A virusproof (ransomware...) strategy for backup on a NAS?
The solution is to keep a history of backups.
You can store one daily backup, say for the last seven days. Then one backup per week four times per month. This way, if the backup from yesterday had been saved in a bad state, you take the backup from the day before. Or you can take the backup from last week.
To save space you can either use a file system with supports deduplication, use hard links or store only the difference between the backup. Which solution is best, depends on your needs, setup and the software you run.
EDIT: You updated your question and added additional information.
As you already know, you have to separate the data from the backup. A backup is always redundant, if possible even more than one copy. I don't know your NAS solution and their backup software. But I can tell you how I solved this.
I use an old 300MHz system as backup server, which is connected to the file server (that would be your NAS in your configuration). Once per day the backup server switches on and pulls the backup from the file server and writes the data on its own hard drives. As backup software I use rsnapshot. No client computer has access to the backup server in any way. And it is only running for a short time per day.
This is only one possible solution out of many. The key points of a good solution are:
- Keep a history of backups
- A backup is always redundant
- A backup is stored on different hardware (e.g. a second drive, not a second partition on the same drive)
- The client computers must not have access to the backup
- The backup should be as easy as possible, at best fully automatic
- Depending on how often restores are expected, it should not be too big of a burden to restore the data
The only way to have virus-free backups is to have some sort of history: you have to store your backups for several days/weeks/monthes.
This don't garantee to be virus-free, but this garantee you can recover files before you discover a recent infection.
One very important thing about backups: the "client" computer must not have access to the backups.
This means this is the "server" computer which connect to the client and make the backup. Most backup program are not designed this way.
Another method is to remove backups from client's sight once done. But this is often done in a bad way, leading to no security increase.
What you mention seem to be multiple separate issues. One is easier to overcome (accidental deletes or backing up of bad data) than the other (targeted malware).
In increasing order of severity / effort to save your data:
(Unnoticed) corruption of the data of one of your systems making it to the backup drive, deleting all the good data or replacing it with crap. Other answerers mentioned before, keep multiple generations. This saves you also from much more mundane issues, like software doing bad writes (I know people whose office software created broken, unreconverable files) without you noticing.
Malware that breaks all files on all connected drives. This one is more difficult, because malware can just delete or render unusable all of the backup generations, given programmatic access to them. Keep multiple backup drives and regularly switch between them. Never connect them at the same time.
Fires, burglary, lightning strikes, or a significant other who likes to throw (preferably expensive) things at you. Maintain multiple physical drives. Keep one of them off site at all times. Regularly switch between them to make sure both are reasonably up to date. Optionally, add an online backup solution you trust to the mix.
Of course, you can attempt to prevent some issues by e.g. keeping multiple backup generations and removing all write permissions to the files once they've been written, so malware cannot just overwrite them. I wouldn't rely on that, especially if you have malware problems already.