Can't ransomware just delete the backups

I was messing with Duplicati on one of my computers (love the software, use it on most of my end devices) and thought of something. What happens if a malware or ransomware makes the Duplicati application inaccessible?
In this hypothetical scenario, I would just reinstall the OS, install Duplicati, and pull the backups

What about in the event there was a malicious actor using the machine via RDP, TeamViewer, or even SSH and they were to stumble upon the Duplicati web UI? Can they, from that UI, delete backups, change backup configurations, etc.?
Can the malicious actor go into the program files and find stuff like passwords, hashes, sensitive information, etc.?

You can slow them down a little with GUI password, but live attacks are bad.
I think ransomware is often automated, but if you’re the unlucky exception…

The intruder on the system may act as you, or might have even more power.
Even if they’re just you, they likely have access to local sensitive information.

Getting to remote could use the GUI or knowledge of Duplicati’s info storage.
Duplicati doesn’t support S3 object lock but some add their own immutability.

Not having the backup easily accessible as if it was local files is a good start.
One of my backups is offline on a USB drive. It can break, but not by remote.

Online destinations can have other protections, but it depends on worry level.
Sometimes using it like cold storage helps, with careful cleanups infrequently.

This sounds bad but hear me out. I’m less worried about them having access to the data on the local system and more worried about them deleting the data on the local system then logging into Duplicati and deleting the backups.

Is it possible to bypass the password in the web UI by looking through the program files? If they just encrypt Duplicati or even delete it, that’s fine because we may still have the backups.

Reading the manual will suffice for that. Duplicati.Server.exe has a --webservice-password option.

A skilled attacker in your system is bad. You can make your backup hard to get, and also back IT up.
A second backup (or sync, e.g. rclone if you’re more daring) should initiate from a well-secured system.

Any time you’re pushing stuff out, there’s always the risk of an attacker following the login credentials.
Complete protection of outgoing login credentials is impossible, as the remote service will need them.

Another general rule for important stuff is to have multiple backups. Maybe one of them will survive…

EDIT:

Duplicati runs best when installed on the computer it’s backing up, but this means it pushes data out.
Sometimes (given enough desire), a remote backup over a LAN from a trusted backup host is better.

Duplicati is a ‘trust no one’ system, but it should be understood as ‘trust no one… other people’s computers’. If you can’t trust your own computer, you can’t trust your online backup.
The only protection is to duplicate your online backup on something that is not online for your not-so-trusted computer.
As already said, this can be an offline medium like a USB key in your pocket.
Or you can have a duplication of your online backup that is done by an external service. You can have a cloud backing up your computer using Duplicati, and another cloud backing up the first cloud. Only you must have the access key (password or something like that) for the second cloud. Of course, this must be done using cloning tools external to your backed-up computer (else the access key would have to be stored on this computer). This is not breaking the ‘trust no one’ model, since both clouds are only handling encrypted data.

Duplicati does not provide active protection against loss of backup data when your local system is compromised. Depending on your situation, there are some things you can do to improve the security of your backup data:

  • Regularly copy your backup data to an offline medium. On a NAS, you can schedule a task to synchronize the backup folder to an external disk, or do this manually.
  • Use offline media for storing your backups. In the case of USB hard disks/SSDs, you can move the local database to the backup disk. This is not officially supported, but if multiple external disks contain their own local database, you can use rotating backup disks with Duplicati.
  • If the backend’s file system supports snapshots (for example BTRFS on a Synology NAS), you can schedule a daily snapshot of the backup data. If your backup data is encrypted by ransomware, you can revert to a previously created snapshot.

Please note that you should not use an admin account to upload your backup data. Avoid local network transfer to your backend (SMB, whether or not via a VPN). Create a user account that allows access to only the shared folder containing data from the current backup job, using for example the WebDAV protocol over HTTPS.

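A detection-side complement to the options above, meant to run from a trusted second host (not the backed-up machine) that has read-only access to the backup destination: an added example, not Duplicati's own code, that compares the destination against the last known manifest and flags deletions, in-place size changes and foreign filenames such as a ransomware extension. The volume-name pattern is my reading of Duplicati's usual naming; the manifest file and the deletion allowance for normal retention/compact runs are assumptions.

```python
"""Compare a Duplicati backup destination against a saved manifest (added example)."""
import json
import re
import sys
from pathlib import Path

# Duplicati volume names as I understand the usual scheme (assumption, not a project API):
#   duplicati-20240101T120000Z.dlist.zip.aes   one file list per backup run
#   duplicati-b<32 hex>.dblock.zip.aes         data blocks
#   duplicati-i<32 hex>.dindex.zip.aes         index for one dblock
VOLUME_RE = re.compile(
    r"^duplicati-(?:\d{8}T\d{6}Z\.dlist|[bi][0-9a-f]{32}\.(?:dblock|dindex))"
    r"\.zip(?:\.aes)?$"
)


def inventory(folder: Path) -> dict:
    """Map every regular file in the destination to its size in bytes."""
    return {p.name: p.stat().st_size for p in folder.iterdir() if p.is_file()}


def compare(previous: dict, current: dict, allowed_deletions: int = 0) -> dict:
    """Classify differences between the last known manifest and the current listing.

    Duplicati does not rewrite a volume in place; retention and compact only delete
    old volumes and upload new ones. So a size change or a foreign filename is always
    suspicious, and so is losing more volumes than retention normally removes, or
    losing every dlist (then no restore point is left at all).
    """
    missing = sorted(set(previous) - set(current))
    changed = sorted(n for n in previous if n in current and previous[n] != current[n])
    foreign = sorted(n for n in current if not VOLUME_RE.match(n))
    dlists_left = [n for n in current if VOLUME_RE.match(n) and ".dlist." in n]
    suspicious = bool(changed or foreign or len(missing) > allowed_deletions
                      or (previous and not dlists_left))
    return {"missing": missing, "changed": changed, "foreign": foreign,
            "dlists_left": len(dlists_left), "suspicious": suspicious}


def main(dest: str, manifest: str, allowed_deletions: int = 0) -> int:
    manifest_path = Path(manifest)  # hypothetical state file kept on the trusted host
    previous = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    report = compare(previous, inventory(Path(dest)), allowed_deletions)
    print(json.dumps(report, indent=2))
    if report["suspicious"]:
        return 1  # keep the last good manifest so the next run still sees the loss
    manifest_path.write_text(json.dumps(inventory(Path(dest))))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2], int(sys.argv[3]) if len(sys.argv) > 3 else 0))
```

Set the deletion allowance to what your retention policy normally removes per run, so routine compaction does not alert while a bulk wipe does.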

Deciding how you want backups, restores, and administration to work would be good to think about.

For example, if you have a Duplicati Task Manager CLI job to do backups, it has no UI to fret about; however, this also limits the users in what they can do, for example if you want do-it-yourself restores.

This doesn’t prevent the hack-deep-into system attacks, but slows the very-capable-open-UI attacks. Password change attacks require Duplicati restarts, and this requires SYSTEM if Duplicati uses that.
You still need to use a password on the GUI to keep the attacker from using open UI to run Duplicati.

We know nothing of the use case or the budget, but ease-of-use and security often involve tradeoffs.