Every one of your synology tutorials is pure gold. I can't believe I didn't have this enabled on my NAS - almost lost over 3TB of photos and only retained them because I had a fireproof safe copy. If I had followed this advice before it would have been so much easier. Thank you.
@@ystebadvonschlegel3295 that's exactly what I do... Forget the cloud. I had a safe deposit box that I would swap drives out for years. Keeping one at another location and a set in my fireproof safe. Backup rotation was set in away, at most, I would be a month back at the safe deposit box, the drives from days, week, two weeks. Never keep drives connected to nas just in case it is compromised... They can't get to your backup drive. I have always been prepared for a full restore if that happened... Among other things
Great video! Thanks for reminding everyone to not treat their administrator account like user account. I would also recommend to never save the administrator password to in your browser.
Awesome video, I recently bought a 1815+ but hadn't set up snapshots, you made it very easy to follow to set up. Creating a new admin account and demoting your normal login is genius, removes having to make any changes to shares. Thanks for doing this video!!!
This is so well done and useful! Thanks so much for doing this. I'm new to Synology and your videos have taken the mystery out of some of the things I didn't understand.
Another great tutorial! I was all onboard for following this until I realized that I had cheaped out and bought a DS220J for my first NAS and it doesn't support BTRFS file system. Now it looks like I'm going to have to go the route of Hyper Backup maybe with a Raspberry Pie remote drive...... Keep up the great work! Having your tutorials has taken all my fear out of getting in there and getting my hands dirty!
So I just got a 920+ and followed all your VERY HELPFUL VIDEOs. I did run into one issue however, speed. So my setup before was a WD Element 8TB on a USB3.1 connection to my Mac. After seeing your videos on using LRC with Synology, I pulled the trigger, got the 920+, 4 - 8tb EXOS drives and 2 - Samsung 980 SSDs. I followed all your recommendations for setup and even installed the Synology Drive APP. I copied my LRC Catalog to my local Mac, setup Synology Drive, gave it a Synch point on the 920+..... BUT WOW did LRC become very very very.... VERY Slow. So I am trying to figure out, just how to make this transition make sense. I have a very good background with NAS systems, I used to design and build them on many different platforms of OS's and Hardware. AND I am extremely familiar with LRC being a Professional Photographer. I am thinking of placing a USB 3.2 SSD on my MAC, letting it be my Catalog Drive and then just backing that up.... I am curious what else you have tried to speed up your experience? Keep in mind, as a Pro Photographer, my catalogs contain a FULL year of data to pull photos for many reasons at an instant instead of hunting catalogs AND they may track as many as 100k photos... I have been doing this for the past 6 years... My Mac is an i5 with GPU and 64mb of RAM.
Wow, now I am glad that I have put the extra money to buy a DS220plus.. btrfs is really a true game changer even for a home set-up. I hope that more people discover your TH-cam channel.
Because you set the number of snapshots to 5, that specifies how many snapshots to keep before your rules are applied. So I guess in your scenario, you would only be retaining 5 days, the weeks and months may not apply.
My NAS is read only to my external logins except for one share that I use to load files into it. NAS is not external facing to the Web either. Has worked ok and I'm appreciative of the extra info on the video :).
Your videos have helped me out a lot! One thing that wasn't addressed in this video is how to create a snapshot when you have multiple Shared Folders in a single Volume. I'm not sure if I should create a single snapshot with all the Shared Folders in one, or create individual snapshots. There are at least 15 shared folders in a single volume so that could take some time to do the separately, but I want to set it up with best practice.
Thanks for this video! Excellent advice! A quick question. -- w ould you recommend turning off the last modified time features of folders to speed up the snapshots. Synology is asking me if I wish to do this. I use my NAS mainly for photos, media files and archived projects. Most of the real-time work is done on my local PC drives. So I *think* turning off the time tagging would be ok. Not sure if this will impact the photos though. What's your thoughts on this?
Love this video! Super helpful. I am currently backing up my DS920+ with Hyper Backup to the Synology C2 service. Is there anything I should be aware of before enabling Snapshot Replication?
Great presentation. Will the Snapshot Replication take a lot of space on the disk for video files ? Or even better is there a ratio of the snapshot backup file per terabyte? ( with adding file only not deletion). That will help me so much to evaluate my storage capability .
The best thing about BTRFS snapshots is that they are thin. This means they only take up space if files have been modified. Then they just take up the space of the modification
Hi , very helpful. I have a small office, recently switched to a btrfs capable nas. I am using Synology Drive to do immediate backups of users windows computer’s files to main nas, then using hyper backup to backup that nas to another older nas. I will now setup snapshots as suggested here. My main concern has been ransomware. I am trying to workout the best way to implement all this and have a user policy. One issue is one Drive setting is to delete files from nas as they are deleted from the users computer. This kind of defeats the purpose of using Drive to save you from accidental deletions but If deleted files stay on the server they will accumulate quickly and Drive recommends 500,000 files per Drive user. Now I’m now thinking with hourly snapshots I can delete from nas when deleted from computer. Any feedback is appreciated . Thanks
Nice video, thanks! I run mine slightly differently. All main shares are read only to users except admin, users home folders are read/write and have snapshots activated, and one main share is read/write to all users (/temp) all data that doesn't go to a users home dir is written to /temp and then moved to appropriate share by the admin account via DSM that way no matter what and of the main data shares can be mounted but are not writable, this works well for my setup as data doesn't change often in the main shares and when it does I am usualy the one changing it so I have complete control, I back up my main 24/7 on RS1219+ to an onsite DS1815+ once a week (automated power up, replicate, shutdown) and also replicate any valuable data to a 24/7 off site DS218+ via HyperBackup.
