A better NAS solution
May 15, 2017 5:31 AM

I'm looking for suggestions on how to build (or buy) a better home NAS solution with RAID5 and (possibly) some degree of ransomware protection...

Our existing NAS box is reaching the limits of its disc space so I'm looking to add to it with another box. The existing one can stay serving music and video, and the new one backing up our files.

Rather than relying on users copying files to it for backups, I'd quite like to make it automatic so that it (for example) backs up specific Windows directories.

With the rise of ransomware, I also quite like the idea of it being inaccessible as a drive with recovery done by web interface or manual access.

Is this logical, doable, and not hideously expensive? Any suggestions on how?
posted by sodium lights the horizon to Computers & Internet (9 answers total) 5 users marked this as a favorite
Windows or Mac?
posted by LuckySeven~ at 6:41 AM on May 15, 2017


The bit that says "specific Windows directories" should really say "specific directories" since I don't actually mean subdirectories of the OS directory.
posted by sodium lights the horizon at 6:46 AM on May 15, 2017

Obligatory FreeNAS shoutout.

The software is sound, works very well, battle tested, etc. You can look at a commercial solution like a Polywell. But if you feel comfortable building a machine, then I think FreeNAS might be the better solution.

As for backing up automatically, you can set up rsync scripts to run periodically. Check this article out. It's for an older version of FreeNAS, but the principle is the same.
posted by teabag at 7:09 AM on May 15, 2017

Look at the Synology line. I am a DIY/Linux kind of guy but their NAS boxes have some of the best (web based) software I've used on any device and they are pretty set-it-and-forget-it while at the same time being pretty powerful. I've had one running for years without touching it.
posted by bradbane at 7:43 AM on May 15, 2017 [1 favorite]

Do yourself a giant favour and just buy a Synology. I used to build my own, and inevitably had an issue every year or so where a disk would fail, and I would lose data. (Because software RAID just didn't seem to cut it on my Windows-based boxes - probably you would have better luck with Linux)

So - after that happening one too many times, I am now on my second NAS in about 10-years. QNAP was my first, but left that with the "ex" (if they are tech savvy, that is one of the things that will be contentious during a divorce ;-) ) and went with a 5-bay Synology in July 2013.

That one has been solid (gotta remember to get rid of the dust every few months) - but admittedly, the drives have begun to fail - even so - I have replaced 3 out of 5 since December, and not lost any data. (And... each time I replace a disk, my total available storage goes up, because I am swapping 3tb with 4tb drives)

Tons of services and apps for download - Plex runs nicely (ensure you get one with an Intel CPU).

Personally - I would never go back to a DIY for my primary storage/backup/media server. (Clients yes, but not the core)
posted by jkaczor at 11:02 AM on May 15, 2017

"Do yourself a favor and use linux" seriously? That's awful advice to give to someone who's just looking for a decent backup solution. "Just wipe all your computers, carefully migrate all the data and users to something unfamiliar, train everyone up on Linux, learn server administration, find replacement software and get users used to that, oh, and then once all that is done, ask the exact same question because you still want to know how to do a reliable backup".

My most recent recommended setup is a Synology as the primary backup storage-- each user has a share specifically for them. I then use Cloudberry to back up their data to that share. You have options to do file or full image based backups, the important thing is to keep time-slices of those backups, being able to restore the most recent backup isn't great-- you want to be able to walk back in time, your storage capacity will be the judge of how far you can go with that (pretty far if you do incremental backups).

I also use Acronis instead of Cloudberry for other sites, it works just the same and is very reliable.

You can do that backup to the Synology via SMB or FTP etc. Using the SMB option seems to be sandboxed (e.g. even if the Cloudberry client is accessing the share, the local computer can't do the same without requiring authentication) and the user never gets to know that password. So, if they get hit by Ransomware, the system can't get to those networked backups to cause havoc. That's worth checking if you use a different backup software that might open the share up on the user/system level. Synology comes with a backup client, so if you go that route, just check that it also acts in that manner, I would hope most do the right thing :)

Secondarily, because it's always useful to have data off-site, I use CrashPlan to keep copies of the data too (Backblaze is also popular), though I'll probably migrate to getting Cloudberry to handle that too, since it happily plugs into a variety of cloud-file systems and I get better reporting for the particular version of Cloudberry I use.
posted by Static Vagabond at 11:07 AM on May 15, 2017 [2 favorites]

Synology or FreeNAS.

The Synology boxes use btrfs these days, so they are decently protected against bitrot and the UI is nice, with all kinds of nifty plugins to add functionality.

That said, if it were my money and I wanted a GUI frontend, I'd use FreeNAS running zfs with mirrored vdevs. Yes, you lose 50% of the disk space, but you are much less likely to run into issues with failed rebuilds when a disk fails. SATA disk read error rates are high enough that rebuilding a RAID5 or RAIDZ1 in the case of zfs is likely to fail on large disks.

I very much like zfs' snapshotting and the ability to incrementally sync the filesystem to another box over a network. It makes having an offsite spare much easier than with btrfs and it's more seamless (and faster) than using rsync to do file-level replication. It takes a looong time for rsync to calculate and transfer the delta over even 2-3Mbps uplinks on large datasets.

If you will only ever have the one NAS box, Synology and btrfs snapshots are good enough to roll back from ransomware. I just like having the extra peace of mind with an offsite copy of everything that remains under my control. It's not at all unlikely that future ransomware will check your computer for backup software and use it to delete all the backups it can reach just like many variants already kill shadow copies on Windows before doing their dirty work.

An offsite FreeNAS box only known to your onsite FreeNAS box isn't accessible to it, so will at the least always have snapshots to roll back to and sync back onsite even if it somehow manages to murder everything local. (Not that it is likely to be able to delete and disable snapshots on a local Synology or FreeNAS box, but I'm paranoid when it comes to irreplaceable data)
posted by wierdo at 12:04 PM on May 15, 2017
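
The snapshot-based incremental sync described in the answer above, as an added example that is not part of the original thread: it picks the newest snapshot both boxes already hold and prints the matching `zfs send | zfs receive` pipeline as a dry run. The dataset names, the `offsite-nas` host alias, the snapshot names and the `repl` account are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are hypothetical.
SRC_DS="tank/backups"      # onsite dataset holding the backup shares
DST_HOST="offsite-nas"     # ssh alias of the offsite box
DST_DS="vault/backups"     # dataset on the offsite box

# Snapshot lists are whitespace-separated names (the part after '@'),
# oldest first, e.g. derived from:
#   zfs list -H -t snapshot -o name -s creation -d 1 "$SRC_DS"

# latest_common SRC_LIST DST_LIST -> newest snapshot present on both sides
latest_common() {
    common=""
    for s in $1; do
        for d in $2; do
            if [ "$s" = "$d" ]; then common="$s"; fi
        done
    done
    printf '%s' "$common"
}

# plan_send NEW_SNAP SRC_LIST DST_LIST -> prints the pipeline to run.
# With a common base only the delta since that snapshot is sent;
# without one (first run) a full stream is needed.
plan_send() {
    base=$(latest_common "$2" "$3")
    if [ -n "$base" ]; then
        printf 'zfs send -i @%s %s@%s | ssh %s zfs receive -u %s\n' \
            "$base" "$SRC_DS" "$1" "$DST_HOST" "$DST_DS"
    else
        printf 'zfs send %s@%s | ssh %s zfs receive -u %s\n' \
            "$SRC_DS" "$1" "$DST_HOST" "$DST_DS"
    fi
}

# Assumed hardening on the offsite box: the receiving account gets only
#   zfs allow -u repl create,mount,receive vault/backups
# and no 'destroy', so a compromised onsite side cannot delete the
# offsite snapshot history.

# Constructed sample state: onsite has three dailies, offsite has two.
plan_send "daily-2017-05-15" \
    "daily-2017-05-13 daily-2017-05-14 daily-2017-05-15" \
    "daily-2017-05-13 daily-2017-05-14"
```

Taking the snapshot itself (`zfs snapshot tank/backups@daily-2017-05-15`) happens before this step; the script only plans the transfer.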

Keep in mind btrfs is only on some Synology models. I think the lowest available in the prosumer space is the DS416play.

But yes, I have a similar setup. My cheap little ReadyNAS uses btrfs and has automatic snapshots (my NAS currently has four years' worth of snapshots on folders) which makes it invulnerable to ransomware attacks. For offsite I sync the entire NAS to Amazon Cloud Drive. It's great. I would recommend the setup to anyone if the brand of NAS supports it.
posted by Talez at 3:11 PM on May 15, 2017

UnRaid might work for you. It's mainly designed for virtualization, but it also supports drives protected from any single disk failure with a parity drive. If any one drive fails, it carries on and there's no speed penalty or downtime. I use it for backup through a CrashPlan docker and a CrashPlan account that means I can back up to local and the cloud and easily restore.
posted by baggers at 5:24 PM on May 15, 2017
