WCry/Ransomware - How to Protect Your NAS?

In light of WCry, and ransomware in general, I was curious how to protect daily backups on my NAS from also being infected? I have a pretty limited understanding of networking, so ultimately I am looking for the easiest solution that is also secure.

I started watching the pfSense build guide on Level1Linux and perhaps that is the best solution?

I also found an old topic that seems to address security on a network, but since I'm not very familiar with networking I don't know that it covers this specific issue.

Step 1. Stop using Windows.

6 Likes

Seems like a slightly troll-ish way to ask, but a good question nonetheless:

What is the NAS in question?

This will change how you protect it.

In addition to this, do you ever run any services like Plex from it? How does the backup in question work?

It's a pretty simple setup. I have daily backups that are encrypted using Acronis that are stored on my NAS. In the event that my computer is compromised, by ransomware or other means, I just wanted to know how to secure my NAS so that it doesn't get tainted.

To answer your second question, no I don't run any other services on my NAS; it's strictly for backups.

Sounds like Acronis is just putting the backups on a share.

If this share is mounted then ransomware could encrypt the contents the same as a local drive.

Sophisticated malware might even be able to mount it if the computer has the credentials.

It's probably unlikely that the NAS would be compromised, but given the above that would be irrelevant to your data security.

What brand is the NAS?

1 Like

Does it make sense to write a script to unmount after backup, and remount before? Is that even possible? What about the pfSense setup? Does that seem to be the best course of action?

Drobo.

I do indeed protect my backups by manually mounting the backup share before running the backup (rsync).
The share has a dedicated username and password, which is different from the credentials I use on the machines to log in - so no malware can easily mount it (in case they learn that).

Then I run the backup and later unmount the share again.

I was also contemplating automating that task with a script, but in the end I said no, as what if the script runs when the ransomware is already active on the system? The share could get mounted by the script and then the encryption virus can wreak havoc on the backup -.-

Automated backups are nice, but for security things should be done manually.

1 Like
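The mount-backup-unmount routine described above, as an added example that is not code from the thread. It adds one guard for the concern raised about automation: a canary file on the source is hashed at setup time, and the script refuses to mount the share at all if that file no longer matches, since an encryptor that has already run will have altered it. Share name, mount point, credentials file and paths are placeholders; a CIFS share with a dedicated backup-only account is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): mount the backup share only for the
# duration of an rsync run, and refuse to mount if a canary file on the
# source has changed (a crude sign that an encryptor is already active).
# Assumptions (all placeholders): a CIFS share, a dedicated backup-only
# account whose credentials live in a root-only file, and a canary file you
# created once and recorded with:  sha256sum "$CANARY" > "$CANARY_HASH_FILE"
set -eu

SHARE='//nas.example.lan/backup'          # placeholder share
MOUNT_POINT='/mnt/backup'
CREDS='/root/.nas-backup.cred'            # "username=...\npassword=...", mode 0600
SRC='/home/user/Documents/'
CANARY="$SRC/.backup-canary.txt"
CANARY_HASH_FILE='/root/.backup-canary.sha256'

# canary_intact FILE EXPECTED_HASH -> 0 only if FILE exists and still hashes to EXPECTED_HASH
canary_intact() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# recorded_hash HASHFILE -> prints the hash stored in sha256sum output format
recorded_hash() { cut -d' ' -f1 "$1"; }

backup_run() {
    if ! canary_intact "$CANARY" "$(recorded_hash "$CANARY_HASH_FILE")"; then
        echo "canary file changed or missing; NOT mounting $SHARE" >&2
        return 2
    fi
    mkdir -p "$MOUNT_POINT"
    mount -t cifs -o "credentials=$CREDS" "$SHARE" "$MOUNT_POINT"
    # unmount even if rsync fails, so the share is never left exposed
    trap 'umount "$MOUNT_POINT"' EXIT
    # no --delete: files removed (or replaced) on the source are kept on the share
    rsync -a "$SRC" "$MOUNT_POINT/daily/"
}

# The real job only runs when explicitly requested (needs root for mount).
if [ "${BACKUP_RUN:-0}" = 1 ]; then backup_run; fi
```

Run as root with BACKUP_RUN=1; the canary check is deliberately cheap so it can sit in front of every run.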

Don't have your NAS mounted automatically by Windows, that's it

As @Th3Z0ne pointed out, a script to mount the share could automatically mount it while the system is compromised.

The only truly safe way to do backups is to manage them manually or use a snapshotted system that doesn't allow a file to be overwritten when it is updated.

Unfortunately I can't seem to find any snapshot system for Drobos. Apparently Synology supports snapshots, which could be set up to preserve daily backups, but that doesn't really help you right now.

Makes sense. However, if you're using the computer everyday that is the source of the backups, wouldn't you know if your computer was compromised? If you're away for a few days or whatever, then you just don't run any backup processes.

Thanks everyone for the information. I think the argument has been made pretty clear that the best way is to do it yourself. Does anyone know of any alternatives? I'm just thinking about large companies that take snapshots of their data or whatever. I'm not going to give them too much credit because it's obvious there are a lot of companies that don't practice good security. However, there must be some pretty reliable solution?

Thanks. I'll look into this.

As usually the encryption starts ASAP, and then I would not back up anymore, of course.

That is a problem I had to solve using a USB 3.0 SSD (in stick format). I do not have highly important data exceeding 256GB, so that is my - remote/offsite/onme backup XD

Snapshots are 99% the best way - keep them for a lot of days so you can restore ^^ and of course the snapshots must not be accessible to clients (just saying)

That's the easiest and probably fastest way to protect yourself. If you get yourself (or build yourself) a FreeNAS box you can set up regular snapshots with a few clicks, that you can easily reset back to in case of an incident.

If you want to further enhance your security and also resilience (e.g. against physical damage to your hardware due to fire etc.) you can set up automatic replication that will copy the data to an off-site machine. If you have two FreeNAS boxes ready to go, this is done in like 15 minutes :wink:

If you use a NAS to back up to, then step one is never be logged in to it unless needed. If you're on Windows and it's just a shared drive, it will get owned.

For the NAS, if you can do snapshots etc. and if they're read-only, say FreeNAS, then sure, you can roll back the files from snapshots.

There are many good solutions for backup, both free and commercial.

A FreeNAS box or other home-built solution could be capable of scheduled snapshots of shares, which would protect against ransomware. Similarly, some commercial NAS devices can do this, such as Synology, or in fact ShadowCopy on a Windows server.

Other solutions include "pull" type backups, where the backup is initiated from the backup server. This way the versioning on the server can't be influenced by the client computers. A free example of this is BackupPC, and a commercial example would be Datto.
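The "pull" model described above, as an added example that is not code from the thread or from BackupPC/Datto: the backup server connects to the client over ssh and copies into a dated directory, hard-linking unchanged files to the previous run with rsync --link-dest, so each run is a full, browsable version without the client ever holding credentials for the server. Host names, paths and the retention count are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a backup pulled by the server.
# The client only exposes a read-only ssh account; it never learns how to
# reach the server, so a ransomware-infected client cannot touch old runs.
# Each run lands in YYYY-MM-DD/; unchanged files are hard-linked to the
# previous run (--link-dest), giving snapshot-like versioning on plain disk.
# Assumptions (placeholders): ssh key access from server to client, GNU sort.
set -eu

CLIENT='backup@client.example.lan'   # placeholder, read-only account on the client
CLIENT_PATH='/home/user/Documents/'
DEST_ROOT='/srv/backups/client'
KEEP=30                              # number of dated runs to retain

# latest_run DIR -> prints the newest YYYY-MM-DD directory under DIR (empty if none)
latest_run() {
    ls -1 "$1" 2>/dev/null | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort | tail -n 1
}

pull_backup() {
    today=$(date +%F)
    mkdir -p "$DEST_ROOT"
    prev=$(latest_run "$DEST_ROOT")
    link=""
    if [ -n "$prev" ]; then link="--link-dest=$DEST_ROOT/$prev"; fi
    # $link intentionally unquoted: empty on the first run, one word afterwards
    rsync -a -e ssh $link "$CLIENT:$CLIENT_PATH" "$DEST_ROOT/$today/"
}

# prune_runs DIR KEEP -> removes all but the KEEP newest dated runs, printing each removed name
prune_runs() {
    ls -1 "$1" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort -r | tail -n +"$(( $2 + 1 ))" |
    while read -r old; do rm -rf "${1:?}/$old"; echo "$old"; done
}

# Only pull and prune when explicitly requested, so the functions can be reused.
if [ "${PULL_RUN:-0}" = 1 ]; then pull_backup; prune_runs "$DEST_ROOT" "$KEEP"; fi
```

Schedule it from cron on the server with PULL_RUN=1; because rsync runs as the server's user, the dated directories can be owned by an account the client side never sees.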

I run with small system drives and have all my data on the NAS, so I disconnected it in Windows for now. I can't seem to find the option to modify my user account (in the FreeNAS control panel) so that the shares are read-only to me.

Still on 9.3, by the way. I stopped updating because FreeNAS wants me to flash my HBA (an LSI 9211-8i on firmware version 16; FreeNAS wants version 20).
Oh well, I guess it's time to back everything up, pull the card and flash it, add some drives and start anew with the newer version. Not this week though, gonna be one hell of a week at work.

Don't get me wrong, but I think this is not a practical solution. In my experience, most people who have a NAS are working off the data from the NAS as well and not just using it as a backup volume. So those files that are on those shares will most likely be affected, unless you happen to not have worked with them since you booted the machine (given that you need to log in to the share manually before using them).

So in my opinion it is probably a better idea to make sure that the effects of a ransomware infection are limited than to prevent its direct damage. In other words, make the data that might become encrypted recoverable through snapshots, etc., rather than stop having things mounted.

1 Like

With my arse currently flapping in the breeze, and a note from the CISO that went out at work....um...yeah, I'm interested. I like the pull or push/pull methodology for keeping my shtuff safe.

Another option from windows might be to NOT have password saved? However, if it strikes while you're logged into the share with write permission, depending on how your shares are configured, there could be a heck of a data slaughter. Split read and write like a sane person...and only use write sparingly.

I too work off my NAS, but I'm thinking of "adding" to the family and having a couple of "true" backup boxes and external drives for my most important data. Looking at some viable options, and I'm interested how things shake out.

I'm not as worried about myself, but for the rest of my family that turn to me for tech support. I hope they have their $300.00 handy.

Maybe people will take security seriously...maybe (Nope!).

2 Likes

I get you.
My personal opinion is that as much as possible everyone should limit themselves from having access to the backups/snapshots, yet keep the process of creating backups as simple as possible; otherwise you will stop bothering (at least until the next crisis). I personally created a "system" of tiers of data that I back up. And for each tier I have a little different approach and backup intervals. The basic rule is the more important that data is for me, the more effort I put into this.

1 Like