@@daillengineer yep I was using Hyperbackup onsite but my DS1815+ is now off-site at my parents and I Hyperbackup to that nightly (it boots up on schedule, then shutsdown when the backup is complete) I also still use my DS218+ at work to back up my most valuable data to via Hyperbackup, this way I always have 3 copies of my most important data in 3 different locations, and everything I could afford to loose is still in 2 locations.
@@radialblur That is awesome. I use very similiar setup but I use ds120j for backup. I know we can schedule the nas to power on/off. But how you make the backup nas to turn off automatically after backup is complete? How the backup nas knows the backup process is complete and hence it should turn off?
Nice video, but I have one major question after watching. Are crypto attacks possible on NAS that are not configured for external access, or is this tutorial only for people who need external access for their NAS? Wouldn't an ISP router provide sufficient protection for any local network share not configured for remote access?
So synologys actually are very secure devices and have not really had a direct breach. Where the majority of crypto attacks come from on synology are where you computer (with you synology drive mounted) gets a virus and encrypts the NAS
Great video, your help is much appreciated. It’s a pity that Synology doesn’t supply similar videos like this that explains thing so simply and are so easy to follow. Just the right balance of information and technical gobbledegook.
@@SpaceRexWill Well, you're welcome but it seems small compared to the several hours of valuable information you've given here. You may have saved me from an eventual security threat! So thank you very much for your work.
Good video. You missed the most important part. If they came in through the share, they will still have access via the same share unless you get them out of the main system.
Haha good point I did mention that offhandedly but I probably should have reinforced the fact that unless you figure out the computer that did it you are going to have it happen again
Excellent video SpaceRex and my thought exactly W. Shawn... and, the same question I had in my head half way through the video. After thinking about it, the NAS is for saving the data. Once data is safe, one just needs to rebuild the OS of the infected system from scratch. If each computer in the household has its own user account on the NAS, it should be easy to identify which computer let the attacker in. Create and maintain an instruction guide on how to reinstall the OS and all your software (including the license keys) while your system is functioning normally... print it... and keep it with your system repair disc (or USB Stick; or other system documentation). This is the surest way to know you got rid of any malware. Less assured, but will likely work... since backup/image copies are done at the admin level, restore the infected system from that.
Great Video Thanks. The Snapshot Replication App is the only bit that's not working for me:-) You used the new beta version in this video which have different schedule options, although I am sure I will get my head around it eventually, the current Snapshot Replication App "schedule options" are very confusing for someone who has not used it before, unlike the new beta version you used which appears to make a lot more sense.
Hey thank you. Will rewatch and work through it. at the moment I do Hyperbackup every day... but the external HDD is all the time connected via usb. I guess, a hacker would also encrypt that and then, still, all my data is lost... so i have to work again on making my files safer...
In your case the important thing is to not constantly use your Admin account for daily use. That way if your account is compromised the hacker will only have user privileges, not admin. You should also then make sure that the user has no r/w permissions to the volume that is the USB drive
@@SpaceRexWill your right.. i dissabled the "admin" -name account, and did give the rights to my names account. However this one is used for everything... like dsfiles, moments on the phone, connection to my windows 10.. sounds incredible bad... I will start switching the account for this without admin, especially without the r/w permissions to the usb drive volume.
@@SpaceRexWill Okay -what I did was the following: - I added a new admin-account with a random name and a very very strong 30dig.. password. That account has access, also to the USB-Drive. - My standard-account was downgraded to non-admin, but access to all folders. But I removed the access to the USB-Drive, so USB is not visible for this account at all. Therefore the Hyperbackup on the USB-Drive is not visible, just for the admin-account which I just use now for system-changes. - I use two-factor authent. for all user-accounts. Sounds good right? Thank you for your follow-up description, very great. Thanks
Amazing video! I learn so much from you this is the place to say thank you first of all now I have a question I changed the permissions (removed the administrator permissions) for my user as you suggested and went back to my user with normal permissions, the entire desktop was gone and with it the access to quite simple things that I didn't think a normal user would be able to log in or edit I immediately restored the administrative privileges as they were... I wanted to know if it is possible to see the desktop I had with normal permissions and if not, should I enable 2FA instead to increase the security a little more
Thanks for the video. Q, when you do a HyperBackup of the NAS (to say usb HDD or a friend's SYnology NAS), does it backup the snapshots as well, or just the latest version of the file system?
I tend to move a lot of big video files from one directory to another, and I don't know how snapshots would handle that. Instead of using snapshots, I just have a regular account with read only SMB permissions, and an admin account without smb/ftp/sftp/afs permissions. So, the only way to modify files is through the admin account, and only through the DSM. I think that's safe enough, I also have the recycle bin if I accidentally delete something.
