M\u016bsdienu apdraud\u0113jumu vid\u0113 izspied\u0113jv\u012brusi ir att\u012bst\u012bju\u0161ies no oport\u016bnistiskas \u0161ifr\u0113\u0161anas l\u012bdz m\u0113r\u0137tiec\u012bg\u0101m, daudzpak\u0101pju izspie\u0161anas kampa\u0146\u0101m. Uzlaboto past\u0101v\u012bgo draudu (APT) grupas un izspied\u0113jv\u012brusu sindik\u0101ti tagad akt\u012bvi mekl\u0113 rezerves kopiju infrastrukt\u016bru un datub\u0101\u017eu arh\u012bvus savas uztur\u0113\u0161an\u0101s laik\u0101 sist\u0113m\u0101. Ja uzbruc\u0113js kompromit\u0113 j\u016bsu prim\u0101ro datub\u0101zi un vienlaikus izdz\u0113\u0161 vai \u0161ifr\u0113 j\u016bsu rezerves kopiju kr\u0101tuves, j\u016bsu organiz\u0101cija saskaras ar katastrof\u0101lu datu zudumu.<\/p>\n
Datub\u0101\u017eu administratoriem (DBA) un DevOps in\u017eenieriem tradicion\u0101l\u0101 3-2-1 rezerves kopiju strat\u0113\u0123ija vairs nav pietiekama. Lai garant\u0113tu datu izdz\u012bvo\u0161anu, infrastrukt\u016bras komand\u0101m ir j\u0101pie\u0146em 3-2-1-1 noteikums, kur p\u0113d\u0113jais “1” apz\u012bm\u0113 nemain\u012bgu (immutable) kr\u0101tuvi<\/strong>.<\/p>\n \u0160aj\u0101 rakst\u0101 ir sniegts visaptvero\u0161s, tehnisks ieskats nemain\u012bgas kr\u0101tuves arhitekt\u016bras izstr\u0101d\u0113, ievie\u0161an\u0101 un p\u0101rvald\u012bb\u0101 datub\u0101\u017eu arh\u012bviem, lai nodro\u0161in\u0101tu absol\u016btu notur\u012bbu pret izspied\u0113jv\u012brusiem.<\/p>\n Nemain\u012bga kr\u0101tuve balst\u0101s uz WORM (Write-Once-Read-Many \u2013 rakst\u012bt vienreiz, las\u012bt daudzk\u0101rt) arhitekt\u016bru. Kad dati ir ierakst\u012bti nemain\u012bg\u0101 m\u0113r\u0137viet\u0101, tos nevar modific\u0113t, \u0161ifr\u0113t vai izdz\u0113st neviens lietot\u0101js, tostarp administratori ar root privil\u0113\u0123ij\u0101m vai kompromit\u0113ti pakalpojumu konti, l\u012bdz beidzas matem\u0101tiski noteiktais laika ierobe\u017eojums.<\/p>\n Ievie\u0161ot nemain\u012bgumu, \u012bpa\u0161i m\u0101ko\u0146a objektu kr\u0101tuv\u0113s, piem\u0113ram, AWS S3, Azure Blob vai S3 sader\u012bg\u0101s lok\u0101l\u0101s SAN sist\u0113m\u0101s, ir j\u0101saprot at\u0161\u0137ir\u012bba starp saglab\u0101\u0161anas re\u017e\u012bmiem:<\/p>\n Robust\u0101 datub\u0101\u017eu arhiv\u0113\u0161anas arhitekt\u016bra atdala akt\u012bv\u0101s datub\u0101\u017eu darb\u012bbas no nemain\u012bg\u0101 arh\u012bva l\u012bme\u0146a. J\u016bs nevarat piem\u0113rot nemain\u012bgumu akt\u012bviem datub\u0101\u017eu failiem (piem\u0113ram, T\u0101 viet\u0101 nemain\u012bgums tiek piem\u0113rots: J\u016bs varat ieviest nemain\u012bgu kr\u0101tuvi da\u017e\u0101dos infrastrukt\u016bras l\u012bme\u0146os: Lai aizsarg\u0101tu datub\u0101\u017eu izg\u0101zumus (dumps) un transakciju \u017eurn\u0101lus AWS, jums ir j\u0101iesp\u0113jo Object Lock br\u012bd\u012b, kad tiek izveidots “bucket” (kr\u0101tuves konteiners).