Protection against ransomware and exploits at once

Currently reading
Protection against ransomware and exploits at once

Hi! My question is very simple.

I want to be almost 100% sure that if something gains admin access (by an exploit for instance) to DSM (which device I call "Synology A") then the backups I created with "Synology A" with ABB cannot be deleted by the something by simply just having access to "Synology A". Cloud solutions are not an option.

I am aware of Snapshot Replication and Hyper Backup solutions to get the backups to another extra place, but normally an admin at "Synology A" can delete these extra repos any time if I understand well. And if we think of Snapshot Replication to another Synology device (Synology B), the exploit can be on "Synology A" and "Synology B" also by-the-way...
Getting the backup data to another non-Synology device (non-Synology device) with Hyper Backup or other manual methods and making the backup read-only or inaccessible there is a better solution, because the risks of both devices ("Synology A" and "non-Synology device") being compromised is minimal (if of course all credentials are different etc). I can even automate the process probably on the "non-Synology device" (move the data somewhere else or just make it read-only after the task is finished). Of course I am not thinking about the situation where both "Synology A" and "non-Synology device" are exploitable, that would be too much :)

What is the best method for this to make sure that no ransomware and also no Synology exploit can make data disappear? I want to sleep a bit better :)

Thanks,
Daniel
 
The answer is probably as simple as your question: Admin access will give access to the backup, so risk is always there.
So cold storage backup to write-once media is a possibility.

some thoughts to reduce risk:
  1. scheduled switch on/off the target backup Synology, only on during backup. This reduced the time for abuse.
  2. get the 2FA on the NAS, so you will be notified if the admin account is used.
  3. Get a two stage backup, your nas-> second device -> third device, Abuse needs two admin accounts in that case.
 
Thx very much @EAZ1964 !!!

Ok, I think that the best option is the write-once media in my case.

Other questions:

The resulting files of ABB I can see with terminal are much larger (120TB vs 3TB) than in reality thanks to btrfs deduplication (Synology Community). There are only 7-8 files (virtual disk files) in a backup session btw so I don't know exactly how this deduplication is carried through, but it is very nice. Now my question is that what "write-once media transfer" possibility do I have in this case if I transfer to a "non-Synology device" so the deduplication would still be intact and I do not need much more storage space? Is it at all possible?

And if I decide to use Synology-based device because of this issue (for instance with scheduled on/off which is a good idea) for either Snapshot or Hyper Backup transfer of the backup data, what is going to happen with the deduplication? I didn't find any relevant info about this, but it should work obviously, because that is the advised backup strategy (f.i. 3-2-1) with Synology.

Thanks for the info!!!
 
Thx very much @EAZ1964 !!!

Ok, I think that the best option is the write-once media in my case.

Other questions:

The resulting files of ABB I can see with terminal are much larger (120TB vs 3TB) than in reality thanks to btrfs deduplication (Synology Community). There are only 7-8 files (virtual disk files) in a backup session btw so I don't know exactly how this deduplication is carried through, but it is very nice. Now my question is that what "write-once media transfer" possibility do I have in this case if I transfer to a "non-Synology device" so the deduplication would still be intact and I do not need much more storage space? Is it at all possible?

And if I decide to use Synology-based device because of this issue (for instance with scheduled on/off which is a good idea) for either Snapshot or Hyper Backup transfer of the backup data, what is going to happen with the deduplication? I didn't find any relevant info about this, but it should work obviously, because that is the advised backup strategy (f.i. 3-2-1) with Synology.

Thanks for the info!!!
But OK, we have the @ActiveBackup folder that is only relevant. Should I be able to just rsync with manual methods (even ran from a "non-Synology device" the @ActiveBackup folder to anywhere else and then all deduplication weill be OK and the data be restorable? I am trying to search for info about this, but have no direct answer.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Actually I could be wrong, leaving retention policy off might be the safest: Always retain snapshots...
Replies
1
Views
786

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top