Jason Self on backups and ransomware and “Treating Your Data Like a VIP”:

If a machine gets infected with malware while the backup drive is plugged in, your backup is encrypted along with your primary files.

The smarter approach is to dedicate a single, physical machine on the LAN to act as a centralized backup server. […]

This centralized local server is the foundation. But just having a server isn't enough to stop a modern threat. We have to trap the server in a cage.

I’ve never given much consideration to a ransomware attack, but I’m rethinking that now. Some of Self’s advice (tape backups, for example) will be absolute overkill for many people, but there are several very useful recommendations, including limiting SSH to specific (backup-related) commands and “air gapping” your backup server. It also reminded me I really do need to re-add a centralized backup server to my home network.