<\/p>\n Vispirms izveidojiet “bucket” ar iesp\u0113jotu Object Lock:<\/p>\n P\u0113c tam konfigur\u0113jiet noklus\u0113juma saglab\u0101\u0161anas politiku. Datub\u0101\u017eu arh\u012bviem 30 dienu atbilst\u012bbas blo\u0137\u0113\u0161ana ir standarta b\u0101zes l\u012bnija, kas nodro\u0161ina, ka jums ir m\u0113nesi ilgas nemain\u012bgas rezerves kopijas.<\/p>\n Kad j\u016bsu datub\u0101zes rezerves kopiju skripts vai a\u0123ents nos\u016bta failu uz \u0161o “bucket”, S3 autom\u0101tiski apr\u0113\u0137ina Ja arhiv\u0113jat datub\u0101zes uz lok\u0101la Linux rezerves kopiju servera, varat pan\u0101kt pseido-nemain\u012bbu, izmantojot Izmantojot Linux Piez\u012bme: Lai gan Izmantojot ZFS momentuz\u0146\u0113mumus:<\/strong> Lai pan\u0101ktu atjauno\u0161anu uz noteiktu laika punktu (PITR), jums ir nep\u0101rtraukti j\u0101arhiv\u0113 transakciju \u017eurn\u0101li sav\u0101 nemain\u012bgaj\u0101 kr\u0101tuv\u0113.<\/p>\n J\u016bsu Svar\u012bgs apsv\u0113rums:<\/em> Ja j\u016bsu S3 “bucket” piem\u0113ro 30 dienu atbilst\u012bbas blo\u0137\u0113\u0161anu, bet SQL Server atbalsta nat\u012bvas rezerves kopijas tie\u0161i uz S3 sader\u012bgu objektu kr\u0101tuvi. Varat konfigur\u0113t SQL Server Agent darbu, lai rakst\u012btu Nemain\u012bgo saglab\u0101\u0161anas karodzi\u0146u p\u0101rvald\u012bba, piek\u013cuves atsl\u0113gu rot\u0101cija un sinhroniz\u0101cijas nodro\u0161in\u0101\u0161ana starp datub\u0101\u017eu saglab\u0101\u0161anas politik\u0101m un kr\u0101tuvju blo\u0137\u0113\u0161anu, izmantojot piel\u0101gotus skriptus, ir \u013coti pak\u013cauta k\u013c\u016bd\u0101m. Viena nepareiza konfigur\u0101cija cron darb\u0101 vai API izsaukum\u0101 var atst\u0101t j\u016bsu arh\u012bvus neaizsarg\u0101tus vai izrais\u012bt strauju m\u0101ko\u0146a kr\u0101tuves izmaksu pieaugumu d\u0113\u013c atst\u0101tiem, blo\u0137\u0113tiem objektiem.<\/p>\n Uz\u0146\u0113muma l\u012bme\u0146a rezerves kopiju platformas, piem\u0113ram, CloudSave, vienk\u0101r\u0161o \u0161o arhitekt\u016bru. CloudSave nat\u012bvi integr\u0113jas ar AWS S3 Object Lock, Azure Blob Immutable Storage un lok\u0101l\u0101m S3 sader\u012bg\u0101m API.<\/p>\n Konfigur\u0113jot datub\u0101zes rezerves kopiju pl\u0101nu CloudSave: Lai nodro\u0161in\u0101tu, ka j\u016bsu nemain\u012bg\u0101 arhitekt\u016bra ir patiesi notur\u012bga, iev\u0113rojiet \u0161\u0101du sist\u0113mu in\u017eenierijas lab\u0101ko praksi:<\/p>\n Nemain\u012bg\u0101s blo\u0137\u0113\u0161anas ir matem\u0101tiski piesaist\u012btas laika z\u012bmogiem. Ja NTP (Network Time Protocol) pakalpojums j\u016bsu kr\u0101tuvju mas\u012bv\u0101 vai rezerves kopiju server\u012b ir kompromit\u0113ts vai nob\u012bd\u0101s, tas var izrais\u012bt blo\u0137\u0113\u0161anas priek\u0161laic\u012bgu beig\u0161anos vai to, ka t\u0101s nekad nebeidzas. Nodro\u0161iniet, ka j\u016bsu kr\u0101tuvju infrastrukt\u016bra izmanto autentific\u0113tus, redundantus NTP avotus.