Users have realized that resorting to the public cloud means that we have to spend quite a lot of money monthly or annually, and that, in the long term, it is more worth it to buy a NAS and hard drives to store all the content. In addition, we can use this equipment for many other uses that are not private cloud, such as virtualization of operating systems or becoming a multimedia server with Plex Media Server or Jellyfin, to be able to stream to all the TVs at home or away.
Risks that exist when using your own cloud
Setting up a private cloud in our home is not without risks, especially if you do not know very well how to configure the server and the related security policies. There are mainly three critical risks that you must face, since, although these problems may occur, they can be minimized so that they do not affect us at all.
Access from outside in an unsafe manner
For a private cloud to be useful, it must be accessible over the Internet, since at any time we may want to access the folders and files contained in it, or directly to our media server to play multimedia content. A Action that you should totally avoid is opening the NAS administration port on your router, so that it can be accessed from the outside. In terms of security, doing this will expose the graphical user interface of your server, which may be susceptible to attacks and exploitation of vulnerabilities that are found, so it is neither safe nor advisable to do this. If you want to access remotely over the Internet, you have four main methods that are safe:
- Set up a VPN server on the router or NAS: Nowadays most home WiFi routers and NAS support the possibility of configuring a VPN server, either with OpenVPN or WireGuard. In this way, in order to connect to the NAS server, we will have to previously connect to the VPN server and tunnel all traffic. This is the safest way to connect, since the authentication against the VPN server is very robust, using digital certificates or a public-private key pair. In order to connect, you will have to open a port to the VPN server.
- Use an SDN VPN like ZeroTier, TailScale or similar. This type of VPN allows us to create an encrypted SDN network, in such a way that we will connect to the ZeroTier, TailScale or any other similar provider network, and we will be able to communicate with the NAS as if we were on the local network. To start this system it is not necessary to open any port on the router.
- Set up a reverse proxy server: Software like Traefik or Nginx Proxy Manager allow us to set up a reverse proxy, this means that we can access the NAS server by setting a specific domain. These softwares allow us to limit access by country, that only certain encryptions are allowed and we can even add an additional strong authentication based on OAuth2 to further strengthen said authentication, and subsequently access the administration of the NAS. In this case it is necessary to open port 443 for the HTTPS connection. In order to implement this, we will need a dynamic DNS host, or our own domain.
- Use Cloudflare Tunnel: the giant Cloudflare allows us to configure a reverse proxy in its infrastructure, in this case we will not have to open any port to be able to access the NAS server via the web, and the service itself will allow us to limit requests by country and add additional robust authentication, like authenticate by email and many other ways.
With these four options, you will have guarantees that remote access will be protected, so you should take this into account.
Data loss due to hardware problem
When we have a NAS server with several hard drives or SSDs, at any time one of them can break and lose the information contained on that disk. The most normal thing is that any server has different types of RAID configured, to protect us precisely from this problem. If you mount a RAID 5 and a disk breaks, nothing happens because if we replace it we can regenerate the information based on the information distributed on the rest of the disks. However, if you have mounted a RAID 5 and a second disk breaks, you will lose absolutely all the data contained, since regeneration is not possible as it does not have double parity.
It is very important to choose the type of RAID well so that the failure of one, two or more disks does not affect us. In addition, we also make some additional recommendations to minimize it:
- Although the disks in a RAID must be the same size, mix hard drives from different manufacturers and different manufacturing dates, to minimize a design flaw of the disks.
- After about 3 or 4 years, change one or more disks in the RAID to minimize the possibility of multiple disk failures while the RAID is being recomposed.
- Configure one or more disks as Hot-spare, that is, they are part of the RAID so that, in the event of one of them breaking, replication will automatically begin on the disk that is “standby”, to minimize regeneration time .
As you can see, it is critical to protect ourselves against a hardware problem, especially in the disks. But we must also take into account the possibility of a power surge and even a power outage. This is solved by installing a UPS next to our NAS, to protect it from this, and make the NAS turn off safely in the event of a power outage. in the electrical supply.
Ransomware is one of the main dangers of the private cloud, whether caused by one of the computers with which we can access all the information on the NAS, as well as the infection of the NAS itself if we leave it exposed to the Internet, something that is not It is not recommended for security reasons, as we have mentioned previously.
To avoid any type of data loss problem due to ransomware (as long as the NAS has not been hacked with administrator permissions), the recommendations are as follows:
- Limit the access of different users to the NAS, they do not always have to have administrator permissions.
- Configure snapshots, to be able to take a daily “photo” of all the data, and to be able to go back whenever we want.
- Configure WORM (Write Only Read Many) type volumes, a special volume that only allows data to be written and modified for a certain period of time, and subsequently we can only read the data, but not edit it. These types of volumes are very important to not overwrite the information.
- Scheduled backups that are external to the NAS, either on another server or the cloud.
As you can see, there are different techniques to protect a server from ransomware, although the danger will always be present.
One of the main recommendations that we can give you if you have a private cloud, is that you make backup copies in the public cloud weekly, to keep all the files under additional protection, you could also make a backup copy to another external NAS, a reverse backup and even backup to an external hard drive as an offline copy.