Security tips for home NAS use case

Status
Not open for further replies.

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
Hi all,

I just got my first build up and running and things seem to be going smoothly so far. I am new to FreeNAS, FreeBSD, and being a sysadmin, so I'm concerned about the security of my NAS and network in general, especially since I plan to install plugins like ownCloud, Plex, Transmission, and probably Sickbeard, sabNZBd and the like very shortly.

Being a noob, I'm not sure to what degree each of these plugins will expose my NAS and network to security risks (I imagine ownCloud and Plex, which I intend to get working over the internet rather than exclusively over LAN) and create problems.

I've been searching the forums and online for simple, straightforward guidelines to securing FreeNAS, but I have had little luck and the guides I did find online tended to be rather old, so I fear they may be outdated. Do any of the more experienced users have any references they like to use, or any quick tips they can offer?

Thanks for your advice!
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
So, the recommendation around here is to forward zero ports to your FreeNAS box. Now I know if you want to use myplex you HAVE to forward a port on your router to the plex server. That's all I'd recommend. I'd also stay pretty dedicated to keeping Plex up to date to ensure you don't get hit with some security risk. If you don't plan to use myplex's feature, then I wouldn't forward that port at all.

If you want to access owncloud from the internet, there's a secure way to do that. VPN. That's exactly what we recommend people do.

The reason why you find little documentation on keeping FreeNAS secure is because generally the choices you make and the actions you take are NOT on the FreeNAS box itself. So trying to do a "how-to" or anything is basically impossible. It's something you should be able to do for yourself.
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
Thanks for your input, cyberjock. Also, I appreciated your PPT :) Unfortunately, I'm a noob to network security in general; this will be the first time I've hosted any internet-facing services on my own hardware >.<

I don't mind RTFM and learning new things along the way, but any recommendations on where to start from those more experienced would be appreciated. To focus my search, would the two primary security threats be internet-facing ownCloud and Plex services? I would consider Plex over the internet to be a secondary priority, so I can drop my need for media access over the internet in favor of tighter security; super easy, multi-device/platform media access and streaming on my LAN is all I'm really looking for.

I'm also going to set up Transmission's plugin, will this create any risks? As a more mid-term goal, I'd like to set up sabnzbd with sickbeard, couchpotato, etc to get a usenet setup going... will this expose any additional security risks I should be aware of?

Thanks again to everyone for your thoughts and kind support.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
Anything internet-facing is a dangerous game. My Plex box isn't in a jail. But if it were I wouldn't use the plugin. I'd use a jail so I could keep the jail up to date for myself. It's not too "cool" when your plugin has a security risk you can't easily plug yourself with a pkg upgrade command. Just 2 days ago I updated all of my jails (note that I use zero plugins). Every jail had at least 4 security bulletins against it. ;)

By far the most dangerous part is anything that's internet facing. Forward no ports and don't enable UPnP on your firewall and you should be just fine for 90% of problems.

The other 10% is getting your permissions correct for your files and keeping FreeNAS up to date. Using the same version a year later is not a good way to go. ;)

There's security risks with every program you use. Most of them don't forward ports, so you are only vulnerable to the program that is going out on the internet. If you keep those up to date appropriately then that's about the best you can do.

Security is a multi-pronged approach. And all it takes is one mistake in your armor to render all of your hard work useless. This is why businesses are hacked so regularly. Of course, they seem to do things that are completely retarded too, but that's another discussion.
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
So, I've become rather paranoid about security (which is a good thing) and I decided that I'll only use Plex over my home LAN to avoid port forwarding, unless I get a newer router and can figure out a solution using only NAT. At the end of the day, LAN-only access to Plex and my media library is sufficient for me.

One goal I had was to set up an ownCloud server to reduce my reliance on Dropbox and other cloud services, and I was very excited when I found out that it can be set up in FreeNAS. However, now I'm very paranoid about forwarding ports. If I forward port 80 for example, to my ownCloud jail, would that expose all data on the NAS, as well as the network as a whole, to substantial security threats? Or would the threat be primarily confined to the jail only?

In a nutshell, what's the worst that could happen? If I do want to push forward with the ownCloud project, what steps can I take to enhance security while still allowing functionality to sync over the internet?
 

panz

Guru
Joined
May 24, 2013
Messages
556
Sorry @entyrion, you did say that you're a sysadmin and a noob to network security? (Please excuse me, I have serious difficulties in understanding English).
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
Hi panz! No, the only thing I administer is my own home LAN, and my recent FreeNAS build is my first server, so up to this point, administering my LAN was rather straightforward; keep the router locked down, patch software holes as they come up, and don't be dumb. With the addition of FreeNAS to my home network, especially since I want to set up servers for Plex and ownCloud for example (and I'd like ownCloud to be internet-accessible), now all of a sudden I have to start thinking more like an administrator and ask security questions.

I'm just a hobbyist and a regular dude who built a FreeNAS box at home; the nuts and bolts of servers and network security are new to me. I'm happy to learn, but I want to make sure I'm not making some critical mistakes that will expose my data to substantial risk in the future.
 

panz

Guru
Joined
May 24, 2013
Messages
556
I suggest you study the good documentation at the pfSense site and forum and set up a machine with pfSense to act as a firewall to your own network.

pfSense is something like what FreeNAS is, but on the side of network security and firewall. You will find that a pfSense box with pfBlocker and Snort is one of the most secure firewalls you could ever find (it's based on FreeBSD too).
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
In a nutshell, what's the worst that could happen? If I do want to push forward with the ownCloud project, what steps can I take to enhance security while still allowing functionality to sync over the internet?
For me, the worst case is a hacker who takes control of your jail, and then is able to make new attacks on your private LAN and/or over the Internet from your jail, so from your ISP IP address.
As general rules, what I would recommend is (not exhaustive):
-use firewall as already said.
-use exclusively 'secure' protocols (ssh, https)
-be aware of the known vulnerabilities for the protocol you use, and take dispositions to limit them (setup the strongest way)
-manage and trust properly your certificates/keys
-use strong passwords
-use up to date jail ;)
-chroot your applications and give them the strict minimum permissions they need (the application you install potentially has some vulnerabilities)
-use up to date applications
-set up IPFW on your jail, and allow only the traffic needed (one more layer).

Keep in mind it's generally always possible for a good hacker to take control. But he is generally lazy (or incredibly motivated for some ideological reasons, or by the importance of the information you own, but that's generally not the case for a home user).
The goal is to discourage him, by increasing the difficulty to find a security breach.
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
Thanks to both panz and SmallGuy for your input! As an additional option to port forwarding to the jail, I have also been considering a) setting up a VPN to connect to the LAN to access ownCloud, or b) possibly using a separate machine such as a Raspberry Pi to host ownCloud... would using a separate physical machine, and port forwarding to that be any more secure than port forwarding to the jail within the NAS box?
 

joelmusicman

Patron
Joined
Feb 20, 2014
Messages
249
No. The security or lack thereof is 99% in your software (edit) and network configuration.
 

ser_rhaegar

Patron
Joined
Feb 2, 2014
Messages
358
If you go with panz's suggestion of pfSense, you can set up a VPN so you can connect to your home network securely and use ownCloud/Plex remotely. I do not use pfSense, but I do the exact same thing with my ASA.
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
So, I'm testing out how to configure IPFW on my Transmission jail/plugin and I have it working for the most part. NFS and Transmission itself are fully functional, but the plugin doesn't quite want to cooperate with the FreeNAS web ui anymore. Notably, the tree entry isn't there and the plugin entry says "off" although it's currently functional. These two logs note the problem:

Code:
Apr 17 23:04:11 freenas manage.py: [freeadmin.navtree:526] Couldn't retrieve http://192.168.0.102/plugins/transmission/1/_s/treemenu: timed out
Apr 17 23:04:16 freenas manage.py: [plugins.utils:92] Couldn't retrieve http://192.168.0.102/plugins/transmission/1/_s/status: HTTP Error 504: Gateway Time-out

I suspect that there are port(s) that I will need to open to allow manage.py to do its thing? I tried a couple including 92, 526, 80, and 443 in the jail with no luck. Which ports should be open to maintain GUI functionality for the plugin?

Also, as a side note, if/when I use the plugin's ez-mode update in the future, would it save these firewall settings (or any other custom settings for that matter), or will I need to reconfigure IPFW after an update?

Thanks!
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
As an update, I asked on the FreeNAS IRC channel and someone recommended that I use tcpdump to watch the traffic for each jail to try to figure this out. I managed to identify two ports that, when opened, allow the plugins to properly display and interact with the FreeNAS web interface: 15700 and 12346. I found that when trying to set up ipfw on multiple plugins, opening these ports on the first plugin will work, then you have to choose new port numbers for the next plugin. I simply incremented both by 1 for each subsequent plugin (e.g. 15701 & 12347 and so on).

Now that I have my firewalls up on all of my plugins, my next step is to set up the firewall on FreeNAS itself. I'll use tcpdump here too, but does anyone have any experience with what ports to leave open? I'm thinking http/https, ntp, smtp for system emails, nfs (which includes several ports), and the ports mentioned above for plugin web GUI integration... is there anything else I should be aware of? Any ports for network discovery or any other services that I'm missing?

Edit: I found these resources helpful with this process:
http://www.freebsd.org/doc/handbook/firewalls-concepts.html
http://knowledgelayer.softlayer.com/procedure/set-simple-freebsd-firewall-using-ipfw
http://www.freebsdwiki.net/index.php/Tcpdump
http://www.openmaniak.com/tcpdump.php
 

joelmusicman

Patron
Joined
Feb 20, 2014
Messages
249
That's some really good info! So in order to do the incrementing ports, do you need to create port forwarding rules?

Another thing I thought about was to set up a jail running an nginx server solely to forward requests to the individual jails, so instead of remembering 192.168.1.204:9091, it would be http://freenas-server.net/transmission, etc. Note that something like this would only resolve inside my LAN as I wouldn't have the name registered (or maybe I will in the future once I have everything hardened, SSL, etc).
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
Hi joel, other than setting up the ipfw rules to open the ports in the plugin, I didn't have to do anything else; FreeNAS sees and interacts with the plugins properly on its own (edit: or, at least I haven't found any bugs yet). Also, that's an interesting idea for nginx :)
 

joelmusicman

Patron
Joined
Feb 20, 2014
Messages
249
Also, have you tested jail storage shares created in the FreeNAS GUI to work with those settings?
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
Also, have you tested jail storage shares created in the FreeNAS GUI to work with those settings?

I have nfs shares created with the FreeNAS gui and mounted into the plugin jails (e.g. torrent "watched" and "downloaded" directories, etc) that work perfectly after I bound the nfs-related ports, then included them in the ipfw rules for each plugin. (I used this to get started: http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS)
 

joelmusicman

Patron
Joined
Feb 20, 2014
Messages
249
I have nfs shares created with the FreeNAS gui and mounted into the plugin jails (e.g. torrent "watched" and "downloaded" directories, etc) that work perfectly after I bound the nfs-related ports, then included them in the ipfw rules for each plugin. (I used this to get started: http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS)

That's one way to do it! I prefer to add the storage directly to the jail (using the gray folder icon on the "View Jails" screen) as I think it would result in a faster connection. Of course it's also possible that the network stack knows that the traffic is internal and never hits the NIC.

I was also reading through the ipfw page, and noticed that it has quite a few services listed (FTP, SSH, etc) that I wouldn't need. I'm assuming that you delete or comment those for jails that don't need those services and add the ports used by the services? With the exception of CrashPlan, I don't think any of my jails actually need their own SSH port open as I typically SSH into FreeNAS and then jexec into the jails.
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
That's one way to do it! I prefer to add the storage directly to the jail (using the gray folder icon on the "View Jails" screen) as I think it would result in a faster connection. Of course it's also possible that the network stack knows that the traffic is internal and never hits the NIC.

I was also reading through the ipfw page, and noticed that it has quite a few services listed (FTP, SSH, etc) that I wouldn't need. I'm assuming that you delete or comment those for jails that don't need those services and add the ports used by the services? With the exception of CrashPlan, I don't think any of my jails actually need their own SSH port open as I typically SSH into FreeNAS and then jexec into the jails.

Interesting, I haven't used that method to share storage between a jail and the NAS; I basically just used the same shares I set up for my desktop and created additional mount points inside each jail. I'll have to read up to confirm if my method was not the recommended one! Edit: It looks like I was confused. I reviewed the manual section 10.2.2.2 starting on p. 231, and this is the method I used to link storage between my plugin jails and the NAS itself... did you do something different? I think my confusion was in saying that I "mounted the shares into the jails" which is not entirely accurate; as the manual mentions, this process merely creates pointers to the data on the NAS. If this is the case, I may not need nfs ports open after all... I will test tonight to confirm if closing the nfs-related ports in the plugin jails has an impact on sharing with the NAS.

As to your question, yes, I just used that Softlayer page for the template really (I'm a noob and hadn't used ipfw or used a CLI to set up my own firewall before). I deleted or commented most of the standard services like ftp, ssh, and all that if the jail didn't need them and added new rules for things like nfs, or that particular plugin's web ui, etc.
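One way to implement the "allow only the traffic needed" item from SmallGuy's list and the per-plugin ipfw setup entyrion describes (the 15700/12346 plugin integration ports, the plugin's own web UI, and the NFS-related ports), as an added example that is not from anyone in this thread: the LAN prefix, the pinned mountd/statd/lockd port numbers and the DRY_RUN helper are my assumptions, and the rules use keep-state so the return traffic of the jail's own outbound connections needs no extra rules.

```shell
#!/bin/sh
# ipfw ruleset for a FreeNAS plugin jail, run inside the jail as root.
# DRY_RUN=1 prints the ipfw commands instead of applying them.

NAS_HOST="192.168.0.102"        # FreeNAS host address from the thread's log lines
LAN="192.168.0.0/24"            # assumed home LAN prefix
PLUGIN_CTL_PORTS="15700,12346"  # plugin/web-GUI integration ports found with tcpdump
WEBUI_PORT="9091"               # this plugin's own web UI (Transmission's default)
# 111 (rpcbind) and 2049 (nfsd) are fixed; mountd/statd/lockd are whatever you
# pinned them to on the NAS. The three extra values here are assumed.
NFS_PORTS="111,2049,4000,4001,4002"

fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipfw $*"
    else
        ipfw -q "$@"
    fi
}

jail_ruleset() {
    fw -f flush
    fw add 100 allow ip from any to any via lo0
    fw add 200 check-state
    # Connections the jail opens itself (trackers, peers, pkg upgrades) are
    # allowed out; keep-state lets the replies back in without extra rules.
    fw add 300 allow tcp from me to any out setup keep-state
    fw add 310 allow udp from me to any out keep-state
    fw add 320 allow icmp from me to any out keep-state
    # The FreeNAS host must reach the plugin control ports, otherwise the GUI
    # times out on /plugins/<name>/<id>/_s/status and shows the plugin as "off".
    fw add 400 allow tcp from "$NAS_HOST" to me "$PLUGIN_CTL_PORTS" in setup keep-state
    # The plugin's web UI is reachable from the LAN only, never forwarded.
    fw add 410 allow tcp from "$LAN" to me "$WEBUI_PORT" in setup keep-state
    # Only needed when the jail really mounts NFS over the network; jail storage
    # added in the GUI is a local (nullfs) mount and needs no network ports.
    fw add 500 allow tcp from "$NAS_HOST" to me "$NFS_PORTS" in setup keep-state
    fw add 510 allow udp from "$NAS_HOST" to me "$NFS_PORTS" in keep-state
    # Everything else inbound is logged and dropped.
    fw add 65000 deny log ip from any to any
}

case "$1" in
    apply) jail_ruleset ;;
    show)  DRY_RUN=1 jail_ruleset ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it with `show` first and compare the printed rules against a tcpdump of the jail before applying; for each additional plugin, change PLUGIN_CTL_PORTS to that plugin's pair (the thread increments both by one) and WEBUI_PORT to its UI port.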
 