Help needed with NAS backup options

[Patrick9876]

Alert: rambling post. But I do eventually ask some questions.

I have 3 NAS devices - a small QNAP TS-128A with a pulic share (accessed by 4 Windows systems), a 3TB Synology DS218 with private shares containing backups of the same 4 Windows systems, and a 6TB Synology DS218 in a somewhat sheltered location containing backups for the other two NAS - no SMB access from Windows.

Since the two devices with public and private shares are accessed by SMB I consider them vulnerable to ransomware attacks and would like to take backups of them only if they have not been attacked.(Paranoia perhaps - I have no reason to I would be a victim of ransomware, and it has never happened ... yet.) The public NAS has lots of low-lying fruit for a ransomware attack - .txt files, etc. It should be easy to check if some had been encrypted, renamed, or otherwise molested. And I could easily put similar "validation" files on the private shares. All I need to do is test those files and prevent backups if they have been corrupted.

However, I have not found a way to incorporate such a test into backup software available on either the QNAP or Synology devices.

Synology DSM allows for user-written scripts so I could invoke rsync, wget, etc. from a script that first checks the files. But those just create a sync'ed copy of the source (I think). I would prefer to use true backup software that saves multiple backup generations. Synology has (at least) one such package, but I don't think it can be invoked from a script.

I've asked on two Synology forums if I've missed a capability to do what I want or a package that does what I want. So now I'm asking here. Is there something?

As near as I can tell, QNAP QTS has even less capability. It has no support for user-written scripts. People do SSH into the device and add their own scripts so I guess I could do that, but I can picture doing more harm than good. On the other hand, there seems to be no backup capability to a non-QNAP NAS so I think the "backup" I'm taking is just an rsync copy. I probably could to that in a script if I am brave enough. Or I could just continue to blindly do a sync to the Synology NAS, but the test and a real backup there.

So I guess I have a number of questions:

1. Is there Synology backup software that can be invoked from a script?
2. Or is there a way to invoke a DSM application from a script whether or not the application expects to be invoked that way?
3. Or is there a way to change a DSM scheduled "system" task (as opposed to a user task) into a triggered task? (And can a simple validation script pull the trigger?)
4. Am I missing other completely obvious solutions?

 

[dosborne]

I can only speak directly to the QNAP and NAS and backup in general.

QNAP does have some anti-ransomware protection. No idea how good it is, but I run it on mine just in case.

As a general plan, I sequentially copy files within a single NAS across volumes nightly. This provides a "backup" copy to protect against deletion, and minimal protection if only 1 of the 2 volumes is compromised in some way, at least until the nightly sync.

I do the same thing to a different physical NAS, also after a 24 hour delay (or a week for some folders) providing further separation in time and theoretically not all systems would be compromised at the same time (or at I would hope).

Further to that, critical files are synced to cloud storage both from the "live" system and from one that is a day or week behind providing offsite, delayed and offline backup.

Further to that, I use a usb cable and HDD (or a portable drive) to take snapshot images to be put in my safety deposit box, and swap those out every 6 months or so.

QNAP also has snapshot capability, but I've never used it.

User scripting is extremely simple on qnap vis SSH.

Rsync is a great tool to handle most, or all, of the copying syncing between NAS boxes.

I'm sure Synology has everything QNAP has.

Sorry, I didn't answer any of your questions, but may have given some ideas to think about.

 

[OzarkEdge]

Alert: rambling post. But I do eventually ask some questions.

I have 3 NAS devices - a small QNAP TS-128A with a pulic share (accessed by 4 Windows systems), a 3TB Synology DS218 with private shares containing backups of the same 4 Windows systems, and a 6TB Synology DS218 in a somewhat sheltered location containing backups for the other two NAS - no SMB access from Windows.

Since the two devices with public and private shares are accessed by SMB I consider them vulnerable to ransomware attacks and would like to take backups of them only if they have not been attacked.(Paranoia perhaps - I have no reason to I would be a victim of ransomware, and it has never happened ... yet.) The public NAS has lots of low-lying fruit for a ransomware attack - .txt files, etc. It should be easy to check if some had been encrypted, renamed, or otherwise molested. And I could easily put similar "validation" files on the private shares. All I need to do is test those files and prevent backups if they have been corrupted.

However, I have not found a way to incorporate such a test into backup software available on either the QNAP or Synology devices.

Synology DSM allows for user-written scripts so I could invoke rsync, wget, etc. from a script that first checks the files. But those just create a sync'ed copy of the source (I think). I would prefer to use true backup software that saves multiple backup generations. Synology has (at least) one such package, but I don't think it can be invoked from a script.

I've asked on two Synology forums if I've missed a capability to do what I want or a package that does what I want. So now I'm asking here. Is there something?

As near as I can tell, QNAP QTS has even less capability. It has no support for user-written scripts. People do SSH into the device and add their own scripts so I guess I could do that, but I can picture doing more harm than good. On the other hand, there seems to be no backup capability to a non-QNAP NAS so I think the "backup" I'm taking is just an rsync copy. I probably could to that in a script if I am brave enough. Or I could just continue to blindly do a sync to the Synology NAS, but the test and a real backup there.

So I guess I have a number of questions:

1. Is there Synology backup software that can be invoked from a script?
2. Or is there a way to invoke a DSM application from a script whether or not the application expects to be invoked that way?
3. Or is there a way to change a DSM scheduled "system" task (as opposed to a user task) into a triggered task? (And can a simple validation script pull the trigger?)
4. Am I missing other completely obvious solutions?

Do you want to prevent backups of corrupted sources to prevent overwriting uncorrupted backups... because you do not have enough backup destination space to store a history of backups over time?

OE