Data protect and backup on Synology

[mtguido]

Good evening,


I am an old Qnap user and I was victim of a Ramsonware ech0raix attack that encrypted all my nas data. Fortunately I had an external drive where I mirrored the data on a weekly basis. The climax was that the automatic backup I was doing on this disk was activated after the data encryption, so the backup station started copying the encrypted data to the external disk, eliminating the original ones. By a miracle the backup failed shortly after it started and I saved pretty much everything.

So I decided to invest what I saved in data redemption (those crap wanted € 1350) in buying a new Nas and I chose a Synology DS920 +, currently with only a 4tb WD red Pro drive.

I am writing here today to ask you what I can improve to avoid unpleasant problems in the future. I will list the solutions I have implemented at the moment and I kindly ask you to tell me what I can improve to make the data even more secure.

1) On the Synology I have activated firewall and automatic block for excessive login attempts.
2) The Nas Qnap I initialized it (formatted infected drive with various anti malware that identified and removed the malware). On the initialized nas I have installed practically nothing and I deactivated qnapcloud to access remotely, disabled admin account by creating new administrator user, deactivated upnp, activated automatic block for excessive access attempts, deactivated ftp, telnet and dlna.

Backup

Regarding the backups I have set this:
1) Single copy rsync backup from synology to Qnap via network. In practice, a mirror copy of the data carried out once a week.
2) Backup on external hard disk not single copy with smart recycle rotation always once a week. The backup cannot be consulted except through hyperbakcup explorer and if I understand correctly it keeps me different versions of the data over time.
3) Activated Snapshot on the most important folders with advanced retention policy.

I think I have told you everything I have done so far. What else do you recommend?

Thank you

 

[Telos]

What else do you recommend?

There are many security choices. The first is... set up a user account for yourself. Do not use the administrator account for day-to-day NAS activities (file storage, streaming, sharing, contacts, calendaring, etc).

 

[mtguido]

2) The Nas Qnap I initialized it (formatted infected drive with various anti malware that identified and removed the malware). On the initialized nas I have installed practically nothing and I deactivated qnapcloud to access remotely, disabled admin account by creating new administrator user, deactivated upnp, activated automatic block for excessive access attempts, deactivated ftp, telnet and dlna.

thanks @Telos for reply. The things you suggest me i think that i have just done. Right?

Other things i can do?

 

[Telos]

The things you suggest me i think that i have just done. Right?

You only stated creating a new administration account. That was not what I pointed out. The administration account should only be used for NAS administration, not for your day-to-day NAS interactions. Create a USER account for that. This is basic for Synology or QNAP.

Then run Security Advisor will all options checked. Search the Synology Knowledge Center for additional recommended security settings.

 

[mtguido]

You only stated creating a new administration account. That was not what I pointed out. The administration account should only be used for NAS administration, not for your day-to-day NAS interactions. Create a USER account for that. This is basic for Synology or QNAP.

Then run Security Advisor will all options checked. Search the Synology Knowledge Center for additional recommended security settings.

Ok maybe I have not understand.



As you can see I disable "admin" user. Then I created another user with different "nickname" and give it administrator authorization. Is this what you are suggesting me?

With "Security advisor" you mean that?


thanks

 

[Schewa]

Hello mtguido,

a video with different information on how to protect your data against ransomware was uploaded by synology. You can find it here.

To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.

Accept third party cookies

I also recommend to use the checklist which was uploaded to the forum, to increase the security in general and see if you can check and / or uncheck some points.

Best regards,
Schewa

 

[Telos]

Then I created another user with different "nickname" and give it administrator authorization. Is this what you are suggesting me?

No, create a separate user without administrator authorization. Use that one for your personal needs.

With "Security advisor" you mean that?

Look at your installed packages. You should see one labeled Security Advisor. Run that with all feature checks selected.

 

[mtguido]

No, create a separate user without administrator authorization. Use that one for your personal needs.


Look at your installed packages. You should see one labeled Security Advisor. Run that with all feature checks selected.

I don't use Qnap Nas more. I use it also as remote rsync backup from Synology. In Rsync setup on Qnap i created a specific username for login from synology and make backup.



Those are the only packages I have installed on Qnap. I can't found "security advisor", maybe my snap is too old for this application.

 

[Telos]

Those are the only packages I have installed on Qnap

I thought you wanted help securing your Synology NAS. Security Advisor is a Synology package. Apparently my comments have been unclear, so I will stop here.

 

[mtguido]

I thought you wanted help securing your Synology NAS. Security Advisor is a Synology package. Apparently my comments have been unclear, so I will stop here.

Your comments are not unclear. Understand that i am not expert as you. Otherwise i thinked that you are talking about my qnap not about my synology. Now i go search for security advisor for synology.

-- post merged: 9. Jan 2022 --

Look at your installed packages. You should see one labeled Security Advisor. Run that with all feature checks selected.

Ok now I understand what are you talking about. I just activate security advisor, i can't remember that the name was it.



What do you think about how I have set my backups?

Backup

Regarding the backups I have set this:
1) Single copy rsync backup from synology to Qnap via network. In practice, a mirror copy of the data carried out once a week.
2) Backup on external hard disk not single copy with smart recycle rotation always once a week. The backup cannot be consulted except through hyperbakcup explorer and if I understand correctly it keeps me different versions of the data over time.
3) Activated Snapshot on the most important folders with advanced retention policy.

 

[Telos]

What do you think about how I have set my backups?

Seems reasonable. But I like extended rotation (2-3 years). If one week works for you, that is fine.

 

[mtguido]

Seems reasonable. But I like extended rotation (2-3 years). If one week works for you, that is fine.

No maybe I explain it bad. The backup that in set in my external usb hard drive start once a week. The rotation setted for this kind of backup is “Smart recycle” that make various copy of each day, last of each week and last of each month.



Also i have a backup on the old qnap made by rsync in the single version method. So is a mirror copy of data. Also this kind of backup is setted once a week.