I'm looking for a more secure way of doing an offsite backup that will also protect my data in the situation where a malicious hacker has gained root access to my server. Even though the chance of that happening is smaller than other kinds of risks if SSH and password security are properly set up and the system is kept up to date, the amount of damage that can be done permanently is really high, and therefore I'd like to find a solution to limit that.
I've already tried two ways of doing offsite backups:
- A simple root-writable WebDAV mount (configured in fstab) onto which the backed-up data is copied. Problem: not really an offsite backup, because the connection (and moreover the access) to the offsite location is constantly left open as a folder in the filesystem. This is sufficient protection against many kinds of attacks if the mount has limited access privileges (root-only read access), but it doesn't protect against a malicious person with root access.
- Borg backup through SSH with key authentication. Problem: the connection to that offsite server can be made with the key that's stored on the host if the malicious user has root access to the host.
As a solution I'm thinking about these potential ways, but I don't know how and with what:
- Backups can only be written or appended to the destination but not deleted.
- The use of backup software that handles the offsite backups and doesn't support mass deletion of the offsite backups from the first host.
Solutions that aren't really interesting in my situation:
- An extra backup job on the offsite host which transfers them to a location that isn't accessible by the first host (due to technical limitations).
Can anyone give advice on how to implement a proper offsite backup for my case?
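The append-only idea from the question can be enforced on the backup host itself with an SSH forced command, so the key that lives on the (possibly compromised) client can only run `borg serve --append-only` against one repository path. The script below is an added example, not code from the question or from the Borg project: it builds such an `authorized_keys` entry and audits an existing file for backup keys that are not locked down this way. The repository path `/srv/borg/host1`, the temporary file and the public key blob are constructed sample values.

```shell
#!/bin/sh
# Added example: lock a backup client's SSH key to an append-only Borg
# repository via a forced command, and audit authorized_keys for keys
# that are missing that restriction. Paths and keys are constructed.

# Build one authorized_keys line for a client key.
#   $1 = repository path on the backup host (constructed: /srv/borg/host1)
#   $2 = the client's public key ("<type> <base64> [comment]")
# "restrict" disables port/agent/X11 forwarding and PTY allocation, and
# "command=" forces borg serve, so the key cannot open a shell or scp.
make_borg_append_only_entry() {
    repo="$1"
    pubkey="$2"
    printf 'command="borg serve --append-only --restrict-to-path %s",restrict %s\n' \
        "$repo" "$pubkey"
}

# Audit an authorized_keys file. Every non-comment line must carry the
# append-only borg forced command plus "restrict"; other lines are
# printed with an UNRESTRICTED: prefix. Returns 0 if all keys pass,
# 1 if at least one key is not restricted.
audit_authorized_keys() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                      # skip blanks and comments
        esac
        case "$line" in
            *'command="borg serve --append-only'*',restrict '*) ;;   # locked down
            *) printf 'UNRESTRICTED: %s\n' "$line"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Stand-alone demonstration on a constructed key.
demo() {
    key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyBlob backup@host1"
    tmp=$(mktemp)
    make_borg_append_only_entry /srv/borg/host1 "$key" > "$tmp"
    audit_authorized_keys "$tmp" && echo "all keys restricted"
    printf '%s\n' "$key" >> "$tmp"                   # an unrestricted copy
    audit_authorized_keys "$tmp" || echo "audit found unrestricted keys"
    rm -f "$tmp"
}
```

Install the generated line in the backup user's `~/.ssh/authorized_keys` on the offsite host and run `audit_authorized_keys` from a cron job or your config-management checks. Two caveats worth knowing about this mode: in append-only mode Borg records `delete`/`prune` requests in the repository transaction log instead of carrying them out, so the repository only grows until someone with shell access on the backup host prunes it, and a client that is compromised can still fill the repository with junk or stop sending backups, so monitor repository size and freshness on the backup host rather than trusting the client's reports.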