A virusproof (ransomware...) strategy for backup on a NAS?
I bought a NAS to share files and as backup solution.
Recently my netbook got infected by a ransomware. All files on the netbook and most of the file on the NAS were destroyed (the virus shuffles the first bits of the files). Fortunately my main PC was not attacked and since I do manual backups on portable HDD I lost anything.
But still, it frightened me since I think I could lost lots of data if it appeared on my main PC. Indeed if a backup is running when the files are being corrupted then I would backup corrupted data on the NAS!
So my question: is there a virusproof backup strategy?
Thank you for your help.
So after I read your answers, I now understand I need two solutions:
- Sync my data in a location that CAN be accessed by the clients so that I can share data between computers (I would call it the synced area)
- Then backup this synced area in a location that CAN'T be accessed by the clients
Finally my questions:
- Are those 2 assertions above enough to be safe?
- How to setup this solution with computers on windows and a Synology NAS?
Daniel Beck asked for more detail on my environment:
I have 2 PCs:
- The main desktop PC with which I do most of the stuff (sorting photos, accounting, etc.) It has HDDs big enough to contain all data I need to share and backup.
- The second one is a netbook. It has a small HDD, so it doesn't contain all data (for example no photos). But it is often used to edit some documents from the shared area. Sometimes I will create new data that I will manually save in the shared area.
At the moment, I do all copies on the NAS manually (I have no backup software).
My NAS is Synology DS211j, it hosts the shared data.
So I would like to:
- give access to the netbook to all data that is on the desktop PC even if it is shut down down
- Have a solution to protect my data from viruses.
- Set up an automated solution for all of that.
Thanks to the latest comment of Liori, here is what I would like to try:
- Reset my NAS set up from RAID with 2 HDDs to 2 separated volumes.
- Set up a synchro of data on volume 1 that will be seen by user.
- Use the Synology NAS time backup software, to backup shared volume 1 on backup volume 2. Volume 2 will NOT be seen by users.
If it is safe, I see a lot of advantages:
- Even if it is not so good, I keep access to my data thru Internet.
- The backup of data would be scheduled on the NAS, I don't need to let my computer on for backups.
- I would have my data on 3 locations: main desktop PC + shared volume + backup volume (4 in fact with the manual backup on USB HDD). So I lost useless RAID, and I get secured backups on dedicated HDD.
Do you think it would work?
Thanks again!
Solution 1:
The solution is to keep a history of backups.
You can store one daily backup, say for the last seven days. Then one backup per week four times per month. This way, if the backup from yesterday had been saved in a bad state, you take the backup from the day before. Or you can take the backup from last week.
To save space you can either use a file system with supports deduplication, use hard links or store only the difference between the backup. Which solution is best, depends on your needs, setup and the software you run.
EDIT: You updated your question and added additional information.
As you already know, you have to separate the data from the backup. A backup is always redundant, if possible even more than one copy. I don't know your NAS solution and their backup software. But I can tell you how I solved this.
I use an old 300MHz system as backup server, which is connected to the file server (that would be your NAS in your configuration). Once per day the backup server switches on and pulls the backup from the file server and writes the data on its own hard drives. As backup software I use rsnapshot. No client computer has access to the backup server in any way. And it is only running for a short time per day.
This is only one possible solution out of many. The key points of a good solution are:
- Keep a history of backups
- A backup is always redundant
- A backup is stored on different hardware (e.g. a second drive, not a second partition on the same drive)
- The client computers must not have access to the backup
- The backup should be as easy as possible, at best fully automatic
- Depending on how often restores are expected, it should not be too big of a burden to restore the data
Solution 2:
The only way to have virus-free backups is to have some sort of history: you have to store your backups for several days/weeks/monthes.
This don't garantee to be virus-free, but this garantee you can recover files before you discover a recent infection.
One very important thing about backups: the "client" computer must not have access to the backups.
This means this is the "server" computer which connect to the client and make the backup. Most backup program are not designed this way.
Another method is to remove backups from client's sight once done. But this is often done in a bad way, leading to no security increase.