Fail2Ban or SSHGuard and Ports. I'm a bit confused.

Status
Not open for further replies.

UF8FF (Dabbler, joined Jan 16, 2016, 29 messages)

Hey everyone,

I just recently got my FreeNAS server up and running and so far everything is running well except for a few hiccups. But all in all, the forums have been a great help. I have all my burn in testing done and thanks to all the fantastic documentation here I have a working Plex server (mind you I will be erasing and starting over because I have a 5th drive on the way). I have noticed that port-scanners were trying to log into my server so I have changed to using SSH keys, disallowed password logins, and changed the port for SSH but I wanted to go a step further.

Now, I do want to say that I have read quite a few comments from users directed at other users like myself like 'why do you even have it open to the WAN' etc. etc. For me it's simply because I like to be able to change a few things here and there when I'm at work and don't have access. But I may set up a Raspberry Pi OpenVPN to help with this stuff. Regardless, I want to be able to wrap my head around the following, if just at the very least to understand why some things are working and why some things don't.

(https://forums.freenas.org/index.php?threads/hacking-attempts.1288/ and https://forums.freenas.org/index.php?threads/constant-hacking-attempts.11856/)

I looked into it and found that fail2ban seems to be exactly what I want so I followed a few tutorials, namely these ones:


and I am now extremely confused.

[strikeout]Firstly, whenever I try to use pkg install it usually can't find anything in the repositories. From what I am gathering that's because the USB stick that I'm running FreeNAS off of usually won't hold much in the /usr/ports folder, if anything at all. I figured pkg install would search freshports.org or another repository but it seems to only be searching local folders. Is this normal?[/strikeout]

  • So following the first guide I am not sure how to actually download the file other than just download it and then scp it to a folder.
  • In the first guide it specifically says we want to protect the entire NAS so we don't want to install it in a Jail -- but everything I read on the forums says otherwise.

After following the first guide it instructs you to reboot and run

service fail2ban start

That is all fine and dandy, but when I did that it told me that the service was not in /etc/rc.d/, so I manually moved it. It started, but it doesn't seem to actually be doing anything when I try to log in from another user. It obviously blocks me because I don't have the right public key, but I want it to lock me out.

This led me to FreshPorts. FreshPorts is even more confusing because in the sshguard file it says that to install you just change directory to ../ports/security/sshguard and then make install clean, but that can't happen because I don't have the ports on my machine locally, so do I have to find them from a git first and clone them? Should they be downloadable through a pbi or something? On OS X I'm used to finding things using apt-get or brew. Is pkg basically those but looking at local repositories instead of public ones?

I checked 13.2.2 in the FreeNAS documentation and that was about as clear as mud for me.

Thank you so much for your help. I'm sorry if I am so amateur that my questions just don't make sense. This is my first venture into server admin and as excited as I am to learn, it is so far quite the challenge but also so far damn fun.

UPDATE:
Now I understand why you can't do pkg install in the root of the boot drive -- the FreeBSD.conf file doesn't allow for it. So that clears up a LOT of what I was asking. I'm still confused though as to why fail2ban won't ban my IP even after following the instructions.
 
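An added example, not code from this thread or from fail2ban itself, showing the counting rule a fail2ban sshd jail applies (maxretry failures inside findtime seconds from one source), run over constructed sshd log lines in FreeBSD's /var/log/auth.log syslog format. It is useful for the "why isn't it banning me" question above: with password logins disabled and a rejected key, OpenSSH records a "Connection closed by authenticating user ... [preauth]" line rather than a "Failed password" line, so a filter that only matches the latter never reaches maxretry. The log lines, hostnames, addresses (RFC 5737 documentation ranges) and function names are all mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd entries as FreeBSD syslog writes them (no year in the stamp).
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Jan 20 10:00:01 freenas sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 20 10:00:03 freenas sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jan 20 10:00:05 freenas sshd[1236]: Failed password for root from 203.0.113.7 port 51141 ssh2
Jan 20 10:00:06 freenas sshd[1237]: Accepted publickey for nasadmin from 192.0.2.10 port 40000 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jan 20 10:00:09 freenas sshd[1238]: Connection closed by authenticating user root 198.51.100.4 port 50001 [preauth]
Jan 20 10:00:10 freenas sshd[1239]: Connection closed by authenticating user root 198.51.100.4 port 50002 [preauth]
Jan 20 10:00:11 freenas sshd[1240]: Connection closed by authenticating user root 198.51.100.4 port 50003 [preauth]
Jan 20 10:20:00 freenas sshd[1241]: Failed password for invalid user test from 192.0.2.55 port 33333 ssh2
"""

TIMESTAMP_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")

# Two kinds of failed-login evidence. The first is what password brute force produces;
# the second is what a key-only server writes when a client's key is rejected and the
# client gives up before authenticating. A filter matching only the first pattern would
# count nothing on a key-only server.
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    re.compile(r"Connection (?:closed|reset) by authenticating user \S+ (?P<ip>\S+) port \d+ \[preauth\]"),
]


def parse_failures(lines, year=2016):
    """Yield (timestamp, source_ip) for every line that matches a failure pattern."""
    for line in lines:
        ts_match = TIMESTAMP_RE.match(line)
        if not ts_match:
            continue
        stamp = datetime.strptime(
            f"{year} {ts_match['mon']} {ts_match['day']} {ts_match['time']}",
            "%Y %b %d %H:%M:%S",
        )
        for pattern in FAILURE_PATTERNS:
            hit = pattern.search(line)
            if hit:
                yield stamp, hit["ip"]
                break


def find_offenders(lines, maxretry=3, findtime=600, year=2016):
    """Return {ip: time_of_ban} for sources with >= maxretry failures within findtime seconds.

    Same sliding-window rule that fail2ban's maxretry/findtime jail settings express;
    bantime and the actual firewall action are out of scope here.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for stamp, ip in parse_failures(lines, year):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(stamp)
        while window and (stamp - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = stamp
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
```

Running it on the sample flags 203.0.113.7 (three password failures in five seconds) and 198.51.100.4 (three rejected-key disconnects), while the single failure from 192.0.2.55 and the successful key login from 192.0.2.10 stay untouched. Comparing the second regex against the lines your own sshd actually writes is the quickest check when a jail appears to do nothing.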

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)

FreeNAS is an appliance and isn't meant to be modified by end users, except through the GUI. It is not meant to have random apps installed as part of the base system. It's like your iPhone or Android. You don't get a root prompt in a terminal window. You can forcibly work around that, but it isn't designed for it and it may void your warranty. Package tools may not work on the base system because there's no need for them to work so there's no reason to think that the developers spent any time to make sure that all the little bits and pieces needed are there.

I have read quite a few comments from users directed at other users like myself like 'why do you even have it open to the WAN' and etc. etc. For me it's simply because I like to be able to change a few things here and there when I'm at work and don't have access.

You do not want to expose your NAS to the Internet. It has not been designed for that. There are almost certainly a variety of ways to attack an unprotected FreeNAS install, because the design of the system is focused on providing services to the attached networks. There's no particular reason to think that a huge amount of effort has been spent in securing the web portal or remote management API's, or that the various sharing protocols were designed to be secure in such a use, and as time passes and a NAS doesn't get upgraded, more vulnerabilities may appear. You only want to expose your NAS to relatively trusted networks.
 

Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages)

You do not want to expose your NAS to the Internet.
Still, a lot of people do access their NAS over the internet without problems. UF8FF has done the right things by using SSH keys, disabling password logon, and changing the SSH port. Unless the Chinese government comes after him he should be good I would think.

On a slightly different note, how would you NOT expose your NAS to the internet? I'm actually trying to learn here. The local network is connected to the internet, and the NAS is connected to the local network . . .
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)

UF8FF has done the right things by using SSH keys, disabling password logon, and changing the SSH port.
Yes, all of that's good--for SSH. Of course, SSH isn't a file-sharing protocol, file-sharing is what FreeNAS is designed to do, and protocols like CIFS, AFP, and NFS can't be as easily locked down. And, of course, there's the web GUI itself. So if the box is just out on the Internet (as opposed to, say, being behind a firewall with a single port forwarded through for SSH), all of those are exposed as well.
 

pirateghost (Unintelligible Geek, joined Feb 29, 2012, 4,219 messages)

On a slightly different note, how would you NOT expose your NAS to the internet? I'm actually trying to learn here. The local network is connected to the internet, and the NAS is connected to the local network . . .

There is a huge difference between outbound connections and inbound connections. By default NAT will only let packets back in that are responding to a connection initiated from the internal network.

NAT is not the best defense, or offense, but it is better than sticking the device bareback on the internet.
 

Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages)

Yes, all of that's good--for SSH. Of course, SSH isn't a file-sharing protocol, file-sharing is what FreeNAS is designed to do, and protocols like CIFS, AFP, and NFS can't be as easily locked down. And, of course, there's the web GUI itself. So if the box is just out on the Internet (as opposed to, say, being behind a firewall with a single port forwarded through for SSH), all of those are exposed as well.
But you can tunnel WebGUI access and file sharing through SSH.
Still, I need to really figure out what my router firewall is doing (Motorola SBG6580 firewall set to "low") - I'm clueless in that regard.
OP, sorry, this is probably not helping you much.
 

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)

Still, a lot of people do access their NAS over the internet without problems.

Of course. Any idiot should be able to do that. It's the doing-it-securely part that's a problem.

UF8FF has done the right things by using SSH keys, disabling password logon, and changing the SSH port. Unless the Chinese government comes after him he should be good I would think.

You'd think. But having port 80 (or 443 or the WebGUI on any other port) is a huge risk, plus exposing any of the other filesharing protocols - whether deliberately or accidentally - is really bad.

For example, what if you originally set up your filer to do NFS, carefully setting the allowed IP addresses, etc., to restrict things? Time passes. You then decide to enable CIFS. You forget that one side of the NAS is exposed to the Internet. Now all your files are potentially browseable on the Internet.

On a slightly different note, how would you NOT expose your NAS to the internet? I'm actually trying to learn here. The local network is connected to the internet, and the NAS is connected to the local network . . .

Your local network should have a firewall between it and the Internet. In the craptacular average case, this may only be a NAT gateway (what non-networking people refer to as a "router") but it could be a much more thorough device like a pfSense or Sophos box.
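An added illustration, not from the thread, of the distinction drawn above between outbound and inbound connections: a toy stateful NAT gateway in Python that passes an inbound packet only when it answers a flow a LAN host started, or when an explicit port forward exists (here a single forward for SSH, the setup mentioned earlier in the thread). Everything else from the Internet, including unsolicited traffic to the CIFS and web GUI ports, is dropped. The addresses, ports, class and function names are constructed, and port rewriting is left out so the state key can stay readable.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN host to Internet, "in" = Internet to the gateway's public IP
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy stateful NAT gateway (constructed for illustration, not a real implementation).

    Outbound packets create connection state. Inbound packets pass only if they match
    that state (a reply) or hit an explicitly configured port forward.
    """

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        # Explicit inbound exceptions: {public port: (lan_ip, lan_port)}
        self.forwards = dict(forwards or {})
        # (remote_ip, remote_port, public_port) -> (lan_ip, lan_port); no port rewriting,
        # so the LAN source port doubles as the public port (a simplification).
        self.state = {}

    def handle(self, pkt):
        if pkt.direction == "out":
            self.state[(pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
            return "pass"
        if pkt.dst != self.public_ip:
            return "drop"                       # not addressed to us at all
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.state:                   # reply to something the LAN initiated
            lan_ip, lan_port = self.state[key]
            return f"pass to {lan_ip}:{lan_port}"
        if pkt.dport in self.forwards:          # the one deliberate hole: SSH on a non-default port
            lan_ip, lan_port = self.forwards[pkt.dport]
            return f"forward to {lan_ip}:{lan_port}"
        return "drop"                           # unsolicited inbound: CIFS, web GUI, anything else


def walkthrough():
    """Run a constructed packet sequence through a gateway with only SSH forwarded."""
    nas, public = "192.168.1.50", "198.51.100.200"
    gw = NatGateway(public, forwards={2222: (nas, 22)})
    sequence = [
        Packet("out", nas, 40001, "203.0.113.9", 443),        # NAS fetches an update
        Packet("in", "203.0.113.9", 443, public, 40001),      # the reply comes back
        Packet("in", "203.0.113.9", 443, public, 40002),      # same host, wrong port: no state
        Packet("in", "198.51.100.4", 51000, public, 445),     # scanner probes CIFS
        Packet("in", "198.51.100.4", 51001, public, 2222),    # scanner hits the SSH forward
        Packet("in", "198.51.100.4", 51002, public, 443),     # scanner probes the web GUI
    ]
    return [gw.handle(p) for p in sequence]


if __name__ == "__main__":
    for verdict in walkthrough():
        print(verdict)
```

The only inbound packet that reaches the NAS without a matching outbound flow is the one aimed at the forwarded SSH port, which is exactly the surface the SSH hardening in this thread (keys only, no passwords) is meant to cover; the CIFS and web GUI probes never leave the gateway. Removing the forward (an empty forwards dict) drops the SSH probe too.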
 

UF8FF (Dabbler, joined Jan 16, 2016, 29 messages)

I'm on mobile right now so I'll be reading and responding at greater length later, but I do want to say two things:

1. Port 80 is absolutely closed off
2. I appreciate everyone in the thread. I'm not going to lie; I thought I was going to be laughed out with this thread! I appreciate the genuine answers and concern thus far!
 

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)

Well, after we tell you how dumb something is, we can usually move past that in good comfort "cuz you'ze been a-warned." It is in no way an endorsement of a poor choice of action.

Personally, I expect that anyone big enough to own their mistakes should be allowed to make them. :smile:
 