Tuesday, February 23, 2010

How to secure your FreeNAS server

Quote from FreeNAS forum:

Q: How do I make sure my FreeNAS server is secure?
A: You can ensure basic security by following the FreeNAS Security Checklist:
  1. Change the WebGUI admin/root password (the default is: freenas)
    Use a very strong password if you intend to access FreeNAS over the Internet.
    Please note - admin/root accounts use the same password.
    Please note - Users that are members of the wheel group can su to root if they know the root password.
  2. Change WebGUI admin user name (the default is admin), to protect your system against dictionary attacks.
  3. DO NOT give shell access to everybody.
  4. DO NOT use FTP over the Internet, use SSH or SFTP instead.
  5. DO NOT enable Password Authentication with SSH; set up and use SSH key-based authentication.
  6. Always use https protocol to access WebGUI interface.
  7. DO NOT open your WebGUI server to internet, rather open a tunnel via SSH from client to server.
Let's start from the first item:

1. Change the WebGUI admin password under System | General | Password:

2,4. Change WebGUI admin user name and access protocol under System | General:

5,7. SSH setup under Services | SSH:

Of course, you need to create a non-admin user, create an SSH key pair, and upload the public key to the FreeNAS server. Please read the SSH manual. If your FreeNAS server is behind a router, you also need to set up the router's NAT:

Here I opened both the WebGUI interface and SSH to the Internet, but I will use only SSH to connect. To set up an SSH tunnel from a Linux box, type:

$ ssh -v -p 22 -L 8888:localhost:443 username@your.FreeNASorRouter.IP.address

Then open your web browser, go to https://localhost:8888/, and you are there. Windows users can read the instructions in the FreeNAS KnowledgeBase.
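As an added example (not part of the original post or of FreeNAS itself), the shell functions below check an sshd_config file for checklist item 5 and for the root-login restriction a commenter mentions further down. The function names, the file argument, and the sample config are assumptions constructed for illustration; only the global section is read, and lines are assumed to be whitespace-separated `keyword value` pairs.

```shell
# effective_value FILE KEYWORD
# Prints the value sshd takes from the global section of FILE: keywords are
# case-insensitive and the first occurrence wins. Parsing stops at the first
# Match block. Prints "unset" when the keyword is absent.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "unset" }
        /^[ \t]*#/ { next }                    # skip comment lines
        { k = tolower($1) }
        k == "match" { exit }                  # conditional blocks are out of scope
        k == key { val = tolower($2); exit }   # first occurrence wins
        END { print val }
    ' "$1"
}

# audit_sshd FILE
# Prints PASS, FAIL or REVIEW per setting; returns 1 unless every check passes.
audit_sshd() {
    file=$1
    rc=0
    for rule in PasswordAuthentication=no PermitRootLogin=no; do
        key=${rule%%=*}
        want=${rule#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS   $key $got"
        elif [ "$got" = "unset" ]; then
            echo "REVIEW $key is not set; the sshd built-in default applies"
            rc=1
        else
            echo "FAIL   $key $got (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not taken from a real server). The later
# "PasswordAuthentication no" is ignored because the earlier line wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

Run `audit_sshd` against the configuration file the SSH service is actually started with, then confirm from a client that a password login is refused.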

I don't have a static IP address, so I use the (free) DynDNS service.

Last word:

To match the convenience Windows users get from a shortcut, Linux users can create an alias:

$ cat .bashrc
alias ssh-nas="ssh pvt@"
alias ssh-dir="ssh pvt@"
alias tunnel-nas="ssh -v -p 22 -L 8888:localhost:443 tvp@xxx.dyndns.org"
# sudo alias
alias apt-update="sudo apt-get update"
alias apt-install="sudo apt-get install"
alias apt-remove="sudo apt-get remove"
alias mount="sudo mount"
alias umount="sudo umount"
alias suvim="sudo vim"

$ tunnel-nas

Happy using FreeNAS!


geoffala said...

Your blog came up when I was researching the possibilities to link FreeNAS to a CA. Thanks for the SSH ideas!

Nimbu said...

It's really important to limit access to ssh. On my server I disallowed root access to ssh. I created a separate user for ssh and then when I log in I can change to root with "su". There were so many failed logins in my server logs :D

Anonymous said...

Do you know of a method to let FreeNAS send notifications (SMART...) to a client without any connection to the Internet whatsoever? I mean, it's meant to be email bound but... Is there any other way?