Limiting access to TrueNAS server

chanklish

Cadet
Joined
Jan 19, 2023
Messages
6
Hello,
I am looking to physically limit access to my server according to a schedule by any of the following:
  • Disable and enable the network according to a schedule
  • Turn the server off and on according to a schedule
I am using an HP ProLiant ML350 G8 - is this possible to do through TrueNAS?
Thank you
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
I am looking to physically limit access to my server according to a schedule by any of the following:
Impossible to do things in the physical world through a software like TrueNAS. Well... maybe through a scheduled shutdown command in a cron job.... but you're saying physically, so that sounds more like unplug cables or move the server to a different place.
 

chanklish

Cadet
Joined
Jan 19, 2023
Messages
6
Impossible to do things in the physical world through a software like TrueNAS. Well... maybe through a scheduled shutdown command in a cron job.... but you're saying physically, so that sounds more like unplug cables or move the server to a different place.
You are right, but by "physically" I meant stopping access on the physical level and not by permission or ACL.
 
Joined
Jul 3, 2015
Messages
926
Limit access to what? The web-UI?, SMB shares?, NFS?, SSH?
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
TrueNAS is immune to ransomware.. it's called snapshots, you cannot just rewrite all content.. for data you really need to protect, just remove write access and have data being pulled to the server
 

chanklish

Cadet
Joined
Jan 19, 2023
Messages
6
TrueNAS is immune to ransomware.. it's called snapshots, you cannot just rewrite all content.. for data you really need to protect, just remove write access and have data being pulled to the server
I already have snapshots but I am still looking for something more extreme
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
[Image: 275p28c-1000x1000.jpg]
 
Joined
Jul 3, 2015
Messages
926
All of the above can be limited specifically within an internal network but simply turning your NAS off and on isn't really sustainable.

I would suggest you highlight the services you use/need, like WebUI and SMB for example, and explore how these services can be secured. WebUI for example can be secured within your internal network along with a password and also 2FA if you really want belt and braces. Scale goes one step further by essentially doing away with the only root login option. SMB access to data is controlled via permissions on your given datasets and sub-folders and, if you so wish, can also be limited to specific IP addresses.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
What in the world do you have that you are so paranoid? I'd imagine it's much much more incriminating than simple pr0n *ahem* I mean uh... Linux ISOs :rolleyes:

Anyway.... just uh.... turn it off when you don't need it.
 

chanklish

Cadet
Joined
Jan 19, 2023
Messages
6
I am CISM, CISA, CISSP, CEH, etc. I know the principles of securing data, etc. I help local NGOs pro bono with IT and I'm looking for the best "install and forget" solution. Small NGOs tend not to have IT or budget for any IT intervention.

I can schedule disabling Ethernet in Windows (Linux is out of the question as these people tend to be older with very little IT knowledge), and can schedule power down and use Wake-on-LAN for power ups, but I still prefer FreeNAS for its smaller overhead and no licensing.

I was thinking about an electric timer but this looked too crude.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
You could set up a scheduled/cronjob to shut the system down, and schedule a power-on timer in the BIOS/UEFI, or use IPMI/iLO commands to remotely power the server on; however, this isn't really protection against ransomware, as that would tend to be introduced by a user, who would probably be using their client system at the same time that the TrueNAS machine would be powered on and have its data accessible. Snapshots are part of a defense-in-depth approach to this.

Physical security is more than just having the system being unpowered, as the same tool suggested by @garm above to "disable network connections" could also be used to perform a rather direct "denial of service" attack on the server itself.
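
A sketch of the scheduled power control described in the post above, as an added example that is not part of the original thread or any poster's own script. It assumes the server's BMC accepts IPMI-over-LAN, that `ipmitool` is installed on a separate always-on host that runs the script from cron, and that the host name, account, password file and opening hours are placeholders. It only shows the mechanism; the post's caveat about ransomware still applies.

```shell
#!/bin/sh
# Added example: keep a server powered only inside a schedule window, driven
# over IPMI from cron on a separate always-on host. Every name and value below
# is an assumption or placeholder, not something taken from the thread.
BMC_HOST="${BMC_HOST:-ilo.example.internal}"     # placeholder BMC/iLO address
BMC_USER="${BMC_USER:-poweruser}"                # placeholder BMC account
BMC_PASSFILE="${BMC_PASSFILE:-/root/.bmc_pass}"  # password file, mode 0600
OPEN_DAYS="${OPEN_DAYS:-1 2 3 4 5}"              # ISO weekdays, 1 = Monday
OPEN_FROM="${OPEN_FROM:-0800}"                   # window start, HHMM
OPEN_UNTIL="${OPEN_UNTIL:-1800}"                 # window end, HHMM (exclusive)

# Strip leading zeros so "0800" compares as the decimal number 800.
strip0() {
    n=$1
    while [ "${n#0}" != "$n" ] && [ -n "${n#0}" ]; do n=${n#0}; done
    printf '%s' "$n"
}

# desired_state DOW HHMM: prints "on" inside the window, "off" outside it.
desired_state() {
    case " $OPEN_DAYS " in
        *" $1 "*) ;;
        *) echo off; return 0 ;;
    esac
    now=$(strip0 "$2"); from=$(strip0 "$OPEN_FROM"); end=$(strip0 "$OPEN_UNTIL")
    if [ "$now" -ge "$from" ] && [ "$now" -lt "$end" ]; then echo on; else echo off; fi
}

# plan_action WANT HAVE: prints the ipmitool sub-command to issue, or "none".
# An unknown HAVE (BMC unreachable) plans nothing rather than guessing.
plan_action() {
    case "$1:$2" in
        on:off) echo "chassis power on" ;;
        off:on) echo "chassis power soft" ;;   # ACPI soft-off, not a hard cut
        *)      echo none ;;
    esac
}

ipmi() { ipmitool -I lanplus -H "$BMC_HOST" -U "$BMC_USER" -f "$BMC_PASSFILE" "$@"; }

enforce() {
    want=$(desired_state "$(date +%u)" "$(date +%H%M)")
    have=$(ipmi chassis power status 2>/dev/null | awk '{print $NF}')
    action=$(plan_action "$want" "$have")
    if [ "$action" = none ]; then return 0; fi
    logger -t nas-schedule "window=$want power=$have action=$action"
    ipmi $action   # intentionally unquoted: splits into ipmitool arguments
}

# Cron on the always-on host (hypothetical path): */5 * * * * nas-schedule.sh run
if [ "${1:-}" = run ]; then enforce; fi
```

Because the script reconciles actual power state against the window every few minutes, a server powered on by hand outside hours is shut down again at the next run.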
 
Joined
Oct 22, 2019
Messages
3,641
I mean uh... Linux ISOs
It's always been about the totally legal Linux ISOs.

From a reputable news report[1] published in December 2022:
"[NAS owners] are enthusiastic about downloading, storing, and torrenting totally legal Linux ISOs 24/7 over an encrypted VPN. That makes up about 97% of home users with massive NAS storage."
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Hey, don't forget the FreeBSD ISOs!
Agreed. Quite frankly, I have more BSD ISOs actually (TrueNAS CORE, FreeBSD, GhostBSD, OPNsense). I'm also archiving PC-BSD/TrueOS. It's such a shame that project died because I'm actually a big fan of Lumina desktop.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
If you want to physically lock out access when the server is powered down you probably should look into encryption, with the caveat that you will need to manually input the password every time to unlock the system.

However I know very little about it so don't expect me to answer your questions; my knowledge is spotty, superficial and very limited.
 