First - NAS to NAS over LAN backup best scenario to protect backup target NAS:
If I have source nas backing up to target nas, both on my lan, how/what is the best way to protect the backup target nas?
1. The Backup target must be operated as a pure backup-only host. No additional services.
It doesn’t matter if it’s NAS or a home-brewed storage system.
2. The LAN backup target is operated in specific time slots (up to your backup schedule). The rest of the time is Off. No Wake on LAN services. Just manual update of services (automatic update of services is disabled, as usual for any devices in my operation).
3. Strictly defined user rights (named users only), firewall settings (exact IPs), Block services (users, max. 2 failed attempts only, ...)
Second - LAN and WAN part hardening:
1. Router with advanced management. Never use the router from IPS for the management of your Network (just for WAN over a bridge). You can find plenty of topics here.
3. Firewall for WAN IN/OUT, LAN IN/OUT rules. Specific (shaded) rules for router management systems who and when a what is able to connect to the system (diff from previous rules) from WAN or from LAN.
2. Fully managed Switch with Layer 3, you can manage which IP is allowed for what, otherwise it's about L2 (MAC addresses level only).
3. For any activity, when any devices are connected over LAN to WAN you need to use advanced security tools in your Network setup:
IPS Treat management on the Router level (or independent appliance/sw)
DNSSEC on router level
Secure DNS
Cloudflare umbrella
Pi-hole or similar for local DNS and outgoing communication supervision
Ntop - supervision of network activities
4. Guest account activities:
try to consider when you need to use a guest account for LAN connections (e.g. Guest WiFi)
when yes, use the strictly defined PORT, VLAN, ROUTING and Isolation from your LAN
But, here is a big but:
First of all, you need to protect the primary NAS, because this will be a potential transfer of vulnerability to the backup NAS.
Then it's about the way you create the backup:
Snapshot first, then Hyperbackup. Up to your data value. Drive ShareSync to backup NAS will keep all your versioning. I have also rsync of my entire Docker environment (better than nothing).
Additional External HDD (manually plugged in USB or eSATA) for some valuable data is a suitable method.
And then here you will find tons of material on how to make backups not only over the LAN, but also over the WAN to various targets, to reduce the problem of losing various resources. Of course, it's all about how you value your data.
In the case of WAN, other protection techniques are introduced IPSEC tunnel vs SSL VPN, ...
All mentioned affecting whether you can reliably find your data in the backup NAS in case you need it.
As you can see, there isn't a simple guide
"to the best way to protect the backup target nas".
You can start here:
follow my short research: 45 588 Syno NASes accessible from WAN by standard HTTP (5000) port 54% of them have opened UPnP 7% of them have opened FTP and people are crazy with SMB1, look here check your IP and what “they” know about you at Shodan.io Our mission here is providing a knowledge...
www.synoforum.com
