Securing and Hardening FreeNAS against Hackers?


Socrates

Member
Dec 28, 2016
Hi all,

I am sure the question has been debated to death here before. I did try to look it up on the forum, but couldn't find much info; I guess I am using the wrong terminology to search.
So, dear mates of the forum, I trust your word more than the members' words at FreeNAS itself for this topic and debate.
The FreeNAS community as a whole does not prefer using FreeNAS on ESXi, and would rather choose dedicated hardware. I am sure many folks here also prefer that, but I really cannot do that right now. I have a dedicated AV rack and about 5-6 Supermicro 3U or 4U chassis; I am using ESXi with multiple VMs. I am completely new to FreeNAS, and initially I'd like to use my current hardware, hence I want to try going the virtual route.

I have been reading that FreeNAS is easier to hack into than a router or a printer, and many people report events recorded in their event manager about intrusions as soon as they make the NAS internet-facing.
I've been reading that lots of folks do not have the NAS attached to the internet, but instead on a separate router or VLAN, completely disconnected from the internet.

I would like to get your opinions about hardening and securing FreeNAS against hackers and prying eyes.
I was reading a few tips elsewhere, such as disabling root, disabling password-based login and using public and/or private keys, and adding intricate rules and layers in firewalls such as pfSense or Sophos to secure the NAS.
I'd like to know from the uber folks here: how do you protect your FreeNAS setup?
The only reason I need to attach FreeNAS to the internet is for backing up my FreeNAS data to Amazon Drive: Cloud Storage (damn, they had a sweet 45 dollar deal for unlimited storage for the entire year recently; I'd like to use that.. :D)

wildchild

Active Member
Feb 4, 2014
389
57
28
So.. Your FreeNAS box is behind a NAT device and a firewall?
As your FreeNAS is initiating traffic towards the internet, I'd be much, much more interested in making sure your FW is properly set up, as in almost all cases your FreeNAS isn't reachable by traffic initiated from the internet.

As your FreeNAS is located on the inside of your network, "normal" precautions are needed in securing it for an internal network, which include disabling "root", creating a new root user, certificates and keys, etc. etc.

Socrates

Member
Dec 28, 2016
wildchild said:
So.. Your FreeNAS box is behind a NAT device and a firewall?
As your FreeNAS is initiating traffic towards the internet, I'd be much, much more interested in making sure your FW is properly set up, as in almost all cases your FreeNAS isn't reachable by traffic initiated from the internet.

As your FreeNAS is located on the inside of your network, "normal" precautions are needed in securing it for an internal network, which include disabling "root", creating a new root user, certificates and keys, etc. etc.
No NAT device.
I plan to set up a Sophos UTM firewall in a 1U rack-space server.

I didn't understand your question about FreeNAS initiating traffic towards the internet. But let me explain a bit.
The FreeNAS will be used to store important documents and family pictures. Nothing more. I don't care to access the FreeNAS/data remotely if I am not at home. Any time I will be accessing the data from my NAS will be when I am at home (mainly copying photographs from my MacBook or PC to the FreeNAS volume).

I'd like to have redundancy for the files in my FreeNAS just in case of a natural/unnatural disaster to the AV rack, and I lose everything; hence I'd like to keep a copy of all my files, family pictures and videos on the cloud, on Amazon cloud backup. The idea is, each time I copy anything onto the FreeNAS disk, it should upload the same data to Amazon Drive for backup.

I am sure a lot of folks here have taken extreme precautions for their FreeNAS servers, or is it always ignored?

markarr

Active Member
Oct 31, 2013
Most firewalls fall into two types: deny all in and out, or deny all in and allow all out. The Sophos UTM is the former and pfSense is the latter by default. So the Sophos does not let anything pass through unless there is a specific rule from the outside world in, or vice versa. So if you only want to have FreeNAS talk to Amazon cloud over the backup ports, then make the rule, and only FreeNAS can initiate the connection; Amazon could not "get in" without FreeNAS talking first.

Now here is the obligatory line saying "Anything stored in the cloud, unless you encrypt it yourself, should not be considered completely secure". There are differing opinions on that line, but it is said.
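As an added illustration of the "deny all in and out, then open one rule for the NAS" idea from the post above (this is example code, not something from the thread or from Sophos/pfSense), here is a pf ruleset generator plus two checks you can run before loading it. The interface names em0/em1, the NAS address 192.168.10.5 and the port list are constructed assumptions; pf itself would be parsed with `pfctl -nf` on the real box.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny pf ruleset in which only the
# NAS may open outbound connections, and only on the ports its cloud backup needs.
# Constructed assumptions: em0 is WAN, em1 is LAN, the NAS is 192.168.10.5 and the
# backup speaks HTTPS (443). Adjust all of these to your own network.

# Print a pf.conf for the given NAS address; WAN/LAN interfaces are optional.
gen_pf_rules() {
  nas_ip="$1"
  wan_if="${2:-em0}"
  lan_if="${3:-em1}"
  cat <<EOF
wan_if = "$wan_if"
lan_if = "$lan_if"
nas = "$nas_ip"
backup_ports = "{ 443 }"

set skip on lo0
scrub in all

# Default deny in both directions; log the drops so unexpected egress shows up.
block log all

# The firewall itself may resolve names and sync time.
pass out quick on \$wan_if inet proto udp from (\$wan_if) to any port { 53, 123 } keep state

# Only the NAS may initiate: DNS to resolve the backup endpoint, then HTTPS to it.
# pf states are floating by default, so the state created here also passes the
# same connection out on \$wan_if; no separate "pass out" for the NAS is needed.
pass in quick on \$lan_if inet proto udp from \$nas to any port 53 keep state
pass in quick on \$lan_if inet proto tcp from \$nas to any port \$backup_ports keep state

# Nothing passes traffic arriving on WAN toward the NAS, so the internet cannot
# start a connection to it; reply packets ride on the states above.
EOF
}

# Check 1: the first real rule must be the block-all line (default deny).
pf_rules_default_deny() {
  first_rule=$(printf '%s\n' "$1" | grep -v '^#' | grep -E '^(block|pass)' | head -n 1)
  [ "$first_rule" = "block log all" ]
}

# Check 2: every pass rule with a "from" names the NAS macro, except the
# firewall's own rule sourced from its WAN address.
pf_rules_allow_only_nas() {
  leaks=$(printf '%s\n' "$1" | grep '^pass' | grep 'from' \
          | grep -v 'from (\$wan_if)' | grep -v 'from \$nas' | wc -l | tr -d ' ')
  [ "$leaks" -eq 0 ]
}
```

Usage on the firewall would be `gen_pf_rules 192.168.10.5 > /etc/pf.conf && pfctl -nf /etc/pf.conf` to write and syntax-check the file; the two check functions are the cheap review you can do on any machine. The `block log all` line is what makes a later typo fail closed, and the log output is where you would notice the NAS trying to reach anything other than its backup target.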

wildchild

Active Member
Feb 4, 2014
markarr said:
Most firewalls fall into two types: deny all in and out, or deny all in and allow all out. The Sophos UTM is the former and pfSense is the latter by default. So the Sophos does not let anything pass through unless there is a specific rule from the outside world in, or vice versa. So if you only want to have FreeNAS talk to Amazon cloud over the backup ports, then make the rule, and only FreeNAS can initiate the connection; Amazon could not "get in" without FreeNAS talking first.

Now here is the obligatory line saying "Anything stored in the cloud, unless you encrypt it yourself, should not be considered completely secure". There are differing opinions on that line, but it is said.
I agree; I don't use FreeNAS, so I couldn't tell you if there's a possibility to encrypt stuff you sync to the cloud on the go.
Since most cloud stuff by default is accessible to any state dept. using 3 letters, I have a dislike for it, so for all personal stuff I replicate to a storage server I control off site.

I would look for a tool that encrypts stuff before it leaves your FreeNAS box and sends it to any cloud provider.
An alternative could be placing an N40L with a SAS controller and big disks in a Z3 config off site (parents/friend/work).

markarr

Active Member
Oct 31, 2013
421
122
43
With Docker on the new FreeNAS version there should be more options for this now. I use duplicity (on CentOS) for my backup to the cloud now; it allows you to set your own private key, and it will encrypt the files before it uploads them to the destination.

Socrates

Member
Dec 28, 2016
Thanks for your replies Mark, this helps a lot. I have a few more questions; I have PM'ed you.
But while we are still here, can't I use a private key directly with the FreeNAS login, disabling SSH etc.? Do I need to have CentOS with Docker and then use the private key for CentOS?
I am sorry about the noobish question; I am sure I am not asking the right way, or I may have misunderstood. I am just new to this and trying to learn my way through.

markarr

Active Member
Oct 31, 2013
Socrates said:
Thanks for your replies Mark, this helps a lot. I have a few more questions; I have PM'ed you.
But while we are still here, can't I use a private key directly with the FreeNAS login, disabling SSH etc.? Do I need to have CentOS with Docker and then use the private key for CentOS?
I am sorry about the noobish question; I am sure I am not asking the right way, or I may have misunderstood. I am just new to this and trying to learn my way through.
The key I use for duplicity is just a passphrase unique to that; the private key for SSH is different. I mentioned CentOS because I'm not running FreeNAS right now, and was giving an example of software that encrypts the data before shipping it to the cloud.
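To make the "passphrase unique to duplicity, separate from the SSH key" point concrete, here is an added wrapper (example code, not markarr's setup and not part of the duplicity project) that keeps the backup passphrase in a root-only file, refuses to run if that file is readable by others, and builds the duplicity command so the archive is encrypted on the NAS before anything is uploaded. The source path, target URL, key id and passphrase file path are constructed assumptions; the duplicity flags and the PASSPHRASE environment variable are the tool's real interface.

```shell
#!/bin/sh
# Added example, not from the thread: run duplicity so data is GPG-encrypted
# locally before it leaves for the cloud. Paths, bucket and key id below are
# constructed assumptions; --full-if-older-than, --volsize, --encrypt-key,
# --sign-key and the PASSPHRASE variable are real duplicity options.

# Build the duplicity argument line so it can be reviewed (and tested) without
# duplicity installed. $1 = source dir, $2 = target URL, $3 = optional GPG key id;
# with no key id duplicity falls back to symmetric encryption with PASSPHRASE.
duplicity_args() {
  src="$1"; dest="$2"; keyid="${3:-}"
  args="--full-if-older-than 1M --volsize 200"
  if [ -n "$keyid" ]; then
    args="$args --encrypt-key $keyid --sign-key $keyid"
  fi
  printf '%s %s %s\n' "$args" "$src" "$dest"
}

# Return 0 only if the passphrase file exists and is readable by its owner alone.
passphrase_file_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run the backup: $1 source, $2 target URL, $3 passphrase file, $4 optional key id.
# Paths are assumed to contain no whitespace (the argument line is word-split).
run_backup() {
  src="$1"; dest="$2"; passfile="$3"; keyid="${4:-}"
  passphrase_file_ok "$passfile" || { echo "refusing: $passfile must be mode 600" >&2; return 2; }
  PASSPHRASE=$(cat "$passfile"); export PASSPHRASE   # duplicity reads it from the environment
  # shellcheck disable=SC2046
  duplicity $(duplicity_args "$src" "$dest" "$keyid")
  status=$?
  unset PASSPHRASE
  return $status
}

# Example call (constructed paths): run_backup /mnt/tank/photos s3://my-bucket/photos /root/.backup-pass
```

After a run, `duplicity verify <target> <source>` with the same passphrase is the check that the remote copy actually restores; the passphrase file and (if used) the GPG key are what you must keep somewhere other than the NAS, or the off-site copy is unreadable exactly when you need it.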

Kybber

Active Member
May 27, 2016
An alternative to duplicity may be to use EncFS with the --reverse option to bind-mount an encrypted view of a directory:
Code:
encfs --reverse /home/myuser /mnt/myencryptedhome
Then let whatever backup software you prefer back up from /mnt/myencryptedhome instead. This can be combined with backup solutions that use proprietary clients, e.g. CrashPlan. CrashPlan does encrypt locally before sending files, but if you are a stickler for security, then why not encrypt your files before CrashPlan sees them? :)

Edit: A bonus is that file names in the encrypted view are also scrambled.
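As an added example around Kybber's EncFS trick (not Kybber's script and not part of EncFS), the wrapper below mounts the reverse view with the password read from a file instead of a prompt, checks that no plaintext file name from the source is visible in the view before any backup client touches it, then runs the backup from the view and unmounts. The paths and the rsync target are constructed assumptions; `encfs --reverse` and `--extpass` are real EncFS options, and the name check works on any two directories, so it can be exercised without EncFS installed.

```shell
#!/bin/sh
# Added example, not from the post: back up only from an EncFS --reverse view,
# and verify the view hides the plaintext names. Paths are constructed assumptions.

# Mount an encrypted view of $1 at $2, reading the EncFS password from file $3.
# --extpass runs a command whose stdout is the password, so it never sits on the
# command line where `ps` could show it. In reverse mode EncFS keeps its config
# as .encfs6.xml inside the plaintext root; keep a copy of it with the password.
mount_reverse_view() {
  plain="$1"; view="$2"; passfile="$3"
  mkdir -p "$view"
  encfs --reverse --extpass="cat $passfile" "$plain" "$view"
}

unmount_view() {
  fusermount -u "$1" 2>/dev/null || umount "$1"   # Linux FUSE helper, then FreeBSD umount
}

# Return 0 if none of the relative file names under $1 (plaintext) exist under $2
# (the view), i.e. the view really scrambles names and is not a plain bind mount.
view_hides_names() {
  plain="$1"; view=$(cd "$2" && pwd) || return 2
  leaked=$(cd "$plain" && find . -type f | sed 's|^\./||' |
           while IFS= read -r f; do [ -e "$view/$f" ] && printf '%s\n' "$f"; done |
           wc -l | tr -d ' ')
  [ "$leaked" -eq 0 ]
}

# $1 plaintext dir, $2 mount point for the view, $3 password file, $4 backup target dir.
backup_via_view() {
  plain="$1"; view="$2"; passfile="$3"; dest="$4"
  mount_reverse_view "$plain" "$view" "$passfile" || return 1
  if ! view_hides_names "$plain" "$view"; then
    echo "view exposes plaintext names, not backing up" >&2
    unmount_view "$view"; return 1
  fi
  rsync -a --delete "$view/" "$dest/"   # or point CrashPlan/duplicity at $view instead
  status=$?
  unmount_view "$view"
  return $status
}

# Example call (constructed paths):
# backup_via_view /mnt/tank/home/myuser /mnt/myencryptedhome /root/.encfs-pass /mnt/offsite/myuser
```

The name check is deliberately separate from the mount: a restore test is the only real proof that the encrypted copy is usable, but this cheap check catches the case where the mount silently failed and the backup client is about to read the plaintext tree from an empty or pass-through directory.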