{"id":6414,"date":"2026-06-19T13:54:43","date_gmt":"2026-06-19T13:54:43","guid":{"rendered":"https:\/\/cloudsave.app\/knowledge-base\/immutable-database-storage-ransomware\/"},"modified":"2026-06-19T14:28:07","modified_gmt":"2026-06-19T14:28:07","slug":"ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91","status":"publish","type":"post","link":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/","title":{"rendered":"Immutable Storage Architecture for Database Archives to Defend Against Ransomware"},"content":{"rendered":"<p>In the modern threat landscape, ransomware has evolved from opportunistic encryption into highly targeted, multi-pronged extortion campaigns. Advanced persistent threats (APTs) and ransomware groups now actively hunt for backup infrastructure and database archives during their dwell time in a compromised system. 
If an attacker compromises your primary database and at the same time deletes or encrypts your backup repositories, your organization faces catastrophic data loss.<\/p>\n<p>For database administrators (DBAs) and DevOps engineers, the traditional 3-2-1 backup strategy is no longer enough. To guarantee data survivability, infrastructure teams must adopt the 3-2-1-1 rule, where the final &#8220;1&#8221; stands for <strong>immutable storage<\/strong>.<\/p>\n<p>This article is a technical deep dive into how to design, deploy and manage immutable storage for database archives to ensure absolute resilience against ransomware.<\/p>\n<h2>How Immutable Storage Works<\/h2>\n<p>Immutable storage is built on a Write Once, Read Many (WORM) architecture. 
Once data is written to an immutable target, it cannot be modified, encrypted or deleted by any user, including administrators with root privileges and compromised service accounts, until the mathematically enforced lock period expires.<\/p>\n<h3>Compliance Mode vs. Governance Mode<\/h3>\n<p>When implementing immutability, particularly in cloud object storage such as AWS S3, Azure Blob or on-premises S3-compatible SANs, you must understand the difference between the retention modes:<\/p>\n<ul>\n<li><strong>Governance Mode:<\/strong> Prevents standard users from deleting or altering objects. However, users with specific IAM permissions (for example, <code>s3:BypassGovernanceRetention<\/code>) can override the lock. 
This is useful for testing but <strong>not sufficient for ransomware protection<\/strong>, because attackers frequently escalate privileges to domain administrator or root.<\/li>\n<li><strong>Compliance Mode:<\/strong> The gold standard for ransomware defense. When an object is locked in Compliance Mode, its retention period cannot be shortened and the object cannot be deleted by <em>anyone<\/em>, including the AWS root account. The lock is enforced at the storage cluster level.<\/li>\n<\/ul>\n<h2>Designing an Immutable Backup Pipeline<\/h2>\n<p>A robust database archiving architecture separates live database operations from the immutable storage tier. You cannot apply immutability to active database files (such as <code>.mdf<\/code>\/<code>.ldf<\/code> in SQL Server or the <code>pg_data<\/code> directory in PostgreSQL) because the database requires continuous read\/write access.<\/p>\n<p>Instead, immutability is applied to:<br \/>\n1. 
<strong>Full and Differential Backup Files:<\/strong> The baseline database snapshots.<br \/>\n2. <strong>Transaction Logs \/ WAL Files:<\/strong> The continuous stream of database changes required for Point-in-Time Recovery (PITR).<\/p>\n<h3>Storage Targets for Immutability<\/h3>\n<p>You can implement immutable storage at different infrastructure tiers:<br \/>\n* <strong>Cloud object storage:<\/strong> AWS S3 Object Lock, Azure Blob Immutable Storage, Google Cloud Storage Retention Policies.<br \/>\n* <strong>On-premises object storage:<\/strong> MinIO, Cloudian or Pure Storage FlashBlade, which support the S3 Object Lock API.<br \/>\n* <strong>Block\/file storage:<\/strong> ZFS with read-only snapshots and delegated administration, or Linux file attributes.<\/p>\n<h2>Implementing Immutable Storage: A Technical Guide<\/h2>\n<h3>1. 
