LinuxQuestions.org
Old 03-27-2023, 11:33 AM   #1
andrkac
LQ Newbie
 
Registered: Jan 2023
Posts: 29

Rep: Reputation: 0
Backup strategy, system based on ubuntu 22.04


In the last few days, I've refreshed my home server - new hardware, new software, everything new.
Now it's Ubuntu Server 22.04 and a JBOD case with five bays (all busy for now, trying to clean up stored data).

Till now, all my backup actions were burning some DVDs or manually copying data to an external disk from time to time.

Now I can do something else - establish one or even two of the disks for that and create some backups. Also, my JBOD case can be configured with RAID 1 on two disks.

But it will secure my data in case of disk failure. The other important threat is a ransomware attack.

Is there a way to secure myself for such cases?
I'm thinking about two disks or partitions, generally unmounted. Some script may:
- mount one of them (next time - the other one),
- check a checksum (between a file on the mounted partition and another file* in the base OS),
- if it matches, a new backup may be made on the mounted partition; if not, the backup system stops, alerts me and absolutely does not touch the other partition, which should have a working backup.

*the checksum files should have different names and internal formats to avoid the situation where both identical files are infected/encrypted with the same algorithm and are, again, identical.

I haven't worked on an automated backup system yet; I'm looking for a good solution for my case:
large disk space, only one location, no cloud solutions, no tapes or optical disks to burn.

I expect that, since I'm just a person with some home data (like family photos), I won't be the target of a large-scale attack with deep penetration of my environment, but some automated, simple ransomware may bite me.

Does it make any sense? Any other idea?
 
Old 03-27-2023, 12:48 PM   #2
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,336

Rep: Reputation: 548
Quote:
Originally Posted by andrkac
Any other idea?
I suggest that you also set up an off site backup system. My off site backup came in handy when my house burned down.
 
Old 03-27-2023, 01:14 PM   #3
elgrandeperro
Member
 
Registered: Apr 2021
Posts: 415
Blog Entries: 2

Rep: Reputation: Disabled
I've designed many a backup system but this is for the checksum part. For checksum, just use aide. Aide is designed for this.

As far as backup, you want something that does incrementals. Something that snaps the whole backup will either fill up or just copy the bad data before you can restore.

Last edited by elgrandeperro; 03-27-2023 at 01:17 PM.
 
Old 03-27-2023, 03:45 PM   #4
andrkac
LQ Newbie
 
Registered: Jan 2023
Posts: 29

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jailbait
I suggest that you also set up an off site backup system. My off site backup came in handy when my house burned down.
You're right, it should be done, even by sending (locally encrypted) data into some cloud service. This is obvious, but that's not the point.
The real question is below.

Quote:
Originally Posted by elgrandeperro
I've designed many a backup system but this is for the checksum part. For checksum, just use aide. Aide is designed for this.

As far as backup, you want something that does incrementals. Something that snaps the whole backup will either fill up or just copy the bad data before you can restore.
Thanks, will check aide.
And yes, incrementals should be on the table.
Of course I prefer to use a working, experienced backup solution rather than my own (I have some python or bash skills, but don't know too much about backup itself).


The main point:
How to secure data against a ransomware attack?
That's why I'm thinking about two partitions, where only one can be mounted at a time. And the more technical question is - how to check that the data is not compromised (and let the other partition stay safe in case of attack)? This is the ground of my checksum idea, but maybe there is something better?
Using non-rewritable DVDs may be a solution, but I need to back up some more data and don't want to change discs.
And I don't want tapes.

Last edited by andrkac; 03-27-2023 at 03:47 PM.
 
Old 03-27-2023, 11:44 PM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,356

Rep: Reputation: 2751
One thing to do is ensure your backup system logs into the main system and 'pulls' data across.
That way, you're not enabling any kind of login TO the backup server that a ransomware hacker can exploit.
 
Old 03-28-2023, 10:27 AM   #6
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,336

Rep: Reputation: 548
Quote:
Originally Posted by andrkac
And yes, incrementals should be on the table.
Of course I prefer to use a working, experienced backup solution rather than my own (I have some python or bash skills, but don't know too much about backup itself).

That's why I'm thinking about two partitions, where only one can be mounted at a time.

Using non-rewritable DVDs may be a solution, but I need to back up some more data and don't want to change discs.
And I don't want tapes.
I back up two computers in two different buildings. For each computer I have a 4 terabyte external USB hard drive divided into 4 one terabyte partitions. My home grown backup script detects which partition contains the oldest backup and uses rsync to update the oldest backup. The script also backs up a USB thumb drive which serves as my off site backup which I keep in a detached garage. I detach both the USB thumb drive and the USB hard drive when I am not actively doing a backup run.

You could separate the off-site and on-site backups. Then you could leave the USB hard drive permanently connected but only mount the current backup partition during the backup run, say started by crontab. Thus the only backup exposed to ransomware would be the current backup partition during the time that it is being written to.

I have no advice on the checksum problem as I have never worked with it.
 
Old 03-29-2023, 02:57 PM   #7
sammTheMan
LQ Newbie
 
Registered: Mar 2023
Location: Mitchell Ill
Distribution: Debian
Posts: 1

Rep: Reputation: 0
my backup strategy

I'm an advocate of raid-1 mirroring for root, plus I use the grub-multi-disks script to keep both UEFI partitions in sync. My method for doing backups is to temporarily add a 3rd SSD USB drive to my current root raid-1 (giving me 3 mirrored disks), then break the mirror and keep the USB drive as my backup in the event that I catastrophically clobber my /root drive while making major changes.

This did happen to me just this week, I was able to boot from my USB drive, and then attach my main boot drive to it as the missing part of the USB booted raid-1. Once it sync'd, I powered down, unplugged the USB drive, booted from the newly sync'd internal drive, re-added back the 2nd internal raid-1 drive, and allowed it to sync.

For me, this is the perfect way to get back to a known state. Of course, my raid-1 does protect me from any mechanical failures...

Hope this helps..
 
Old 03-30-2023, 08:15 AM   #8
andrkac
LQ Newbie
 
Registered: Jan 2023
Posts: 29

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by sammTheMan
I'm an advocate of raid-1 mirroring for root,
Hope this helps..
The OS is not a strategic thing. It is only a tool, and turning off my services for some time does not cause me problems.
Destruction of personal/family data does (photos, family tree, etc.).
I can attach my discs to another machine, new server or laptop. But it won't help if the data is, for example, encrypted by some criminals...


Quote:
Originally Posted by jailbait
I back up two computers in two different buildings. For each computer I have a 4 terabyte external USB hard drive divided into 4 one terabyte partitions. My home grown backup script detects which partition contains the oldest backup and uses rsync to update the oldest backup. The script also backs up a USB thumb drive which serves as my off site backup which I keep in a detached garage. I detach both the USB thumb drive and the USB hard drive when I am not actively doing a backup run.

You could separate the off-site and on-site backups. Then you could leave the USB hard drive permanently connected but only mount the current backup partition during the backup run, say started by crontab. Thus the only backup exposed to ransomware would be the current backup partition during the time that it is being written to.

I have no advice on the checksum problem as I have never worked with it.
There is one disadvantage, if I understand your process correctly. Let's assume that in your system/network there is some ransomware. It sits there and encrypts what it can see.
If you have 4 partitions, used one by one - day by day, it will take four days to encrypt all your backups.
My idea with the checksum means that there are two copies of it - in the system and on the backup partitions. If they are different, that means that something has been changed, so there is a chance that you are a victim of an attack. So - stay away from the other partitions/backups to let them keep healthy data (and of course - send some alerts).

It can be something else than a checksum - some secret string, password etc. And it must be stored in different formats in both places, for example - in a text file and as a filename, to avoid the situation where two identical files encrypted with the same algorithm are still identical (but not human readable).

Disconnecting backup drive is a must - I'm thinking about only logical disconnecting (by unmounting and keeping unmounted in case of attack), but not sure if this is enough.

Quote:
Originally Posted by chrism01
One thing to do is ensure your backup system logs into the main system and 'pulls' data across.
That way, you're not enabling any kind of login TO the backup server that a ransomware hacker can exploit.
Of course, you're right. And I know that my idea (with unmounting backups) isn't perfect, because it can be mounted back by the attacker. But probably I have a better chance that any attack will come from my wife's or son's laptops with Windows rather than directly from my Linux server (as I said, no one should expect big or valuable resources in my network), made by an automatic program. In such a case unmounting will be enough.
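
The canary check from this post combined with the oldest-partition rotation from post #6, as an added example that is not any poster's own script. Assumptions: plain directories stand in for the mounted backup partitions, `cp` stands in for rsync, and the names `.last-run`, `canary-*` and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; file names (.last-run, canary-*) and layout are hypothetical.

# Marker name on the backup volume = SHA-256 of the host-side secret file,
# so the host copy (file content) and volume copy (file name) differ in format.
canary_name() {
    printf 'canary-%s' "$(sha256sum < "$1" | cut -d' ' -f1)"
}

# Plant the marker once, when a backup volume is first prepared.
init_volume() {    # init_volume SECRET_FILE VOLUME_DIR
    printf 'intact\n' > "$2/$(canary_name "$1")"
}

# Succeeds only if the marker still has the expected name AND content.
verify_volume() {  # verify_volume SECRET_FILE VOLUME_DIR
    marker="$2/$(canary_name "$1")"
    [ -f "$marker" ] && [ "$(cat "$marker")" = "intact" ]
}

# Print the volume with the smallest epoch stamp in .last-run (missing = 0).
oldest_volume() {  # oldest_volume VOLUME_DIR...
    best=""; best_ts=0
    for v in "$@"; do
        ts=$(cat "$v/.last-run" 2>/dev/null || echo 0)
        case $ts in ''|*[!0-9]*) ts=0 ;; esac   # unreadable stamp counts as oldest
        if [ -z "$best" ] || [ "$ts" -lt "$best_ts" ]; then best=$v; best_ts=$ts; fi
    done
    printf '%s\n' "$best"
}

# Back up SOURCE_DIR to the oldest volume, or refuse and leave every volume as is.
run_backup() {     # run_backup SECRET_FILE SOURCE_DIR VOLUME_DIR...
    secret=$1; src=$2; shift 2
    target=$(oldest_volume "$@")
    # A real script would mount "$target" here and unmount it on every exit path.
    if ! verify_volume "$secret" "$target"; then
        echo "ALERT: canary mismatch on $target, backup aborted" >&2
        return 1
    fi
    mkdir -p "$target/data" || return 1
    cp -Rp "$src/." "$target/data/" || return 1   # cp stands in for rsync here
    date +%s > "$target/.last-run"
}
```

A mismatch is raised both when the host-side secret file has been altered (the derived marker name no longer exists on the volume) and when the marker on the volume has been renamed or rewritten; in either case no volume is written to.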
 
Old 04-07-2023, 08:37 AM   #9
axolinx
Member
 
Registered: Dec 2020
Posts: 55

Rep: Reputation: Disabled
I use borg backup. It has a bit of a learning curve. Many amazing features.
I back up the data in an office stored in a small NAS, then I mirror it to another local server with rsync, and finally use borg to a remote server so data is encrypted. I can go back to any snapshot and mount it like it was a regular partition, so I can recover any files without having to restore the whole thing. Fault tolerance and ransomware protection.
 
  


All times are GMT -5. The time now is 03:35 AM.