Thank you for the video but on 27th JAN 2021, the rule settings for the Snapshot radically changed from your video: now there are anymore the "latest" snashopt to choose or unchoose...No Idea what I shall do now, it is very complicated, at least for me!
Log into DSM and click "Storage Manager" app. Once inside click the Storage Pool on left side pane. Look on right side and next to Storage Pool it will indicate RAID type and btrfs or ext4
Great video! Really helpful. Couple of questions: if all my data gets encrypted will it take up twice the space because snapshots save the delta and all data is changed? What happens if the size of the snapshot exceeds the available storage capacity? Should you use max 1/2 of your storage capacity when implementing this?
So in this case it actually does not matter. Basically during the attack the drive will fill up and the attacker will not be able to put any more files in the drive. But that’s ok because synology keeps 10% of your storage (so the volume will not crash) and once you realize what happened you can just delete the encrypted files
Hi Will fantastic video! Question: I'm already using Synology Drive. Can I recover all my data in case of a Crypto Attack with Synology Drive or do I have to use Snapshot Replication? Thx!
You can with some cases with drive but not all. For example the attacker could modify the files 32 times (even if it’s a very small mod) which would remove it from drive version control. It’s wayyy better then nothing but not all the way to snapshot
Hi! Awesome vid! You mentioned setting the snapshot schedule's frequency to every hour, is it recommended to snap every hour or it's actually okay to set it like for a day or 12hrs instead? Because I'm unsure if capturing the snapshots so frequently will slow down the NAS (longer loading time when accessing files), hope you're able to advise, cheers!
The only 'slow down' that you will see is when the snapshot is taken, and when it is cleaned up (at midnight) This happens in less than a second or two generally so you will not notice. Go for it!
@@SpaceRexWill Appreciate the prompt response and advice (: Can I also Inquire if the snapshot takes up any space in the NAS? As I know it works differently as compared to Hyper Backup.
its different. Does not take up space until you delete a file, after that it just does not give you back the space till the file is deleted (kinda like a recycling bin)
Hi. Thank you very much! I can finally use my NAS properly thanks to your vids. In this video you recommend to only enable SMB in your user account (not the admin). But if I disable SMB in the admin, I can't use SMB over VPN to access my NAS externally (even if I try to acces the user account?). So I have to enable SMB in the admin account? Cheers, Tim
Content is super helpful. Some nit suggestions, I don’t know why , but I really feel harder to breathe while watching this video. Probably because how you speak or how you cut the video ....
Great video. I just recently got my first Synology and have been keeping an eye on your videos. I do have one question if you have time. I had already disabled the admin account and now I'm going to follow your advice and use a new admin account. My question: When you "downgrade" your current "admin" to a "user" account, do you just deselect the Administrators' user group or do you also need to manually change the permissions? How about the applications tab? I'm asking because when I first created my account (now the new user account) I can't remember if I manually "allowed" applications and "read/write" permissions. Are there any specific applications or folders that the user should not be allowed to use? I un-ticked the administrator box from the user but I see a lot of allow under the applications tab, wondering if it's because I set those manually before or if that's because all users would normally see these allow.... I guess I could create a new user to see what it looks like. I'll try to do this but if you do have a chance to clarify what specific changes someone would need to make to their "user" account that might be useful. Cheers and thanks again for the videos.
So the main purpose of downgrading the user account is to really just not allow the attacker access to control snapshots. I would say give your user access to whatever you need as long as you have snapshots for them!
@@SpaceRexWill very logical. All I am missing at this point is a remote backup. I’ve watched your video about using a raspberry pie. My in-laws live nearby and could likely host a device for me. I’m also looking at odroid HC2 or perhaps using an old laptop I have... I’d like to have the device power down or at least drop to very low power usage down between backups. Thanks for the informative videos.
Question I hope you can answer please. With an hourly snapshot schedule, and with retention policy you've set up. Say, Friday afternoon, someone clicks on something at 3:30pm and gets their data crypto'ed. They go home, come back Monday morning and notice all their files are encrypted. In this scenario, the latest snapshot that we would be able to roll back to, is the last snapshot on Thursday, as we are keeping them for a 7 days right? So they would lose any changes made to any files on Friday??
My QNAP was hit. All my files smaller than 20MB are now zipped and encrypted. I’m not paying the $500 US ransom. I do have a backup so I didn’t loose much, but it’s still a royal PITA.
I am confused about the “no SMB” rule. My understanding has been that SMB is the only way to access the Synology NAS from Apple devices, like iPad or Macbook. The system would be managed from a Windows desktop in this example.
I wanted to ask you if I can access the nas in the local network with Vlc through 'universal plug and play', is it safe in your opinion? Thanks and congratulations for the channel!
