What would be the generally safest way to backup an Asustor NAS to an off-site NAS? In my case, the main NAS would be at the office (which has a static IP etc) and the off-site NAS would be at home.
By "safe" I'm looking for a solution that
- Won't allow malware/ransomware to propagate between sites
- Won't put the office network at risk of being compromised
- Keeps data safe (encrypted) during transfer
The office NAS will be mounted to workstations as an SMB share, so if a workstation is infected with ransomware, it could encrypt the files on the NAS. I'll be taking regular snapshots to protect against that, but in the unlikely case that we're hit by a ransomware which targets Asustor NASes, the snapshots themselves could also be affected. The idea is that the off-site NAS will grab the files from the office NAS regularly and make its own entirely separate snapshots, but be isolated enough not to get hit by the ransomware. So if all the files and snapshots at the office are encrypted by ransomware, even though the off-site files would also be encrypted (when synchronised with the office, that is), we'd still have the snapshots on the off-site NAS.
My idea was to simply connect the off-site NAS to the office as a VPN client, but for all practical purposes, that's the same as connecting it to a switch at the office, so it wouldn't prevent malware from propagating. So instead, I'm considering running Rsync over SSH. That means I'd have to open another port at the office, which I'm a bit reluctant to do, but I'm thinking of implementing the following measures:
- Using a nonstandard (high) port number for SSH
- Using geoblocking, refusing any connections from outside the country (ideally I'd whitelist my home IP, but it's not static)
- Using a public/private key pair for the SSH connection
Is this a reasonable and doable approach or are there better options? The office NAS will be a Lockerstor 4, the home NAS will be a low-end Asustor or Synology (the latter is cheaper)
Safest way to backup to off-site NAS? (Rsync+SSH?)
Backup and data protection discussion at its finest.
Moderator: Lillian.W@AST
-
- Posts: 6
- youtube meble na wymiar Warszawa
- Joined: Wed May 19, 2021 7:42 pm
- orion
- Posts: 3485
- Joined: Wed May 29, 2013 11:09 am
Re: Safest way to backup to off-site NAS? (Rsync+SSH?)
- Put your off-site NAS behind NAT (home gateway function).
- Disable all services in off-site NAS (no PnP, no EZ connect...).
- Don't create user account, Only admin with very strong password in off-site NAS.
- Don't install the other apps (only default apps) in off-site NAS.
Return to “Backup and Data Protection”
Jump to
- General
- ↳ Announcements
- ↳ Meet and Greet
- ↳ Feature Requests
- ↳ Presales
- ↳ Tips & Tricks
- All about NAS
- ↳ ADM, the OS
- ↳ ADM general
- ↳ [Beta] ADM
- ↳ [Beta] ADM 3.1 for All Series
- ↳ [Official] For AS70XX Series
- ↳ [Official] For AS-60X Series
- ↳ [Official] For AS-30X Series
- ↳ [Official] For AS-20X Series
- ↳ [Official] For AS50xx/51xx Series
- ↳ [Official] For AS61XX/62XX Series
- ↳ [Official] For AS31XX/ AS32XX Series
- ↳ [Official] For AS10XX Series
- ↳ [Official] For AS40XX Series
