
Are NASes vulnerable to ransomware?

Hi, so I am a complete newbie in NASes and servers and I want to have a data backup using an external drive. Accessing the drive remotely would be also good, so I started looking into NASes, but would it be vulnerable to some viruses like the ransomware? 


If it's connected to the internet, it's vulnerable to ransomware (basically).

Spoiler

Don't take my word for it because I have no idea what I'm talking about.

 


 

13 minutes ago, vojta.pokorny said:

If it's connected to the internet, it's vulnerable to ransomware (basically).

  Reveal hidden contents

Don't take my word for it because I have no idea what I'm talking about.

 

It is not quite that simple:

First off, it depends on the ransomware:

Most programs (like the recent WannaCry) are targeted at Windows (because of the market share and low fragmentation/high compatibility) while most NAS OSes are based on Linux, so your unraid or QNAP NAS can't catch it directly.

But there is a catch: if you have permanent write access to your NAS from your PC without needing to log in each time, and you catch ransomware on your PC, the software can encrypt the data on the NAS.

But it is also very possible to attack the NAS directly; however, this is far less common and harder to do, as far as I know.

 

If you want to protect your NAS you can do several things: 

  • set up 2 user accounts, one with only read and one with read/write access, protect at least the latter one with a secure password
  • Only enable export protocols when you need to (keep FTP, SMB etc off most of the time, this is best suited for backup servers)
  • Keep it on the local network only
  • Don't map it to a drive letter
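One way to check the first point of the list above on a NAS that exports its shares through Samba, as an added example that is not part of the original post. The `smb.conf` content, share names and user names are constructed; the script flags shares where guests are allowed in or where every valid user can write, instead of write access being limited to one account through `write list`.

```shell
#!/bin/sh
# Added example: audit Samba share definitions for the "one read-only account,
# one read/write account" rule. Share and user names below are constructed.

# Constructed sample smb.conf (not taken from a real system).
sample_conf() {
cat <<'EOF'
[global]
   map to guest = Bad User

[photos]
   path = /srv/photos
   valid users = viewer, archivist
   read only = yes
   write list = archivist

[scratch]
   path = /srv/scratch
   guest ok = yes
   read only = no

[media]
   path = /srv/media
   valid users = viewer, archivist
   writable = yes
EOF
}

# Reads smb.conf text on stdin; prints "<share>: <finding>" for each risky setting.
audit_shares() {
  awk '
    function report() {
      if (share == "" || share == "global") return
      if (guest) print share ": guest access enabled"
      if (writable) print share ": every valid user can write; use read only = yes plus write list"
    }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[/ { report(); share = $0; gsub(/^[ \t]*\[|\].*$/, "", share); guest = 0; writable = 0; next }
    {
      split($0, kv, "="); key = tolower(kv[1]); val = tolower(kv[2])
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      yes = (val == "yes" || val == "true" || val == "1")
      if (key == "guest ok" || key == "public") guest = yes
      if (key == "read only") writable = !yes   # Samba default is read only = yes
      if (key == "writable" || key == "writeable" || key == "write ok") writable = yes
    }
    END { report() }
  '
}

sample_conf | audit_shares
```

On a real NAS the same function can be fed the live configuration with `audit_shares < /etc/samba/smb.conf`; the `photos` share passes because only the account named in `write list` can modify files.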

2 hours ago, Merkey said:

Hi, so I am a complete newbie in NASes and servers and I want to have a data backup using an external drive. Accessing the drive remotely would be also good, so I started looking into NASes, but would it be vulnerable to some viruses like the ransomware? 

 

They can be. It really depends on what the OS is. NASes are computers that are used for the sole purpose of storage. It depends on whether ransomware is written to target the OS your NAS runs on, e.g. a Linux distro, Windows, or something proprietary. If you are wondering if ransomware could target the NAS, the answer is maybe. Secure your NAS with the tips @ChalkChalkson suggested:

Quote
  • set up 2 user accounts, one with only read and one with read/write access, protect at least the latter one with a secure password
  • Only enable export protocols when you need to (keep FTP, SMB etc off most of the time, this is best suited for backup servers)
  • Keep it on the local network only
  • Don't map it to a drive letter
 

The thing I would add is keeping an offline backup. This is the only thing that completely prevents a ransomware attack. If this is a personal backup I would recommend a few things in order of data security:

1. External hard drive that you keep unplugged when you are not backing up or restoring data

2. External RAID enclosure that you run in RAID 1 for redundancy

3. One of the above listed things but also keep an offsite backup. If a robber breaks into your house you can bet they will probably take your backup drive. If a fire or natural disaster strikes your external drives won't survive. You could give drives to a relative or friend, but that makes it hard to keep it up to date. :( The other option is a third party backup service like Carbonite. While I don't personally use them I have heard great things. Or you could do what I do and put important data like pictures and documents in a service like OneDrive if you already have it.

 

If this is for a business, hire a professional to help you.


1 minute ago, TheComputerdude said:

The thing I would add is keeping an offline backup. This is the only thing that completely prevents a ransomware attack. If this is a personal backup I would recommend a few things in order of data security

Of course. I thought if this was an option this would be obvious, but thanks for adding it.

3 minutes ago, TheComputerdude said:

1. External hard drive that you keep unplugged when you are not backing up or restoring data

2. External RAID enclosure that you run in RAID 1 for redundancy

3. One of the above listed things but also keep an offsite backup

What I do is have a server at my parents' place that logs into my VPN and pulls all data off of my main server. This way the backup server has no exported shares, isn't accessible over the internet and all shares are password protected.

It isn't perfect; if someone infected one of the repositories I use, it could catch ransomware.

And a targeted attack could get into my network via one of the Windows machines, set up an MITM attack or attack the Linux distribution from there.

 

But unfortunately in most cases offsite and offline are mutually exclusive unless you are willing to go for a drive whenever you want to back up your data.


1 minute ago, ChalkChalkson said:

Of course. I thought if this was an option this would be obvious, but thanks for adding it.

What I do is have a server at my parents' place that logs into my VPN and pulls all data off of my main server. This way the backup server has no exported shares, isn't accessible over the internet and all shares are password protected.

It isn't perfect; if someone infected one of the repositories I use, it could catch ransomware.

And a targeted attack could get into my network via one of the Windows machines, set up an MITM attack or attack the Linux distribution from there.

 

But unfortunately in most cases offsite and offline are mutually exclusive unless you are willing to go for a drive whenever you want to back up your data.

That is a really good idea and cool setup. Bit difficult to set up but damn that is nicely done. Good balance of convenience, security, and cost. I still like the upload files to the cloud thing cause it is just easier and probably a bit more secure, but well done, that is a nice setup.


25 minutes ago, TheComputerdude said:

That is a really good idea and cool setup. Bit difficult to set up but damn that is nicely done. Good balance of convenience, security, and cost. I still like the upload files to the cloud thing cause it is just easier and probably a bit more secure, but well done, that is a nice setup.

Yeah, offsite backup services are always an option, and it basically comes down to 3 things:

Do you want a server that does more things than backups? Build one yourself

Do you trust the service provider to deliver on their promise to keep your privacy, and do you trust people who keep their encryption standards secret (worked fine for rockyou :P)?

Do you like subscription services, or prefer owning stuff?

 

For me the first one triggered, since I wanted a server on my parents' network to be able to VPN into there to help them fix their issues without going on a 5h journey :P


Thanks for the answers guys, I didn't understand most of the things you just wrote though :D. Basically, what I want is a backup external drive for photos/videos, which would be able to share these files over the internet (rarely). I don't have to have a 24/7 NAS with high redundancy (don't want to spend a lot anyway). So no, server doing backups, or just remotely accessible external drive would be enough for me :)


21 minutes ago, Merkey said:

Thanks for the answers guys, I didn't understand most of the things you just wrote though :D. Basically, what I want is a backup external drive for photos/videos, which would be able to share these files over the internet (rarely). I don't have to have a 24/7 NAS with high redundancy (don't want to spend a lot anyway). So no, server doing backups, or just remotely accessible external drive would be enough for me :)

The best thing for you is getting a hard drive to back up to. I would also upload some of the files to the cloud or give a relative a bit of HD backup every once in a while.


 

4 hours ago, TheComputerdude said:

The best thing for you is getting a hard drive to back up to. I would also upload some of the files to the cloud or give a relative a bit of HD backup every once in a while.

If you have too much data for free cloud services, you might want to just search for "PC" on eBay and buy the cheapest thing you can find that looks like a standard form factor. Then head over to your favourite PC component retailer and filter to only see Seagate and WD drives. Buy 3 2TB drives that have SATA 3, also known as "SATA 6Gb". Grab a USB 3.0 stick (off of Amazon) and throw unraid onto there, install an OpenVPN server (check this post for step by step instructions) and you are done.

You can now (securely) access your data from anywhere, have a little bit of redundancy (1 out of 3 drives can fail) and you spend about 200$.

If you want to go for a cloud service I'd go with either Google Drive, OneDrive or Dropbox (left to right is most favoured to least favoured). If you are unfortunate enough not to be a student the best deal would probably be Office 365 giving you 1TB of storage and the Office apps for 70$ a year, so the NAS would pay for itself after 3 years, even if you ignore that the NAS would have more storage.

A service like Backblaze would be cheaper and might be the best suited for you; it is 50$ a year but it doesn't allow you to access the cloud as nicely as with OneDrive.

 

So in conclusion your options look like this:

Building a NAS:

+ high capacity
+ one time purchase
+ scalable
+ good performance in house (100/1000 Mb/s)
+ might become useful in other ways (Plex server etc...)
+ high speed on home network
- high up front cost (~200$)
- a little work (~ 1 to 2h) required
- low speed when accessed over the internet (~5-20 Mb/s)
- no one to yell at when it doesn't work (except for us, we love to help :P)

"The cloud":

+ ease of use
+ consistent speed in and outside the house
+ often bundled with other useful services (office / gmail & gphotos storage)
- high cost
- subscription (70-120$/yr)
- low capacity (~1TB)

Backup service:

+ consistent speed in and outside the house
+ high capacity
+ ease of use
- subscription (50$/yr)
- slower than the other

Ultimately I'd go with the first option, but I am also a dude who loves playing with servers (desktop PCs got boring, everything works so seamlessly these days). So you have to decide for yourself where your priorities are.


9 hours ago, Merkey said:

Hi, so I am a complete newbie in NASes and servers and I want to have a data backup using an external drive. Accessing the drive remotely would be also good, so I started looking into NASes, but would it be vulnerable to some viruses like the ransomware? 

If you have a Linux-based OS then you are fine, but if you have Windows Server then get the Sophos server solution.


19 hours ago, ChalkChalkson said:

 

If you have too much data for free cloud services, you might want to just search for "PC" on eBay and buy the cheapest thing you can find that looks like a standard form factor

Thanks so much for that detailed comment, could the PC be e.g. a Raspberry Pi?


30 minutes ago, Merkey said:

Thanks so much for that detailed comment, could the PC be e.g. a Raspberry Pi?

^^sorry, no I literally mean searching for "PC" and then looking for something that looks like an ATX, µATX, or ITX case and that has at least a USB 3.0 port.

If you want a more detailed description of what you want in a NAS system and a detailed description of how to make a random PC off of eBay into a NAS, I'd gladly write that out for you


3 hours ago, ChalkChalkson said:

If you want a more detailed description of what you want in a NAS system and a detailed description of how to make a random PC off of eBay into a NAS, I'd gladly write that out for you

That would be great if you don't mind, but if you don't want to, you can just point me to the right websites/videos for beginners. By the way, eBay is not so accessible in my country (it is, but it would take some time to deliver to Czech Rep.). If it can be a cheap PC, it would be easier for me to just buy a refurbished one from some garage...


Just now, Merkey said:

That would be great if you don't mind, but if you don't want to, you can just point me to the right websites/videos for beginners. By the way, eBay is not so accessible in my country (it is, but it would take some time to deliver to Czech Rep.). If it can be a cheap PC, it would be easier for me to just buy a refurbished one from some garage...

As for step-by-step instructions for setup: check out my unraid guide; if you need additional things, please request them in that thread, and I'll look into it :)

What you want in your system:

An x64 CPU with at least 2 cores, ideally 4 threads, but 2 is fine, even for Blu-ray streaming. You should try to get something Sandy Bridge or newer.

With RAM you want at least 4GB, speed doesn't matter at all.

With drives you don't need anything fancy if you will only back up, but make sure you get 1 more drive than you need for storage, so that you get parity.

Make sure your motherboard has plenty of SATA ports, I usually try to go for 6.

And btw, you can chain unraid free trials. This is an unrelated fun fact, you should never ever do that.


@ChalkChalkson Ok, the hardware side of it doesn't seem to be complicated, however I am getting lost in software for servers. What is NAS software, Plex, FreeNAS or MITM (some words that I saw in this thread)? I will check the unraid thread


21 hours ago, Merkey said:

I will check the unraid thread

Probably a good idea

21 hours ago, Merkey said:

What is NAS software, Plex, FreeNAS or MITM (some words that I saw in this thread)?

  • NAS software: an operating system that is built around the idea of making the local storage accessible for people on the network
  • Plex: a free(-mium) solution to host something very similar to Netflix for yourself (e.g. to be able to watch your Blu-rays on a thin & light)
  • FreeNAS: one of the NAS OSes
  • MITM: Man in the Middle (Attack) - this is a very powerful attack in a network, you basically pretend to be the router, getting complete control over the internet traffic from all machines in that network

If the NAS is mounted as a drive in Windows, YES! The ransomware WILL encrypt everything it has access to, including network volumes (sometimes even if not mounted).


The way I protect against that is to have my data on a snapshottable filesystem (btrfs) on my home server. I do daily snapshots (they won't take up additional space) and if I should get infected with ransomware, I at most lose the data between snapshots. Yes. It will still encrypt the data, but I can revert back easily.


Depending on your NAS you might have the possibility to do that as well, but if not: Have a good backup strategy (you should have one anyways).
And as always: A RAID is not a Backup.

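The daily-snapshot routine described in the post above, as an added example that is not the poster's own script. It assumes a btrfs subvolume at `/srv/data` that is exported to clients and a snapshot directory `/srv/.snapshots` on the same filesystem that is not exported; both paths, the `data-YYYY-MM-DD` naming and the 14-day retention are assumptions.

```shell
#!/bin/sh
# Added example: daily read-only btrfs snapshots with retention, run on the
# server itself (for example from cron). SRC, DEST and KEEP are assumptions.
SRC="${SRC:-/srv/data}"            # subvolume that clients can write to
DEST="${DEST:-/srv/.snapshots}"    # same btrfs filesystem, not exported as a share
KEEP="${KEEP:-14}"                 # number of daily snapshots to retain

# Name for a snapshot, e.g. data-2024-05-01; sorts chronologically.
snapshot_name() { printf 'data-%s\n' "${1:-$(date +%F)}"; }

# Reads directory entries on stdin, prints the snapshots older than the newest $1.
# Anything that does not match the naming scheme is ignored, never deleted.
snapshots_to_prune() {
  grep -E '^data-[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort -r | tail -n +"$(( $1 + 1 ))"
}

take_snapshot() {
  target="$DEST/$(snapshot_name)"
  [ -e "$target" ] && return 0     # already taken today
  # -r makes the snapshot read-only, so malware writing through the share
  # can encrypt the live files but cannot alter the snapshot.
  btrfs subvolume snapshot -r "$SRC" "$target"
}

prune_snapshots() {
  # Old snapshots keep the blocks of files that changed since, so they are
  # removed once they fall out of the retention window.
  ls -1 "$DEST" | snapshots_to_prune "$KEEP" | while read -r name; do
    btrfs subvolume delete "$DEST/$name"
  done
}

# Only touch the filesystem when invoked as: snapshots.sh run
if [ "${1:-}" = "run" ]; then
  take_snapshot && prune_snapshots
fi
```

A retention window longer than the time it takes to notice an infection matters here: if encrypted files go unnoticed for more than `KEEP` days, the last clean snapshot has already been pruned.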
