HBS security

Backup, Restore, Netbak Replicator, Cloud Storage Services
Post Reply
georgi69
New here
Posts: 8
Joined: Mon Mar 23, 2020 6:34 am

HBS security

Post by georgi69 »

Dear all,

I am using 2 NAS devices - 1st for for productive use and 2nd as off-site backup via HBS3 (RTRR).

The off-site connection is stored as remote NAS on productive one which I consider risky in case of a ransomware attack (proper ransomware developer should leverage the connection and make sure to infect the connected device as well).

Is somebody using a similar scenario? Any mitigations recommended?
User avatar
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: HBS security

Post by Don »

How are the two sites connected?
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: HBS security

Post by dosborne »

georgi69 wrote: Tue Jan 18, 2022 7:08 am Is somebody using a similar scenario? Any mitigations recommended?
"Live" or scheduled backups will always be susceptible to an attack vector such as a typical ransomware attack.

Just follow best practices and have a succession of staged backups and / or manual and offline ones in the mix.

As a simple form of "hardening" I incorporated a system wide scan for the common "Readme" file names (as well as *.7z files as I use the .zip even for 7zip files) as an alert mechanism as well as a test in my automated backup scripts to reduce the risk of overwriting a good back with a ransomware encrypted backup.

How far *you* go is of course dependant on how valuable your data is to you. A lot of my files are things I store for convenience and can easily be replaced from other sources, or simply not recovered so essentially have no backup. Other files are extremely important, copied to multiple automated, manual and cloud locations and locked in high security fire-proof safes off-site. The majority fall between these 2 categories.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
georgi69
New here
Posts: 8
Joined: Mon Mar 23, 2020 6:34 am

Re: HBS security

Post by georgi69 »

Don wrote: Tue Jan 18, 2022 7:18 am How are the two sites connected?
Each has a "consumer grade" internet connection with public IP.
User avatar
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: HBS security

Post by Don »

georgi69 wrote: Mon Jan 24, 2022 7:20 am
Don wrote: Tue Jan 18, 2022 7:18 am How are the two sites connected?
Each has a "consumer grade" internet connection with public IP.
Are you using a VPN?
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
georgi69
New here
Posts: 8
Joined: Mon Mar 23, 2020 6:34 am

Re: HBS security

Post by georgi69 »

dosborne wrote: Tue Jan 18, 2022 12:09 pm "Live" or scheduled backups will always be susceptible to an attack vector such as a typical ransomware attack.
Thanks for sharing considerations on this.

Just as an example of my thought - if I setup a virtual machine and run my backup tool there instead of using stock HBS3, it allows too many possible scenarios (basically infinity but let's just consider linux VM + trivial rsync script) for ransomware programmer to target my setup and collect credentials allowing compromise offsite instance backup. Ofc primary NAS can be burned/encrypted and rsync would populate this, but e.g. if it is enhanced with snapshots, this could work, huh?

p.s. I hope I am not just a troubled user trying to achieve enterprise class solution using consumer product 😅.
georgi69
New here
Posts: 8
Joined: Mon Mar 23, 2020 6:34 am

Re: HBS security

Post by georgi69 »

Don wrote: Mon Jan 24, 2022 7:25 am Are you using a VPN?
Yes - within VPN instances basically have a direct connectivity. My worry is that malware might abuse stored RTRR/Remote NAS connection. It might partly help to limit connectivity between NAS boxes outside of scheduled backup runs though 👍.
Post Reply

Return to “Backup & Restore”