Arkeia Network Backup Agent Remote Access
hdm writes "The Metasploit Project has published a security analysis of the Arkeia Network Backup Client. Anyone able to connect to TCP port 617 can gain read/write access to the filesystem of any host running the Arkeia agent software. This appears to be an intentional design decision on the part of the Arkeia developers. A long-winded description of this issue, complete with screen shots, demonstration code, and packet captures can be found in the research article. Arkeia has been credited with being the first commercial backup product for the Linux platform."
Arcserve is nice. But what about bacula?
http://www.bacula.org/
Here is an instance of the warez-monkies indirectly contributing something useful. PAR2 is essentially a RAID5 type data parity for files. Warezpups use it to add a layer of parity to their hundreds of RAR files (or whatever). If one (or more) RARs go bad, the parity files can be used to reconstruct the bad file. Much like RAID5 however, there is a space sacrifice for this extra parity layer.
http://sourceforge.net/projects/parchive/
It's frequently used on USENET binaries groups now as well to solve the missing part problems.
I'm sure this exact strategy could be integrated into your backup solution with minimal effort.
I think we'd all enjoy a nice cold beverage. -David Letterman
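Added example, not part of the thread or of the PAR2 project: a single XOR parity block, as in the RAID5 comparison in the PAR2 comment above, rebuilding one damaged block that a per-block digest has flagged. The block size, the SHA-256 digests and all function names are assumptions for illustration; PAR2 itself uses Reed-Solomon coding so that it can recover more than one lost block.

```python
import hashlib
from functools import reduce

BLOCK = 8  # constructed block size for the demo, not a PAR2 value


def xor_blocks(blocks):
    """XOR equal-length byte blocks together, column by column."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def protect(data, block=BLOCK):
    """Split data into zero-padded blocks; return (blocks, digests, parity)."""
    padded = data + b"\0" * (-len(data) % block)
    blocks = [padded[i:i + block] for i in range(0, len(padded), block)]
    digests = [hashlib.sha256(b).digest() for b in blocks]
    return blocks, digests, xor_blocks(blocks)


def repair(blocks, digests, parity):
    """Flag blocks whose digest no longer matches and rebuild a single bad one."""
    bad = [i for i, b in enumerate(blocks)
           if b is None or hashlib.sha256(b).digest() != digests[i]]
    if not bad:
        return list(blocks)
    if len(bad) > 1:
        raise ValueError(f"{len(bad)} damaged blocks; one parity block recovers only one")
    good = [b for i, b in enumerate(blocks) if i != bad[0]]
    rebuilt = xor_blocks(good + [parity])  # XOR of survivors and parity
    if hashlib.sha256(rebuilt).digest() != digests[bad[0]]:
        raise ValueError("rebuilt block fails its digest; parity is damaged too")
    fixed = list(blocks)
    fixed[bad[0]] = rebuilt
    return fixed


def demo():
    data = b"constructed sample backup payload"  # constructed input
    blocks, digests, parity = protect(data)
    damaged = list(blocks)
    damaged[2] = b"XXXXXXXX"  # simulate one corrupted block
    restored = b"".join(repair(damaged, digests, parity))[:len(data)]
    return restored == data


if __name__ == "__main__":
    print(demo())
```

The space cost the comment mentions is visible here: one extra block of parity plus one digest per block, and a second damaged block is detected but not recoverable.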
I ran Arkeia with a large web hosting firm for about 2 years mixed with Linux and Windows machines. We tested the backups extensively before deployment and spent $18,000 with Knox for licenses.
All seemed well until we needed to restore data. The logging indicated a perfect backup, but time and time again our restores were either failing or incomplete. On Windows, it simply wouldn't restore anything.
The solution, according to Arkeia, was to purchase an upgrade ($12,000) which would solve all our problems. And since we refused to spend another 15% for a support agreement, that was our only alternative. I don't think so.
Needless to say, we went with someone else. Veritas had a great enterprise solution that worked with Linux and Windows (the server app runs only on Windows) and supports a huge array of tape drives. And it was one-third the price.
I can't definitely recall, but the Veritas agent also has some security peculiarities that raised some eyebrows. If you run any enterprise backup, I guess the answer is to make sure you're firewalled.
In this day and age of cheap disk drives, I wonder if anyone is using USB or Firewire drives and just using those for back-ups. A Lacie 250 gig Firewire drive is <$200.
By not using tape. rsnapshot going to a sufficiently-large RAID array or drive covers your regular backups, including aging. A separate rsnapshot or rsync can do nicely for offsites, pushing the backups to another server. For enterprises, this approach probably is insufficient, but for smaller firms (e.g., ~70 employees, 5 offices), this works well.
The Busy Coder's Guide to Android Development