
Anti-Ransomware Protection with Immutable ZFS Backups

#SecOps #ZFS #Proxmox #SysAdmin

ZFS_SEND | SSH > ZFS_RECV

In the era of automated ransomware and disk wipers, a network drive (NAS) mounted via SMB/NFS is no longer a valid backup. If your server is compromised, the attacker will simply encrypt the network drive.

The only real on-premises defense is immutable, pull-based backups. ZFS makes this ridiculously easy and efficient.

The Defense Architecture

Server A (Production): Proxmox running our containers and virtual machines. It takes local snapshots every hour.

Server B (Vault): An older machine, running on a different VLAN, dedicated exclusively to storage.

The key is that Server A does not have access to Server B. It is Server B (the Vault) that connects via SSH to production, “pulls” the snapshot, and closes the connection.

The Magic Command (zfs send/recv)

ZFS allows sending the exact binary difference between two snapshots through a secure tunnel.

# This script runs on the Vault (pull). The SSH target is the backup user@host of the production server.
# Fetch only the incremental difference between the last snapshot the Vault already holds (@snap1)
# and the newest production snapshot (@snap2).
ssh [email protected] "zfs send -i zpool/data@snap1 zpool/data@snap2" | zfs receive vault/backups/data
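The one-liner above hard-codes the two snapshot names. A real pull script has to work out, on every run, which snapshot the Vault already has and which is the newest one on production, then choose between a full send (first run), an incremental send, or doing nothing. The script below is an added example written for this post, not the author's script: it assumes a production host `prod.example.internal`, a backup user `zfsbackup`, the source dataset `zpool/data` and the target `vault/backups/data` (override them with environment variables). The decision logic lives in `plan_send` so it can be exercised without a ZFS pool. Note that the script never destroys anything on the Vault: retention of vault snapshots is decided on the Vault, never by what production still has, which is exactly what makes the copies immutable from production's point of view.

```shell
#!/bin/sh
# Pull-based incremental ZFS replication, run ON THE VAULT (added example).
# Assumed names (not from the original post); override via the environment.
PROD_HOST="${PROD_HOST:-prod.example.internal}"
PROD_USER="${PROD_USER:-zfsbackup}"
SRC="${SRC:-zpool/data}"            # dataset on production
DST="${DST:-vault/backups/data}"    # dataset on the Vault (parent must exist)

# latest_common: given two newline-separated snapshot lists (oldest first),
# print the newest snapshot name present in both, or nothing if none is shared.
latest_common() {
  common=""
  for s in $1; do
    if printf '%s\n' "$2" | grep -qxF -- "$s"; then common="$s"; fi
  done
  printf '%s' "$common"
}

# plan_send: print the arguments for the "zfs send" the Vault needs next.
#   "<SRC>@<newest>"              full send, first run (no shared snapshot yet)
#   "-I <SRC>@<base> <SRC>@<new>" all increments since the shared snapshot
#   "up-to-date"                  the Vault already has production's newest one
# Returns 1 when production has no snapshots at all.
plan_send() {
  newest=$(printf '%s\n' "$1" | tail -n 1)
  [ -n "$newest" ] || return 1
  base=$(latest_common "$1" "$2")
  if [ -z "$base" ]; then
    printf '%s\n' "$SRC@$newest"
  elif [ "$base" = "$newest" ]; then
    printf 'up-to-date\n'
  else
    printf '%s %s %s\n' "-I" "$SRC@$base" "$SRC@$newest"
  fi
}

# pull: list snapshots on both sides, stream the difference, keep the copy read-only.
pull() {
  src_snaps=$(ssh "$PROD_USER@$PROD_HOST" \
      "zfs list -H -d 1 -t snapshot -o name -s creation $SRC" | sed "s|^$SRC@||")
  dst_snaps=$(zfs list -H -d 1 -t snapshot -o name -s creation "$DST" 2>/dev/null \
      | sed "s|^$DST@||")
  args=$(plan_send "$src_snaps" "$dst_snaps") || { echo "no snapshots on $SRC" >&2; return 1; }
  if [ "$args" = "up-to-date" ]; then
    echo "$DST already holds production's newest snapshot"
    return 0
  fi
  # The Vault initiates the session; production never gets a session to the Vault.
  # -u: do not mount the received filesystem on the Vault.
  ssh "$PROD_USER@$PROD_HOST" "zfs send $args" | zfs receive -u "$DST" || return 1
  # Nothing on the Vault may write into the copy through the filesystem.
  zfs set readonly=on "$DST"
}

# Run the pull only when invoked as "./zfs-pull.sh run" (e.g. from cron on the Vault).
if [ "${1:-}" = "run" ]; then
  pull
fi
```

Schedule it on the Vault (cron or a systemd timer) shortly after production's hourly snapshot. Because `-I` sends every intermediate snapshot, the Vault ends up with the same snapshot history as production, and the Vault's own `zfs destroy` policy, not production's, decides how long each one is kept.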

Why does this stop Ransomware?

If an attacker breaches Server A (Production) and encrypts all of zpool/data, the Vault is unaffected. Any attempt to reach the Vault from production is blocked, because only the Vault can initiate sessions outward, never the other way around. To restore, we simply roll back to the previous snapshot in the Vault and rebuild.
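The pull direction protects the Vault from production, but the Vault's SSH key still lives on the Vault and logs into production. If that key is ever leaked, or the Vault itself is compromised, the blast radius on production should be limited to "list snapshots and send them", nothing more. The wrapper below is an added example, not part of the original post or of ZFS: it is installed on the production server as a forced command for the backup user's key and accepts only the two command shapes a pull script issues. It assumes the dataset `zpool/data`, a dedicated production user `zfsbackup`, and a path `/usr/local/bin/zfs-pull-only`; pair it with ZFS delegation so that user cannot destroy or roll back anything even without the wrapper.

```shell
#!/bin/sh
# Forced-command wrapper for the Vault's SSH key, installed ON PRODUCTION
# (added example). Assumed install path and user, not from the original post:
#   /usr/local/bin/zfs-pull-only
#   ~zfsbackup/.ssh/authorized_keys:
#     restrict,command="/usr/local/bin/zfs-pull-only" ssh-ed25519 AAAA... vault
#   zfs allow -u zfsbackup send,snapshot,hold zpool/data   # no destroy/rollback
# Whatever arrives in SSH_ORIGINAL_COMMAND, only a snapshot listing of the
# allowed dataset or a "zfs send" of its snapshots is ever executed.
ALLOWED_DATASET="${ALLOWED_DATASET:-zpool/data}"

# is_snap: token must be "<ALLOWED_DATASET>@<name>" with a safe snapshot name.
# This rejects other datasets, child datasets, whole-pool sends and odd characters.
is_snap() {
  case "$1" in
    "$ALLOWED_DATASET"@*) ;;
    *) return 1 ;;
  esac
  name="${1#*@}"
  [ -n "$name" ] || return 1
  case "$name" in *[!A-Za-z0-9_.:-]*) return 1 ;; esac
  return 0
}

# validate_cmd: accept exactly the commands the pull script sends.
#   zfs list -H -d 1 -t snapshot -o name -s creation <ALLOWED_DATASET>
#   zfs send <snap>                      (full send)
#   zfs send -i|-I <snap> <snap>         (incremental send)
# Everything else, including shell metacharacters anywhere, is refused.
validate_cmd() {
  case "$1" in *[!A-Za-z0-9_./:@\ -]*) return 1 ;; esac
  # shellcheck disable=SC2086
  set -- $1                      # split into words; no globbing chars survived above
  [ "${1:-}" = "zfs" ] || return 1
  case "${2:-}" in
    list)
      [ "$*" = "zfs list -H -d 1 -t snapshot -o name -s creation $ALLOWED_DATASET" ] ;;
    send)
      if [ $# -eq 3 ]; then
        is_snap "$3"
      elif [ $# -eq 5 ] && { [ "$3" = "-i" ] || [ "$3" = "-I" ]; }; then
        is_snap "$4" && is_snap "$5"
      else
        return 1
      fi ;;
    *) return 1 ;;
  esac
}

# When invoked by sshd as a forced command, run the validated command verbatim
# (exec'd as words, never through a shell) or refuse it loudly in the auth log.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  if validate_cmd "$SSH_ORIGINAL_COMMAND"; then
    # shellcheck disable=SC2086
    exec $SSH_ORIGINAL_COMMAND
  fi
  echo "zfs-pull-only: refused: $SSH_ORIGINAL_COMMAND" >&2
  exit 1
fi
```

The `restrict` option in `authorized_keys` additionally disables port forwarding, agent forwarding and PTY allocation for that key, so even a stolen Vault key cannot be turned into an interactive session on production. Refused commands show up on stderr of the SSH session and, because sshd logs the key fingerprint, can be correlated with the authentication log on the production side.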

“If you haven’t tested restoring your backup, you don’t have a backup; you have hope.”
