Bareos Director Hosted on Internet
Alexandre Denault
I’m working on a somewhat complicated Bareos setup and it would be must simpler/easier to host the Bareos Director over the Internet. Combined with Active Storage and File clients, it would simplify my multisite setup greatly.
That said, is the Bareos Director robust enough to be hosted over the Intenet? Is it secure? I would assure that any client without a private key recognized by the Director would not be able to interact with it.
Thanks,
Alex
Florian Panzer - PLUSTECH GmbH
We're runnig this setup (public director + client initiated fd
connections) with overall success.
No problems so far - apart from the usual* ;)
I'm sure nobody will gurarantee that there are no security flaws
- there most like are.
*) bareos-dir crashing on typo in config followed by reload
*) bareos-dir crashing because it's tuesday
Florian Panzer ----------------------------------- PLUSTECH GmbH Jäckstraße 35 96052 Bamberg Telefon: +49 951 299 09 716 https://plustech.de/ Geschäftsführung: Florian Panzer Amtsgericht Bamberg - HRB 9680 -----------------------------------
--
You received this message because you are subscribed to the Google Groups "bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bareos-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/08188095-4800-413c-88b7-ccc66bc57bacn%40googlegroups.com.
Spadajspadaj
In case of multi-location setup you need to think about ways of limiting access and connection direction.
I have a "reverse" setup - I needed passive clients so I can initiate connections from director/sd _to_ fd. You might need the opposite, as I see, so it's pretty standard.
There is _always_ a risk when you're putting something open to
the internet so if you want to limit your exposure, think about
filtering the traffic on the network/OS level (limiting access to
bareos ports only to specific addreses) and of course you can
always think about setting up a VPN between your locations.
To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/4847a7d9-edf1-fb2e-be89-57b73be58bbc%40plustech.de.
Alexandre Denault
You received this message because you are subscribed to a topic in the Google Groups "bareos-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/bareos-users/7P_SZrWBJ8U/unsubscribe.
To unsubscribe from this group and all its topics, send an email to bareos-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/02211794-f8b3-6c7e-17fc-28e38f377bb4%40gmail.com.
Alexandre Denault
Senior Director, Technology Operations
Ludia Inc.
Spadajspadaj
Well... yes, if you use TLS Verify Peer than TLS library is your first line of defence because you shouldn't be able to connect with a peer without a valid certificate. I don't see any mention about CRL in TLS configuration Directives though so you might want to think how you would like to address possible issue with compromised client (you can explicitly allow specified CN's with TLS Allowed CN option as a workaround).
In general, compromised client - unless abusing some error in the director software - shouldn't be able to exploit the director. As you can see on the picture in https://docs.bareos.org/IntroductionAndTutorial/WhatIsBareos.html#interactions-between-the-bareos-services even though it might be the FD that connects to the DIR (if you don't use passive clients), it's the Director that issues commands to the FD.
Of course a rogue fd could try to generate an endless stream of
data but you can mitigate it to some extent by - for example -
limiting job run time or fiddling with Maximum Volume Jobs and
Maximum Volume Bytes in case of file backed storage.
To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/CALT3ydaxDaZYy4Eg3QptEz_%2Bo8UXsEt87DJfUwFzzVy_AKWBog%40mail.gmail.com.