There are several postings on the old FreeNAS Forum and on Phan Vinh Thinh's Blog about what is necessary to make sure
that your NAS4Free Server is as SECURE as possible. Phan Vinh Thinh's Blog is located at:
http://phanvinhthinh.blogspot.com/2010/02/how-to-secure-your-freenas-server.html
Q: How do I make sure my NAS4Free server is secure?
Before we can answer that question, there needs to be a bit of explanation of what you will need to do to keep your Server secure while
you enable the Services, and which Router Ports will be "OPEN" to the Internet. If your NAS4Free System is Powered up with only the
HTTPS Protocol enabled for WebGUI Access, then NAS4Free Port 443 will be the ONLY port "OPEN". As you Enable more Services you will be
adding to the list of "OPEN" NAS4Free Ports. Here is a List of the Ports as they are scanned after turning on their Specific NAS4Free Service.
Service        Port   Service (as scanned)
HTTP           80     HTTP
HTTPS          443    HTTPS
CIFS/SMB       139    netbios-ssn
               445    microsoft-ds
FTP            21     ftp
SSH or SFTP    22     ssh
NFS            111    sunrpc
               629    unknown
               856    unknown
               913    unknown
               2049   nfs
You should also realize that these TYPICAL Port Assignments can be changed as per your Specific requirements. They are not FIXED.
A comprehensive list of Port Number Assignments is located at: http://www.iana.org/assignments/port-numbers
If you haven't a clue what a LAN or WAN is, you need to do some reading from the following Site:
http://www.netfilter.org/documentation/HOWTO/networking-concepts-HOWTO.html
Now, realizing that your NAS4Free ports must have access to the Internet before anyone from the outside can access your NAS4Free Server,
we can DELAY Opening ANY Router Ports until the NAS4Free Setup and Configuration is complete. The NAS4Free Ports will be “OPEN” to any
LOCAL Computer that is connected to our Local Area Network (LAN), but NOT the WAN because your Router Port must be MANUALLY FORWARDED
allowing Server access via WAN.
There is one thing you need to understand about setting up your router. If your Client Software is accessing your neighbor's NAS4Free Server
sitting behind your neighbor's router on the WAN, ONLY your neighbor needs to OPEN his router's Port 22 to his NAS4Free Server for you to be
able to access it via ssh. Your router doesn't need Port 22 "OPEN" (MANUALLY FORWARDED).
So, with your Router Ports CLOSED, you are now ready to setup your NAS4Free Server with a computer connected to your Local Area Network (LAN).
Now let's review the previous Question again, along with Phan Vinh Thinh's answers.
Q: How do I make sure my NAS4Free server is secure?
A: You can ensure basic security by following the NAS4Free Security Checklist:
1. Change the WebGUI default admin/root password.
Use a very strong password if you intend to access NAS4Free over the Internet (WAN).
Use a long password and not something that is a word that is found in any language dictionary. (Google your proposed password. If it has no
hits in Google, that is a good thing.) Include numbers and Special Characters as part of your password.
Please Note: - admin/root accounts use the same password.
Please Note: - Users that are members of the wheel group can su to root if they know the root password.
2. Change WebGUI admin user name, to protect your system against dictionary attacks. Don't use 'admin' or 'administrator'.
3. Always use https protocol to access WebGUI interface over the WAN.
You do not need to have a security certificate to do this, but you will get a warning message if you don’t.
4. DO NOT open your WebGUI server to the internet, rather open a tunnel via SSH from client to server.
5. Check your logs regularly. While NAS4Free has security measures to protect against some brute force attacks, it never hurts to make sure you have not been hacked.
6. DO NOT give shell access to everybody.
7. DO NOT use FTP over the Internet, use SSH or SFTP instead to encrypt your traffic.
8. DO NOT enable Password Authentication with SSH; set up and use SSH key based authentication.
9. Don’t allow the root account to access SSH. Under Services/SSHD, make sure the Permit root login box is NOT checked. If this is checked, someone can log
in as root if they know or crack your password. If this is not checked, they must guess your user LoginID and your password.
10. Have some kind of hardware firewall in place. Netgear or Linksys routers work nicely.
Only pass through the ports you need to make services work. Port 22 for SSH, port 443 for HTTPS. This may be under the application/gaming section of your router.
Let's start from the first item:
1. Change the WebGUI admin password under System | General | Password:
See – SUG Section 3.1.1-System|General|Password
http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:system_general_password
2,3. Change WebGUI admin user name and access protocol under System | General:
See – SUG Section 3.1-System|General Setup
http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:general_system_options
6->9. SSH setup under Services | SSH:
See – SUG Section 6.4-Services|SSH
http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:services_ssh
Of course, you need to create a non-admin user, create SSH keys, and upload them to your NAS4Free server. Please read the SSH manual and refer to the man pages.
Please note that the command below is the finished ssh command; the ssh setup and testing are covered in another [HOWTO].
Once ssh has been set up and tested, you can use SSH tunneling from the Linux box to the NAS4Free WebGUI over the Internet. In a Terminal (Console) type:
$ ssh -v -p 22 -L 8888:localhost:443 username@your.NAS4FreeorRouter.IP.address
Then open your web browser, and type address:
https://localhost:8888/
and you are there. Windows users can read the instructions in the NAS4Free KnowledgeBase.
If you don't have a static IP address, you can use a (free) DynDNS service.
Tighten Your Security Parameters:
You can now tighten the parameters in ssh by turning off Enable Keyboard-Interactive Authentication, and by adding the following Extra Options:
AllowUsers loginBoZo4321&1234 JoESmithTOO!4433
MaxAuthTries 2
LoginGraceTime 45
At this time you might want to "FORWARD" your Router's External Port 22 for direction "IN" so you can further test your NAS4Free Server, while keeping
an eye on your log files.
Unauthorized Login Attempts:
If your diagnostic logs show multiple login attempts by 49.212.28.207 & 116.125.127.119, you can "DENY" their access by adding their IP addresses
under Network | Hosts (the entries go into /etc/hosts.allow, as hosts.deny is deprecated). Adding these IP addresses in NAS4Free actually inserts the specific IP Address in
/etc/hosts.allow as DENY.
Network | Hosts
#ftpd : xxx.xxx.xxx.xxx : deny
#sshd : .example.com : deny
#in.tftpd : xxx.xxx.xxx.xxx : deny
#bsnmpd : xxx.xxx.xxx.xxx : deny
sshd : 49.212.28.207 : deny
sshd : 116.125.127.119 : deny
sshd : 205.214.192.101 : deny
sshd : 222.240.224.43 : deny
ALL : ALL : allow
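Item 5 of the checklist says to check your logs regularly. As an added example (not part of the original post), the Python script below counts sshd login failures per source address in constructed sample log lines and prints Network | Hosts entries in the same form as the list above; the log line format, the failure threshold and the trusted LAN prefix are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of FreeBSD's sshd auth log; they are not
# from the original post. The first two addresses are the ones the post names.
SAMPLE_LOG = """\
Jul 18 03:12:01 nas4free sshd[1201]: Invalid user admin from 49.212.28.207
Jul 18 03:12:03 nas4free sshd[1201]: Failed password for invalid user admin from 49.212.28.207 port 51022 ssh2
Jul 18 03:12:07 nas4free sshd[1205]: Failed password for root from 49.212.28.207 port 51030 ssh2
Jul 18 03:15:44 nas4free sshd[1210]: Failed password for root from 116.125.127.119 port 40012 ssh2
Jul 18 03:15:49 nas4free sshd[1210]: Failed password for root from 116.125.127.119 port 40012 ssh2
Jul 18 03:20:10 nas4free sshd[1222]: Accepted publickey for larry from 192.168.1.10 port 50100 ssh2
Jul 18 03:21:00 nas4free sshd[1230]: Failed password for larry from 192.168.1.10 port 50102 ssh2
"""

# Matches the two failure forms sshd logs: a rejected password and an unknown user.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)"
)


def failed_attempts(log_text):
    """Count sshd login failures per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def deny_lines(counts, threshold=2, trusted_prefix="192.168.1."):
    """Build hosts.allow entries in the form NAS4Free writes from Network | Hosts.

    Addresses with at least `threshold` failures are denied, most active first.
    LAN addresses are skipped so a mistyped password on your own client cannot
    lock you out. The deny lines must come before the final ALL : ALL : allow,
    because tcp wrappers stops at the first matching line.
    """
    lines = []
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= threshold and not ip.startswith(trusted_prefix):
            lines.append(f"sshd : {ip} : deny")
    lines.append("ALL : ALL : allow")
    return lines


if __name__ == "__main__":
    print("\n".join(deny_lines(failed_attempts(SAMPLE_LOG))))
```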
10. IP Addressing – for IPFW Usage:
There is a standard notation for groups of IP addresses, sometimes called a `network address'. Just like a phone number can be broken up into an
area prefix and the rest, we can divide an IP address into a network prefix and the rest.
It used to be that people would talk about `the 1.2.3 network', meaning all 256 addresses from 1.2.3.0 to 1.2.3.255. Or if that wasn't a big enough
network, they might talk about the `1.2 network' which meant all addresses from 1.2.0.0 to 1.2.255.255.
We usually don't write `1.2.0.0 - 1.2.255.255'. Instead, we shorten it to `1.2.0.0/16'. This weird `/16' notation (it's called a `netmask') requires
a little explanation.
Each number between the dots in an IP address is actually 8 binary digits (00000000 to 11111111): we write them in decimal form to make it more
readable for humans. The `/16' means that the first 16 binary digits are the network address; in other words, the `1.2.' part is the network
(remember: each number between the dots represents 8 binary digits). This means any IP address beginning with `1.2.' is part of the network: `1.2.3.4' and `1.2.3.50' are,
and `1.3.1.1' is not.
To make life easier, we usually use networks ending in `/8', `/16' and `/24'. For example, `10.0.0.0/8' is a big network containing any address from
10.0.0.0 to 10.255.255.255 (over 16 million addresses!). 10.0.0.0/16 is smaller, containing only IP addresses from 10.0.0.0 to 10.0.255.255. 10.0.0.0/24
is smaller still, containing addresses 10.0.0.0 to 10.0.0.255. To make things confusing, there is another way of writing netmasks. We can write them
like IP addresses: 10.0.0.0/255.0.0.0
Finally, it's worth noting that the very highest IP address in any network is reserved as the `broadcast address', which can be used to send a message to
everyone on the network at once. Here is a table of network masks:
Short Form   Full Form           Maximum #Machines   Comment
/8           /255.0.0.0          16,777,215          Used to be called an `A-class'
/16          /255.255.0.0        65,535              Used to be called a `B-class'
/17          /255.255.128.0      32,767
/18          /255.255.192.0      16,383
/19          /255.255.224.0      8,191
/20          /255.255.240.0      4,095
/21          /255.255.248.0      2,047
/22          /255.255.252.0      1,023
/23          /255.255.254.0      511
/24          /255.255.255.0      255                 Used to be called a `C-class'
/25          /255.255.255.128    127
/26          /255.255.255.192    63
/27          /255.255.255.224    31
/28          /255.255.255.240    15
/29          /255.255.255.248    7
/30          /255.255.255.252    3
/31          /255.255.255.254    2
/32          /255.255.255.255    1
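As an added example that is not from the original post, the netmask arithmetic explained above in Python: converting between the `/N' and dotted forms, rejecting a dotted mask whose set bits are not contiguous, and checking whether an address belongs to a network, which is what you need when writing an IPFW rule for a block of addresses rather than a single one.

```python
def ip_to_int(dotted):
    """'1.2.3.4' -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/16 -> '255.255.0.0': the first `prefix` bits set, the remaining bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return int_to_ip(((1 << 32) - 1) ^ ((1 << (32 - prefix)) - 1))

def mask_to_prefix(mask):
    """'255.255.128.0' -> 17; rejects masks whose set bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != ip_to_int(prefix_to_mask(prefix)):
        raise ValueError(f"not a valid netmask: {mask}")
    return prefix

def parse_network(spec):
    """Accept '10.0.0.0/8' or '10.0.0.0/255.0.0.0' and return (network int, prefix).
    Host bits are cleared, so '192.168.1.77/24' is the network 192.168.1.0/24."""
    addr, _, suffix = spec.partition("/")
    prefix = mask_to_prefix(suffix) if "." in suffix else int(suffix or 32)
    mask = ip_to_int(prefix_to_mask(prefix))
    return ip_to_int(addr) & mask, prefix

def network_range(spec):
    """Return (first address, broadcast address, total addresses) of a network.
    The post's table lists one fewer as 'Maximum #Machines' (broadcast excluded)."""
    net, prefix = parse_network(spec)
    size = 1 << (32 - prefix)
    return int_to_ip(net), int_to_ip(net + size - 1), size

def contains(spec, ip):
    """True if ip lies inside the network spec, e.g. 1.2.3.4 in 1.2.0.0/16."""
    net, prefix = parse_network(spec)
    return ip_to_int(ip) & ip_to_int(prefix_to_mask(prefix)) == net
```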
IPFW for Unauthorized Login Attempts:
If you want to use the IP Firewall (IPFW) instead, you can create a rule to block an IP Address or a Block of addresses and then ENABLE IPFW
to block those that continually attempt to hack/log in to your NAS4Free Server. There were several IP Addresses that continuously tried to gain ssh access.
In my initial setup I had only Protocol “TCP” selected, but have since changed that to “ALL”. Likewise Direction could be changed to “ANY” versus “IN”.
IPFW RULES:
As you can see, the list continues to grow each day, and there is a better way to block those IP Addresses that continually try to access your Server.
The NAS4Free IPFW RULES will do the job much more easily, and there is a [HOWTO] posted with that information.
The following photo shows the items I have set up in the ssh service:
Last Words:
To make up for the shortcuts Windows users have in their ssh clients, Linux users can create aliases in .bashrc:
$ cat .bashrc
alias ssh-nas="ssh pvt@192.168.1.250"
alias ssh-dir="ssh pvt@192.168.1.1"
alias tunnel-nas="ssh -v -p 22 -L 8888:localhost:443 tvp@xxx.dyndns.org"
# sudo alias
alias apt-update="sudo apt-get update"
alias apt-install="sudo apt-get install"
alias apt-remove="sudo apt-get remove"
alias mount="sudo mount"
alias umount="sudo umount"
alias suvim="sudo vim"
$ tunnel-nas
Now we need to begin the advanced configuration and usage.
I booted my NAS4Free Server, and configured the first two menu items:
1. Assign NIC Interfaces(x10)
2. Set LAN IP Addresses for my NAS:(192.168.1.250)
See – SUG Sections 2.2-LAN Interface and IP Configuration and 2.3-Basic System Configuration
Wired LAN: I chose to use a Hub with two patch cables to test my NAS4Free. Once you have the LAN connected, configure your CLIENT IP Address
and PING the server to verify that it is all communicating. (You can also use PING from the SERVER to verify the CLIENT.)
Realize that one of the three Computers below could actually be your NAS4Free Box.
If your Ethernet NIC card has the capability to do Crossover Detection & Auto-Correction, you won't need to use Special Crossover Ethernet Cables.
Crossover Cable Wiring.
Go to NETWORK | LAN Management and Set your MTU & Media Configuration.
If your Network appears to be Slow, this Posting may be of help.
Mine is shown here:
At this point you should be ready to access your Advanced Configuration via WebGUI:
Open your Browser on your Laptop and type in the address that you previously configured as "192.168.1.250:80"
Use the default login username and password to access the WebGUI.
Since there are no "OPEN" Router ports (we are using a Hub) you should not have any Unauthorized Login Attempts on your system.
Once we get our NAS4Free tested, all we need to do is replace the Hub with the actual Router and keep an eye on the Log file.
Make it a habit to periodically view the Log File so you know what is going on, to determine if your NAS4Free is being Probed/Attacked for access.
Next time we'll keep adding Services, and Configuration to end up with a system that looks like this:
Be sure to read the [HOWTO] - NAS4Free IPFW RULES for information on setting up IPFW Rules.
Thanks.
Larry
Updated 07-18-2012