<\/p>\n Akredit\u0101cijas datiem, ko izmanto rakst\u012b\u0161anai uz nemain\u012bgo “bucket”, j\u0101b\u016bt tikai Piem\u0113rs minim\u0101lo privil\u0113\u0123iju IAM politikai datub\u0101zes rezerves kopiju a\u0123entam:<\/p>\n Neiestatiet atbilst\u012bbas blo\u0137\u0113\u0161anu uz p\u0101rm\u0113r\u012bgi ilgiem periodiem (piem., 7 gadiem atbilst\u012bbas nodro\u0161in\u0101\u0161anai) sav\u0101 prim\u0101raj\u0101 \u0101tr\u0101s atjauno\u0161anas l\u012bmen\u012b. Datub\u0101zes \u0123ener\u0113 milz\u012bgu daudzumu WAL\/transakciju \u017eurn\u0101lu datu. \u0160o datu blo\u0137\u0113\u0161ana gadiem ilgi rad\u012bs eksponenci\u0101lu kr\u0101tuves izmaksu pieaugumu. Nemain\u012bgums garant\u0113, ka datus nevar izdz\u0113st, bet tas negarant\u0113, ka dati ir br\u012bvi no lo\u0123iskiem boj\u0101jumiem. Jums ir j\u0101automatiz\u0113 savu nemain\u012bgo datub\u0101\u017eu arh\u012bvu atjauno\u0161ana izol\u0113t\u0101, no t\u012bkla atdal\u012bt\u0101 (air-gapped) VPC vai VLAN. Palaidiet Aizsardz\u012bba pret izspied\u0113jv\u012brusiem ir vingrin\u0101jums, pie\u0146emot, ka ielau\u0161an\u0101s notiks. L\u012bdz br\u012bdim, kad j\u016bsu SIEM sist\u0113m\u0101 atskan br\u012bdin\u0101jums, draudu dal\u012bbnieki, visticam\u0101k, jau ir m\u0113\u0123in\u0101ju\u0161i kompromit\u0113t j\u016bsu rezerves kopiju infrastrukt\u016bru. Izstr\u0101d\u0101jot savu datub\u0101\u017eu arh\u012bvu arhitekt\u016bru, izmantojot nemain\u012bgu kr\u0101tuvi atbilst\u012bbas re\u017e\u012bm\u0101, j\u016bs at\u0146emat uzbruc\u0113jiem to galveno sviru. Neatkar\u012bgi no t\u0101, vai izmantojat nat\u012bvas m\u0101ko\u0146a API, ZFS aiztures vai uz\u0146\u0113muma or\u0137estr\u0113\u0161anas platformu, piem\u0113ram, CloudSave, WORM kr\u0101tuves ievie\u0161ana vairs nav izv\u0113les iesp\u0113ja \u2014 tas ir oblig\u0101ts m\u016bsdienu datub\u0101\u017eu administr\u0113\u0161anas un katastrofu seku nov\u0113r\u0161anas p\u012bl\u0101rs.<\/p>\n","protected":false},"excerpt":{"rendered":" ** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Immutable Database Storage to Defeat Ransomware","rank_math_description":"** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.","rank_math_focus_keyword":"immutable database storage","footnotes":""},"categories":[535],"tags":[4665,4666,4667,1319,4668,4669],"class_list":["post-6381","post","type-post","status-publish","format-standard","hentry","category-database-backup","tag-3-2-1-1-backup","tag-data-survivability","tag-database-archives","tag-enterprise-backup","tag-immutable-storage","tag-ransomware-protection"],"yoast_head":"\nNemain\u012bgas kr\u0101tuves meh\u0101nika<\/h2>\n
Atbilst\u012bbas re\u017e\u012bms (Compliance Mode) pret P\u0101rvald\u012bbas re\u017e\u012bmu (Governance Mode)<\/h3>\n
\n
