  #1 universal4, Forum Administrator (joined July 2003)

    Powershell scripting

    Geek alert

    Has anyone ever written scripts (thinking PowerShell currently) that connect or disconnect a USB drive?

    For background, I am looking at creating a script for doing some backups, and looking at disconnecting the drive after the backup completes.

    Backups that are on drives that are not connected cannot in fact be compromised, and USB makes this easier to handle when the machines are a distance away. (Of course in the case of virtual machines, one can tell the host to disconnect, but I prefer to keep things isolated.)

    Due to Windows sometimes not liking a disconnect without a gentle "you can now remove drive", I am looking at trying to implement this in a script.

    Have found a few things on Stack Exchange, Super User etc., but was wondering if anyone had any real world examples or experience using something like this. Looks like it uses WMI called inside a PowerShell script; have also seen examples with Java, but prefer straight PowerShell if possible.

    For Linux I am pretty sure it is straightforward using mount and umount, since it treats the drive or share as disconnected unless an auto mount is active, say during a reboot.

    Rick
    Universal4

  #2 universal4, Forum Administrator

    After some study and some testing, I do have the PowerShell script that worked for ejecting a USB device.

    The problem with that method: there does not seem to be a method to have the system see the drive again without physically unplugging and plugging the drive or device back in.

    I tried using devcon and even going in to the device manager and right clicking; scan for new devices does not work once "ejected".

    I have however tested a PowerShell script to disable and enable the USB device.

    Once disabled, it may even show in Explorer > My Computer, but it will be greyed out/disabled, and the system cannot access or write to the drive, which is the behavior I was looking for.

    The re-enable portion gives access back to the drive immediately, so these two functions can easily be added in to a scripted backup if one has a need for such a thing.

    Can share this with anyone that might be interested.

    Rick
    Universal4
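
    A script along the lines the post describes, added here as an example; it is not the poster's own script. It assumes Windows 10 / Server 2016 or later (the PnpDevice and Storage modules), an elevated session, a single USB disk attached, and the hypothetical source folder D:\Data and drive letter E.

```powershell
#Requires -RunAsAdministrator
# Added example, not the forum poster's script. Backs up to a USB disk, then
# disables the disk's PnP device so the volume is unreachable until the script
# is run again with -Mode Enable. $Source and $BackupDrive are assumed values.
param(
    [string]$Source      = 'D:\Data',   # assumed folder to back up
    [string]$BackupDrive = 'E',         # assumed drive letter of the USB volume
    [ValidateSet('Backup', 'Enable')]
    [string]$Mode = 'Backup'            # 'Enable' only re-enables the disk
)

function Get-UsbDiskInstanceId {
    # USB mass-storage disks enumerate on the USBSTOR bus. A disabled device is
    # still "present" (Status 'Error'), so this finds the disk in either state.
    $dev = Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object -First 1
    if (-not $dev) { throw 'No USB disk attached.' }
    return $dev.InstanceId
}

$id   = Get-UsbDiskInstanceId
$root = "${BackupDrive}:\"

if ($Mode -eq 'Enable') {
    # The re-enable step: access to the volume comes back immediately.
    Enable-PnpDevice -InstanceId $id -Confirm:$false
    return
}

# Make sure the disk is online before the copy; harmless if it already is.
Enable-PnpDevice -InstanceId $id -Confirm:$false -ErrorAction SilentlyContinue
$deadline = (Get-Date).AddSeconds(30)
while (-not (Test-Path $root) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
if (-not (Test-Path $root)) { throw "Volume $root did not come online." }

# Mirror the source; the log sits outside the mirrored folder so /MIR keeps it.
$log = Join-Path $root 'robocopy.log'
robocopy $Source (Join-Path $root 'Backup') /MIR /R:1 /W:1 /NP "/LOG+:$log"
if ($LASTEXITCODE -ge 8) {
    # robocopy exit codes of 8 and above mean some files failed to copy.
    Write-Warning "robocopy reported failures (exit $LASTEXITCODE); disk left enabled."
    exit $LASTEXITCODE
}

# Flush dirty pages first, then disable the device. Explorer now shows the
# volume greyed out and nothing on the machine can write to it.
Write-VolumeCache -DriveLetter $BackupDrive
Disable-PnpDevice -InstanceId $id -Confirm:$false
Write-Host "Backup complete; USB disk $id disabled."
```

    Narrow the USBSTOR filter (for example on the device's friendly name) if more than one USB disk is attached.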

  #3 LinuxGam, Public Member (joined July 2019)

    You could look at encrypting your backups… as if people have access to your server they don’t need your backups. If you are on a private server, are you worried about hackers or staff? It goes without saying anything in your database that's private to others, like a password, is hashed. If you are worried about your code/site then backups don’t matter as they're accessible on your site server. If you don’t use a compiled language like PHP/Python this obv magnifies the issue as it's copy paste. JS/HTML/CSS is obv accessible anyway from all users.

  #4 universal4, Forum Administrator

    I am working on solutions for various scenarios, in various scenarios, and at no time is there a question about staff.

    When considering disaster recovery, just simply encrypting the backups is not enough if they are accessible, such as on a share on a server that "could" be compromised.

    There are times when the theory "take a backup off site" is difficult to perform, and the scenarios I am looking at have a complete ZERO to do with giving some other entity access to data security, such as is the scenario with "just put it on someone else's cloud" (Microsoft, AWS, Google, Fort Knox), as that leaves the security of the data up to someone else, and they are all larger targets.

    Quote Originally Posted by LinuxGam:
    If you don’t use a compiled language like PHP/Python this obv magnifies the issue as it's copy paste. JS/HTML/CSS is obv accessible anyway from all users.

    And in the scenario I laid out above, in fact, if a drive is disconnected they are not easily accessible, unless the reconnect or enable takes place. I agree, open shares of any drive, physical, connected active USB, off-site cloud drive shares, etc. are at risk.

    Many of the most common forms of hacks or compromises that lead to, as an example, ransomware are more about encrypting current data etc. on the compromised machine, not gaining remote access and having a dig around to find out how they are backing data up to also go after such data.

    They compromise, infect, encrypt all data available on the machine, then move on to all shares, not disconnected or disabled drives.

    Nothing is 100%, just snowballing and investigating various scenarios and additional steps or methods to help with certain disaster recovery options.

    Rick
    Universal4

  #5 LinuxGam, Public Member

    I have nightly scheduled VM backups to a separate datacenter in case of a fire/explosion/flood, and then once a month or so I download a day's worth of backups to a 1TB drive plugged into my home router. That way if ransomware managed to encrypt my server and my backups, which seems unlikely both, but possible, I'm not rebuilding all the servers from scratch.

  #6 universal4, Forum Administrator

    As long as those backups do not go to an open share, since often open shares are vulnerable.

    Agree though that a full backup of the VM disk is about one of the fastest recovery options.

    Rick
    Universal4

  #7 LinuxGam, Public Member

    Quote Originally Posted by universal4:
    As long as those backups do not go to an open share, since often open shares are vulnerable.

    Agree though that a full backup of the VM disk is about one of the fastest recovery options.

    Rick
    Universal4

    Not only are the network backups not fully public facing, only to servers on that LAN, they are also IP firewalled to only my server IP. The HDD on my router is strictly internal only, has no public forwarding. It was in my PC, but that meant if I wanted it as a NAS my PC had to be on... so I moved it to the internal LAN on my router.

    I'm just in the middle of configuring my new server and I'm giving every single VM only a private IP and routing all traffic through a pfSense firewall. If you've not done it in a VM environment it's a bit of a mind puzzle at first... But once it's set up it's amazing.

    I then set up a permanent certificate based VPN from my home router to the pfSense firewall, effectively creating a local private IP network. This means that all of my servers apart from the host on port 22 (SSH) and the OpenVPN port on the firewall are only accessible via the internal IP range, and you need a 2048 bit cert and username/password to access the VPN, so unhackable.

    I then open ports on the firewall for HTTP/HTTPS/Mail and forward to the correct VMs.

    On top of this you can install SNORT on the firewall, which autoblocks almost all dodgy attacks and bots looking for vulns, as well as downloading a nightly updated known bad IP list / bot list to fully block.

  #8 universal4, Forum Administrator

    Whether the IPs are public facing or not is not the point; if the shares were open on the 10dot they would still be vulnerable to some scripts or trojans and ransomware attacks that seek out open shares.

    Keeping SQL and NAS on private only is obviously a good practice. One method I use and suggest is disabling the card of the VM in the host, turning the port off on the switch if a physical machine, and also remming out the NIC reference sometimes on some Linux installs.

    Obviously stopping the attacks at the front door is preferable, but disaster recovery solutions still need to be planned nonetheless.

    As for traffic on the private side, I keep ALL traffic separated public and private and yet another subnet for corosync.

    Rick
    Universal4

  #9 LinuxGam, Public Member

    Quote Originally Posted by universal4:
    Whether the IPs are public facing or not is not the point; if the shares were open on the 10dot they would still be vulnerable to some scripts or trojans and ransomware attacks that seek out open shares.

    Keeping SQL and NAS on private only is obviously a good practice. One method I use and suggest is disabling the card of the VM in the host, turning the port off on the switch if a physical machine, and also remming out the NIC reference sometimes on some Linux installs.

    Obviously stopping the attacks at the front door is preferable, but disaster recovery solutions still need to be planned nonetheless.

    Rick
    Universal4

    If the shares are firewalled to one IP, not only are they secured to that IP, they are not scannable by BOTS... The firewall is a totally separate entity and IP address that will block that traffic. It's not just that they can't access it; they would never even know a port was open or a share was there.

  #10 LinuxGam, Public Member

    You could argue if the script got on the server… it could then access it 100%… if you look at the firewall and private IP setup I discussed before…. The chances of someone getting in on port 80/443 is pretty much ZERO.

  #11 universal4, Forum Administrator

    If shares are firewalled to allow a single IP, great, but if the single IP that is allowed is infected, the firewall will allow the traffic from the infected IP.

    Rick
    Universal4

  #12 LinuxGam, Public Member

    It’s also important to note that SNORT on the firewall updates every night with web vulns and blocks known attempts. And in my case I'm not a WP plugin user… my entire site(s), all code/plugins, are written by me, so there will be no BOTS that know about them. So unless I **** off the Russians and get a super dedicated attack…. It’s all good.

  #13 LinuxGam, Public Member

    Quote Originally Posted by universal4:
    If shares are firewalled to allow a single IP, great, but if the single IP that is allowed is infected, the firewall will allow the traffic from the infected IP.

    Rick
    Universal4

    Also we both discussed that if they are encrypted the worst damage really is ransomware… so a weekly or even monthly download to a USB drive gets around that as well… I would be very surprised if someone could execute a script on my server, especially using a bot, as I don’t use mass produced PHP CMSs.

  #14 LinuxGam, Public Member

    That single IP is only accessible via VPN private IP with 2048 certs and passwords… there is a chance that I could get malware on my PC etc…. But how far can we go with this… I’m pretty sure I'm more secure than 99.9% of companies with their websites and data.

  #15 LinuxGam, Public Member

    I appreciate your comments as it's made me think and I'm not actually thinking about it exactly right. The web server VM is the only one with port 80/443 open, and that I’m guessing is the only likely one with any potential flaws (tho unlikely). The host server is the IP that has access to back up the VMs. Based on the previous config I explained, that's only accessible via SSH2 with certificate, and nothing else is open. So firewalling the backups to that server is VERY VERY secure. As far as I know there are no flaws in SSH2 I've seen reported. You have the small risk of staff or technical errors etc. with their firewall etc. But the VMs are all ringfenced to a private IP range and have no access to the backup space.

  #16 universal4, Forum Administrator

    Agreed, if you have not automated a backup within a single datacenter, then locking down to a single IP in your home could be a solution to your specific scenario.

    My original post was looking to see if anyone had specific use cases or results using PowerShell for a specific use case, and it was never about how someone backs up their VMs or data from a data center to their home, although other use case scenarios could easily be helpful to others in backup or disaster recovery scenario planning.

    An allowed and active IP, whether firewalled or not, allows the traffic or data transfer. A disconnected drive, or for that matter a disconnected IP, does not.

    I had a specific use case I was looking to fulfill, on Windows to a USB drive for a client, and actually managed to do so with the disable and enable within a PowerShell script.

    Rick
    Universal4

  #17 LinuxGam, Public Member

    I agree with you… But I don't back up automated to home.. I back up to another datacenter…. I occasionally back up to home in case, like you say, it all gets ransomwared, which I got the feeling your main concern was, with public backups etc.

    My home USB drive has no outside access at all.

    My datacenter backup drive is firewalled commercially to one IP that can only be accessed via SSH2.

    I agree this wasn’t your question… but I think my setup is super secure, so thought others might be interested.

    Assuming you use a PHP CMS, likely WP and likely with plugins, that should be as much a concern for you… I’m also assuming you don’t run it through a firewall first with things like SNORT running etc. Backups are the most important thing for sure… but it's also nice not to be hacked in the first place.

  #18 universal4, Forum Administrator

    Again, I had a specific use case and was looking for anyone with PowerShell experience in case they had used that PS function.

    You keep going back to a firewalled IP, but if .10 and .11 allow sharing bi-directionally, and a compromise that attacks shares is on either .10 or .11, the firewall ain't stopping it 'cause it is allowed.

    And whether a person has WP, HTML or any other CMS or custom CMS is not the issue (not the topic).

    And when it comes to plugins, I personally am one of the biggest advocates at the GPWA that has said from the beginning, the least amount of plugins a person uses the better off they are in terms of security and higher speeds.

    And I do in fact recommend firewalling WP installs. I have specific preferences, but again that is a complete slant away from the original topic of the discussion.

    If anyone ever has a need for the script I spoke about initially, I am happy to share the results.

    Rick
    Universal4
