"Write only backup": Is it possible to protect my duplicati backups on a remote backup against deletion?

Hi everyone!

I read about the new version of duplicati and so far it sounds very promising! I thought I’d give it a try but the following question occurred to me:

Is it possible to protect my duplicati backups on a remote backup (e.g. a NAS) against deletion in case my computer is hacked and my (non-root) login credentials for the NAS are stolen? An example would be ransomware that infects my computer and then also encrypts the backups on the NAS.

As a solution I was thinking about something like running a cron job every night on the NAS that would set the permissions for all new backups to read only for my backup user account. Would duplicati still be able to work normally under such circumstances? What I want to achieve could be seen as a kind of “write only backup”.

Thanks,
Paul

Hello and welcome to the forum!

If you configure Duplicati to retain ALL versions, then yes, I think your idea would work. You may also need to enable the --no-auto-compact option, but maybe that isn’t necessary if you aren’t pruning older versions. Duplicati only needs to delete files when doing one of those two operations: pruning older versions and performing a compaction.

Alternatively, you could use a protocol that ransomware is unlikely to exploit. Instead of using regular SMB (Windows networking) you could use WebDAV or SFTP, for instance, with a specific username and password. I don’t believe any ransomware would try to use such a protocol, and even if it did, if you have it protected with a user/pw you should be fine.

In addition, on my NAS I utilize filesystem snapshots. If something were to happen to my backup data I could recover from a previous snapshot.

If you control the NAS, and the NAS runs on ZFS, which is common enough for NASs, then you can simply add a cron job to do snapshots. On ZFS, snapshots are read-only, and can only be deleted by a user authorized to delete them (such as root). Your common Duplicati user probably can’t, unless it was set specifically to be able to do so.

If the @ericxjo idea (thanks!) can’t be done, be careful about the details of the permission plan. Read-only files can be deleted if the directory they are in allows it. chmod to set the sticky bit helps some, but possibly not if the ransomware runs as the same user as Duplicati was when it wrote the file over SMB.
chattr to set the immutable attribute sounds like it should be very well locked, and I think some use that.
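
The point above about read-only files still being deletable through their directory, as an added example that is not part of the thread: a Python check, meant to be run on the NAS, that lists which files an account could unlink judging by POSIX mode bits alone. It ignores ACLs and the immutable attribute, and the file name and the second uid in `demo()` are constructed.

```python
import os
import stat
import tempfile

def can_delete(uid, gids, dir_st, file_st):
    """True if uid (with group ids gids) may unlink a file, by mode bits only."""
    if uid == 0:
        return True  # root bypasses mode bits; only chattr +i or a snapshot helps
    # Unlinking needs write + search permission on the parent directory.
    # The file's own mode (e.g. 0444) is never consulted.
    if uid == dir_st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if dir_st.st_mode & need != need:
        return False
    # Sticky bit: only the owner of the file or of the directory may unlink.
    if dir_st.st_mode & stat.S_ISVTX:
        return uid in (file_st.st_uid, dir_st.st_uid)
    return True

def audit(backup_dir, uid, gids):
    """Return the names of files in backup_dir that the account could delete."""
    dir_st = os.stat(backup_dir)
    return sorted(
        e.name for e in os.scandir(backup_dir)
        if e.is_file(follow_symlinks=False)
        and can_delete(uid, gids, dir_st, e.stat(follow_symlinks=False))
    )

def demo():
    """Constructed sample: one read-only file, three directory modes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-backup.zip.aes")  # constructed name
        open(path, "w").close()
        os.chmod(path, 0o444)        # the nightly "set to read only" idea
        owner = os.stat(d).st_uid    # account that wrote the backup
        other = owner + 1000         # hypothetical unrelated account
        for mode in (0o755, 0o777, 0o1777):
            os.chmod(d, mode)
            results[mode] = (audit(d, owner, set()), audit(d, other, set()))
        os.chmod(d, 0o700)           # restore before cleanup
    return results
```

In every directory mode the account that wrote the file can still delete it; the sticky bit only removes the file from the other account's list.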

Thank you everyone for the quick and helpful answers! Seems that duplicati has a great community!

The ZFS solution sounds interesting, I will definitely keep that in mind when buying my NAS next year.

Btrfs also supports snapshots. Should be pretty easy to find a NAS that supports one of the two filesystems. I personally use a Synology NAS with Btrfs.

I wrote this up for precisely this situation: SFTP/SSH backups to a Linux server with added security

2 Likes

Nice writeup, @brad! I didn’t know about the incron tool, very interesting…

I back up to a friend's house, and we found another solution for us. Certain FTP/root jail setups are very straightforward to make and forbid deletion. That way, you don’t have to do any of this file attribute stuff if you prefer that approach.