s3:BypassGovernanceRetention<\/code>) var apiet \u0161o blo\u0137\u0113\u0161anu. Tas ir noder\u012bgi test\u0113\u0161anai, bet nepietiekami aizsardz\u012bbai pret izspied\u0113jv\u012brusiem<\/strong>, jo uzbruc\u0113ji bie\u017ei paaugstina privil\u0113\u0123ijas l\u012bdz dom\u0113na administratora vai root l\u012bmenim.<\/li>\nNemain\u012bgas rezerves kopiju cauru\u013cvada arhitekt\u016bra<\/h2>\n
.mdf<\/code>\/.ldf<\/code> SQL Server vai pg_data<\/code> direktorijai PostgreSQL), jo datub\u0101z\u0113m ir nepiecie\u0161ama past\u0101v\u012bga las\u012b\u0161anas\/rakst\u012b\u0161anas piek\u013cuve.<\/p>\n
\n1. Piln\u0101m un diferenci\u0101laj\u0101m rezerves kopij\u0101m:<\/strong> Datub\u0101zes b\u0101zes momentuz\u0146\u0113mumiem.
\n2. Transakciju \u017eurn\u0101liem \/ WAL failiem:<\/strong> Past\u0101v\u012bgai datub\u0101zes izmai\u0146u pl\u016bsmai, kas nepiecie\u0161ama atjauno\u0161anai uz noteiktu laika punktu (Point-in-Time Recovery \u2014 PITR).<\/p>\nKr\u0101tuvju m\u0113r\u0137i nemain\u012bgumam<\/h3>\n
\n* M\u0101ko\u0146a objektu kr\u0101tuve:<\/strong> AWS S3 Object Lock, Azure Blob Immutable Storage, Google Cloud Storage Retention Policies.
\n* Lok\u0101l\u0101 objektu kr\u0101tuve:<\/strong> MinIO, Cloudian vai Pure Storage FlashBlade, kas atbalsta S3 Object Lock API.
\n* Bloku\/failu kr\u0101tuve:<\/strong> ZFS ar tikai las\u0101miem momentuz\u0146\u0113mumiem un dele\u0123\u0113tu administr\u0113\u0161anu vai Linux failu atrib\u016btiem.<\/p>\nNemain\u012bgas kr\u0101tuves ievie\u0161ana: Tehniskie nor\u0101d\u012bjumi<\/h2>\n
1. M\u0101ko\u0146a objektu kr\u0101tuve: AWS S3 Object Lock<\/h3>\n
aws s3api create-bucket \n --bucket prod-db-archive-immutable \n --region us-east-1 \n --object-lock-enabled-for-bucket\n<\/code><\/pre>\naws s3api put-object-lock-configuration \n --bucket prod-db-archive-immutable \n --object-lock-configuration '{\n "ObjectLockEnabled": "Enabled",\n "Rule": {\n "DefaultRetention": {\n "Mode": "COMPLIANCE",\n "Days": 30\n }\n }\n }'\n<\/code><\/pre>\nRetain Until Date<\/code> (saglab\u0101t l\u012bdz datumam), pamatojoties uz objekta izveides laika z\u012bmogu plus 30 dien\u0101m.<\/p>\n2. Lok\u0101l\u0101 nemain\u012bba: ZFS un Linux atrib\u016bti<\/h3>\n
chattr<\/code> komandu, vai patiesu nemain\u012bbu, izmantojot ZFS momentuz\u0146\u0113mumus.<\/p>\nchattr<\/code>:<\/strong>
\n+i<\/code> (immutable) karodzi\u0146\u0161 nov\u0113r\u0161 faila modific\u0113\u0161anu, dz\u0113\u0161anu vai p\u0101rd\u0113v\u0113\u0161anu.<\/p>\n# Izveidot datub\u0101zes izg\u0101zumu\npg_dump -U postgres -Fc mydb > \/backups\/mydb_$(date +%F).dump\n\n# Padar\u012bt rezerves kopiju nemain\u012bgu\nsudo chattr +i \/backups\/mydb_$(date +%F).dump\n\n# P\u0101rbaud\u012bt atrib\u016btu\nlsattr \/backups\/mydb_$(date +%F).dump\n# Izvade: ----i---------e------- \/backups\/mydb_2023-10-27.dump\n<\/code><\/pre>\nchattr<\/code> aptur pamata izspied\u0113jv\u012brusu skriptus, izsmalcin\u0101ts uzbruc\u0113js ar root piek\u013cuvi var vienk\u0101r\u0161i izpild\u012bt chattr -i<\/code>. T\u0101p\u0113c tas ir j\u0101apvieno ar stingru RBAC un izol\u0113tiem rezerves kopiju t\u012bkliem.<\/em><\/p>\n