- ↳ [Official] For AS63XX/64XX Series
- ↳ [Official] For AS52xx/53xx/66xx Series
- ↳ [Official] For AS65xx Series
- ↳ [Official] For AS67xx Series
- ↳ NAS Utilities
- ↳ ASUSTOR Control Center
- ↳ ASUSTOR Download Assistant
- ↳ ASUSTOR Backup Plan
- ↳ Download Center Helper
- ↳ ASUSTOR EZ Connect
- ↳ ASUSTOR Ez Sync
- ↳ Hardware Compatibility
- Apps Unlimited
- ↳ Official ASUSTOR Apps
- ↳ ASUS Webstorage
- ↳ ASUSTOR Portal
- ↳ Avast
- ↳ Boxee
- ↳ Chrome
- ↳ ClamAV
- ↳ DataSync for Dropbox
- ↳ Data Sync for Google Drive
- ↳ DataSync for hubiC
- ↳ Data Sync for OneDrive
- ↳ DataSync for Yandex (Beta)
- ↳ Download Center
- ↳ EZ Sync Manager
- ↳ exFAT Driver
- ↳ FFmpeg
- ↳ File Explorer
- ↳ FTP Explorer
- ↳ Gogs
- ↳ Geo IP DataBase
- ↳ HiDrive Backup
- ↳ DataSync for Onedrive Business
- ↳ Mail Server
- ↳ iTunes Server
- ↳ Linux-Center
- ↳ Media Cast
- ↳ LooksGood
- ↳ Mail-Server
- ↳ Mono
- ↳ Media-pack
- ↳ nodejs
- ↳ OnlyOffice Document Server (Beta)
- ↳ Perl
- ↳ Photo Gallery
- ↳ Radius Server
- ↳ RALUS
- ↳ Ruby
- ↳ Syslog Server
- ↳ Snapshot Center Beta
- ↳ SoundsGood
- ↳ StreamsGood
- ↳ Surveillance Center
- ↳ Subversion
- ↳ phpmyadmin
- ↳ Python
- ↳ Takeasy
- ↳ TomCat
- ↳ UPnP Media Server
- ↳ UPnP Media Server 2
- ↳ Portainer
- ↳ VirtualBox
- ↳ VPN Server
- ↳ Xunlei
- ↳ xorg
- ↳ My Media for Alexa
- ↳ 3rd-party Apps
- ↳ Developer's Corner
- ↳ Cloodtools
- ↳ dislocker
- ↳ Desktop_Engine
- ↳ Fillezilla
- ↳ Gateone
- ↳ Foreign Keyboard Layout
- ↳ HD_Engine
- ↳ Home_assistant
- ↳ Kodi
- ↳ LibCEC
- ↳ Mykodi17
- ↳ myHD
- ↳ Mypyload
- ↳ NZBmegasearcH
- ↳ OpenPlexHome Theater
- ↳ PMP (PlexMediaPlayer)
- ↳ Python
- ↳ Rtorrent
- ↳ Serviio
- ↳ Tailscale-native
- ↳ Xnc-Server
- ↳ aMule
- ↳ Ajaxplorer
- ↳ aria2
- ↳ asunder
- ↳ BaiduPCS (Beta)
- ↳ BicBucStriim
- ↳ BitTorrent Sync
- ↳ BubbleUPnP
- ↳ CouchPotato
- ↳ CrashPlan
- ↳ Deluge
- ↳ Docker
- ↳ Domoticz
- ↳ Dolphin
- ↳ Droidmote
- ↳ Duplicati
- ↳ DVBLink TV Server
- ↳ Entware
- ↳ Eynio Server
- ↳ freeciv
- ↳ Firefox
- ↳ Emby
- ↳ Gallery
- ↳ Gamez
- ↳ Git
- ↳ Gitbucket
- ↳ Headphones
- ↳ Hi-Res Player
- ↳ Hotstar
- ↳ Jackett
- ↳ Jellyfin
- ↳ Jdownloader2
- ↳ Libreoffice
- ↳ Leanote (Beta)
- ↳ Logitech Media Server (Beta)
- ↳ madsonic (Beta)
- ↳ Mame
- ↳ Jeedom
- ↳ mednafen (Beta)
- ↳ Minimserver
- ↳ MongoDb
- ↳ minecraft
- ↳ MiniDLNA
- ↳ Mylar
- ↳ Netdata
- ↳ Nextcloud
- ↳ Nuclear
- ↳ NHome Server
- ↳ NzbDrone
- ↳ NZBGet
- ↳ Odoo-8.0
- ↳ ownCloud
- ↳ OpenPHT
- ↳ optware
- ↳ osTicket
- ↳ QuikFynd
- ↳ Plex
- ↳ Popcorn Time
- ↳ pyLoad
- ↳ qBittorrent
- ↳ Resilio Sync
- ↳ Radarr (Beta)
- ↳ RainLoop Webmail
- ↳ SABnzbdplus
- ↳ SickBeard
- ↳ Subsonic
- ↳ snes9x
- ↳ sonarr
- ↳ Spotify
- ↳ Squid
- ↳ Syncthing
- ↳ transmission
- ↳ Tvheadend (Beta)
- ↳ Twonky (Beta)
- ↳ Teamspeak
- ↳ Ubooquity
- ↳ uTorrent
- ↳ Plex Media Player
- ↳ URL-Pack-NEWS
- ↳ vtigercrm
- ↳ Wonderbox (Beta)
- ↳ Pandora
- ↳ WordPress
- ↳ xCloud
- ↳ Zappiti Server
- ↳ ZurmoCRM
- ↳ Mobile Apps
- ↳ AiCast
- ↳ AiData
- ↳ AiDownload
- ↳ AiFoto
- ↳ AiMaster
- ↳ AiMusic
- ↳ AiRemote
- ↳ AiSecure
- ↳ AiVideos
- Tech Talk
- ↳ Web Hosting
- ↳ Backup and Data Protection
- ↳ Virtualization
- Misc.
- ↳ Archives
- ↳ XBMC