Cloud Object Storage: AWS S3 Object Lock<\/h3>\n<p>To protect database dumps and transaction logs in AWS, you must enable Object Lock at bucket creation time.<\/p>\n<p>First, create the bucket with Object Lock enabled:<\/p>\n<pre><code class=\"language-bash\">aws s3api create-bucket \\\n    --bucket prod-db-archive-immutable \\\n    --region us-east-1 \\\n    --object-lock-enabled-for-bucket\n<\/code><\/pre>\n<p>Next, configure the default retention policy. For database archives, a 30-day compliance lock is the standard baseline, ensuring you have one month of unalterable backups.<\/p>\n<pre><code class=\"language-bash\">aws s3api put-object-lock-configuration \\\n    --bucket prod-db-archive-immutable \\\n    --object-lock-configuration '{\n        &quot;ObjectLockEnabled&quot;: &quot;Enabled&quot;,\n        &quot;Rule&quot;: {\n            &quot;DefaultRetention&quot;: {\n                &quot;Mode&quot;: &quot;COMPLIANCE&quot;,\n                &quot;Days&quot;: 30\n            }\n        }\n    }'\n<\/code><\/pre>\n<p>When your database backup script or agent pushes files into this bucket, S3 automatically calculates the <code>Retain Until Date<\/code> from the object creation timestamp plus 30 days.<\/p>\n<h3>2. 
On-Premises Immutability: ZFS and Linux Attributes<\/h3>\n<p>If you archive databases to an on-premises Linux backup server, you can achieve pseudo-immutability with the <code>chattr<\/code> command, or true immutability with ZFS snapshots.<\/p>\n<p><strong>Using <code>chattr<\/code> on Linux:<\/strong><br \/>\nThe <code>+i<\/code> (immutable) flag prevents a file from being modified, deleted or renamed.<\/p>\n<pre><code class=\"language-bash\"># Dump the database\npg_dump -U postgres -Fc mydb &gt; \/backups\/mydb_$(date +%F).dump\n\n# Make the backup immutable\nsudo chattr +i \/backups\/mydb_$(date +%F).dump\n\n# Verify the attribute\nlsattr \/backups\/mydb_$(date +%F).dump\n# Output: ----i---------e------- \/backups\/mydb_2023-10-27.dump\n<\/code><\/pre>\n<p><em>Note: While <code>chattr<\/code> stops basic ransomware scripts, a sophisticated attacker with root access can simply run <code>chattr -i<\/code>. It must therefore be combined with strict RBAC and isolated backup networks.<\/em><\/p>\n<p><strong>Using ZFS Snapshots:<\/strong><br \/>\nZFS provides a much stronger defense. 
By creating a snapshot and placing a &#8220;hold&#8221; on it, you prevent the snapshot from being destroyed.<\/p>\n<pre><code class=\"language-bash\"># Create a snapshot of the backup dataset\nzfs snapshot tank\/db_backups@archive_$(date +%F)\n\n# Place a hold on the snapshot to prevent deletion\nzfs hold keep_30_days tank\/db_backups@archive_$(date +%F)\n\n# Even root cannot destroy this snapshot without first releasing the hold\nzfs destroy tank\/db_backups@archive_$(date +%F)\n# Output: cannot destroy 'tank\/db_backups@archive_...': dataset is busy\n<\/code><\/pre>\n<h2>Database-Specific Archiving Strategies<\/h2>\n<p>To achieve Point-in-Time Recovery (PITR), you must continuously archive transaction logs to your immutable storage.<\/p>\n<h3>PostgreSQL WAL Archiving with pgBackRest<\/h3>\n<p><code>pgBackRest<\/code> is a highly reliable backup tool for PostgreSQL that supports S3-compatible storage. 
