How safe is a NAS server against threats like WannaCry?

Like the title says, let's say I get a Synology NAS housing (or other) and add in a WD Red, no RAID config, and one use case scenario is that we only use this in our household, while the other is so the rest of our family living on their own also can access the NAS from outside the local network (haven't decided on which one yet) - would the data on the NAS still be safe in the event of a ransomware attack like the current one?

The latest massive attack used a Windows exploit, but how would a NAS handle a general ransomware attack or worm designed for multiple OS's?

 

EDIT: I actually forgot to mention that the NAS will be used to create full image backups of computers, so no actual external storage there.

Asus X99-A w/ BIOS 3402 | Intel i7 5820k OC @4.4GHz 1.28V w/ Noctua NH-U14S | 16GB Corsair Vengeance DDR4 OC @2666MHz 12-14-14-28 | Asus Geforce GTX970 STRIX OC | EVGA 750 G2 750W | Samsung 850 Evo 1 TB | Windows 10 64-bit | Be-Quiet Silent Base 800 w/ Silent Wings | 2x Dell U2414H OC @72Hz w/ Display Port

 

Don't forget to invest in an Intel Tuning Plan if you're going to overvolt your K/X CPU

If it's accessible via a share that Windows can read, it's not safe.

If the NAS can be accessed by a potentially infected machine, the data on it is still at risk.

 

Ok, I type too slow, Windspeed36 said the same...

Gaming system: R7 7800X3D, Asus ROG Strix B650E-F Gaming Wifi, Thermalright Phantom Spirit 120 SE ARGB, Corsair Vengeance 2x 32GB 6000C30, RTX 4070, MSI MPG A850G, Fractal Design North, Samsung 990 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Productivity system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, 64GB ram (mixed), RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, random 1080p + 720p displays.
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible

If it's connected and able to write to it, likely screwed as well.

Please quote our replies so we get a notification and can reply easily. Never cheap out on a PSU, or I will come to watch the fireworks.

PSU Tier List

 

My specs

Spoiler

PC:

CPU: Intel Core i5-6600K @4.8GHz
CPU Cooler: Noctua NH-U14S 
Motherboard:  ASUS Maximus VIII Hero 
GPU: Zotac AMP Extreme 1070 @ 2114Mhz
Memory: Corsair Vengeance LPX 16GB (2 x 8GB) DDR4-2400 
Storage: Samsung 850 EVO-Series 500GB 
Storage: Western Digital Caviar Blue 1TB
Case: Cooler Master MasterCase Pro 5 
Power Supply: EVGA 750W G2

 

Peripherals 

Keyboard: Corsair K70 LUX Browns
Mouse: Logitech G502 
Headphones: Kingston HyperX Cloud Revolver 

Monitor: U2713M @ 75Hz

 

Well it's believed to be a worm as well, so.....

I'd disconnect my NAS if I were you (for a while).

 

Being total paranoid here, but well.... I just want to be safe right?

Where I hang out: The Garage - Car Enthusiast Club

My cars: 2006 Mazda RX-8 (MT) | 2014 Mazda 6 (AT) | 2009 Honda Jazz (AT)


PC Specs

Indonesia

CPU: i5-4690 | Motherboard: MSI B85-G43 | Memory: Corsair Vengeance 2x4GB | Power Supply: Corsair CX500 | Video Card: MSI GTX 970

Storage: Kingston V300 120GB & WD Blue 1TB | Network Card: ASUS PCE-AC56 | Peripherals: Microsoft Wired 600 & Logitech G29 + Shifter

 

Australia 

CPU: Ryzen 3 2200G | Motherboard: MSI - B450 Tomahawk | Memory: Mushkin - 8GB (1 x 8GB) | Storage: Mushkin 250GB & Western Digital - Caviar Blue 1TB
Video Card: GIGABYTE - RX 580 8GB | Case: Corsair - 100R ATX Mid Tower | Power Supply: Avolv 550W 80+ Gold

 

How about picking a filesystem/backup system that does snapshots and does not have direct access to the disks? For example, rsync or its Cygwin equivalent.

             ☼

ψ ︿_____︿_ψ_   

I actually forgot to mention that the NAS will be used to create full image backups of computers, so no actual external storage there.

Stupido me, I'll edit it into the OP as well :)

Backups and ZFS snapshots are useful for this type when it's whole-disk ZFS, not per file.

Magical Pineapples

have a look at dragonfly's filesystem

             ☼

ψ ︿_____︿_ψ_   

If it is accessible on the network, it is at threat. If you're concerned, back up your files to your NAS and then power off your NAS when not in use, or back up your NAS periodically to something else and disconnect it when not needed.

You could also set Windows to forget your login credentials when you have stopped using it.

This should reduce the threat significantly.

Another thing to keep in mind is if you perform backups of encrypted files and overwrite old backups, then your backups are gone. Versioned backups will prevent this, but only as long as you stop backing up as soon as you get infected with the ransomware.

-KuJoe

Or just use a huge USB disk... 8TB+, then build yourself a script for the backup, plug in the drive to the machine you want to back up, let it run, overnight for example, and as soon as it's finished, unplug. As long as the drive is unplugged, no WannaCry for that backup =)

 

I try to use a kind of snapshot software that does incremental backups. So the first one takes quite long, the second is way faster, as long as you don't backup LTTs Petabyte Project =P

 

Snapshot Backups for at least the system drive have got the charm, you play it back, reboot and get your system back like you know it from right before the backup. 

 

 

Main System:

Anghammarad : Asrock Taichi x570, AMD Ryzen 7 5800X @4900 MHz. 32 GB DDR4 3600, some NVME SSDs, Gainward Phoenix RTX 3070TI

 

System 2 "Igluna" AsRock Fatal1ty Z77 Pro, Core I5 3570k @4300, 16 GB Ram DDR3 2133, some SSD, and a 2 TB HDD each, Gainward Phantom 760GTX.

System 3 "Inskah" AsRock Fatal1ty Z77 Pro, Core I5 3570k @4300, 16 GB Ram DDR3 2133, some SSD, and a 2 TB HDD each, Gainward Phantom 760GTX.

 

On the Road: Acer Aspire 5 Model A515-51G-54FD, Intel Core i5 7200U, 8 GB DDR4 Ram, 120 GB SSD, 1 TB SSD, Intel CPU GFX and Nvidia MX 150, Full HD IPS display

 

Media System "Vio": Aorus Elite AX V2, Ryzen 7 5700X, 64 GB Ram DDR4 3200 Mushkin, 1 275 GB Crucial MX SSD, 1 tb Crucial MX500 SSD. IBM 5015 Megaraid, 4 Seagate Ironwolf 4TB HDD in raid 5, 4 WD RED 4 tb in another Raid 5, Gainward Phoenix GTX 1060

 

(Abit Fatal1ty FP9 IN SLI, C2Duo E8400, 6 GB Ram DDR2 800, far too less diskspace, Gainward Phantom 560 GTX broken need fixing)

 

Nostalgia: Amiga 1200, Tower Build, CPU/FPU/MMU 68EC020, 68030, 68882 @50 Mhz, 10 MByte ram (2 MB Chip, 8 MB Fast), Fast SCSI II, 2 CDRoms, 2 1 GB SCSI II IBM Harddrives, 512 MB Quantum Lightning HDD, self soldered Sync changer to attach VGA displays, WLAN

4 minutes ago, Anghammarad said:

Or just use a huge USB disk... 8TB+, then build yourself a script for the backup, plug in the drive to the machine you want to back up, let it run, overnight for example, and as soon as it's finished, unplug. As long as the drive is unplugged, no WannaCry for that backup =)

 

I try to use a kind of snapshot software that does incremental backups. So the first one takes quite long, the second is way faster, as long as you don't backup LTTs Petabyte Project =P

 

Snapshot Backups for at least the system drive have got the charm, you play it back, reboot and get your system back like you know it from right before the backup. 

Too many manual steps for my liking. Backups should be automated and unattended to be useful, then again my backup strategy is overkill for the majority of people.

-KuJoe

Just now, KuJoe said:

Too many manual steps for my liking. Backups should be automated and unattended to be useful, then again my backup strategy is overkill for the majority of people.

 

What do you use? 

Lookie here for semi automatic USB backup...

 

The vid shows the "one button backup solution" but is transferable to a usb drive.

Just now, Windspeed36 said:

What do you use? 

Mostly rsync and proprietary software for my Synology. This was my backup scheme from 2016, needless to say it is significantly more complex now with additional cloud storage providers in the mix as well as more versioning than before. :)

backup_scheme_2016.png

 

I actually spent the weekend revamping it and I plan to add some checks to my rsync scripts so it won't rsync the data if the data can't be read, to prevent it from overwriting my good backups with encrypted garbage. I'll also be adding some monthly and weekly backups to the mix so I have a buffer in the event my other safeguards fail.

-KuJoe
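
One way to build the kind of pre-flight check described in the post above, combined with the versioned backups mentioned earlier in the thread. This is an added example, not KuJoe's script: the canary-file approach, the manifest format and all paths are assumptions, and it expects GNU `sha256sum` and `rsync`.

```sh
#!/bin/sh
# Added example (not KuJoe's script): refuse to back up when canary files fail.
# Assumptions: GNU coreutils sha256sum, rsync, and the hypothetical paths below.

# canary_ok SRC MANIFEST
#   MANIFEST is an absolute path to a file in `sha256sum` format listing canary
#   files relative to SRC. Keep it on the backup host, where the machine being
#   backed up cannot rewrite it.
#   Returns 0 only if every canary is present, readable and unmodified.
canary_ok() {
    c_src=$1
    c_manifest=$2
    [ -s "$c_manifest" ] || return 2      # no manifest: refuse rather than guess
    # A renamed, unreadable or re-encrypted canary makes `sha256sum -c` fail.
    ( cd "$c_src" 2>/dev/null && sha256sum -c "$c_manifest" >/dev/null 2>&1 )
}

# backup SRC DEST MANIFEST
#   Creates DEST/<timestamp>/ as a new snapshot. Unchanged files are hard links
#   into the previous snapshot (--link-dest), so older versions stay intact and
#   nothing is ever overwritten in place.
backup() {
    b_src=$1
    b_dest=$2
    b_manifest=$3
    if ! canary_ok "$b_src" "$b_manifest"; then
        echo "canary check failed for $b_src: backup skipped, snapshots untouched" >&2
        return 1
    fi
    b_stamp=$(date +%Y-%m-%dT%H%M%S)
    mkdir -p "$b_dest" || return 1
    if [ -d "$b_dest/latest" ]; then
        rsync -a --link-dest="$b_dest/latest" "$b_src/" "$b_dest/$b_stamp/" || return 1
    else
        rsync -a "$b_src/" "$b_dest/$b_stamp/" || return 1
    fi
    ln -sfn "$b_stamp" "$b_dest/latest"   # point "latest" at the new snapshot
}

# Usage: backup.sh /mnt/pc-share /volume1/backups/pc /volume1/backups/pc.canaries
if [ "$#" -eq 3 ]; then
    backup "$1" "$2" "$3"
fi
```

Canaries only prove that those particular files are intact, so spread several across the directories that matter and generate the manifest once from a known-clean state.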

6 minutes ago, Anghammarad said:

Lookie here for semi automatic USB backup...

 

The vid shows the "one button backup solution" but is transferable to a usb drive.

But if the USB drive is connected to the PC hit with the ransomware the data on the USB drive is useless.

-KuJoe

Just now, KuJoe said:

But if the USB drive is connected to the PC hit with the ransomware the data on the USB drive is useless.

you know, the point of this is to disconnect the USB Drive after the backup is done... 

Just now, Anghammarad said:

you know, the point of this is to disconnect the USB Drive after the backup is done... 

And hope the user remembers to reconnect it every day? That's asking a lot for most home users. ;)

-KuJoe

4 minutes ago, KuJoe said:

Mostly rsync and proprietary software for my Synology. This was my backup scheme from 2016, needless to say it is significantly more complex now with additional cloud storage providers in the mix as well as more versioning than before. :)

backup_scheme_2016.png

 

I actually spent the weekend revamping it and I plan to add some checks to my rsync scripts so it won't rsync the data if the data can't be read, to prevent it from overwriting my good backups with encrypted garbage. I'll also be adding some monthly and weekly backups to the mix so I have a buffer in the event my other safeguards fail.

Interesting concept - I assume you make certain machines offline/closed connections at certain times?

The question is, do you really need every day backup. 

 

I've seen those crypto trojans wreak havoc. Started on a Terminal Server, it reached through the whole network, onto every network share it could find.

4 minutes ago, Anghammarad said:

The question is, do you really need every day backup. 

 

I've seen those crypto trojans wreak havoc. Started on a Terminal Server, it reached through the whole network, onto every network share it could find.

That's some pretty poor planning then isn't it :P

Just now, Windspeed36 said:

Interesting concept - I assume you make certain machines offline/closed connections at certain times?

Yup. I never have my VM or laptop (replaced the netbook in that diagram) connected at the same time. I also mix OSes to avoid OS specific exploits (Windows 7, Windows 10, CrunchBang, and Fedora for desktops, CentOS and Debian for servers)

-KuJoe

6 minutes ago, Anghammarad said:

The question is, do you really need every day backup.

That's the question, a user should keep backups as often as they need. If 100% of your data can be recovered online without a backup then you don't need backups at all, if you work on your PC and you spend the day writing code that puts food on the table then you better be backing up as frequently as your network connection and hard drives allow.

-KuJoe

32 minutes ago, Windspeed36 said:

That's some pretty poor planning then isn't it :P

Not really. The network was heterogeneous, Linux (CentOS) and Windows. The virus was executed by a guy that opened up the mail attachment. The local virus scanners did nothing to prevent that (Avira Professional). Avira got a pattern update the next day, and then was able to find the virus. What we did was remove the TS from the network as fast as possible (VMware remove network), but even on shares that weren't mounted it started encrypting files.

 

The only thing possible is building a "perfect" permission set onto all shares, then a user opening such a virus may only corrupt files he/she has access to. But for that you need a single authentication backbone, which most companies have; we didn't, due to the intelligence of our Chief of IT.

 

But this will also need you to grab the backup tapes after the cleanup to play back lost data. 

 

There is one scanner I know that uses system behaviour for finding threats as well, which would have provided some security: Trend Micro Server Protect. That one watches outgoing and incoming connections. When configured, it watches for connections per second, and if a threshold is reached it cuts the machine's network connection.
