NAS Backup

We use NAS (Network Attached Storage) devices for two main purposes:

  • as backup storage;
  • for storing larger amounts of non-critical files (download mirrors, media files, etc.);

Additionally we use a second device on a remote location for off-site backup.

The remote system is off most of the day. It is scheduled to turn itself on every night and pull the latest backup data from the local system and subsequently shut down again after that. It can by turned on remotely anytime if needed trough WOL (Wake On LAN).

Local Backup Storage

Shared Folder for Backups

For storing backups of our various devices we create a shared folder on the local NAS:

  1. Open “Control Panel”
  2. Select “Shared Folder”
  3. Click on the “Create” button
  4. Set a name and description, i. e. like “backup” and “System backups”.
  5. Don’t activate “Enable Recycle Bin”.

File Services for Backup

For the SFTP (secure file transfer) service:

  1. Open “Control Panel”
  2. Select “File Services”
  3. Click on the “FTP” tab.
  4. Scroll down to the “SFTP” section.
  5. Activate the “Enable SFTP service” option.
  6. Choose a random TCP port number and set it as “Port number”.
  7. In the “General” section below click on the “Advanced Settings” button.
  8. Deactivate the “Enable FTP file transfer log” option.
  9. Deactivate the “Change user root directories” option.
  10. Deactivate the “Enable Anonymous FTP” option.
  11. Activate the “Apply default UNIX permisssions” option.
  12. Click the “OK” button to return.
  13. Confirm the settings by hitting the “Apply” button.

For the rsync service:

  1. Open “Control Panel”
  2. Select “File Services”
  3. Select the “rsync” tab
  4. Activate “Enable rsync service”
  5. Choose a random TCP port number and set it as “SSH encryption port”.
  6. Don’t activate “Enable rsync account”.
  7. Click the “Apply” button to store and activate.

Prepare for SSH keys

In DSM

Since we will authenticate SSH users by public keys instead of passwords, users need home directories to store their public keys.

  1. Open “Control Panel”
  2. Select “User”
  3. Click on the “Advanced” tab.
  4. Scroll down to the “User Home” section at the bottom of the dialog.
  5. Activate the “Enable user home service” option.
  6. Activate the “Enable Recycle Bin” option.
  7. Confirm the settings by hitting the “Apply” button.

Users need access to the homes shared folder. This can be achieved by …

  1. Open “Control Panel”.
  2. Select “Shared Folder”.
  3. Select “homes” from the list of shared folders.
  4. Click the “Edit” button.
  5. Select the “Permissions” tab.
  6. Select “Local groups” in the drop-down on the left above the list of users.
  7. Select the “users” group and click on the “Custom” column.
  8. In the “Permission Editor” dialog select “Traverse folder/Execute files”.
  9. Click the “OK” button to exit the dialog.
  10. Click the “OK” button to exit the “Edit Shared Folder” dialog.

On the command line:

Open a SSH command-line session as root on the DiskStation.

Change users home folder permissions, so that only the owner itself has access:

$ cd /volume1/homes
$ chmod 0700 user1 user2 user3 ...

Change the users SSH configuration directory .ssh permissions, so that only the user himself is allowed:

$ chmod 0700 /volume1/homes/*/.ssh

Restrict access to the users SSH public keys:

$ chmod 0600 /volume1/homes/*/.ssh/authorized_keys

Note

This removes any Windows ACL settings on these folders.

User Group for Backup Clients

Create a user group for the backup clients:

  1. Open “Control Panel”
  2. Select “Group”
  3. Click on the “Create” button
  4. Set the groups name as “backup” and a description like “Backup clients”
  5. Click the “Next” button.
  6. Set shared folder permissions by activating the “Read/Write” permission on the line of the “backup” share.
  7. Click the “Next” button.
  8. Skip the “Quota Settings” and click the “Next” button again.
  9. Assign application permissions for FTP and rsync only.
  10. Click the “Next” button.
  11. Skip the “Group Speed Limit Settings” and click the “Next” button again.
  12. Confirm the settings by hitting the “Apply” button.

User Profiles for Backup Clients

Create a user profile for every device that will store its backup data on local NAS and also one for the remote backup NAS.

  1. Open “Control Panel”
  2. Select “User”
  3. Click on the “Create” button
  4. Set a name and description of the device which will send its backups here.
  5. Use your own email address to receive notifications.
  6. Create a strong random password.
  7. Deactivate the “Send a notification mail …” option.
  8. Activate the “Disallow the user to change account password”
  9. Click the “Next” button.
  10. Add the user to the “backup” group in the “Join groups”.
  11. Skip the “Assign shared folder permissions” and click the “Next” button again.
  12. Skip the “User quota settings” and click the “Next” button again.
  13. Skip the “Assign application permissions” and click the “Next” button again.
  14. Skip the “User Speed Limit Settings” and click the “Next” button again.
  15. Confirm the settings by hitting the “Apply” button.

The backups are performed by the devices themselves. The local NAS just provides the storage over SFTP (secure file transfer over SSH) for severs and desktops and rsync over SSH for routers.

Remote Backup Storage

Add the same “backup” group and all of its users, as in the local NAS.

Login to the DSM with your administrator account and create shell script in your home directory:

#!/bin/bash

LOCAL_DIR="/volume1/"
SSH_USER="mccoy"
SSH_ID="/root/.ssh/id_ed25519.pub"
SSH_HOST="scott.example.net"
SSH_PORT="17251"
REMOTE_DIR="/volume1/backup"
LOGFILE="/volume1/homes/admin/rsync.log"

RSYNC_RSH="ssh -p ${SSH_PORT}"
source="${SSH_USER}@${SSH_HOST}:${REMOTE_DIR}"
target="$LOCAL_DIR"

/bin/rsync --archive --delete --super --rsh "${RSYNC_RSH}" \
            --log-file ${LOGFILE} \
            --human-readable --stats \
            "${source}" "${target}"

Notes

Why not use Synology Hyper-Backup?

Synology Hyper Backup uses a proprietary storage format. The backed up data is only accessible with Synology software.

Why not use Synology Hyper-Backup in “single-version”?

While “legacy-mode” or “single-version” backed up files are just stored in its native form in folders and remain accessible without Synology software,

  • deletions are not propagated to the backup folders. It will add files but never delete any;
  • Backups are push only. A remote system can not pull the backup data.

Why not use Synology Backup Vault on the remote NAS?

  • Only works with backup-data created by Hyper-Backup in its proprietary format;
  • Backups are push only. The remote NAS is not can not pull the backup data from the local one by itself.

Why not use Synology Shared-Folder-Sync?

  • Again this is a one-way push only solution which must be initiated by the local NAS.

Why not use Synology Cloud Station ShareSync?

  • Has a more overhead as it does a lot we don’t need, i.e. file versioning. The backup solutions on the clients already take care of that.

Why not use Synology Cloud Station Backup?

  • Cloud Station Backup is a solution geared towards desktop systems. We are mostly talking about backing up servers and routers.
  • Ubuntu Desktop has a well integrated backup solution (DejaDup) which transfers its backup data via SFTP.