Page 1 of 1

Ransomware protected backup

Posted: Sun Feb 10, 2019 5:55 pm
by DJDJDJDJ
Hi,

So, my home server was attacked yesterday by a ransomware and around 2TB worth of personal files got encrypted. Thankfully, I have an offline backup (external disk) and my QNAP NAS was also spared that has another backup on it. So ransom guy can do one to himself.

So, going forward, I would like to setup a backup from my QNAP drive to an attached USB. I know I can do this today (been doing it). However, I have a few questions:

- Is versioning available in QNAP backups? I am thinking I would like to keep 3 months of versions.
- Is snapshoting available to USB? The reason I am asking about this is that, I have around 50-60K personal family pics. It would be extremely time consuming to revert them to a previous version if another attack were to occur. Perhaps reverting back to a previous snapshot might be a bit easier. May be a daily differential snapshot and weekly full one?
- Is there a way so that USB drives attached to the NAS unit can only be used by the backup process and not be accessed remotely using any login (even admin login). This is to prevent any infection to backups.

Thank you for any help and suggestions.

Re: Ransomware protected backup

Posted: Sun Feb 10, 2019 7:31 pm
by P3R
DJDJDJDJ wrote: Sun Feb 10, 2019 5:55 pm - Is versioning available in QNAP backups? I am thinking I would like to keep 3 months of versions.
Yes with the Hybrid Backup Sync app it is.

The trick to use versioning on an external disk is to not use the External Backup option in HBS but to create a standard Local backup job (click the blue Create job button in th top right corner). If the external backup disk use the file systems Ext4 or NTFS you can enable the backup versioning feature with it as the backup destination.

HFS+ should be a supported file system as well but currently have a bug that prevent versioning to work reliably.
- Is there a way so that USB drives attached to the NAS unit can only be used by the backup process and not be accessed remotely using any login (even admin login). This is to prevent any infection to backups.
No. If your admin account is compromised the intruder have complete access and you're lost.

Never use an admin account for normal file server use and consider to enable 2-factor authentication on the admin account to protect it.

Re: Ransomware protected backup

Posted: Sun Feb 10, 2019 9:35 pm
by alokeprasad
DJDJDJDJ wrote: Sun Feb 10, 2019 5:55 pm - Is snapshoting available to USB? The reason I am asking about this is that, I have around 50-60K personal family pics. It would be extremely time consuming to revert them to a previous version if another attack were to occur. Perhaps reverting back to a previous snapshot might be a bit easier. May be a daily differential snapshot and weekly full one?
No, AFAIK. Snapshots by QTS is only for volumes residing on storage pools on the NAS.
DJDJDJDJ wrote: Sun Feb 10, 2019 5:55 pm - Is there a way so that USB drives attached to the NAS unit can only be used by the backup process and not be accessed remotely using any login (even admin login). This is to prevent any infection to backups.
Assuming that the pathway to your NAS is through the connected PC's, the ransomware can only overwrite the shares it can see. I use a user account (not Admin) to connect to the NAS from my PC. Thus, UNC paths or mapped drives are limited to shares I have defined for backups and common area to share with other PC's in my LAN. The standard Multimedia share is not accessible from any of my PCs. Ipopulate Multimedia from FileStation when logged into my NAS as Admin. Luckily, home media, pictures, music doesn't need to be updated that often.
Use multiple User accounts and give them limited rights to shares on the NAS, per intended use of that user account.
The other possibility is someone hacking into the NAS itself, through open ports on the NAT and compromised apps. There is some of that happening nowadays, the details of which are not fully understood. If that happens, then anything is possible.
viewtopic.php?f=50&t=146352
viewtopic.php?f=25&t=144837