\nZFS nodro\u0161ina daudz sp\u0113c\u012bg\u0101ku aizsardz\u012bbu. Izveidojot momentuz\u0146\u0113mumu un uzliekot tam “aizturi” (hold), j\u016bs nov\u0113r\u0161at momentuz\u0146\u0113muma izn\u012bcin\u0101\u0161anu.<\/p>\n# Izveidot rezerves kopiju datu kopas momentuz\u0146\u0113mumu\nzfs snapshot tank\/db_backups@archive_$(date +%F)\n\n# Uzlikt aizturi momentuz\u0146\u0113mumam, lai nov\u0113rstu dz\u0113\u0161anu\nzfs hold keep_30_days tank\/db_backups@archive_$(date +%F)\n\n# Pat root nevar izn\u012bcin\u0101t \u0161o momentuz\u0146\u0113mumu, neatbr\u012bvojot aizturi\nzfs destroy tank\/db_backups@archive_$(date +%F)\n# Izvade: cannot destroy 'tank\/db_backups@archive_...': dataset is busy\n<\/code><\/pre>\nDatub\u0101z\u0113m specifiskas arhiv\u0113\u0161anas strat\u0113\u0123ijas<\/h2>\n
PostgreSQL WAL arhiv\u0113\u0161ana ar pgBackRest<\/h3>\n
pgBackRest<\/code> ir \u013coti uzticams rezerves kopiju r\u012bks PostgreSQL, kas nat\u012bvi atbalsta S3 sader\u012bgu kr\u0101tuvi. Lai aizsarg\u0101tu savus Write-Ahead Logs (WAL), konfigur\u0113jiet pgBackRest<\/code> s\u016bt\u012bt datus tie\u0161i uz j\u016bsu nemain\u012bgo S3 “bucket”.<\/p>\npgbackrest.conf<\/code> fail\u0101:<\/p>\n[global]\nrepo1-type=s3\nrepo1-s3-bucket=prod-db-archive-immutable\nrepo1-s3-region=us-east-1\nrepo1-s3-endpoint=s3.amazonaws.com\nrepo1-s3-key=AKIAIOSFODNN7EXAMPLE\nrepo1-s3-key-secret=wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY\n\n# Nodro\u0161iniet, ka saglab\u0101\u0161anas termi\u0146\u0161 atbilst j\u016bsu S3 Object Lock konfigur\u0101cijai\nrepo1-retention-full=2\nrepo1-retention-archive=2\n\n[prod_cluster]\npg1-path=\/var\/lib\/postgresql\/14\/main\n<\/code><\/pre>\npgBackRest<\/code> m\u0113\u0123ina izbeigt un izdz\u0113st WAL failus p\u0113c 14 dien\u0101m, pamatojoties uz repo1-retention-archive<\/code>, dz\u0113\u0161anas API izsaukumi neizdosies. Jums ir j\u0101p\u0101rliecin\u0101s, ka j\u016bsu rezerves kopiju programmat\u016bras saglab\u0101\u0161anas politika ir vien\u0101da vai gar\u0101ka par kr\u0101tuves l\u012bme\u0146a nemain\u012bgo blo\u0137\u0113\u0161anu.<\/p>\nMicrosoft SQL Server: Rezerves kopija uz URL<\/h3>\n
.bak<\/code> un .trn<\/code> failus tie\u0161i uz nemain\u012bgu “bucket”.<\/p>\nCREATE CREDENTIAL [s3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com]\nWITH IDENTITY = 'S3 Access Key',\nSECRET = 'AccessKeyID:SecretAccessKey';\nGO\n\nBACKUP DATABASE [ProductionDB]\nTO URL = 's3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com\/ProductionDB_Full.bak'\nWITH FORMAT, COMPRESSION, STATS = 10;\nGO\n<\/code><\/pre>\nAutomatiz\u0101cija un or\u0137estr\u0113\u0161ana ar CloudSave<\/h2>\n
\n1. Platforma autom\u0101tiski apstr\u0101d\u0101 VSS (Volume Shadow Copy Service) klus\u0113\u0161anu SQL Server vai pg_start_backup()<\/code> API PostgreSQL.
