Is TrueNAS Scale protected against ramsomware?

Solved by LIGISTX:
35 minutes ago, Robert Urrutia said:

I'm planning to move from Unraid to TrueNAS Scale. Everything works fine in Unraid except the lack of a snapshot feature. Recently (somehow) a member of my family got their shares infected by Checkmate ransomware; luckily not much data was lost due to an offline backup. Still, that has got me thinking about migrating to TrueNAS. So is it true that in case the shares get infected I could revert those changes back with a snapshot? In case some shares get infected, can the ransomware reach server system files and encrypt the snapshots? I know most people are gonna comment "a RAID is not a backup". Yes, I know that's pretty right, but it's easier and quicker to just restore a snapshot rather than manually backing up everything every day and manually restoring. TIA.

ZFS snapshots are read only, and the only way to delete them (or alter them in any way) would be either through the TrueNAS WebUI or via SSHing in. So in almost every case, yes, “snapshots are ransomware proof”. Obviously, if someone tries hard enough, on a normal home network this may not always be the case, as a program could attempt to scrape passwords and reach out to the device, detect a TrueNAS WebUI and go to town… but this is beyond the typical set of concerns. TrueNAS does also support 2FA I believe, and that would go a long way toward protecting against this as well.

Also something to remember: ZFS snapshots are “free”; they don’t take any space assuming no data has changed. I take snapshots of my important datasets every 10 minutes and hold them for 6 hours, snapshot every hour and hold for a day, snapshot every day and hold for 2 weeks, snapshot every week and hold for 2 months, snapshot every month and hold for 6 months. Since I rarely delete data out of my personal files directory, this dataset and its snapshots take up barely any more space than just the raw data itself. If your directory has a lot more deletions and such, you may have to edit the strategy you use - I have different snapshot strategies per dataset for this reason.
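The tiered schedule above (10-minute/6 h, hourly/1 day, daily/2 weeks, weekly/2 months, monthly/6 months), as an added example that is not part of the original post or of TrueNAS's own code: a Python planner that thins one stream of snapshots by that policy, keeping the newest snapshot in each tier's time bucket while the snapshot is still inside that tier's lifetime. It assumes the tab-separated output of `zfs list -H -p -t snapshot -o name,creation`, builds its own constructed sample snapshots, and only reports what the policy would expire; it never runs `zfs destroy`.

```python
"""Tiered snapshot retention planner (added example, not TrueNAS or ZFS code):
keep the newest snapshot per (tier, time bucket) within that tier's lifetime."""
from datetime import datetime, timezone

MIN, HOUR, DAY = 60, 3600, 86400
# (tier, interval_seconds, lifetime_seconds) per the post; months ~ 30 days
POLICY = [
    ("10min",   10 * MIN, 6 * HOUR),
    ("hourly",  HOUR,     DAY),
    ("daily",   DAY,      14 * DAY),
    ("weekly",  7 * DAY,  60 * DAY),
    ("monthly", 30 * DAY, 180 * DAY),
]

def parse_zfs_list(output):
    """Parse `zfs list -H -p -t snapshot -o name,creation` (tab-separated name
    and unix creation time) into (name, epoch) tuples."""
    snaps = []
    for line in output.splitlines():
        if line.strip():
            name, creation = line.split("\t")
            snaps.append((name, int(creation)))
    return snaps

def plan_retention(snaps, now, policy=POLICY):
    """Return (keep, expire) name lists. Walks newest-first, so the first
    snapshot seen in a bucket is the newest one there and is the one kept."""
    claimed, keep, expire = set(), [], []
    for name, ts in sorted(snaps, key=lambda s: s[1], reverse=True):
        age, wanted = now - ts, False
        for tier, interval, lifetime in policy:
            if age > lifetime:
                continue                       # too old for this tier
            bucket = (tier, ts // interval)
            if bucket not in claimed:
                claimed.add(bucket)            # newest in bucket: keep it
                wanted = True
        (keep if wanted else expire).append(name)
    return keep, expire

def sample_snapshots(now, count, step=10 * MIN, dataset="tank/home"):
    """Constructed input: `count` snapshots every `step` seconds back from `now`,
    named the way a TrueNAS periodic task names them (auto-YYYY-MM-DD_HH-MM)."""
    snaps = []
    for k in range(count):
        ts = now - k * step
        stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d_%H-%M")
        snaps.append((f"{dataset}@auto-{stamp}", ts))
    return snaps
```

Feeding three days of constructed 10-minute snapshots through `plan_retention` keeps 57 (all 37 from the last 6 hours, one per hour for the rest of the day, one per day before that) and flags 376 as expirable; on a real box the `expire` list is what an operator would review before destroying anything.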

I'm planning to move from Unraid to TrueNAS Scale. Everything works fine in Unraid except the lack of a snapshot feature. Recently (somehow) a member of my family got their shares infected by Checkmate ransomware; luckily not much data was lost due to an offline backup. Still, that has got me thinking about migrating to TrueNAS. So is it true that in case the shares get infected I could revert those changes back with a snapshot? In case some shares get infected, can the ransomware reach server system files and encrypt the snapshots? I know most people are gonna comment "a RAID is not a backup". Yes, I know that's pretty right, but it's easier and quicker to just restore a snapshot rather than manually backing up everything every day and manually restoring. TIA.


As long as you keep your system up to date, you'll mostly be protected against vulnerabilities that can lead to a ransomware infection. Phishing is typically the leading cause of ransomware infections; it's much easier for attackers if you just give them the access they need. For shares, the more vulnerable part is going to be the endpoints that are actually accessing the shares rather than TrueNAS itself, provided you don't have TrueNAS exposed to the internet via port forwarding or such.

 

If you were hit with ransomware, I wouldn't rely on snapshots as a reliable backup solution; I'd advise completely wiping and restoring from a proper backup that you know is good. By all means use them for things like accidental deletion and changes, but you said it yourself: a cold/offline backup is the best DR solution for protecting against ransomware, which is something RAID and snapshots do not protect against if the server is infected.

 

One precaution you can take is to ensure that the account you use to access the shares is not the same account that has root/privileged access to the NAS itself.


11 minutes ago, Robert Urrutia said:

So is it true that in a case the shares get infected I could revert those changes back with a snapshot?

Basically yes, assuming you set up a sane periodic snapshot task on all the relevant datasets.

 

12 minutes ago, Robert Urrutia said:

can the ransomware reach server system files and encrypt the snapshots?

Given enough ingenuity, probably yes, but ransomware is looking for low-hanging fruit, and encrypting (or deleting) snapshots in a remote server is not a trivial task.



40 minutes ago, Robert Urrutia said:

I'm planning to move from Unraid to TrueNAS Scale. Everything works fine in Unraid except the lack of a snapshot feature. Recently (somehow) a member of my family got their shares infected by Checkmate ransomware; luckily not much data was lost due to an offline backup. Still, that has got me thinking about migrating to TrueNAS. So is it true that in case the shares get infected I could revert those changes back with a snapshot? In case some shares get infected, can the ransomware reach server system files and encrypt the snapshots? I know most people are gonna comment "a RAID is not a backup". Yes, I know that's pretty right, but it's easier and quicker to just restore a snapshot rather than manually backing up everything every day and manually restoring. TIA.

I would assume that depends on what is infected: is it the host or server, or the client's end? If a client gets infected, recovering data should be possible with a full snapshot. However, you want to make sure that each client only has access to their specific directory. If you have the resources on the server, give each client a VM or container to work out of. Getting ransomware on the server would mean one of the admins was lazy and careless.


45 minutes ago, Applefreak said:

I would assume that depends on what is infected: is it the host or server, or the client's end? If a client gets infected, recovering data should be possible with a full snapshot. However, you want to make sure that each client only has access to their specific directory. If you have the resources on the server, give each client a VM or container to work out of. Getting ransomware on the server would mean one of the admins was lazy and careless.

I don’t think this is quite what the OP is after. If they are using this as a NAS, usually you just have an SMB share used either as a network folder/drive, or you are sending backups via either Windows or some third-party software. No VM or container required. They just need to implement ZFS snapshots within TrueNAS to snapshot the directories… and not let their TrueNAS box be compromised either via SSH or the WebUI.


Snapshots, be it file or volume level, are the number one defense against ransomware on an enterprise level. Azure and AWS don't rely on offline backups to scrub ransomware.

 

An infected client can encrypt anything they have edit rights to. If their user account can edit X data, then the ransomware running in their account can encrypt it. Ransomware encryption = edit rights. That simple. Doesn't matter if it's Windows or Linux. Same rules apply.

 

The bad ransomware outbreaks snipe somebody's admin credz and start overwriting backups. Just sloppy administration. Keep passwords and admin accounts unique and you should be fine. Snapshots are the bomb for file level recovery.

Thanks everyone for sharing your thoughts. I've been doing some testing with TrueNAS and it seems like I'm migrating to it.
