
## Arkeia Network Backup Agent Remote Access

hdm writes "The Metasploit Project has published a security analysis of the Arkeia Network Backup Client. Anyone able to connect to TCP port 617 can gain read/write access to the filesystem of any host running the Arkeia agent software. This appears to be an intentional design decision on the part of the Arkeia developers. A long-winded description of this issue, complete with screen shots, demonstration code, and packet captures can be found in the research article. Arkeia has been credited with being the first commercial backup product for the Linux platform."

• #### Somebody has to say it (Score:5, Interesting)

on Monday February 21, 2005 @07:14AM (#11734729)
Well, to state the obvious: Would this problem have survived for so long if Arkeia Network Backup had been open source software?

Large enterprises migrating to Linux now should be careful not to throw away the biggest advantage of their new platform by committing to all sorts of closed source software that happens to run on it.

For the time being, I guess I'll stick to my proven, open source (free software even) backup solution involving tar, gpg, and ssh.

• #### Re:Somebody has to say it (Score:5, Funny)

on Monday February 21, 2005 @08:49AM (#11735048) Homepage Journal

if Arkeia Network Backup had been open source software

Well, it kind of is open source software... install it and it opens up your source (and pretty much anything stored on your computer) to anyone who wants it!

Eric
• #### Re:Somebody has to say it (Score:3, Funny)

Well, it kind of is open source software... install it and it opens up your source (and pretty much anything stored on your computer) to anyone who wants it!

Looks like someone took Linus' quote and ran with it:

"Only wimps use tape backup. Real men let everyone else mirror their data!"
• #### Re:Somebody has to say it (Score:3, Informative)

> For the time being, I guess I'll stick to my proven, open source (free software even) backup solution involving tar, gpg, and ssh.

You apparently either run a limited number of basic backup jobs and/or have plenty of time to write backup scripts, which is not bad as you need something to make yourself look very good at your job.

And FYI Arkeia Light is free (as in "one can use it at no cost"), see arkeia.org.
• #### Re:Somebody has to say it (Score:3, Insightful)

Hmm - doesn't look like it fits my bill (a shame - I've been looking for a better backup solution and have yet to find it).

Here are my requirements:

1. Backups are encrypted.
2. Backup data can be split across media.
3. Backups can use include/exclude criteria.
4. Corrupted backup files are recoverable.
5. Backups are compressed.

I've yet to find anything free which does all of this. Instead I'm using a short shell script combo of tar/bzip/gpg/split which gets the job done, but not elegantly. I'm not 10
• #### Easy: Use QuickPar or some form of PAR2 (Score:4, Informative)

on Monday February 21, 2005 @10:18AM (#11735491) Journal
Here is an instance of the warez-monkies indirectly contributing something useful. PAR2 is essentially a RAID5 type data parity for files. Warezpups use it to add a layer of parity to their hundreds of RAR files (or whatever). If one (or more) RAR's go bad, the parity files can be used to reconstruct the bad file. Much like RAID5 however, there is a space sacrifice for this extra parity layer.

http://sourceforge.net/projects/parchive/

It's frequently used on USENET binaries groups now as well to solve the missing part problems.

I'm sure this exact strategy could be integrated into your backup solution with minimal effort.
• #### Re:Easy: Use QuickPar or some form of PAR2 (Score:3, Insightful)

"Much like RAID5 however, there is a space sacrifice for this extra parity layer."

But it's settable; so if you want to be able to recover fully from losing/corrupting 20% of your backup you just set it to 20% of your backup size, and if you only care about a few minor bit errors or so, you can drop it to a couple of percent or less.

Be nice if vendors provided PAR2's for their ISO/DVD images/anything else big; it sucks when you find the MD5 of your download doesn't match the one they provide (or that 400MB
• #### Re:Somebody has to say it (Score:2, Informative)

Have a look at dar (should handle 1-3, and 5) with par2 to get 4.

Actually, even without par2, dar will be able to get all the files except the ones in regions with bad data, IIRC.
• #### Re:Somebody has to say it (Score:2)

It looks quite promising. I have my first trial backup running now...
• #### Re:Somebody has to say it (Score:2)

Try WinRar, they have versions for OSs other than windows and it does everything you want it to.

-Encryption is done using AES
-You can specify a file size to split the archives across or you can let it auto-detect the size
-You can configure your backups with include/exclude file lists
-There are a few ways to do backup recovery. One involves adding some extra data to each archive that allows corrupt archives to be repaired or the parity data can be split off into separate f
• #### got root? (Score:2, Insightful)

Seems to me that the only way to get r/w access to the entire filesystem is if either a) the backup daemon is running as root, or b) if the backup daemon's user or group has r/w access equal to root's. In either case, the sysadmin would have to be on crack to do that. Not that read-only access is OK by any stretch, but just making the point. Oh, and before idiots start saying "see, open source isn't secure," let me remind them that this is a commercial product that was compromised. If anything, I'd take th
• #### Re:got root? (Score:1, Insightful)

I hate to spoil your party, but how are you going to backup user files if you don't have access to them? It is obvious the backup client has to run as root.

/Pedro

• #### Re:got root? (Score:3, Interesting)

Perhaps allowing read only access to the physical device, ie /dev/sda, and backing up at a bit level, of course this does not seem to be as economical or easy as backing up individual files... but i may be wrong.
• #### Re:got root? (Score:2)

For that you don't need Arkeia or any backup software of sorts. If you lose ability to do incremental or differential backups, or even RESTORE files on their location...

/Pedro

• #### Re:got root? (Score:2)

thats right.. dd or cpio will do the trick.. you could restore files to their location, by mounting the image of the device as a loopback and copying the required file off
of course it is less than elegant..
• #### Re:got root? (Score:3, Informative)

Backing up from the raw device is rarely a good idea. Backups of this nature need to be atomic, so you need to unmount the filesystem, copy it, and then remount it. You will need to keep the FS unmounted for long enough to do a complete copy. A better solution is to provide rôle-based access control (SELinux does this, for example), and create a backup rôle which has read access to all files on mounted filesystems.
• #### Re:got root? (Score:2)

Use LVM snapshots. You dedicate some freespace out of an LVM pool to an LVM snapshot. If a block of the filesystem gets written to, the original block gets copied to the LVM snapshot. The more of the blocks that get written to while the snapshot is held open, the more space you have to dedicate to it.

In the end, if you have twice the disk space, then you can hold the snapshot open indefinitely (otherwise the snapshot fails once change mo

• #### Re:got root? (Score:2)

The disadvantage of taking backups at a block level is that you can only restore by either mounting the backup as an image, or restoring to a partition of exactly the same size (which may not be possible if you are restoring to a different size hard disk). It also makes incremental backups difficult - you could run diff on each image, but that would be very messy. A better solution would be to mount the snapshot image and run the backup from this. FreeBSD allows you to mount snapshots of currently mounte
• #### Re:got root? (Score:3, Insightful)

Why not give the daemon read-only access to the source for backups? Seems like it'd be a straight-forward enough thing to do.
• #### Re:got root? (Score:2)

You could still access /etc/shadow and get all the passwords. Do a little offline crack and you can ssh back in for some real damage...

Jeroen
• #### I hate to spoil yours, but... (Score:2)

Access requires r/o. The guiding rule of all software dev should be 'no more privs than absolutely necessary'.

Justin.
• #### Re:I hate to spoil yours, but... (Score:2)

Even so, everyone will be able to read everything.
IMHO you still have a big problem.
• #### Re:I hate to spoil yours, but... (Score:2)

Yeah, but that's rather the point of a backup system, as one of the parents said! How could you back up the files if you couldn't read them?!

Having weak security is bad, but having write access as well is a mess.

J.
• #### Re:got root? (Score:5, Insightful)

on Monday February 21, 2005 @07:25AM (#11734759) Homepage
It's a piece of backup software, at the very least it needs to have read access to everything it is going to be used to backup. If you are planning on doing a full system backup, that means it needs read access to the whole filesystem or it can't do its job. That doesn't mean it needs to be running as "root" of course; ideally such a tool would be running with a dedicated user and group. On a Windows box however it's not uncommon to see backup utilities running with higher privileges than the "administrator" account because that's the only way to sidestep things like system file protection and other tricks Microsoft uses to protect the system from abuse.
• #### Re:got root? (Score:2)

The problem is this thing is giving access to everyone without any authentication.....
That is a really bad thing.

Jreoen
• #### Re:got root? (Score:3, Informative)

>>> On a Windows box however it's not uncommon to see backup utilities running with higher privileges than the "administrator" account because that's the only way to sidestep things like system file protection and other tricks Microsoft uses to protect the system from abuse.

That is not true.

All you need to read a file system in Windows is the backup privilege. You don't even need to be an administrator. So if you have this privilege enabled, you can use the BackupRead API to backup stuff.
• #### Re:got root? (Score:3, Informative)

On a Windows box however it's not uncommon to see backup utilities running with higher privileges than the "administrator" account because that's the only way to sidestep things like system file protection and other tricks Microsoft uses to protect the system from abuse

Actually, you'll almost inevitably see backup utilities running as LOCALSYSTEM, which is indeed higher than Administrator, because that's how Windows works.

If a user registers a program to run as a service (note: You must have Administrat
• #### Drop privileges (Score:2)

Not the entire program has to be root. I understand that it wouldn't help in this case, but note how sshd needs root to authenticate and become the desired user -- then it drops privileges. It could even fork off authentication to a nobody'd process.
• #### Re:got root? (Score:2)

Oh, and before idiots start saying "see, open source isn't secure," let me remind them that this is a commercial product that was compromised. If anything, I'd take this as further evidence of the virtues of open source.

Errrm, forgive me, but it's a bit hard to grasp the logic in that. Are you saying that the idiots might say: "look, there's a security problem on Linux, so open source isn't secure." And you remind them that this problem is due to some piece of proprietary software that is not open sou

• #### Re:got root? (Score:2)

This is a clear example of a problem that can never exist in opensource projects.
You cannot have this kind of "design decisions" if your code is open...
• #### Re:got root? (Score:2)

Yes, you most certainly can, unless all users run a complete code audit before installing anything from source.
• #### Re:got root? (Score:2)

>unless all users run a complete code audit

Actually, no. If only *one* user (or developer) gives it a look, people will know.
• #### Re:got root? (Score:2)

Only if he gets enough people to listen and ignore all the cries of "no way, it's open source..."
• #### Not a bug; it's a feature? (Score:5, Funny)

on Monday February 21, 2005 @07:24AM (#11734757) Homepage
"This appears to be an intentional design decision on the part of the Arkeia developers."

Does this mean that, possibly, they were anticipating people *not* being able to access TCP port 617? I.e. "we trust you know how to properly configure your firewall."

So far, I can narrow down to either that, them being drunk when they coded this, or this being a case of the improper usage of the word "intentional."

• #### Re:Not a bug; it's a feature? (Score:2)

I consider closing of unnecessary ports (that is: unnecessary for any remote use) to be reasonable security practice. However, to have it be the only layer of protection is of course rather dubious.

I doubt that "intentional" is correct, but when a security hole is so blatant, the term does come to mind.
• #### Re:Not a bug; it's a feature? (Score:5, Insightful)

on Monday February 21, 2005 @07:49AM (#11734849) Homepage
Even if they were making the somewhat idiotic assumption that all of their users were behind a properly configured firewall, so what? That makes absolutely zero provision for a potential cracker having already circumvented the firewall by other means or even the possibility that they might be an employee. Or haven't they seen any of the reports that a significant amount of computer crime is committed by aggrieved employees?

I don't think it's so much improper usage of the word "intentional" as an incorrect synonym for the term "brain dead".

• #### Re:Not a bug; it's a feature? (Score:2)

You're assuming that you have an institutional firewall, but nothing on individual machines. It's not unreasonable to suggest it could be sane to run system firewalls that restrict port access. It's still not sensible having that as the only security on the port though.
• #### Uh... (Score:3, Insightful)

... if the software doesn't need the port to be open on the internal network then why is it open?

Firewalling the port on each individual system behind the main firewall would then imply that the software couldn't actually function (for any reasonable definition of the word "function").
• #### Re:Uh... (Score:2, Insightful)

Have you never used a firewall? Think filtered not blocked. Configure it such that it'll only allow packets from the backup server to that port. Bingo, job's a goodun.
• #### Well, duh, (Score:2)

but how hard is it to take over the IP of another machine? There's a reason people don't do authentication-by-IP (or MAC for that matter).
• #### from the arkeia site (Score:5, Funny)

on Monday February 21, 2005 @07:26AM (#11734768)
Arkeia.com [arkeia.com]

I was looking for a Client-Server backup system that could offer me the possibility of backing up Unix/Linux and NT Servers on a single tape system.
After long research my choice went to the Arkeia solution, because it has all the benefits I needed. Since then, it runs like a black box, without any need of additional Service.

Tom Weber, IT Manager
RTL TV (Europe)

The backup system running like a black box might not be a good thing here eh?

• #### Re:from the arkeia site (Score:5, Insightful)

on Monday February 21, 2005 @08:10AM (#11734915) Journal
I'd say the worse thing here would be being a published user of a system with an "interesting" security hole like that; all of a sudden, a friendly testimonial becomes an advertisement of a vulnerability.

Unless, of course, they've got everything firewalled to tuesday.

Zzzzapp

Nope, metal.
• #### Specifications (Score:5, Insightful)

on Monday February 21, 2005 @07:33AM (#11734799)
It's very frustrating when you find previously unknown and undocumented features in software that you have purchased. I remember having to provide clients with full copies of the specifications and code for software so that they would be able to update/repair/modify if I was hit by a bus or something. Security through obscurity is not safety, that should be validated by now simply by the sheer number of stories similar to this Arkeia one. Open Source Software at least has the beauty of the source code being readily accessible so that the user/admin/owner can see what they are installing on their system. This poor guy in the article ended up having to reverse engineer his software to find out the security dangers. Which may be against a law somewhere, ha - putting a backdoor into software you give me not illegal, finding that backdoor - may be me in trouble. I love it.
• #### Re:Specifications (Score:5, Insightful)

on Monday February 21, 2005 @08:09AM (#11734911) Journal
I think your post is probably the best one I've read on Slashdot explaining the benefits of open source, or free, software. It's not about giving the code away to everyone free of charge, it's about ensuring that those people who rely on the code have the ability to modify it.
• #### Re:Specifications (Score:3, Interesting)

1. It's very frustrating when you find previously unknown and undocumented features in software that you have purchased.

Well, for this situation finding a potential problem is easy: Port scan, [insecure.org] security scanner. [nessus.org] Two things that you should be doing on every network enabled device.

The time consuming part comes with the follow up where you check the results of the scans on the local machines [tcpdump.org] and determine if you trust that the exposed services are being handled by secure apps. If in doubt, use an encrypte

• #### Re:Specifications (Score:2)

Well, for this situation finding a potential problem is easy: Port scan, security scanner. Two things that you should be doing on every network enabled device.

These would not have helped. There was no unusual port to be found via the portscanner-- the Arkeia client was listening on a documented port and since it was installed intentionally, this open port would be considered normal. The Nessus security scanner only looks for known vulnerabilities and again would not have helped here.

HD did an excellen

• #### Re:Specifications (Score:2)

1. There was no unusual port to be found via the portscanner-- the Arkeia client was listening on a documented port and since it was installed intentionally, this open port would be considered normal.

The fact that a port was open would be enough to investigate what it was, why it was open, and if the service was properly secured. Anyone who stops and says "OH, it's just the backup software" should not be an admin.

1. The Nessus security scanner only looks for known vulnerabilities and again would not have
• #### The oldest excuse in the book (Score:5, Insightful)

on Monday February 21, 2005 @07:44AM (#11734829) Homepage Journal
"It's not a bug, it's a feature!"

What a bunch of morons. It's one thing to accidentally write a security hole in your software. It's another thing entirely to claim that you deliberately make it so your software leaves your users' systems wide open to anybody who feels like taking advantage.
• #### A good saying (Score:3, Insightful)

on Monday February 21, 2005 @07:46AM (#11734836)
Never attribute to malice what is explainable by stupidity. (though the Bush admin. has stretched my imagination...) Though it appears intentional, there is probably a very good explanation for all of this. Needless to say, we'd better be hearing soon from Arkeia as to exactly WHAT that explanation is.
• #### It may have been said before... (Score:5, Funny)

on Monday February 21, 2005 @07:48AM (#11734847) Homepage
Well, let me be the first to say that I for one welcome our new nmap -sS -PS617 -iR 0 -p 617 -ing overlords.
• #### Security available, just not enabled by default (Score:5, Insightful)

by Anonymous Coward on Monday February 21, 2005 @07:57AM (#11734875)
Arkeia provides both authentication and encryption of the connections - if you enable it. There is a part of the manual that covers how to enable security.

It is indeed bad that it is not enabled by default. On the other hand, enabling authentication of the backup server on the backup clients means that it is slightly harder to set up a backup client.

The problem is not much worse than, say, nfs. (Where impersonating a host can get you everywhere unless authenticated rpc is used.)
• #### Re:Security available, just not enabled by default (Score:2)

There are a few differences between NFS and this. First, with NFS you are aware about its limitations and shortcomings right from the start. Nobody hides that. Second, you can still restrict NFS share to be read only. Third, I don't use arkeia, but after quickly glancing at the exploit page, it seems to indicate that there is no way to enable authentication for this.
• #### Hum off topic'ish. (Score:5, Insightful)

on Monday February 21, 2005 @08:21AM (#11734953)

Hi there.

Well I just dealt recently "simple" backups via rsync + ssh. If you can rsync something from remote onto target with no special protection regarding rsync... If target is compromised, a malicious user can run arbitrary commands through rsync. And rsync server provides full read access to FS. (Well, within user permissions though.) Isn't it a bit the same problem that this software has? I would not be surprised to hear that you can customize the backup server to limit access/actions for better safety. Which is exactly what you have to do with ssh on remote server: filter commands passed through ssh before running them. I mean: each remote you want to back up will have to be worked on a little.

It's off topic but FYI: Rsync server can take as a file list an arbitrary unix command.

rsync user@remote:'\rm -rf /' .

Pretty efficient isn't it ? (unix file perm will limit the damage though).

Bye bye.

Z.

• #### Re:Hum off topic'ish. (Score:2, Insightful)

by Anonymous Coward
Well I just dealt recently "simple" backups via rsync + ssh.

I'm assuming you are doing really simple backups...how do you handle complicated tape library management (ie: tape robots, backup aging, onsite/offsite backups) automatically without having to use software more complicated than the basic Unix command line utilities? I'm not targeting you in particular, but there seems to be a lack of realization in general in this thread that backup systems are usually more complicated than just sticking an 'rsyn

• #### Re:Hum off topic'ish. (Score:4, Informative)

on Monday February 21, 2005 @11:02AM (#11735818)
how do you handle complicated tape library management (ie: tape robots, backup aging, onsite/offsite backups) automatically without having to use software more complicated than the basic Unix command line utilities?

By not using tape. rsnapshot [rsnapshot.org] going to a sufficiently-large RAID array or drive covers your regular backups, including aging. A separate rsnapshot or rsync can do nicely for offsites, pushing the backups to another server. For enterprises, this approach probably is insufficient, but for smaller firms (e.g., ~70 employees, 5 offices), this works well.

• #### GNU tar handles hardlinks (Score:2)

I just found this out. I don't really have a remote server that I can rsnapshot to, so I can just go

> tar -cf offiste050222.tar /var/cache/rsnapshot
> gpg -c offiste050222.tar

Dump the gpg file to a CD (or DVD... I don't know how much you like to backup) and bring the media to a remote location. Because GNU tar can do hardlinks (and gpg will compress your data), your tarball will be only a little bit larger than what rsnapshot du reports, and your gpg file will be... well.. depends on your data, but

• #### Re:Hum off topic'ish. (Score:2)

You can restrict the commands and arguments allowed by ssh. If you don't restrict this, though, you are in deep poo.

Examples at: http://sial.org/howto/rsync/
• #### Re:Hum off topic'ish. (Score:3, Informative)

If target is compromised, a malicious user can run arbitrary commands through rsync.

I agree this is an issue, the best solution I have found is Push Mirroring [debian.org] with this the command that can be run is put in the ssh public key and then the compromised client can only run this specific command.
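The two comments above describe pinning a backup key to one permitted command. The following is an added example, not part of the thread: a forced-command wrapper that only lets the key run a read-only rsync pull of one directory tree. The script path, `ALLOWED_ROOT`, the `authorized_keys` line and the sample commands in the comments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for a backup-only SSH key.
# Hypothetical install path: /usr/local/bin/rsync-pull-only
# Hypothetical authorized_keys entry on the machine being backed up (key elided):
#   command="/usr/local/bin/rsync-pull-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... backup@server

LC_ALL=C; export LC_ALL      # make the A-Z / a-z ranges below plain byte ranges
ALLOWED_ROOT="/home/"        # assumption: the only tree the backup server may read

# Return 0 only for a request of the form
#   rsync --server --sender -<short options> . <path under ALLOWED_ROOT>
# which is what an rsync client sends when it pulls files from this host.
check_rsync_command() {
    cmd=$1
    [ -n "$cmd" ] || return 1

    # Allowlist of characters: anything else (quotes, ;, |, &, $, backticks,
    # backslashes, globs, newlines) is refused before any parsing happens.
    case $cmd in
        *[!A-Za-z0-9\ ./_=,-]*) return 1 ;;
    esac

    # Word-split the request; globbing is disabled as a second line of defence.
    set -f
    set -- $cmd
    set +f

    [ "$#" -ge 5 ] || return 1
    # --sender means this host only sends data; without it rsync would write here.
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3

    # Accept bundled short options only. Long options are refused because some
    # of them (for example --remove-source-files) modify the sending side.
    while [ "$#" -gt 2 ]; do
        case $1 in
            --*) return 1 ;;
            -*)  shift ;;
            *)   return 1 ;;
        esac
    done

    [ "$#" -eq 2 ] && [ "$1" = . ] || return 1
    path=$2

    # No parent-directory tricks (this also refuses names containing "..").
    case $path in
        *..*) return 1 ;;
    esac
    # The requested path must sit under the allowed root.
    case $path in
        "$ALLOWED_ROOT"*) return 0 ;;
    esac
    return 1
}

# Entry point when sshd runs this file as the forced command. sshd places the
# command the client asked for in SSH_ORIGINAL_COMMAND; an interactive login
# leaves it empty, in which case the script simply ends without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # Word splitting is safe here: the string passed the character allowlist.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

With this in place, a stolen backup key can still read everything under `ALLOWED_ROOT`, so the key itself remains sensitive; the wrapper removes command execution and write access, not read access.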

• #### Only wimps use tape backup... (Score:2, Funny)

...real men just install Arkeia for their important stuff, and let the rest of the world mirror it :)

• #### Call to slashdot from a now ex-Arkeia customer. (Score:2)

Well well, isn't this interesting. I've had Arkeia running for a while now, backing up a number of different machines with a variety of linuxes, and I chose it because it was the only one that had any sort of support for Debian Sarge. It's been fine, apart from some unstable MySQL support, but other than that, a great piece of software. Until now.

I can't ever trust these guys again. When I first installed it, this issue occurred to me, and I just assumed "no way could those guys be that stupid, they must ha
• #### Re:Call to slashdot from a now ex-Arkeia customer. (Score:2)

I use Netbackup, but for me it was a price issue. Arkeia quoted me a price 3x Netbackup (Arkeia $5500, Netbackup $1700)!

Could you install CentOS (Veritas doesn't support any free OS's as a server, and while CentOS is free, it is a clone of a Veritas supported OS ;) on your backup server? Not sure what your environment is like, but my backup server is pretty much dedicated to backups and file sharing, so it really doesn't matter what OS it runs.
• #### Re:Call to slashdot from a now ex-Arkeia customer. (Score:2)

Could you install CentOS (Veritas doesn't support any free OS's as a server, and while CentOS is free, it is a clone of a Veritas supported OS ;) on your backup server? Not sure what your environment is like, but my backup server is pretty much dedicated to backups and file sharing, so it really doesn't matter what OS it runs.

AFAIK Veritas supports several Linux Distros and if you really object to paying the distro vendor there are any number of distributions that are 'close enough' (like CentOS) that the
• #### Re:Call to slashdot from a now ex-Arkeia customer. (Score:2)

Actually Netbackup used to be supported on RH7.3, so I would expect it to work there. Veritas officially stopped supporting Netbackup on RH8 or RH9.

I originally tried it on RH9 and had a few problems, that mysteriously went away when I built my own system from RHEL sources.

Last time I looked, only Win32, commercial *nix, and RHEL and SuSE were supported as servers. They support pretty much everything as a client.
• #### Re:Call to slashdot from a now ex-Arkeia customer. (Score:2)

I was curious, so I checked. [veritas.com]

They actually don't support SuSE as a server, and they stopped support for free RH versions at 7.3 (I assume this is when the first version of RHEL came out). The chart says they don't support RHEL 3.0, as a server, but I know someone who is running it on 3.0, and claims they support him.

No BSD's are supported as a server.
• #### Re:Call to slashdot from a now ex-Arkeia customer. (Score:2)

by rk (6314)

I would like to humbly suggest these guys [tolisgroup.com]. The software was completely self contained (Either static executables, or the dependent libraries on were included). The network agent did a DH key exchange when you first installed it, and after that, each agent contact required a challenge-response before it would do anything. Nothing is ever guaranteed secure, but several very bright engineers who were also experienced sysadmins burned a lot of brain cycles to design the security of this system before a line o

• #### Re:Call to slashdot from a now ex-Arkeia customer. (Score:2)

SEP [www.sep.de] comes to mind.
Extensive platform support and lots of plugins.

Not free, but you get what you pay for...

• #### Re:Call to slashdot from a now ex-Arkeia customer. (Score:2)

Rsync is your friend, but remember to use the ssh feature for security: rsync -e ssh --timeout=180 -Cavuzb www.example.com:/home/ /data/example.net/mirror/home/ and to automate the use of ssh, you need to use ssh-agent to keep the keys.
• #### Re:Call to slashdot from a now ex-Arkeia customer. (Score:2)

Veritas Netbackup wouldn't even touch a Sarge install, it was a dependency hell that I didn't have the time nor patience to get in to. I've got Redhat boxes, from 7.2 to 9, that all need backing up too... So what are the pros out there using? Is there anything that isn't rsync and a few mt commands in a bash script?

Netbackup seems to work fine with Debian Sarge clients for us. We've got the server running on a RedHat 7.3 box at the moment but are considering upgrading to a later RedHat/Fedora/CentOS/Mandr
• #### Ever try Tapeware? (Score:2)

Well, in light of this I guess I will plug the backup software I have been using. At my work we are using Yosemite's Tapeware [yosemitetech.com]. We currently backup two Linux servers and one Windows server and it works very well. You can manage the storage group from any of the servers (CLI on the Linux box's, GUI on the Windows machine). Yosemite even offers a 30 day trial of their software with no limitations. I am not sure how well it works on a larger setup than what I have, but for my needs, it works great and is c
• #### Arkeia! (Score:2)

That's not just the name of the product, it's the sound your digestive tract will make when you try to use it! Seriously, this announcement should serve as justice to anyone who found Arkeia and stopped looking. You're much better off with Amanda or TapeWare. Not that I've audited TapeWare or anything, but I've done several thousand backups with it and I know how robust it is.

http://www.tapeware.com/ [tapeware.com]
• #### Re:Arkeia! (Score:2)

but I've done several thousand backups with it and I know how robust it is.
Have you done a restore? Most problems with backup software arise when you try to restore something, not when you backup the files.
• #### Re:Arkeia! (Score:2)

Not as many. :)

The only problem I've run into doing restores involved restoring a MS SQL 7.0 on NT. There was a bug in their connector and I was apparently the first one to hit it. I've long since switched to using an open file manager for Windows-side databases, and moved almost everything to Linux anyway. TapeWare's cross platform support is pretty good, although they do develop first on Windows and then port to Linux, Novell, DOS, and Solaris. I'm in the TW8 beta program but haven't done much as I'm stil
• #### Re:Arkeia! (Score:2)

Not in my case. We purchased it for a block of Sun servers, and had a LOT of problems with backing up. Performance was awful (> 24 hours to backup 40GB systems), and really bad error recovery. I was really disappointed with their tech support, and I had to educate them about the normal operations of Sun systems. When backups finally succeeded, restores were pretty straightforward.

This was a couple of years ago now. I believe they've gotten better, though, and we didn't upgrade the license to newer
• #### !Tapeware (Score:2)

Tapeware doesn't use routeable protocols, so you can't do backups on systems outside your subnet.
• #### Re:!Tapeware (Score:2)

Correct me if I'm wrong, but I think the installer lets you enter hostnames manually. This isn't something I needed (backup server at each remote office), so I haven't tried. I think my sales rep told me I could cross subnets if I wanted to.
• #### Proof that Windows is more secure! (Score:2)

Entering Ballmer Mode

Yes!

Now we can see a system configured for enterprise use with enterprise grade software is completely vulnerable! Linux is a sieve! It can't protect your data, why there are millions of machines infected with Linux that can now be remotely accessed by ANYONE for any purpose? How many of those machines are being used for kiddie porn, illegal phishing sites and other similar and equally illegal activities?

The message is clear, install Linux and your data is open to the world.

Why, I'
• #### Arkeia Backs-up Great - Restore Is a Problem (Score:4, Informative)

on Monday February 21, 2005 @10:49AM (#11735711)
I ran Arkeia with a large web hosting firm for about 2 years mixed with Linux and Windows machines. We tested the backups extensively before deployment and spent $18,000 with Knox for licenses. All seemed well until we needed to restore data. The logging indicated a perfect backup, but time and time again our restores were either failing or incomplete. On Windows, it simply wouldn't restore anything. The solution, according to Arkeia was to purchase an upgrade ($12,000) which would solve all our problems. And since we refused to spend another 15% for a support agreement, that was our only alternative. I don't think so.

Needless to say, we went with someone else. Veritas had a great enterprise solution that worked with Linux and Windows (the server app runs only on Windows) and supports a huge array of tape drives. And it was one-third the price.

I can't definitely recall, but the Veritas agent also has some security peculiarities that raised some eyebrows. If you run any enterprise backup, I guess the answer is to make sure you're firewalled.

In this day and age of cheap disk drives, I wonder if anyone is using USB or Firewire drives and just using those for back-ups. A Lacie 250 gig Firewire drive is <$200.

• #### Re:Arkeia Backs-up Great - Restore Is a Problem (Score:2)

I had the same experience with Arkeia on price. I can't believe anyone would buy their product when it's at least 3x Netbackup.

The biggest problem with Netbackup is Veritas will only support the server on RHEL or SuSE, no "free" OS's. So I built an RHEL server from source, and got around that problem. Of course now you could use something like CentOS, if you don't want to build your own.
• #### Re:Arkeia Backs-up Great - Restore Is a Problem (Score:2)

Yes. We are using LaCie 250's to do backups now with UltraBac. We were using Veritas, but after waiting on the phone for 3 hours for help on a restore (with a paid support contract, no less!), we decided that Veritas could piss off.

The UltraBac interface is definitely a bit clunky, but their phone support is great. I even get forwarded to their developers when I find potential bugs. (on that note, wait a bit to go with UB8, UB7 works great). UltraBac even claims to have a UNIX agent, although we only

• #### Re:Arkeia Backs-up Great - Restore Is a Problem (Score:2)

Needless to say, we went with someone else. Veritas had a great enterprise solution that worked with Linux and Windows (the server app runs only on Windows) and supports a huge array of tape drives. And it was one-third the price.

Actually Veritas supports a number of UNIX platforms for the server app including Solaris, HP-UX, and Linux (there is the issue that for Linux Veritas only supports RHEL and SuSE, but there are free distros that are 'close enough' to work and given a little effort even Debian
• #### Re:Arkeia Backs-up Great - Restore Is a Problem (Score:2)

Yep. We're a small shop but we have about 4 of our clients using external USB2 HDDs for backup instead of tape.

For the couple that wanted added reliability, they use two external drives on a rotation basis (the drive that gets taken off-site at the end of the day is swapped with the alternate drive that stays for overnight backup).
• #### Be careful if you decide to firewall port 617 (Score:2)

Just a note. For you [fortunate] individuals who may have a SCO system on your network. Be careful about setting up firewall blocks for port 617.

sco-dtmgr 617/tcp SCO Desktop Administration Server
sco-dtmgr 617/udp SCO Desktop Administration Server

I ran a scan of the larger corporate network and found a lot of these hiding out there...
