Hi all,

Soon I’ll be upgrading my server. I want to make sure the data stored on it is safe, so I’ve spent some time planning the storage. Here’s the current plan.

I’ll buy 2x3TB HDDs and put them in RAID 1, using ZFS (the snapshots will be what I use for backups). I’ll have another HDD in the server which will store the snapshots as backups.

Finally, I’ll have the ZFS snapshots sent to my personal PC as well, which will be in a remote location to the server.

As I understand it, that should check all the 3-2-1 boxes. I’m covered if either of the main hard drives fails, or if either of the backups fails, or if some other damage happens to the server.

Does this all make sense? Any feedback or advice is much appreciated. Feel free to ask questions, also. Thanks.

(I’ve also posted this on Reddit, but decided to post here too).

@dugite_code

The only thing you are not taking into account is a crypto-virus. All of your backups are online; you could get away with it as ZFS snapshots are versioned so you can roll back, but I always say it’s always a good idea to have an “air-gapped” backup. I have 2 drives and a hard drive dock; I swap manually between the two twice a week and have versioned backups on them.

sseneca
creator

I mentioned this on Reddit, but would it be enough to keep a LUKS encrypted hard drive on the remote PC that was only ever mounted during a transfer of the backup? In this case, the crypto-virus wouldn’t be able to reach it because it’d be unmounted and encrypted.

I’m basically trying to avoid buying too much hardware and make do with as much as I can, to avoid spending too much.

@dugite_code

Realistically, in a personal home situation you are only concerned with drive-by crypto virus infections with limited self propagation within your network (connected SMB shares and the like), so something like this would hit the “good enough” mark.

Additionally, I wouldn’t push from your server to your remote PC. I would pull from your remote PC (using a limited set of credentials); it’s a minor change but it’s an important network security consideration.

sseneca
creator

Could you elaborate a bit on the push/pull part? What you said makes sense in terms of that being safer, but would running rsync on the remote PC to copy the backup from the server to the remote PC’s HDD count as “pulling” in this context?

@dugite_code

Yes, running rsync on the remote PC pulling from the server is pulling in this context. Pushing would be if you had rsync on the server sending data to the remote PC.

From a network security standpoint you want to avoid having any form of credential for your backup computer on your production computer (aka your server). This is simply because it’s difficult to ensure that a set of user credentials can only do the one thing (copy files for backup) rather than something more malicious such as delete your backup files or send a malicious payload. And as your backups should be in a higher security position with very limited access, you can trust any commands from that machine will be less likely to ever be compromised.
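
One way to hold the pull key to "the one thing" on the server side, as an added example that is not part of the thread: an SSH forced-command gate that only lets the remote PC run rsync in read-only sender mode. The script path, `/tank/backups` and the key are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): server-side gate for a pull-only key.
# Assumed install, in the backup user's authorized_keys on the server:
#   restrict,command="/usr/local/bin/backup-gate" ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> backup-pc
# sshd then runs this script for every login with that key and exposes the
# command the client asked for in SSH_ORIGINAL_COMMAND.

BACKUP_ROOT=/tank/backups    # assumed directory the backup PC may read
LC_ALL=C; export LC_ALL      # byte-wise character ranges in the patterns below
set -f                       # never glob-expand client-supplied words

# Return 0 only for "rsync --server --sender <short flags> . <paths under root>",
# which is what the server sees when the remote PC runs an rsync pull.
allow_backup_command() {
    set -- $1                # same word split the final exec performs
    [ "$1 $2 $3" = "rsync --server --sender" ] || return 1
    shift 3
    paths=0
    for w in "$@"; do
        case $w in
            *[!A-Za-z0-9._/-]*) return 1 ;;   # no quotes, $, ;, backticks...
            --*) return 1 ;;                  # e.g. --remove-source-files deletes on the sender
            -*/*) return 1 ;;                 # no paths hidden in a short flag cluster
            -*|.) ;;                          # short flag cluster, "." placeholder
            *..*) return 1 ;;                 # no climbing out of the root
            "$BACKUP_ROOT"/*) paths=$((paths + 1)) ;;
            *) return 1 ;;                    # any other path, e.g. /etc/shadow
        esac
    done
    [ "$paths" -ge 1 ]
}

gate_main() {
    if allow_backup_command "${SSH_ORIGINAL_COMMAND:-}"; then
        exec $SSH_ORIGINAL_COMMAND            # word split only, never eval
    fi
    echo "backup-gate: refused" >&2
    exit 1
}

# Only act when sshd invoked us with a client command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then gate_main; fi
```

With this in place, a stolen copy of the pull key cannot open a shell, push files to the server or delete the source data. rsync also ships a more complete script for the same job, `rrsync`.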

@ajz

> would running rsync on the remote PC to copy the backup from the server to the remote PC’s HDD count as “pulling” in this context?

I’d say yes.