To protect your Write-Ahead Logs (WAL), configure <code>pgBackRest<\/code> to push directly to your immutable S3 bucket.<\/p>\n<p>In your <code>pgbackrest.conf<\/code> file:<\/p>\n<pre><code class=\"language-ini\">[global]\nrepo1-type=s3\nrepo1-s3-bucket=prod-db-archive-immutable\nrepo1-s3-region=us-east-1\nrepo1-s3-endpoint=s3.amazonaws.com\nrepo1-s3-key=AKIAIOSFODNN7EXAMPLE\nrepo1-s3-key-secret=wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY\n\n# Ensure retention aligns with your S3 Object Lock configuration\nrepo1-retention-full=2\nrepo1-retention-archive=2\n\n[prod_cluster]\npg1-path=\/var\/lib\/postgresql\/14\/main\n<\/code><\/pre>\n<p><em>Important consideration:<\/em> If your S3 bucket enforces a 30-day Compliance lock but <code>pgBackRest<\/code> tries to expire and delete WAL files after 14 days based on <code>repo1-retention-archive<\/code>, the delete API calls will fail. You must ensure that the backup software's retention policy is greater than or equal to the storage-level immutable lock.<\/p>\n<h3>Microsoft SQL Server: Backup to URL<\/h3>\n<p>SQL Server natively supports backing up directly to S3-compatible object storage. 
You can configure a SQL Server Agent job to write <code>.bak<\/code> and <code>.trn<\/code> files directly to an immutable bucket.<\/p>\n<pre><code class=\"language-sql\">CREATE CREDENTIAL [s3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com]\nWITH IDENTITY = 'S3 Access Key',\nSECRET = 'AccessKeyID:SecretAccessKey';\nGO\n\nBACKUP DATABASE [ProductionDB]\nTO URL = 's3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com\/ProductionDB_Full.bak'\nWITH FORMAT, COMPRESSION, STATS = 10;\nGO\n<\/code><\/pre>\n<h2>Automation and Orchestration with CloudSave<\/h2>\n<p>Managing immutable retention flags, rotating access keys and keeping database retention policies in sync with storage locks through custom scripts is highly error-prone. A misconfiguration in a cron job or an API call can leave your archives exposed or lead to runaway cloud storage costs from locked objects that are no longer in use.<\/p>\n<p>Enterprise backup platforms such as CloudSave simplify this architecture. CloudSave integrates natively with AWS S3 Object Lock, Azure Blob Immutable Storage and on-premises S3-compatible APIs.<\/p>\n<p>When you configure a database backup plan in CloudSave:<br \/>\n1. 
The platform automatically handles VSS (Volume Shadow Copy Service) quiescing for SQL Server or the <code>pg_start_backup()<\/code> API for PostgreSQL.<br \/>\n2. It streams deduplicated, encrypted backup data directly to the storage target.<br \/>\n3. CloudSave dynamically applies WORM API calls (for example, <code>PutObjectRetention<\/code>) on a per-object basis, aligning the storage lock period perfectly with the policy-defined retention schedule.<br \/>\n4. If an attacker compromises the CloudSave management console, they still cannot delete the backups, because the compliance lock is enforced by the underlying storage infrastructure, not by the backup software.<\/p>\n<h2>Best Practices for Immutable Database Archiving<\/h2>\n<p>To ensure your immutable architecture is truly resilient, follow these systems-engineering best practices:<\/p>\n<h3>1. Strict NTP Synchronization<\/h3>\n<p>Immutable locks are mathematically bound to timestamps. 
If the NTP (Network Time Protocol) service on your storage array or backup server is compromised or drifts, it can cause locks to expire prematurely or never expire. Ensure your storage infrastructure uses authenticated, redundant NTP sources.<\/p>\n<h3>2. Isolate IAM Roles and Credentials<\/h3>\n<p>The credentials used to write to the immutable bucket should have only the <code>s3:PutObject<\/code> and <code>s3:PutObjectRetention<\/code> permissions. They must <strong>never<\/strong> have <code>s3:DeleteObject<\/code> or <code>s3:PutBucketObjectLockConfiguration<\/code>.<\/p>\n<p>Example least-privilege IAM policy for a database backup agent:<\/p>\n<pre><code class=\"language-json\">{\n    &quot;Version&quot;: &quot;2012-10-17&quot;,\n    &quot;Statement&quot;: [\n        {\n            &quot;Effect&quot;: &quot;Allow&quot;,\n            &quot;Action&quot;: [\n                &quot;s3:PutObject&quot;,\n                &quot;s3:GetBucketObjectLockConfiguration&quot;\n            ],\n            &quot;Resource&quot;: [\n                &quot;arn:aws:s3:::prod-db-archive-immutable&quot;,\n                &quot;arn:aws:s3:::prod-db-archive-immutable\/*&quot;\n            ]\n        }\n    ]\n}\n<\/code><\/pre>\n<h3>3. 