Great blog on how to prevent and/or recover from ransomware. I subscribed today. I have or will soon incorporate your recommendations. On a related subject, plan to purchase a 2nd synology nas to enable NAS-NAS backups via Hyperbackup. I plan to buy the DS920 to be my new production nas and then utilize my existing DS418 as the remote NAS. My long-term goal is to cancel my iDrive subscription and totally rely on security practices and encrypted backup (only) nas files I watched your video about how to setup a backup NAS and how to encrypt the files. So just two questions: 1) would the encryption key on my backup DS418 nas prevent any ransome attack on the nas? 2) What is your opinion about dropping cloud backups (months later of course)? Not only is it costly (now at $600 per year) both it would be time consuming to order a recovery drive. Thanks in advice BTW; is there a way to contact you directly via chat of email? Jim
Hey! Answers 1) The encrypted Backup only protects you from threats seeing the data, not if they are able to delete the data, snapshots on the DS418 (if available) would allow you to roll the backup back 2) for me I only recommend paying for cloud backups for your truly crucial data. The ~100-300 gigs of family photos and tax documents that you just cannot get back. This costs normally under $100 per year which I think is well worth it. For the rest of the stuff thats massive files having a hard drive backup that might not survive if your house burns down is probably worth the risk
Great video thank you! Quick question, I know people aren't a fan of quickconnect, and neither am I. However, if I wanted to use it, would I benefit from enabling the firewall and essentially blocking everything except local network traffic and that one application using quickconnect? Also is there any point to enable the firewall when not using quickconnect? THANK YOU! Note: Currently I have my firewall setup blocking everything except local subnet traffic using ip/mask and the DSM (just so i dont accidently have to reset the nas)
I have a question! If I only have my drive accessible from Cloud Station Drive, then is it okay if I don't make a separate admin account? It doesn't appear the snapshot folder even appears visible on the computer (even if I show hidden folders). I don't want to make a separate admin account because otherwise I only access my Synology it's just through the browser with a very hard password, and I log out every time.
Thank you very much! Just one question left, please: In my old admin I've set all the rules for the NAS. Now with the new admin, do I have to reactivate/customize this rules again? Or are they transfered automatically from old admin to new admin? Thank you in advance!!!
Great Video & channel! Trying to make sure my new DS920+ is as secure as possible. QUESTION... I have snapshot scheduled for the shared drive I created, but I also have ActiveBackupforBusiness installed and running under my user account. Do I need to schedule a Shapshot on that directory as well??? Or do I only need to do a snapshot on my shared folders? Thanks for any additional guidance.
What most random ware do is leave the encrypted encryption key in your file system. It’s generally randomly generated and their password is required to decrypt it to get your files back. Using this method there is no way for you to decrypt the files without 6 years on a super computer
Every one of your synology tutorials is pure gold. I can't believe I didn't have this enabled on my NAS - almost lost over 3TB of photos and only retained them because I had a fireproof safe copy. If I had followed this advice before it would have been so much easier. Thank you.
Hey glad this was helpful and that you like the channel!
What you mean by fireproof copy? Cloud or another remote nas?
@@Hephasto in my case a separate hard drive stuck in my fireproof safe.
@@ystebadvonschlegel3295 that's exactly what I do... Forget the cloud. I had a safe deposit box that I would swap drives out for years. Keeping one at another location and a set in my fireproof safe. Backup rotation was set in away, at most, I would be a month back at the safe deposit box, the drives from days, week, two weeks. Never keep drives connected to nas just in case it is compromised... They can't get to your backup drive. I have always been prepared for a full restore if that happened... Among other things
Great video! Thanks for reminding everyone to not treat their administrator account like user account. I would also recommend to never save the administrator password to in your browser.
Awesome video, I recently bought a 1815+ but hadn't set up snapshots, you made it very easy to follow to set up. Creating a new admin account and demoting your normal login is genius, removes having to make any changes to shares. Thanks for doing this video!!!
Hey thanks! Really glad this was helpful!
There's a special place in Heaven for people that work so hard to share their knowledge and help others. To really know, you must teach. Thank you.
I've never like so many videos of one creator in a row! Grate job!
Hey thanks man!
5 dislikes from the attackers
Dead
@Hobert Saunas it's a scam site to get your credentials...
Another great video.
I somehow missed your "How To Secure your NAS" video, so that is added to my list to watch and implement.
Cheers.
Hey thanks! Glad it was helpful!
Great Video, great energy. Youre the Jim Carry of NAS
Thx for making me aware of the risks of admin rights and I've followed your clear recommendations to secure my NAS!
Glad it was helpful!
Wow. Unbelievable information. Literally you walk us through how to do this stuff. Incredibly helpful. Thank you SO much!
This is so well done and useful! Thanks so much for doing this. I'm new to Synology and your videos have taken the mystery out of some of the things I didn't understand.
Hey I’m glad! Thanks!
Great explanation of how snapshots work! Thanks!
So thorough! Thanks so much. I will be watching all of your Synology NAS videos!
Yours are the best Synology videos out there! Thank you so much!
Another great tutorial! I was all onboard for following this until I realized that I had cheaped out and bought a DS220J for my first NAS and it doesn't support BTRFS file system. Now it looks like I'm going to have to go the route of Hyper Backup maybe with a Raspberry Pie remote drive...... Keep up the great work! Having your tutorials has taken all my fear out of getting in there and getting my hands dirty!
Hey im glad! Thats awesome!
