Suggested Windows "backup" share configuration for ransomware protection

  • I've been using OMV5/armbian, mostly for my automated borg backups, without issues for so long that I've forgotten the configuration details.


    Now I would like to add a share for a network backup location for a Windows 10 computer on the local network, and my main concerns are user errors and ransomware protection. Suggestions on how to configure it to reduce risks? I would think read-only would be ideal but I don't see how that's possible given the need to write backups.


    Also, are different shares reasonably safe from each other in case of contamination/ransomware? My borg backup share is accessible only by the backup user and only via SSH PKE (not CIFS/SMB, and no password login).

  • One option is to use ZFS with snapshots. The snapshots are immutable so all you need to do is "roll back" to the previous version. Read up about it to understand more.


    EDIT: You can do something similar with BTRFS but don't use it for RAID.

    Former Xpenology user moved to OMV 7.x with ZFS.

    HP Microserver Gen8 - 16GB RAM - 1x 32GB USB - 1x 480 GB SSD - 4x 16TB Exos (Shucked) / ZFS - OMV 7.x bare metal

    HP Microserver Gen7 N54L - 8GB RAM - 1x 32GB USB - 1x 240 GB SSD - 4x 4TB / ZFS - OMV 7.x bare metal

  • Bobur, thanks for the thought. ZFS and BTRFS have lots of interesting features, though right now I'm apprehensive as I am not familiar with them (yet) and this is for backups.


    My current OMV setup is a simple Odroid HC2 (2GB RAM and arm7l (32-bit) architecture) with a single 10TB HDD formatted to ext4. I was just hoping for some pointers on how (or how not to) configure a share for a Windows 10 backup network drive on it to minimize risks, even if it's not a perfect setup.

  • Now I would like to add a share for a network backup location for a Windows 10 computer on the local network, and my main concerns are user errors and ransomware protection. Suggestions on how to configure it to reduce risks? I would think read-only would be ideal but I don't see how that's possible given the need to write backups.


    Also, are different shares reasonably safe from each other in case of contamination/ransomware? My borg backup share is accessible only by the backup user and only via SSH PKE (not CIFS/SMB, and no password login).

    Use rsnapshot to take snapshots of the published share to some directory not exposed by any service.

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.

  • Use rsnapshot to take snapshots of the published share to some directory not exposed by any service.

    Simple and practical, that's great!


    Suggestions on how (not) to configure the published share? Thinking SMB, not sure about requiring authentication (LAN only) or other restrictions to keep it simple to access and create backups from Windows.

  • Just a simple smb share called backup is enough. I never use shares without authentication even in a home network.

    Then create a shared folder versioned-backup and create the rsnapshot job to copy from backup to versioned-backup.

    Do not configure a smb share for versioned backup.

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.
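
A check for the layout described in the post above, as an added example that is not part of the original thread: it reads a Samba configuration and fails if any share path equals, contains, or sits inside the rsnapshot target directory. The share name `backup` and folder name `versioned-backup` come from the post; the `/srv/data/...` paths and the `winbackup` user are constructed placeholders, and the script only looks at Samba, not at other services.

```shell
#!/bin/sh
# Added example. Share names and paths below are constructed placeholders.
# Feed it /etc/samba/smb.conf or a saved dump of `testparm -s`.

# list_share_paths CONF: print "share<TAB>path" for each section that sets a path.
list_share_paths() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comments
        /^[ \t]*\[/   { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); share = $0; next }
        /^[ \t]*path[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            print share "\t" $0
        }' "$1"
}

# exposed_shares CONF ROOT: print every share whose path overlaps ROOT.
exposed_shares() {
    root=${2%/}
    list_share_paths "$1" | while IFS="$(printf '\t')" read -r share path; do
        path=${path%/}
        case "$root/" in "$path"/*) echo "$share"; continue ;; esac  # share is ROOT or a parent
        case "$path/" in "$root"/*) echo "$share" ;; esac            # share lies inside ROOT
    done
}

# snapshot_root_isolated CONF ROOT: succeed only if no SMB share can reach ROOT.
snapshot_root_isolated() {
    hits=$(exposed_shares "$1" "$2" | tr '\n' ' ')
    if [ -n "$hits" ]; then
        echo "EXPOSED: $2 reachable via share(s): $hits" >&2
        return 1
    fi
}

conf=$(mktemp)   # constructed sample config, matching the layout in the post
cat > "$conf" <<'EOF'
[global]
    workgroup = WORKGROUP
[backup]
    path = /srv/data/backup
    valid users = winbackup
    guest ok = no
EOF
snapshot_root_isolated "$conf" /srv/data/versioned-backup \
    && echo "OK: versioned-backup is not published over SMB"
```

Running it after every share change catches the case where a broader share (for example one rooted at the whole data disk) silently makes the snapshot directory writable from the Windows client.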
