NAS protection

jogold

I have a Synology DS120j. The device has one hard drive, and for file version retention I have a daily backup to a folder on the same HDD.
I have an external hdd connected to the USB for weekly backups in case of hardware failure.

I would like to leave the external always connected to the NAS, but I am worried that if for some reason the NAS were to get hit by a virus, like an encrypting type of ransomware, the USB backup version would also become unusable.

What would the recommended practice be for protection against this, other than having someone remember to connect the external once a week?
Thanks
Jo
 
It's an office with 3 computers, and until now all of the files were just shared from the secretary's Win 7 computer.
They don't want the files in the cloud (I have no idea why not and talking to the boss is a waste of time, I think he's superstitious about it).
So the external USB is my only solution.
I would just like to know if there is a setting that will allow ONLY the backup program to write to the USB.
 
I put them on their own VLAN, so the UTM controls who has access to the management port. At least then I can limit which machines can possibly be trying to brute force the thing.
 
There is no off-site access. I'm more concerned about a machine infecting the shared folders via the LAN.
 
If you are using it primarily as a file share, then the only protection you have is what you provide via other means. There's no magic "Don't let the bad guys in" checkbox.
  • Have a firewall/utm at the edge of your network with GAV/GAM, with a strong password for management
  • have AV/AM on all of the workstations, and use strong passwords for all accounts
  • keep the NAS DSM updated
  • make an admin account for the NAS that isn't named "admin" and set a strong password (then disable the original admin account)
  • make limited user accounts on the NAS (that don't have access to the backup folder/partition) with strong passwords for accessing the file share, and
  • backup - ideally both to an external drive and online. B2 is very inexpensive and easy to set up securely. If the client doesn't like online, then either convince them or make them sign a waiver. Make THEM responsible for swapping out the backup drive.
Oh, and buy a 2nd disk for the NAS and set up a RAID1, for Pete's sake. Why even use a NAS if you're not going to take advantage of the benefits it brings to the table?

You say there's no offsite access, but what you mean is there's no "intentional" offsite access. If your network is connected to the internet then there is always ATTEMPTED offsite access. Plan your deployments to thwart that as much as you can and then backup robustly for when (not if) those attempts succeed.

Synology units are great devices, but they need to be protected, just like a server would.
 
> I would just like to know if there is a setting that will allow ONLY the backup program to write to the USB.
I've never really fiddled around with using the external USB. Got a DS 420j slim but can't find it at the moment to look at the settings. But seem to remember that a USB drive just shows up as another drive so it's handled the same way as the other drives/shares. In reality there is only one protection against rogue encryption - unplugged. Not on any network, no way anything can touch it. Cached credentials on any logged in account on a computer are easily retrieved.

So if they don't want cloud then they'll have to manually attach the USB backup drive every so often for a backup to be made.
 
Looking at this setup, I would say the NAS should have a RAID1 with 2 drives and the external USB could be the off-site backup. The easiest way would be to have at least 2 USB drives and rotate each day which one is plugged in, with a job to duplicate the NAS to the USB.
 
I have an old Synology single Disk NAS I use for a basic file share at home. It also has a USB disk attached to back up what's on its own drive.

The USB drive is not available to the network and can't be seen by any networked attached device. So Ransomware would have difficulty hitting the attached USB drive.

Now if a backup runs after a ransomware attack, that could be an issue. Otherwise, not too worried about that USB drive getting hit.
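
A pre-backup sanity check for the case raised above (a scheduled job running after the share has already been encrypted), as an added example that is not part of the original thread and not a Synology feature. It compares the live share with the last backup and refuses to proceed when too many files have vanished or jumped to near-random entropy; the function names, thresholds and sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def manifest(root: str, sample: int = 65536) -> dict:
    """Map each relative file path to the entropy of its first bytes."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = entropy(fh.read(sample))
    return out

def safe_to_backup(source, last_backup, max_suspect=0.25, high=7.5, jump=1.0):
    """Return (ok, suspects); thresholds are assumed values to tune per site."""
    old, new = manifest(last_backup), manifest(source)
    # Suspect: gone from the share (renamed) or entropy jumped to near-random.
    suspects = sorted(
        p for p, e_old in old.items()
        if p not in new or (new[p] >= high and new[p] - e_old >= jump))
    return (len(suspects) / len(old) if old else 0.0) <= max_suspect, suspects

def demo():
    """Constructed sample: four text files, then three overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [os.path.join(tmp, d) for d in ("share", "usb_backup")]
        for root in roots:
            os.makedirs(root)
            for i in range(4):
                with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
                    fh.write((f"invoice {i}\n" * 500).encode())
        clean = safe_to_backup(*roots)
        for i in range(3):  # random bytes stand in for encrypted content
            with open(os.path.join(roots[0], f"doc{i}.txt"), "wb") as fh:
                fh.write(os.urandom(6000))
        return clean, safe_to_backup(*roots)

if __name__ == "__main__":
    print(demo())
```

Files that were already compressed in the last backup (ZIP, JPEG) do not trip the check, because only a jump in entropy counts; a check like this reduces the chance of overwriting the last good copy but does not replace an offline one.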
 
@MichaelBits I'm afraid your assessment isn't correct. The assaults against NAS devices have opened SSH access, and exposed the Linux under the hood. All attached devices are impacted once that breach happens. Directly attached USB storage IS NOT SAFE.

It is "safer" than the primary storage of course, but it is not "safe." So rotate out that USB storage and keep a copy offline in a fireproof safe or something, that's "safe".
 
@Sky-Knight:

Which also just goes to show what a cat and mouse game all computer security is. What may be "absolutely safe" at one minute is virtually certain not to remain that way in perpetuity.

It's amazing just how long the old belt and braces approach of "Backup, Backup, Backup!" has remained, with the proviso that those backups now absolutely need to be stored offline except when being taken or restored from.
 
@britechguy Yes sir, the only constant in this conversation has always been, the only secure device is an unplugged device.

There is no replacement for an offline copy... You can get versioned cloud storage and get a much more reasonable solution for daily use that covers most eventualities, but if you want to cover all bases all of the time... you need an offline vault.

The problem with the offline copy is of course the stale nature of it... it's never current. But it's always something, and if you're down that far, the alternative is often nothing.
 
I still advocate for offline backups, but I advocate for them only in that they become your fail safe should you somehow lose all other sources of data redundancy; something 24hrs old is usually better than nothing.
 
> There is no replacement for an offline copy... You can get versioned cloud storage and get a much more reasonable solution for daily use that covers most eventualities, but if you want to cover all bases all of the time... you need an offline vault.

It's interesting that Synology allows you to set up more than one USB drive so you can swap out the units and do sneakernet for an offline solution, but I get the impression they don't exactly encourage that - not as far as UX cues, at least. You do separate jobs for each drive, so they have to be scheduled, which means the right drive has to be attached at the right time - which is doomed to fail from a practical standpoint. These facts always lead me to suggest online with versioning (I use B2) over a 2 (or more) drive solution.
 
> It's interesting that Synology allows you to set up more than one USB drive so you can swap out the units and do sneakernet for an offline solution, but I get the impression they don't exactly encourage that - not as far as UX cues, at least. You do separate jobs for each drive, so they have to be scheduled, which means the right drive has to be attached at the right time - which is doomed to fail from a practical standpoint. These facts always lead me to suggest online with versioning (I use B2) over a 2 (or more) drive solution.

It's absolutely difficult to do an offline copy, and on devices like Synology the USB file copy usually takes an absolute age... So yeah, online versioning is typically the answer for any reasonable requirements. But if you want to spend time instead of money, the offline copy does work. I still recommend them for businesses, but they're only updated quarterly. They are the last final fail safe... if we're here, something has gone very very wrong!
 
> @MichaelBits I'm afraid your assessment isn't correct. The assaults against NAS devices have opened SSH access, and exposed the Linux under the hood. All attached devices are impacted once that breach happens. Directly attached USB storage IS NOT SAFE.
>
> It is "safer" than the primary storage of course, but it is not "safe." So rotate out that USB storage and keep a copy offline in a fireproof safe or something, that's "safe".

I suppose that would be an issue if I used SSH on it....
But SSH is disabled.
 
> I suppose that would be an issue if I used SSH on it....
> But SSH is disabled.

SSH will be open after it's breached. These things have been victimized by authentication bugs that allow direct access to the webui without authentication, then they own the box to open SSH wide and get at everything.

What you have configured at the moment is irrelevant... that's the problem.

And worse? The SSH tunnel will come from the storage unit and connect to the control server. So your local TCP 22 will never be "open".
 
> SSH will be open after it's breached. These things have been victimized by authentication bugs that allow direct access to the webui without authentication, then they own the box to open SSH wide and get at everything.

I suppose that could be an issue if it was exposed to the internet. Or is a model that has that vulnerability.
It isn't on either count.
 
> I suppose that could be an issue if it was exposed to the internet. Or is a model that has that vulnerability.
> It isn't on either count.

The malware beating on these NAS's isn't coming from the "Internet". It's running on the LAN via an infected host.

Emotet is one such variant that does this... and it's a cloaky ******* of such power it's almost impossible to prove the thing is even present on a network much less disprove it.

That's why these attacks are so widespread. You're not wrong to think you're safer to not have the cloud enabled features turned on... because you certainly are. I'm just saying don't be complacent, because one mistake and it's still all gone.
 
I mean, have a look at what happened with all those WD Network devices that were factory reset last few months. I'm sure those users never imagined it would happen and had no backup.

I used to support an insurance company, and they did nightly backups that were then taken offsite by the owners. They had backup drives for every day of the week. It's a lot of work, but that's the way to do it. Those backup drives only ever get plugged in to do a backup, and with five of them, even if the server was breached, there would be a "cache" of a few days' worth of backups that would not have been infected. Because those backups were offline and offsite, the chance of data loss was significantly reduced.
 