>\n4. Reglulegar endurheimtarpr\u00f3fanir \u00ed einangru\u00f0um VPC-um<\/h3>\n
DBCC CHECKDB<\/code> (SQL Server) e\u00f0a pg_amcheck<\/code> (PostgreSQL) \u00e1 endurheimtu g\u00f6gnunum til a\u00f0 sta\u00f0festa bur\u00f0arvirki.<\/p>\nNi\u00f0ursta\u00f0a<\/h2>\n