Right-Size Retention Periods<\/h3>\n<p>Do not set excessively long compliance locks (for example, 7 years for compliance) on your primary fast-recovery tier. Databases generate massive volumes of WAL\/transaction log data. Locking this data for years will lead to exponentially growing storage costs.<br \/>\nInstead, use a tiered approach:<br \/>\n* <strong>Operational recovery tier:<\/strong> 14 to 30 days of immutable retention for Full and Log backups.<br \/>\n* <strong>Long-term archive tier:<\/strong> Monthly full backups moved to Glacier\/Deep Archive with Vault Lock for 1-7 years.<\/p>\n<h3>4. Regular Recovery Testing in Isolated (Air-Gapped) VPCs<\/h3>\n<p>Immutability guarantees that data cannot be deleted, but it does not guarantee that the data is free of logical corruption. You must automate restores of your immutable database archives into an isolated VPC or VLAN. 
Run <code>DBCC CHECKDB<\/code> (SQL Server) or <code>pg_amcheck<\/code> (PostgreSQL) against the restored data to verify structural integrity.<\/p>\n<h2>Conclusion<\/h2>\n<p>Ransomware defense is an exercise in assuming breach. By the time an alert fires in your SIEM, the attackers have likely already attempted to compromise your backup infrastructure. By designing your database archives on immutable storage in Compliance Mode, you strip away the attacker's primary leverage. Whether you use native cloud APIs, ZFS holds or an enterprise orchestration platform such as CloudSave, implementing WORM storage is no longer optional; it is a mandatory pillar of modern database administration and disaster recovery.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to protect enterprise database archives from ransomware using immutable storage. 
Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Immutable Database Storage to Defeat Ransomware","rank_math_description":"** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.","rank_math_focus_keyword":"immutable database storage","footnotes":""},"categories":[767],"tags":[4810,4811,4812,1377,4813,4814],"class_list":["post-6414","post","type-post","status-publish","format-standard","hentry","category-database-backup","tag-3-2-1-1-backup","tag-data-survivability","tag-database-archives","tag-enterprise-backup","tag-immutable-storage","tag-ransomware-protection"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.7 (Yoast SEO v27.7) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Immutable Database Storage to Defeat Ransomware<\/title>\n<meta name=\"description\" content=\"** Learn how to protect enterprise database archives from ransomware using immutable storage. 
Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/\" \/>\n<meta property=\"og:locale\" content=\"vi_VN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ki\u1ebfn tr\u00fac l\u01b0u tr\u1eef b\u1ea5t bi\u1ebfn cho l\u01b0u tr\u1eef c\u01a1 s\u1edf d\u1eef li\u1ec7u \u0111\u1ec3 ch\u1ed1ng l\u1ea1i m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n\" \/>\n<meta property=\"og:description\" content=\"** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudSave\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-19T13:54:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-19T14:28:07+00:00\" \/>\n<meta name=\"author\" content=\"shervinrv\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u0110\u01b0\u1ee3c vi\u1ebft b\u1edfi\" \/>\n\t<meta name=\"twitter:data1\" content=\"shervinrv\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u01af\u1edbc t\u00ednh th\u1eddi gian \u0111\u1ecdc\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 