\n2. T\u0101 straum\u0113 dedubl\u0113tus, \u0161ifr\u0113tus rezerves kopiju datus tie\u0161i uz kr\u0101tuves m\u0113r\u0137i.
\n3. CloudSave dinamiski piem\u0113ro WORM API izsaukumus (piem., PutObjectRetention<\/code>) katram objektam atsevi\u0161\u0137i, perfekti saska\u0146ojot kr\u0101tuves blo\u0137\u0113\u0161anas ilgumu ar politik\u0101 defin\u0113to saglab\u0101\u0161anas grafiku.
\n4. Ja uzbruc\u0113js kompromit\u0113 CloudSave p\u0101rvald\u012bbas konsoli, vi\u0146\u0161 joproj\u0101m nevar izdz\u0113st rezerves kopijas, jo atbilst\u012bbas blo\u0137\u0113\u0161anu \u012bsteno pamat\u0101 eso\u0161\u0101 kr\u0101tuves infrastrukt\u016bra, nevis rezerves kopiju programmat\u016bra.<\/p>\nLab\u0101k\u0101 prakse nemain\u012bgiem datub\u0101\u017eu arh\u012bviem<\/h2>\n
1. Stingra NTP sinhroniz\u0101cija<\/h3>\n
2. Izol\u0113jiet IAM lomas un akredit\u0101cijas datus<\/h3>\n
s3:PutObject<\/code> un s3:PutObjectRetention<\/code> at\u013cauj\u0101m. Tiem nekad<\/strong> nevajadz\u0113tu b\u016bt s3:DeleteObject<\/code> vai s3:PutBucketObjectLockConfiguration<\/code> at\u013cauj\u0101m.<\/p>\n{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Effect": "Allow",\n "Action": [\n "s3:PutObject",\n "s3:GetBucketObjectLockConfiguration"\n ],\n "Resource": [\n "arn:aws:s3:::prod-db-archive-immutable",\n "arn:aws:s3:::prod-db-archive-immutable\/*"\n ]\n }\n ]\n}\n<\/code><\/pre>\n3. Saglab\u0101\u0161anas perioda noteik\u0161ana<\/h3>\n
\nT\u0101 viet\u0101 izmantojiet l\u012bme\u0146veida pieeju:
\n* Operat\u012bv\u0101s atjauno\u0161anas l\u012bmenis:<\/strong> 14 l\u012bdz 30 dienu nemain\u012bga saglab\u0101\u0161ana piln\u0101m kopij\u0101m un \u017eurn\u0101liem.
\n* Ilgtermi\u0146a arhiv\u0113\u0161anas l\u012bmenis:<\/strong> Ikm\u0113ne\u0161a pilnas rezerves kopijas, kas p\u0101rvietotas uz Glacier\/Deep Archive ar Vault Lock uz 1-7 gadiem.<\/p>\n4. Regul\u0101ra atjauno\u0161anas test\u0113\u0161ana izol\u0113tos (air-gapped) VPC<\/h3>\n
DBCC CHECKDB<\/code> (SQL Server) vai pg_amcheck<\/code> (PostgreSQL) uz atjaunotajiem datiem, lai p\u0101rbaud\u012btu struktur\u0101lo integrit\u0101ti.<\/p>\nSecin\u0101jums<\/h2>\n