#32777 – NAME OF BACKUP FILES

Posted in ‘Akeeba Solo (standalone)’
Wednesday, 01 April 2020 14:35 CDT
Hello, how are you? I hope you are all safe!
I am sending you an image of the folder with the backup files: since a few days ago, the names are different.
What is the reason? Is it important?

Thanks !
Carlos
Custom Fields
PHP version (in x.y.z format) 7.2
Akeeba Solo version (x.y.x) n/a
CORBISER
Wednesday, 01 April 2020 14:59 CDT
There is a warning displayed to you about the security implications of using the default backup output directory. The warning is displayed in the Akeeba Backup Control Panel page when you activate a backup profile that uses the default backup output directory, as well as every time you try to take a backup from the backend of your site with said backup profile.

This warning has been in place since 2009 and links to the Default output directory in use page explaining the issue and its mitigation. The same information is also present in our documentation's Security Information chapter for two years longer. If you have not done so already, please click on the link above to understand the security implications of using the default backup output directory before reading on.

Unfortunately, our security advice has been effectively ignored by our users for as long as we have it in place. This creates a potentially hazardous situation for our users that needs to be mitigated.

Changing or removing the default backup output directory is not a viable option for practical reasons. We cannot expect new users to follow an additional and potentially confusing configuration step just to start using our software. Nor can we stand aside when more experienced users, complacent by their initial experience using our software, take no positive action to improve their site's security despite a warning urging them to do so.

In an effort to protect the security and privacy of our clients' sites we decided to transition from passive security advice to affirmative security action. To this end, we will make the backup archive filenames practically impossible to guess by automatically adding -[RANDOM] (dash followed by 16 random alphanumeric characters) to the backup archive filename in the following potentially hazardous configuration conditions:

1. You are using the default backup output directory; OR

2. You are using a backup output directory that is under your site's root and for which we cannot positively detect that it's inaccessible over the web.

The test for whether the backup output directory is accessible over the web takes place when you visit Akeeba Backup's Control Panel page and activate the backup profile in question from the dropdown list. First, Akeeba Backup will place a .htaccess, web.config, index.html and index.html file if they are not already present. For this reason it's IMPERATIVE that your backup output directory is NOT the parent folder of a web accessible location. The check will then try to write a randomly named file in your backup output directory and access it over the web. This may create an entry in your server's error log. If this happens do not worry; it's normal and it means that everything is working correctly.

You cannot disable this behavior in Akeeba Backup for the same reason you cannot disable seat belts in a car. It is a security feature, put in place to protect you.

If you want to avoid having the random characters appended to your backup archive's name you need to address the conditions above, i.e. follow our advice to create a dedicated backup output directory. A short version follows.

Ideally, this should be placed in a directory above your site's root. If this is not possible, please use a directory inside your site's root. A hard to guess name like "qebPw234wD_backups" is preferred to an easily guessable name like "backups". Do not place your backup output directory in a CMS system directory, such as Joomla's cache, tmp, media etc directories or WordPress' wp-content directory. After creating the backup output directory go to the Configuration page to change your backup output directory to it. This needs to be done once per backup profile. Remember to exclude your old backup output directory (default: administrator/components/com_akeeba/backup) from your backup to prevent backing up any existing backups which may still be in there.

When you next visit Akeeba Backup's Control Panel, Akeeba Backup will try to protect the backup output directory and check if your directory is accessible over the web, as explained above.

If the backup output directory is EITHER above the site's root (therefore by definition inaccessible over the web) OR positively identified as being inaccessible over the web THEN and only then Akeeba Backup will stop adding the -[RANDOM] suffix to the names of your backup archives.

Thank you for your understanding while we make using Akeeba Backup safer for you.


Dale L. Brackin
Support Specialist

English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
dlb
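
The suffix rule described in the reply above, as an added example (this is not Akeeba's code and not part of the ticket). The function names, the sample paths and the `confirmed_inaccessible` flag, which stands in for the result of the web-access check, are assumptions, as is treating condition 1 as applying regardless of that check.

```python
import os
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits  # 62 symbols; 16 of them ~ 95 bits
# Default output directory as quoted in the reply (relative to the site root).
DEFAULT_OUTPUT_DIR = "administrator/components/com_akeeba/backup"


def is_under_root(site_root, output_dir):
    """True if output_dir resolves to site_root or to a directory below it."""
    root = os.path.realpath(site_root)
    out = os.path.realpath(output_dir)
    # commonpath compares whole path components, so /srv/site_backups is not
    # mistaken for a child of /srv/site the way a startswith() test would.
    return os.path.commonpath([root, out]) == root


def needs_suffix(site_root, output_dir, confirmed_inaccessible):
    """Apply the two conditions listed in the reply."""
    default_dir = os.path.join(site_root, DEFAULT_OUTPUT_DIR)
    if os.path.realpath(output_dir) == os.path.realpath(default_dir):
        return True   # condition 1 (assumed to hold whatever the web check says)
    if not is_under_root(site_root, output_dir):
        return False  # outside the site root: not reachable through the site
    return not confirmed_inaccessible  # condition 2


def random_suffix(length=16):
    """Random alphanumeric characters drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def archive_name(base, ext, site_root, output_dir, confirmed_inaccessible):
    """Build the archive filename, adding -[RANDOM] when the rule requires it."""
    if needs_suffix(site_root, output_dir, confirmed_inaccessible):
        base = f"{base}-{random_suffix()}"
    return f"{base}.{ext}"
```
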
Tuesday, 07 April 2020 13:10 CDT
Hi Dale, sorry for the delay in answering you.
I have no problems with the random suffix in the name.

But I ask you about it because I am using Solo Backup on 3 websites, and only on one of them is the suffix added.
On all of them the output directory is the standard one, and all are using the Default Profile.

And the first backups in this web have the file names without the suffix....

????
Best regards.
Carlos
CORBISER
Tuesday, 07 April 2020 13:37 CDT
Carlos,

This change was just made in the latest version (before today) of Akeeba Backup and Solo. Is it possible that the other two installations have not been updated yet?


Dale L. Brackin

Support Specialist
dlb
Wednesday, 08 April 2020 02:07 CDT
Hi Dale, I updated all the SOLO installations, and will wait until tomorrow to see the names...
Thanks!
Carlos
CORBISER
Wednesday, 08 April 2020 07:46 CDT
Please let me know Carlos.


Dale L. Brackin

Support Specialist
dlb
Sunday, 12 April 2020 01:43 CDT
Good morning Dale.
After the update, I have the suffix in all the backup files.
Thanks.

Carlos
CORBISER
Sunday, 12 April 2020 09:18 CDT
You're welcome!


Dale L. Brackin

Support Specialist
dlb