So I just got a 920+ and followed all your VERY HELPFUL VIDEOs. I did run into one issue however, speed. So my setup before was a WD Element 8TB on a USB3.1 connection to my Mac. After seeing your videos on using LRC with Synology, I pulled the trigger, got the 920+, 4 - 8tb EXOS drives and 2 - Samsung 980 SSDs. I followed all your recommendations for setup and even installed the Synology Drive APP. I copied my LRC Catalog to my local Mac, setup Synology Drive, gave it a Synch point on the 920+..... BUT WOW did LRC become very very very.... VERY Slow. So I am trying to figure out, just how to make this transition make sense. I have a very good background with NAS systems, I used to design and build them on many different platforms of OS's and Hardware. AND I am extremely familiar with LRC being a Professional Photographer. I am thinking of placing a USB 3.2 SSD on my MAC, letting it be my Catalog Drive and then just backing that up.... I am curious what else you have tried to speed up your experience? Keep in mind, as a Pro Photographer, my catalogs contain a FULL year of data to pull photos for many reasons at an instant instead of hunting catalogs AND they may track as many as 100k photos... I have been doing this for the past 6 years... My Mac is an i5 with GPU and 64mb of RAM.
Thank you so much for all the informations! I will follow every single step to protect my Synology NAS! ❤❤
Thanks for doing this! Really helpful as I start to use my NAS.
New to this whole Synology thing. Thanks so much for this vid!
Glad it was helpful?
Wow, now I am glad that I have put the extra money to buy a DS220plus.. btrfs is really a true game changer even for a home set-up. I hope that more people discover your TH-cam channel.
Hey thanks me too! Its still amazing how much its grown recently I am pretty happy!
BTRFS is really awesome!
Spot on. I used the Synology Assistant method previously but this way has the Share listed in the explorer directory better - thanks
Excellent video! Brilliant. Synology has amazing capabilities.
This is brilliant and for me it is going to change the game. Thanks for this video and everything.
Glad it was helpful!
I have been looking for this video for a long time ,thank you so much, just subscribed.
Excellent tutorial and I'm looking forward seeing the rest of the security stuff...
Because you set the number of snapshots to 5, that specifies how many snapshots to keep before your rules are applied. So I guess in your scenario, you would only be retaining 5 days, the weeks and months may not apply.
Is this definitely the case..?
My NAS is read only to my external logins except for one share that I use to load files into it. NAS is not external facing to the Web either. Has worked ok and I'm appreciative of the extra info on the video :).
Thanks you! We never stop to learn something
Thank you for sharing this! It was a helpful resource to assist a friend with their NAS.
I'd highly recommend using a de-clicker for your audio. :)
Your videos have helped me out a lot! One thing that wasn't addressed in this video is how to create a snapshot when you have multiple Shared Folders in a single Volume. I'm not sure if I should create a single snapshot with all the Shared Folders in one, or create individual snapshots. There are at least 15 shared folders in a single volume so that could take some time to do the separately, but I want to set it up with best practice.
I’m curious about this also ie what’s the best approach for multiple Shares…?
Great video & info BTW, thanks..!
New sub as I just barely escaped a ransomware attack... prevention and preparation!!!
Hey thanks!
What ended up happening with your last “close call”
Thanks for this video! Excellent advice! A quick question. -- w ould you recommend turning off the last modified time features of folders to speed up the snapshots. Synology is asking me if I wish to do this. I use my NAS mainly for photos, media files and archived projects. Most of the real-time work is done on my local PC drives. So I *think* turning off the time tagging would be ok. Not sure if this will impact the photos though. What's your thoughts on this?
I keep last access times off, its more efficient and not that necessary. You will still have the date the photos were taken in the meta data
Perfect explanation !
I definitely have to create such an account and stop using the only admin account...
Congrats !
So glad you put this info out there!
well done....the only backup is a backup! :)
haha glad you liked that!
Very helpful! Nice clear explanations and practical tips.
Glad you liked the video!
Love this video! Super helpful.
I am currently backing up my DS920+ with Hyper Backup to the Synology C2 service. Is there anything I should be aware of before enabling Snapshot Replication?
Have a second pool in the Nas with no users having permission...using backups is a good option too?
I'm pretty sure using backup is good option. But don't leave the backup device powered on all the times. Otherwise, backup also get encrypted 😊
Great video man, gonna give this a deep dive..
Great video with a lot of important things.Thanx a lot!
Glad it was helpful!
Very impressive. Thank you for video share. Will help me protect my NAS.
Glad you liked it!
Really useful information here! Your tips and info videos are very good 👍
Glad you think so!
Thanks a lot for your videos. They have helped me a lot to improve my NAS knowledge
This is invaluable. Thank you so much
Great presentation. Will the Snapshot Replication take a lot of space on the disk for video files ? Or even better is there a ratio of the snapshot backup file per terabyte? ( with adding file only not deletion). That will help me so much to evaluate my storage capability .
The best thing about BTRFS snapshots is that they are thin. This means they only take up space if files have been modified. Then they just take up the space of the modification
Great explanation!! and great hair too.
