
Best practices for securely accessing FreeNAS over the internet

Status
Not open for further replies.

qwertymodo (Member, joined Apr 7, 2014, 144 messages):
The two main reasons I am building my FreeNAS machine are for archive/backup of my important documents and to use it as "personal cloud" storage for files I may want to access from outside my home network, or on someone else's computer or public/lab computers. For the first goal, BTSync works great to silently and automatically back up my files without the NAS actually being publicly accessible, but for the latter I actually need to be able to access the NAS from outside my home network. Obviously, this opens up a whole new can of worms, and as I'm not an experienced sysadmin, I'm looking for some advice on best practices for securing myself, while still allowing myself access.

First of all, I have searched around and have found threads like this one, so I'm aware of the fact that FreeNAS is not designed to be connected publicly. However, what I'm not clear on is whether this means it shouldn't be made publicly accessible at all, or whether it simply means that it should be placed behind a dedicated firewall device instead of acting as its own firewall. So, I guess the best way for me to approach this is to just lay out what I'm hoping to do, and then ask for general advice on best practices in achieving it in a secure manner.


-I plan to have a small number of users able to access this NAS, each with their own user account. Mostly, it will just be me, but I want to allocate some space for a few friends and family members. Most likely no more than 5-10 users total. I may also include a guest account with read-only permissions to handle this particular situation.

-All of my users will be running Windows clients, so CIFS sharing would be nice, but if it's not possible to do it securely, that's okay. Personally I can live with SFTP or something similar, and my less-computer-literate family can stick with the OwnCloud interface.

-The bulk of my usage will be a combination of BTSync and OwnCloud, and I'd like the OwnCloud WebUI to be available publicly. I have my own domain name, so I'd like to be able to access OwnCloud as a subdomain on my domain.

-This will be hosted by a friend who is currently hosting several servers at his house. Obviously, I'll need to confirm with him what he has in terms of firewall, etc. but another consideration is that I won't have physical access to the machine. I won't want to expose the FN WebGUI to the internet, but I'll need some way of accessing it remotely. I'm assuming that can be done through an SSH tunnel?

-My board supports AES-NI, so I'll be using full-volume encryption. Not sure if that really matters from the standpoint of network-side security, but I figured I'd mention it.


Basically, I'm an experienced computer user looking at my first foray into hosting, without any real experience or training on that end of things. I understand this is a complex topic, I understand that I need to do my research, but I also understand there's a lot of bad advice out there from people who know more than me but less than they should. So yes, I've searched and I've read, but sometimes there's no substitute for an actual dialog. If you don't want to answer because this has been asked and answered a million times, nobody's forcing you to. If you do feel like answering, it would be greatly appreciated.
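
The SSH-tunnel route for the WebGUI raised in the post above, as an added example that is not part of the thread: a POSIX sh audit of the sshd_config settings that matter once port 22 is reachable from the internet, and the ssh invocation that forwards a local port to the WebGUI over that session so the WebGUI port itself never has to be forwarded at the router. The two sample configs, the user names, the host names (nas.friend.example, nas.example.net) and the port numbers are constructed for illustration; the keyword semantics (first occurrence wins, Match blocks are conditional) are OpenSSH's.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config before port 22 is
# forwarded to the NAS, then build the ssh command that reaches the FreeNAS
# WebGUI through that SSH session instead of exposing the WebGUI itself.
# The sample configs, user names, host names and ports below are constructed.

# Effective value of one sshd_config keyword (config text on stdin).
# sshd honours the FIRST occurrence of a keyword, and anything after a Match
# line is conditional, so the scan stops there. Prints "unset" if absent.
sshd_value() {
    awk -v key="$1" '
        /^[[:space:]]*#/                      { next }
        tolower($1) == "match"                { exit }
        !found && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Check the settings that matter once the port is reachable from the internet.
# Prints one line per finding and returns the number of findings (0 = clean),
# so a wrapper can refuse to open the port until the audit passes.
audit_sshd() {
    cfg=$(cat)
    n=0
    v=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v (want no: keys only)"; n=$((n + 1)); }
    v=$(printf '%s\n' "$cfg" | sshd_value ChallengeResponseAuthentication)
    [ "$v" = no ] || { echo "FAIL ChallengeResponseAuthentication=$v (want no: sshd defaults to yes, which still allows PAM password logins)"; n=$((n + 1)); }
    v=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=$v (want no: log in as a user, then su)"; n=$((n + 1)); }
    v=$(printf '%s\n' "$cfg" | sshd_value AllowUsers)
    [ "$v" != unset ] || { echo "WARN AllowUsers unset (list the accounts that may log in remotely)"; n=$((n + 1)); }
    return $n
}

# ssh command the remote admin runs from a trusted laptop: -N opens no shell,
# -L maps local port $3 to the WebGUI port $4 on the NAS's own loopback, so
# only 22 is forwarded at the router and the WebGUI port never is.
tunnel_cmd() {
    printf 'ssh -N -o IdentitiesOnly=yes -o PasswordAuthentication=no -L %s:127.0.0.1:%s %s@%s\n' "$3" "$4" "$1" "$2"
}

WEAK_CONFIG='# constructed sample: the second PasswordAuthentication line does NOT win
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
Subsystem sftp /usr/libexec/sftp-server'

HARDENED_CONFIG='# constructed sample: what the audit expects before port 22 goes public
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers qwertymodo
X11Forwarding no
Subsystem sftp /usr/libexec/sftp-server'

echo "== weak =="
printf '%s\n' "$WEAK_CONFIG" | audit_sshd || echo "$? finding(s): do not forward port 22 yet"
echo "== hardened =="
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd && echo "clean; tunnel with:" && tunnel_cmd qwertymodo nas.friend.example 8080 80
```

Run `audit_sshd < /etc/ssh/sshd_config` on the NAS before the port is forwarded. On FreeNAS the file is generated from the SSH service settings in the WebGUI (root login with password, password authentication), so change them there rather than editing the file, which is rewritten when the service starts. With the tunnel up, the WebGUI is reached as http://localhost:8080 on the laptop, and nothing but 22 is open at the friend's router. The audit is deliberately narrow: it reads the first occurrence of each keyword, as sshd does, and ignores everything after the first Match block.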
 

Rand (Neophyte Sage, joined Dec 30, 2013, 829 messages):
Have you considered simply setting up a VPN at your friend's place?
That should cover most use cases and circumvent the public accessibility.
VPN clients are available for nearly all types of devices.
 

qwertymodo (Member, joined Apr 7, 2014, 144 messages):
I've considered it, but the one use case it doesn't cover is wanting to access files from a computer that is not my own, such as the computer lab at school. Yes, I could run a "portable" VPN client, but I'd still have to carry my config and user cert with me on a flash drive or something. I do understand the increased risk of accessing my data on a "public" computer, like keyloggers or other malware, but that's an entirely separate matter altogether, and those specific risks are no different than the risks I take by logging in to any of my online accounts on those computers.
 

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages):
Frankly, anything except a VPN is a major security risk. If they get access to your server from an open port they'll potentially have access to every single machine on your friend's network. Yes, you might consider it to be inconvenient to have to carry around your VPN info. But weigh that against having your friend's network get pwned. THAT is an inconvenience!

So no, VPN or don't even think about it.

As for your comment about using your VPN on a public computer, you should NEVER be doing that. Your cert IS your encryption. Putting that on a public machine is just asking for trouble to start with. Just like online banking, you should never be logging into places that you want to keep secure from a public machine. EVER.
 

Rand (Neophyte Sage, joined Dec 30, 2013, 829 messages):
I've considered it, but the one use case it doesn't cover is wanting to access files from a computer that is not my own, such as the computer lab at school.
If you have a data plan use your phone to access @home via VPN then copy the files over via USB or Email them.
 

SmallGuy (Neophyte Sage, joined Jun 7, 2013, 560 messages):
If you have a data plan use your phone to access @home via VPN then copy the files over via USB or Email them.
And secure your phone properly! :D
(Think loss or theft, much more than the common 4-digit "protection".)
 

Rand (Neophyte Sage, joined Dec 30, 2013, 829 messages):
Yes, full encryption is useful, and don't use a pattern either ;) (let alone fingerprint :p)
 

qwertymodo (Member, joined Apr 7, 2014, 144 messages):
The only reason I don't have my phone fully encrypted anymore is because CWM Recovery still doesn't support decryption, despite the fact that TWRP has had it forever, and TWRP broke with CM11, so trying to run nightlies makes updating a complete PitA...
 

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages):
Yes, full encryption is useful, and don't use a pattern either ;) (let alone fingerprint :p)
I choose random numbers... like 1,2,3,4! Glad I'm secure.
 

qwertymodo (Member, joined Apr 7, 2014, 144 messages):
What a coincidence! My root password is *****!

Sent from my Galaxy Nexus using Tapatalk
 

DJ9 (Member, joined Sep 20, 2013, 183 messages):
There are no secure passwords on luggage. Snap On screwdriver for the win. ;)
 

qwertymodo (Member, joined Apr 7, 2014, 144 messages):
Having thought about it some more, the fact that I'm wanting to allow other people who are not on my local network to access this machine for storage, and who are also not necessarily the most tech-savvy, means that pretty much no matter what, I'm looking at a security risk due to the human factor. If I give VPN access to users who are not necessarily the most security-conscious, that's no better than public access anyway. I think the best bet may just be to keep the machine at my own home without any form of public access and stick with BTSync for my other users, which can operate behind my router and firewall. That way they still get automated backup/sync, just not the web interface, and I can still have all of the other bells and whistles for myself when I'm at home. I really would have liked to make that work, but I suppose it's probably for the best...
 