Is reverse cluster copy or normal copy possible?

SYSTEM INFORMATION
OS type and version alma 8 latest
Webmin version latest

To be in compliance with the NIS2 directive (in Europe), organizations must guarantee that logs are complete, accurate, and safeguarded against any unauthorized modifications or disruptions.

This means storing logs off server. The most simple solution to this is to copy /var/log to a different server. I can copy 1 file to xx servers with the cluster copy module. But I was wondering: is there a possibility to copy a file (or directory) from several remote servers to 1 server?

I know it would be possible to have syslog store off server, and I know it is possible to copy the logs from the server to another server, but all configuration on a server itself would mean that that server can log in to the remote server and that is not the idea. A hacker could still (in theory) change the logs on the remote server if a server has the possibility to connect with that remote server (to copy the logs).

Hence my question: is a form of reverse cluster copy possible? Or even a reverse copy from 1 server at a time? The backup server would connect to the remote server to fetch the logs. The remote server cannot log in to the backup server.

Regards
Jan

The service at rsync.net has a feature that prevents hackers from doing exactly this: once a server dumps a backup (of data, logs, or whatever) on the storage of rsync.net, a hacker cannot log in even with the same credentials as the valid user to delete or alter the backups that are stored with rsync. Those files are immutable.

You might want to use this service to become immediately compliant with NIS2, while you work out how reverse cluster copy can be used with Virtualmin.

Unfortunately this is not an option and you will not be NIS2 compliant if you use them.

  1. NIS2 says logs should be kept for a minimum of 18 months

  2. they store data outside the EU, so you won't be GDPR compliant anymore

  • Fremont, California, USA - Our Silicon Valley location - inside the core Hurricane Electric (he.net) datacenter.
  • Denver, Colorado, USA - On the west coast ? Store your backups in flood-free, seismically stable Denver.
  • Zurich, Switzerland - Equinix ZH4. Great european routing through init7.net.
  • Tseung Kwan O, Hong Kong - The very best datacenter in Hong Kong, with connectivity from Hurricane Electric.

I have a backup server that is normally off. It turns on once a day, first uses rsync to copy yesterday’s backup to an external drive, adding to what’s already there, then uses rsync to collect today’s data from the servers, then turns off. As well as logs, it backs up /etc/ and some other data as well, e.g. DNS zone files for my own use.

I have a script that trims old logs - much older than they need to be, but mainly to stop the drives getting full. In Australia we have to keep data for 2 years.

There is no remote access available to the backup server.

That would be an option for one or a few servers. But we have 50+ servers with a combined backup total of 65+ TB of backups that we keep for 14 days for our customers, done on 4 backup servers. It is the user login and DNS changes (no idea why) data that has to be kept under NIS2 for 18 months minimum, so I want to back this up separately.

I wondered if it would be possible to have Webmin fetch them from all servers, because we have a cluster with all servers configured in it for configuration purposes. Very handy for when a new AI bot crawler starts messing with servers: just add the user-agent to the fail2ban jail, copy the jail to all servers and restart fail2ban.

At the moment the backup servers log in to the servers with an SSH key, so on the server itself there is only a public SSH key. Not useful for a hacker. Servers cannot log in to the backup server.

I think I will create a new rsnapshot to fetch all the necessary logs on the server. A lot more work than 1 reverse cluster copy, but it is what it is. Thank you all for thinking about it.

Maybe copying from a server (cluster and/or otherwise) is an idea to incorporate into Webmin.

Regards
Jan
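
The pull model described in this thread (the collector logs in to each server with an SSH key, and the servers hold no credentials for the collector), as an added example that is not part of the original posts. The `logpull` account, the key and store paths and the host names are assumptions; it needs rsync, ssh and sha256sum on the collector.

```shell
#!/bin/sh
# Runs ONLY on the log collector. Each server holds just the public half of
# SSH_KEY, so a compromised server has no credentials for this store.
set -eu

DEST_ROOT="${DEST_ROOT:-/srv/logvault}"           # assumed store on the collector
SSH_KEY="${SSH_KEY:-/root/.ssh/logpull_ed25519}"  # assumed private key file
REMOTE_LOGS="${REMOTE_LOGS:-/var/log/secure*}"    # login log on AlmaLinux

# pull_host HOST DAY: fetch logs into $DEST_ROOT/HOST/DAY and seal them.
# "logpull" is an assumed account that may only read the logs.
pull_host() {
    mkdir -p "$DEST_ROOT/$1/$2"
    rsync -a -e "ssh -i $SSH_KEY -o BatchMode=yes" \
        "logpull@$1:$REMOTE_LOGS" "$DEST_ROOT/$1/$2/"
    seal_snapshot "$DEST_ROOT/$1/$2"
}

# seal_snapshot DIR: write a SHA-256 manifest beside DIR, then drop write bits.
seal_snapshot() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) \
        > "$1.sha256"
    chmod -R a-w "$1" "$1.sha256"
}

# verify_snapshot DIR: succeed only if every file still matches the manifest
# and no file was added or removed.
verify_snapshot() {
    ( cd "$1" && sha256sum -c - ) < "$1.sha256" >/dev/null 2>&1 || return 1
    [ "$(find "$1" -type f | wc -l)" -eq "$(wc -l < "$1.sha256")" ]
}

# expired_snapshots YYYY-MM-DD: print snapshot dirs dated before the cutoff.
expired_snapshots() {
    cutoff="$(printf '%s' "$1" | tr -d '-')"
    for snap in "$DEST_ROOT"/*/????-??-??; do
        [ -d "$snap" ] || continue
        day="$(basename "$snap" | tr -d '-')"
        if [ "$day" -lt "$cutoff" ]; then printf '%s\n' "$snap"; fi
    done
}

# Usage: collect.sh web01.example.net web02.example.net ...
for host in "$@"; do
    pull_host "$host" "$(date +%F)"
done
```

Run it from cron on the collector with the server names as arguments. Passing `expired_snapshots` a cutoff date 18 months back lists the snapshots that are past the retention period.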

Does webmin->cluster->cluster copy files work for you, as I guess all your servers are in a webmin cluster? I have files being transferred between servers on a schedule which appears to work fine.

This is to copy files from a server (that has the cluster config on it) to 1 or more servers in the cluster. This is what we use all the time to copy new configuration to remote servers.

The idea was to reverse this: copy a file that is on the servers in the cluster to the server that has the cluster config on it.

So not from 1 to many (as it is now), but from many to 1.

regards
Jan

A bit of work I know, but maybe you could set up a cluster copy on the many to 1. I’ve never tried that but I guess it will work. It’s just working out how to automate the initial setup; perhaps there is something in the webmin cli that you could use.
If possible you could cluster copy your script to the many from the one & execute it (automating the setup).

That would be possible, but not wanted, because the many would then connect to the 1 and that is exactly what I am trying to avoid. If a server is hacked then that hacker would potentially have access to the logs on the remote server. Not only could he alter them, but he would have access to all the logs from all the other servers as well.

regards
Jan

NIS2 is a Directive, meaning it does not apply to organisations but first must be translated into National law, unlike a regulation like GDPR.

(or so I have been told which probably means not in my lifetime)

Though I concur with much of its intentions, I am really not sure of its application to the sort of VS that I deal with (where the vast majority are global non-EU). But thanks for the heads up (I had forgotten its implementation date).

NIS2 will become law in European countries very soon. Probably in most somewhere in 2025. According to the EU it should have already been law.

https://ec.europa.eu/commission/presscorner/detail/en/ip_24_5342

Today’s adoption of the implementing regulation coincides with the deadline for Member States to transpose the NIS2 Directive into national law. As of tomorrow, 18 October 2024, all Member States must apply the measures necessary to comply with the NIS2 cybersecurity rules, including supervisory and enforcement measures.

Regards
Jan

Thanks, but the key words there are “Member States”. I have only one client in the UK (so it does not apply, thanks to Brexit) and one in Germany (too small to care, a family business who have strong opinions about the EU). I cannot see it applying to either. The rest are well outside the EU.

From the perspective of VM providers and Registrars it may well encompass me, or more specifically it will be their problem as they will be the service provider to me (Gandi, Ionos, Virgin Media, etc).

So ??? How egocentric can someone be??? The question and/or statement was not if you must comply, the question was about a possibility in webmin so we can comply.

We are in the Netherlands and offer registration services and DNS services, so NIS2 is something we must comply with. Not doing so can result in a penalty of max 7 million euro or 1,7% of our gross revenue. That’s theoretical, but better safe than sorry.

But to be correct: it applies to everyone that does business in an EU member state and meets the criteria. If you register their domain name for them or provide their DNS then it will apply to you. Your clients may not care, but you should.

https://eur-lex.europa.eu/eli/dir/2022/2555

Article 6: Definitions

(20) ‘DNS service provider’ means an entity that provides:
(a) publicly available recursive domain name resolution services for internet end-users; or
(b) authoritative domain name resolution services for third-party use, with the exception of root name servers;

(22) ‘entity providing domain name registration services’ means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;

Regards
Jan

Very.

But appreciate your OP - I’m not sure the title hit those that perhaps need or appreciate the alert.

For me not being part of the EU. They can do their worst and meet my legal team as it gets the same response as passed back to me by them. simply #!*#!*#!*#!* or words to that effect.

I understand that you are in the EU (which is why NIS2 Directives can affect you, especially if you meet the penalty taxation criteria).

This seems rather an exceptional request: where making normal backups to another server/tape/hard disk is effectively considered inadequate/outlawed by the EU just because it can be accessed by someone.

Backups were not mandatory, but they will become mandatory: under NIS2 backups need to be ransomware proof. So it will become mandatory to have off-server backups where no one can tamper with them.

But there is a big difference between a backup to restore a website/e-mail/dns, etc with a retention of 14 days and 18 months worth of login and dns changes data.

Regards
Jan

YES that is what I take from the Directive (and the point I was trying to make there)

I always assume (tongue in cheek) that everyone has a disaster recovery plan in effect and performs regular backups.
But this is a completely different requirement - not only with the time period of 18 months. But the issue of keeping that data inaccessible by anyone. (other than Big Brother)

Perhaps I would have started the topic as “How are Webmin/Virtualmin Users Expecting to comply with EU NIS2 Directive?” or similar to gather a wider input :man_shrugging:

But that would be beside the point. I know how webmin/virtualmin/plesk/cpanel/directadmin/etc/etc users are being expected to comply with the directive. That is in the directive.

  1. make a backup that hackers can't change when they hack a website/server so the service can be up and running again in the shortest time possible.

  2. make a backup of log files that hold login data (and dns changes data for some data for some reason) and keep them in a safe place as stated in the directive.

I had an idea on how to accomplish #2 and that was what my question was about. I am not a NIS2 consultant so I have no desire to solve this for every European user on the forum. And I am not going into a discussion about the nature of the directive, I don’t care if it's good or bad, it is what it is so must find a way to comply with it.

Regards
Jan

I really do appreciate where you’re coming from on this, I just do not think it is getting the involvement of the wider community that it warrants.

You obviously have captured my attention (but as someone who has no real concern) I am unsure if I can be of any real substantive contribution.

Other than @calport 's initial suggestion of rsync.net which you rejected on very valid reasons. I think @jimr1 's suggestion in

is the way to go. But I do agree it would seem to be a lot of work. (for little return) well beyond “Blue Sky”.

I wish you luck finding a solution.