Your explanation is excellent! well done
Hi , very helpful. I have a small office, recently switched to a btrfs capable nas. I am using Synology Drive to do immediate backups of users windows computer’s files to main nas, then using hyper backup to backup that nas to another older nas. I will now setup snapshots as suggested here. My main concern has been ransomware. I am trying to workout the best way to implement all this and have a user policy. One issue is one Drive setting is to delete files from nas as they are deleted from the users computer. This kind of defeats the purpose of using Drive to save you from accidental deletions but If deleted files stay on the server they will accumulate quickly and Drive recommends 500,000 files per Drive user. Now I’m now thinking with hourly snapshots I can delete from nas when deleted from computer. Any feedback is appreciated . Thanks
Damn it’s so good!! Thanks man👍🏻
Nice video, thanks!
I run mine slightly differently. All main shares are read only to users except admin, users home folders are read/write and have snapshots activated, and one main share is read/write to all users (/temp) all data that doesn't go to a users home dir is written to /temp and then moved to appropriate share by the admin account via DSM that way no matter what and of the main data shares can be mounted but are not writable, this works well for my setup as data doesn't change often in the main shares and when it does I am usualy the one changing it so I have complete control, I back up my main 24/7 on RS1219+ to an onsite DS1815+ once a week (automated power up, replicate, shutdown) and also replicate any valuable data to a 24/7 off site DS218+ via HyperBackup.
How are you doing your on site backup? Not hyper backup?
@@daillengineer yep I was using Hyperbackup onsite but my DS1815+ is now off-site at my parents and I Hyperbackup to that nightly (it boots up on schedule, then shutsdown when the backup is complete) I also still use my DS218+ at work to back up my most valuable data to via Hyperbackup, this way I always have 3 copies of my most important data in 3 different locations, and everything I could afford to loose is still in 2 locations.
@@radialblur That is awesome. I use very similiar setup but I use ds120j for backup. I know we can schedule the nas to power on/off. But how you make the backup nas to turn off automatically after backup is complete? How the backup nas knows the backup process is complete and hence it should turn off?
Awesome vidéo thank you so much I feel much better knowing that I have this setup.
Glad it helped!
Nice video, but I have one major question after watching. Are crypto attacks possible on NAS that are not configured for external access, or is this tutorial only for people who need external access for their NAS? Wouldn't an ISP router provide sufficient protection for any local network share not configured for remote access?
So synologys actually are very secure devices and have not really had a direct breach. Where the majority of crypto attacks come from on synology are where you computer (with you synology drive mounted) gets a virus and encrypts the NAS
Great video, your help is much appreciated.
It’s a pity that Synology doesn’t supply similar videos like this that explains thing so simply and are so easy to follow. Just the right balance of information and technical gobbledegook.
Super video! I applauded for $10.00 👏👏👏
Wow! Thanks so much!
@@SpaceRexWill Well, you're welcome but it seems small compared to the several hours of valuable information you've given here. You may have saved me from an eventual security threat! So thank you very much for your work.
Really nice of you!
Things I should have done to start with. Thank you!!
It’s great to know this is available and I understand most of what you said, but I am a bit confused about some of it.
Great Video - again! Thanx❤
fantastic videos as always
Good video. You missed the most important part. If they came in through the share, they will still have access via the same share unless you get them out of the main system.
Haha good point I did mention that offhandedly but I probably should have reinforced the fact that unless you figure out the computer that did it you are going to have it happen again
Excellent video SpaceRex and my thought exactly W. Shawn... and, the same question I had in my head half way through the video. After thinking about it, the NAS is for saving the data. Once data is safe, one just needs to rebuild the OS of the infected system from scratch. If each computer in the household has its own user account on the NAS, it should be easy to identify which computer let the attacker in. Create and maintain an instruction guide on how to reinstall the OS and all your software (including the license keys) while your system is functioning normally... print it... and keep it with your system repair disc (or USB Stick; or other system documentation). This is the surest way to know you got rid of any malware. Less assured, but will likely work... since backup/image copies are done at the admin level, restore the infected system from that.
This is great! Thank you once again.
Happy to help!
Great Video Thanks. The Snapshot Replication App is the only bit that's not working for me:-) You used the new beta version in this video which have different schedule options, although I am sure I will get my head around it eventually, the current Snapshot Replication App "schedule options" are very confusing for someone who has not used it before, unlike the new beta version you used which appears to make a lot more sense.
Woohoo!! Thx so much!
Bro, pls tell me that you are receiving money from Sinology. Your every video is better than Sinology documentation!
Love you bro
I have a questi... nevermind, SUBSCRIBED! Thanks for this!
haha thanks!
Hey thank you. Will rewatch and work through it. at the moment I do Hyperbackup every day... but the external HDD is all the time connected via usb. I guess, a hacker would also encrypt that and then, still, all my data is lost... so i have to work again on making my files safer...
In your case the important thing is to not constantly use your Admin account for daily use. That way if your account is compromised the hacker will only have user privileges, not admin.
You should also then make sure that the user has no r/w permissions to the volume that is the USB drive
@@SpaceRexWill Very helpful, keep up your awesome work!
@@SpaceRexWill your right.. i dissabled the "admin" -name account, and did give the rights to my names account. However this one is used for everything... like dsfiles, moments on the phone, connection to my windows 10.. sounds incredible bad... I will start switching the account for this without admin, especially without the r/w permissions to the usb drive volume.
What you can do is what I did in the video and just create a new admin account and downgrade the account you were using
@@SpaceRexWill Okay -what I did was the following:
- I added a new admin-account with a random name and a very very strong 30dig.. password. That account has access, also to the USB-Drive.