ph\u00fat\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/knowledge-base\\\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/knowledge-base\\\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\\\/\"},\"author\":{\"name\":\"shervinrv\",\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/#\\\/schema\\\/person\\\/286beefe68281d868e87f46603a7ae4d\"},\"headline\":\"Ki\u1ebfn tr\u00fac l\u01b0u tr\u1eef b\u1ea5t bi\u1ebfn cho l\u01b0u tr\u1eef c\u01a1 s\u1edf d\u1eef li\u1ec7u \u0111\u1ec3 ch\u1ed1ng l\u1ea1i m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n\",\"datePublished\":\"2026-06-19T13:54:43+00:00\",\"dateModified\":\"2026-06-19T14:28:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/knowledge-base\\\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\\\/\"},\"wordCount\":3081,\"publisher\":{\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/#\\\/schema\\\/person\\\/286beefe68281d868e87f46603a7ae4d\"},\"keywords\":[\"3-2-1-1 backup\",\"data survivability\",\"database archives\",\"Enterprise Backup\",\"immutable storage\",\"ransomware protection\"],\"articleSection\":[\"Database 
Backup\"],\"inLanguage\":\"vi\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/knowledge-base\\\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\\\/\",\"url\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/knowledge-base\\\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\\\/\",\"name\":\"Immutable Database Storage to Defeat Ransomware\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/#website\"},\"datePublished\":\"2026-06-19T13:54:43+00:00\",\"dateModified\":\"2026-06-19T14:28:07+00:00\",\"description\":\"** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL 
Server.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/knowledge-base\\\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\\\/#breadcrumb\"},\"inLanguage\":\"vi\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cloudsave.app\\\/vi\\\/knowledge-base\\\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/knowledge-base\\\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Ki\u1ebfn tr\u00fac l\u01b0u tr\u1eef b\u1ea5t bi\u1ebfn cho l\u01b0u tr\u1eef c\u01a1 s\u1edf d\u1eef li\u1ec7u \u0111\u1ec3 ch\u1ed1ng l\u1ea1i m\u00e3 \u0111\u1ed9c t\u1ed1ng 
ti\u1ec1n\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/#website\",\"url\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/\",\"name\":\"CloudSave\",\"description\":\"CloudSave\",\"publisher\":{\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/#\\\/schema\\\/person\\\/286beefe68281d868e87f46603a7ae4d\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"vi\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/#\\\/schema\\\/person\\\/286beefe68281d868e87f46603a7ae4d\",\"name\":\"shervinrv\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"vi\",\"@id\":\"https:\\\/\\\/cloudsave.app\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/Logo_Name-2.png\",\"url\":\"https:\\\/\\\/cloudsave.app\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/Logo_Name-2.png\",\"contentUrl\":\"https:\\\/\\\/cloudsave.app\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/Logo_Name-2.png\",\"width\":859,\"height\":150,\"caption\":\"shervinrv\"},\"logo\":{\"@id\":\"https:\\\/\\\/cloudsave.app\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/Logo_Name-2.png\"},\"sameAs\":[\"http:\\\/\\\/cloudsave.app\"],\"url\":\"https:\\\/\\\/cloudsave.app\\\/vi\\\/knowledge-base\\\/author\\\/shervinrv\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Immutable Database Storage to Defeat Ransomware","description":"** Learn how to protect enterprise database archives from ransomware using immutable storage. 
Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/","og_locale":"vi_VN","og_type":"article","og_title":"Ki\u1ebfn tr\u00fac l\u01b0u tr\u1eef b\u1ea5t bi\u1ebfn cho l\u01b0u tr\u1eef c\u01a1 s\u1edf d\u1eef li\u1ec7u \u0111\u1ec3 ch\u1ed1ng l\u1ea1i m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n","og_description":"** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.","og_url":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/","og_site_name":"CloudSave","article_published_time":"2026-06-19T13:54:43+00:00","article_modified_time":"2026-06-19T14:28:07+00:00","author":"shervinrv","twitter_card":"summary_large_image","twitter_misc":{"\u0110\u01b0\u1ee3c vi\u1ebft b\u1edfi":"shervinrv","\u01af\u1edbc t\u00ednh th\u1eddi gian \u0111\u1ecdc":"17 
ph\u00fat"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/#article","isPartOf":{"@id":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/"},"author":{"name":"shervinrv","@id":"https:\/\/cloudsave.app\/vi\/#\/schema\/person\/286beefe68281d868e87f46603a7ae4d"},"headline":"Ki\u1ebfn tr\u00fac l\u01b0u tr\u1eef b\u1ea5t bi\u1ebfn cho l\u01b0u tr\u1eef c\u01a1 s\u1edf d\u1eef li\u1ec7u \u0111\u1ec3 ch\u1ed1ng l\u1ea1i m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n","datePublished":"2026-06-19T13:54:43+00:00","dateModified":"2026-06-19T14:28:07+00:00","mainEntityOfPage":{"@id":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/"},"wordCount":3081,"publisher":{"@id":"https:\/\/cloudsave.app\/vi\/#\/schema\/person\/286beefe68281d868e87f46603a7ae4d"},"keywords":["3-2-1-1 backup","data survivability","database archives","Enterprise Backup","immutable storage","ransomware protection"],"articleSection":["Database 
Backup"],"inLanguage":"vi"},{"@type":"WebPage","@id":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/","url":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/","name":"Immutable Database Storage to Defeat Ransomware","isPartOf":{"@id":"https:\/\/cloudsave.app\/vi\/#website"},"datePublished":"2026-06-19T13:54:43+00:00","dateModified":"2026-06-19T14:28:07+00:00","description":"** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.","breadcrumb":{"@id":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/#breadcrumb"},"inLanguage":"vi","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/cloudsave.app\/vi\/knowledge-base\/ki%e1%ba%bfn-tr%c3%bac-l%c6%b0u-tr%e1%bb%af-b%e1%ba%a5t-bi%e1%ba%bfn-cho-l%c6%b0u-tr%e1%bb%af-c%c6%a1-s%e1%bb%9f-d%e1%bb%af-li%e1%bb%87u-%c4%91%e1%bb%83-ch%e1%bb%91ng-l%e1%ba%a1i-m%c3%a3-%c4%91\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cloudsave.app\/vi\/"},{"@type":"ListItem","position":2,"name":"Ki\u1ebfn tr\u00fac 
l\u01b0u tr\u1eef b\u1ea5t bi\u1ebfn cho l\u01b0u tr\u1eef c\u01a1 s\u1edf d\u1eef li\u1ec7u \u0111\u1ec3 ch\u1ed1ng l\u1ea1i m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n"}]},{"@type":"WebSite","@id":"https:\/\/cloudsave.app\/vi\/#website","url":"https:\/\/cloudsave.app\/vi\/","name":"CloudSave","description":"CloudSave","publisher":{"@id":"https:\/\/cloudsave.app\/vi\/#\/schema\/person\/286beefe68281d868e87f46603a7ae4d"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cloudsave.app\/vi\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"vi"},{"@type":["Person","Organization"],"@id":"https:\/\/cloudsave.app\/vi\/#\/schema\/person\/286beefe68281d868e87f46603a7ae4d","name":"shervinrv","image":{"@type":"ImageObject","inLanguage":"vi","@id":"https:\/\/cloudsave.app\/wp-content\/uploads\/2026\/02\/Logo_Name-2.png","url":"https:\/\/cloudsave.app\/wp-content\/uploads\/2026\/02\/Logo_Name-2.png","contentUrl":"https:\/\/cloudsave.app\/wp-content\/uploads\/2026\/02\/Logo_Name-2.png","width":859,"height":150,"caption":"shervinrv"},"logo":{"@id":"https:\/\/cloudsave.app\/wp-content\/uploads\/2026\/02\/Logo_Name-2.png"},"sameAs":["http:\/\/cloudsave.app"],"url":"https:\/\/cloudsave.app\/vi\/knowledge-base\/author\/shervinrv\/"}]}},"_links":{"self":[{"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/posts\/6414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/comments?post=6414"}],"version-history":[{"count":1,"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/posts\/6414\/revisions"}],"predecessor-version":[{"id"
:6472,"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/posts\/6414\/revisions\/6472"}],"wp:attachment":[{"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/media?parent=6414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/categories?post=6414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudsave.app\/vi\/wp-json\/wp\/v2\/tags?post=6414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}