Safest way to backup to off-site NAS?

GardG
New here
Posts: 4
Joined: Sun May 16, 2021 6:27 am

Safest way to backup to off-site NAS?

Post by GardG »

What would be the generally safest way to backup a NAS to an off-site NAS? In my case, the main NAS would be at the office (which has a static IP etc) and the off-site NAS would be at home.

By "safe" I'm looking for a solution that
- Won't allow malware/ransomware to propagate between sites
- Won't put the office network at risk of being compromised
- Keeps data safe (encrypted) during transfer

The office NAS will be mounted to workstations as an SMB share, so if a workstation is infected with ransomware, it could encrypt the files on the NAS. I'll be taking regular snapshots to protect against that, but in the unlikely case that we're hit by a ransomware which targets our particular type of NAS (keeping Qlocker in mind …), the snapshots themselves could also be affected. The idea is that the off-site NAS will grab the files from the office NAS regularly and make its own entirely separate snapshots, but be isolated enough not to get hit by the ransomware. So if all the files and snapshots at the office are encrypted by ransomware, even though the off-site files would also be encrypted (when synchronised with the office, that is), we'd still have the snapshots on the off-site NAS.

My idea was to simply connect the off-site NAS to the office as a VPN client, but for all practical purposes, that's the same as connecting it to a switch at the office, so it wouldn't prevent malware from propagating – right? So instead, I'm considering running Rsync over SSH. That means I'd have to open another port at the office, which I'm a bit reluctant to do, but I'm thinking of implementing the following measures:

- Using a nonstandard (high) port number for SSH
- Using geoblocking, refusing any connections from outside the country (ideally I'd whitelist my home IP, but it's not static)
- Using a public/private key pair for the SSH connection

Is this a feasible approach or are there better options?
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Safest way to backup to off-site NAS?

Post by P3R »

Set up a proper site-to-site VPN with good firewalls (I use pfSense) and only allow the specific port used for the backup from the office to home through that VPN connection. Never ever open any ports from the internet to the Qnap or the backup unit. Also, you need at least one more separate backup.

RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Safest way to backup to off-site NAS?

Post by Moogle Stiltzkin »

Tutorial: pfsense OpenVPN Configuration For Remote Users 2020
https://www.youtube.com/watch?v=PgielyUFGeQ


use openvpn. wireguard on pfsense they claim it's stable now, but i'm not sure. they took it off recently then added it back later, so donno. wireguard is supposed to be better performance though.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Safest way to backup to off-site NAS?

Post by P3R »

Moogle Stiltzkin wrote: Tue May 25, 2021 4:46 pm
...use openvpn.

Yes, if it's required right now, that's the best option.

Moogle Stiltzkin wrote:
wireguard on pfsense they claim it's stable now, but i'm not sure. they took it off recently then added it back later, so donno.

Possible security issues regarding non-standard MTUs were reported during an external security review and that's the reason Wireguard was pulled. After a rewrite it's now posted as a "highly experimental" package. I'm holding off until it's back in the regular distribution but then I'll be back using it as I like WG a lot.

Moogle Stiltzkin wrote:
...wireguard is supposed to be better performance though.

And is a much smaller package, 4.7 MB compared to 22.4 MB on iOS...
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Safest way to backup to off-site NAS?

Post by Moogle Stiltzkin »

pivpn on a Raspberry Pi is also another option, i noticed in community some do that. and pivpn makes the setup very easy. this video explains how
https://www.youtube.com/watch?v=15VjDVCISj0

https://www.youtube.com/watch?v=zsN47t2r_WU

but i don't know is it less secure than running vpn server router or not?

i don't own a Raspberry Pi so i'm not too familiar hands on :(
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Safest way to backup to off-site NAS?

Post by P3R »

Moogle Stiltzkin wrote: Tue May 25, 2021 6:46 pm
pivpn on a Raspberry Pi is also another option...

Yes, if one doesn't have or can't afford a decent router/firewall that has VPN integrated.

In a home/SMB environment it's typically better, for ease of use and administrative reasons, to terminate the VPN on the internet-facing device.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Safest way to backup to off-site NAS?

Post by Moogle Stiltzkin »

so using qvpn on qhora router is better than qvpn on nas? ya
GardG
New here
Posts: 4
Joined: Sun May 16, 2021 6:27 am

Re: Safest way to backup to off-site NAS?

Post by GardG »

Thanks all!

Good to hear that a VPN tunnel is suitable, that's more familiar territory than the whole SSH business I was on the verge of trying anyway.

I'm planning to use a Mikrotik router at the office – that's not 100% decided yet, but they have a model that is a perfect balance in features and price for my case, and I quite like RouterOS, though I'm by no means an expert at it. The idea is to run OpenVPN on the Mikrotik, that's the VPN variety I'm most familiar with.

Apparently it should be possible to set up its firewall to open only the Rsync port to the home NAS' VPN user, so that should be fairly safe. I'm guessing it's not really necessary to encrypt the Rsync traffic when it's on a VPN.

My current home router is some random ISP supplied fiber modem/router thingy – it's decent and handles the gigabit fiber Internet line just fine, so I don't really feel any urge to replace it. Apart from setting Wifi SSID/PW I've hardly touched it. I guess I could stick it in bridge mode and set up a decent consumer-grade router that can connect to VPN if necessary, but unless there's a particularly good reason to do otherwise I might as well just connect the home NAS itself as a VPN client, no?

I haven't decided what type of NAS to use at home – It'll just grab files from the office once a day and maintain some snapshots, so I was thinking as cheap as entirely possible (TS-131 for instance), but I've realised that the lowest-end units generally don't do snapshots, so I'm wondering if maybe I should just use a Raspberry Pi 4. It seems really easy to set up Snapper to take BTRFS snapshots. There's even a 4xSATA board available for it in case I should need to expand. It's a bit of a cheap-arse solution, but it's a simple application and will largely be set-and-forget, apart from some routine inspection.
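
Added example (not from any poster in this thread): one way to script the daily pull described above, run from the off-site box so that the office side holds no credentials for it and the local snapshots stay out of reach of whatever encrypts the source. It uses plain `btrfs` commands rather than Snapper; the VPN address 10.8.0.1, the rsync daemon module name `backup`, the paths, the password file and the 30-snapshot retention are all assumptions.

```shell
#!/bin/sh
# Pull-only off-site backup with local read-only Btrfs snapshots.
# All names below are hypothetical: adjust to your own VPN and volumes.
SRC="${SRC:-rsync://backup@10.8.0.1/backup/}"   # office rsync daemon, reached over the VPN
DEST="${DEST:-/srv/backup/current}"             # must be a Btrfs subvolume
SNAPDIR="${SNAPDIR:-/srv/backup/snapshots}"
PASSFILE="${PASSFILE:-/root/.rsync-pass}"       # chmod 600, readable by root only
KEEP="${KEEP:-30}"                              # number of snapshots to retain

# Read snapshot names on stdin (one per line, YYYY-MM-DD_HHMM so that
# lexical order equals age) and print those beyond the newest $1.
snapshots_to_prune() {
    sort -r | awk -v keep="$1" 'NF && (++n > keep)'
}

pull_and_snapshot() {
    stamp="$(date +%Y-%m-%d_%H%M)"

    # Mirror the office share. If the source was encrypted by ransomware,
    # this copy will be too; the older snapshots are what save you.
    rsync -a --delete --password-file="$PASSFILE" "$SRC" "$DEST/" || {
        echo "rsync failed, no snapshot taken" >&2
        return 1
    }

    # Freeze the result. -r makes the snapshot read-only, and it exists
    # only on this box, which nothing at the office can log in to.
    btrfs subvolume snapshot -r "$DEST" "$SNAPDIR/$stamp" || return 1

    # Retention: drop everything older than the newest $KEEP snapshots.
    ls -1 "$SNAPDIR" | snapshots_to_prune "$KEEP" | while IFS= read -r old; do
        btrfs subvolume delete "$SNAPDIR/$old"
    done
}

# Only act when invoked as: backup-pull.sh run   (e.g. from a daily cron job)
if [ "${1:-}" = "run" ]; then
    pull_and_snapshot
fi
```

Pick a retention that comfortably exceeds the time it could take to notice encrypted files at the office, since a snapshot pruned before then is one fewer clean restore point.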
spile
Been there, done that
Posts: 638
Joined: Tue May 24, 2016 12:13 am

Re: Safest way to backup to off-site NAS?

Post by spile »

A recommendation for Wireguard on a Raspberry Pi. It has been a solid and reliable solution and certainly for the price point, a cost effective one with a small footprint.