- My standard-account was downgraded to non-admin, but access to all folders. But I removed the access to the USB-Drive, so USB is not visible for this account at all. Therefore the Hyperbackup on the USB-Drive is not visible, just for the admin-account which I just use now for system-changes.
- I use two-factor authent. for all user-accounts.
Sounds good right? Thank you for your follow-up description, very great. Thanks
Amazing video! I learn so much from you this is the place to say thank you first of all now I have a question
I changed the permissions (removed the administrator permissions) for my user as you suggested and went back to my user with normal permissions, the entire desktop was gone and with it the access to quite simple things that I didn't think a normal user would be able to log in or edit
I immediately restored the administrative privileges as they were...
I wanted to know if it is possible to see the desktop I had with normal permissions and if not, should I enable 2FA instead to increase the security a little more
Thanks for the video. Q, when you do a HyperBackup of the NAS (to say usb HDD or a friend's SYnology NAS), does it backup the snapshots as well, or just the latest version of the file system?
I tend to move a lot of big video files from one directory to another, and I don't know how snapshots would handle that.
Instead of using snapshots, I just have a regular account with read only SMB permissions, and an admin account without smb/ftp/sftp/afs permissions.
So, the only way to modify files is through the admin account, and only through the DSM. I think that's safe enough, I also have the recycle bin if I accidentally delete something.
Great video thanks! Guess I have a lot of work to do today :)
Hey thanks!
Thank you for the video but on 27th JAN 2021, the rule settings for the Snapshot radically changed from your video: now there are anymore the "latest" snashopt to choose or unchoose...No Idea what I shall do now, it is very complicated, at least for me!
Aaaaaaaaaand I get zero credit for sparking the idea for this video? That’s what I call a raw deal
How do I check if my Ds418 has BTRFS enabled?
Log into DSM and click "Storage Manager" app. Once inside click the Storage Pool on left side pane. Look on right side and next to Storage Pool it will indicate RAID type and btrfs or ext4
Great video! Really helpful.
Couple of questions: if all my data gets encrypted will it take up twice the space because snapshots save the delta and all data is changed? What happens if the size of the snapshot exceeds the available storage capacity? Should you use max 1/2 of your storage capacity when implementing this?
So in this case it actually does not matter. Basically during the attack the drive will fill up and the attacker will not be able to put any more files in the drive. But that’s ok because synology keeps 10% of your storage (so the volume will not crash) and once you realize what happened you can just delete the encrypted files
@@SpaceRexWill ah that makes sense, thanks!
Hi Will fantastic video! Question: I'm already using Synology Drive. Can I recover all my data in case of a Crypto Attack with Synology Drive or do I have to use Snapshot Replication? Thx!
You can with some cases with drive but not all. For example the attacker could modify the files 32 times (even if it’s a very small mod) which would remove it from drive version control. It’s wayyy better then nothing but not all the way to snapshot
Do you recommend disabling SMB on your admin account?
Hi! Awesome vid! You mentioned setting the snapshot schedule's frequency to every hour, is it recommended to snap every hour or it's actually okay to set it like for a day or 12hrs instead? Because I'm unsure if capturing the snapshots so frequently will slow down the NAS (longer loading time when accessing files), hope you're able to advise, cheers!
The only 'slow down' that you will see is when the snapshot is taken, and when it is cleaned up (at midnight) This happens in less than a second or two generally so you will not notice. Go for it!
@@SpaceRexWill Appreciate the prompt response and advice (: Can I also Inquire if the snapshot takes up any space in the NAS? As I know it works differently as compared to Hyper Backup.
its different. Does not take up space until you delete a file, after that it just does not give you back the space till the file is deleted (kinda like a recycling bin)
Always been my motto to never use a default admin/administrator account and create a new one that is not so common named
Very good video!!!
Thank you.
Thanks, really needed!
Most powerfull for is snapshot. I like this feature. I also have encrypted by ransomware but my snapshot is ok.
Hi. Thank you very much! I can finally use my NAS properly thanks to your vids.
In this video you recommend to only enable SMB in your user account (not the admin). But if I disable SMB in the admin, I can't use SMB over VPN to access my NAS externally (even if I try to acces the user account?). So I have to enable SMB in the admin account?
Cheers,
Tim
Great tutorial, thank you!
Really good video!
Content is super helpful. Some nit suggestions, I don’t know why , but I really feel harder to breathe while watching this video. Probably because how you speak or how you cut the video ....
Great video. I just recently got my first Synology and have been keeping an eye on your videos. I do have one question if you have time. I had already disabled the admin account and now I'm going to follow your advice and use a new admin account. My question: When you "downgrade" your current "admin" to a "user" account, do you just deselect the Administrators' user group or do you also need to manually change the permissions? How about the applications tab? I'm asking because when I first created my account (now the new user account) I can't remember if I manually "allowed" applications and "read/write" permissions. Are there any specific applications or folders that the user should not be allowed to use? I un-ticked the administrator box from the user but I see a lot of allow under the applications tab, wondering if it's because I set those manually before or if that's because all users would normally see these allow.... I guess I could create a new user to see what it looks like. I'll try to do this but if you do have a chance to clarify what specific changes someone would need to make to their "user" account that might be useful. Cheers and thanks again for the videos.
So the main purpose of downgrading the user account is to really just not allow the attacker access to control snapshots. I would say give your user access to whatever you need as long as you have snapshots for them!
@@SpaceRexWill very logical. All I am missing at this point is a remote backup. I’ve watched your video about using a raspberry pie. My in-laws live nearby and could likely host a device for me. I’m also looking at odroid HC2 or perhaps using an old laptop I have... I’d like to have the device power down or at least drop to very low power usage down between backups. Thanks for the informative videos.
Better not brute force your way into my NAS... no sir!
Question I hope you can answer please.
With an hourly snapshot schedule, and with retention policy you've set up. Say, Friday afternoon, someone clicks on something at 3:30pm and gets their data crypto'ed. They go home, come back Monday morning and notice all their files are encrypted. In this scenario, the latest snapshot that we would be able to roll back to, is the last snapshot on Thursday, as we are keeping them for a 7 days right? So they would lose any changes made to any files on Friday??
So yes. If you where worried about this you can have snapshots up to the 5 min mark
My QNAP was hit. All my files smaller than 20MB are now zipped and encrypted. I’m not paying the $500 US ransom. I do have a backup so I didn’t loose much, but it’s still a royal PITA.
ooofff, having backups are huge
Great job on this video
I am confused about the “no SMB” rule. My understanding has been that SMB is the only way to access the Synology NAS from Apple devices, like iPad or Macbook. The system would be managed from a Windows desktop in this example.
I wanted to ask you if I can access the nas in the local network with Vlc through 'universal plug and play', is it safe in your opinion? Thanks and congratulations for the channel!
Great blog on how to prevent and/or recover from ransomware. I subscribed today.
I have or will soon incorporate your recommendations.
On a related subject, plan to purchase a 2nd synology nas to enable NAS-NAS backups via Hyperbackup. I plan to buy the DS920 to be my new production nas and then utilize my existing DS418 as the remote NAS. My long-term goal is to cancel my iDrive subscription and totally rely on security practices and encrypted backup (only) nas files
I watched your video about how to setup a backup NAS and how to encrypt the files. So just two questions:
1) would the encryption key on my backup DS418 nas prevent any ransome attack on the nas?
2) What is your opinion about dropping cloud backups (months later of course)? Not only is it costly (now at $600 per year) both it would be time consuming to order a recovery drive.
Thanks in advice
BTW; is there a way to contact you directly via chat of email?
Jim
Hey! Answers
1) The encrypted Backup only protects you from threats seeing the data, not if they are able to delete the data, snapshots on the DS418 (if available) would allow you to roll the backup back
2) for me I only recommend paying for cloud backups for your truly crucial data. The ~100-300 gigs of family photos and tax documents that you just cannot get back. This costs normally under $100 per year which I think is well worth it. For the rest of the stuff thats massive files having a hard drive backup that might not survive if your house burns down is probably worth the risk
Great video thank you! Quick question, I know people aren't a fan of quickconnect, and neither am I. However, if I wanted to use it, would I benefit from enabling the firewall and essentially blocking everything except local network traffic and that one application using quickconnect? Also is there any point to enable the firewall when not using quickconnect? THANK YOU!
Note: Currently I have my firewall setup blocking everything except local subnet traffic using ip/mask and the DSM (just so i dont accidently have to reset the nas)
In this case if you can manage it a VPN server will be more secure if you are looking for external access
I have a question! If I only have my drive accessible from Cloud Station Drive, then is it okay if I don't make a separate admin account? It doesn't appear the snapshot folder even appears visible on the computer (even if I show hidden folders). I don't want to make a separate admin account because otherwise I only access my Synology it's just through the browser with a very hard password, and I log out every time.
Very helpful- thank you! Question: can a non-admin 'user' with read/write permission to a share, encrypt that share? Thanks.
Thank you very much! Just one question left, please: In my old admin I've set all the rules for the NAS. Now with the new admin, do I have to reactivate/customize this rules again? Or are they transfered automatically from old admin to new admin? Thank you in advance!!!
Great Video & channel! Trying to make sure my new DS920+ is as secure as possible. QUESTION... I have snapshot scheduled for the shared drive I created, but I also have ActiveBackupforBusiness installed and running under my user account. Do I need to schedule a Shapshot on that directory as well??? Or do I only need to do a snapshot on my shared folders? Thanks for any additional guidance.
I would not worry about snapshotting the active backup folder as they already have versioning and no smb access
@@SpaceRexWill Thanks for the quick response!
Thanks for great content. What is the way/app that you use to log in to your NAS?
I use SMB 99% of the time
@@SpaceRexWill Thanks.
Keep up the great work. You put out the best Synology content out there.
My NAS backs up data from 4 internal drives on my PC. Can I snapshot the backups? Is there any point in that?
Great video.
Many ransomware kits have free decryption tools. A simple Google will give you results from Kaspersky, Bit Defender etc.
What most random ware do is leave the encrypted encryption key in your file system. It’s generally randomly generated and their password is required to decrypt it to get your files back. Using this method there is no way for you to decrypt the files without 6 years on a super computer