FreeNAS Console

[gainil]

Hi,

I am new to FreeNas, just installed/configured it successfully.

I found it weird that if you (or anyone) have physical/direct access to the FreeNaS server console, and press "9 - Go to Shell"/"10- Reboot"/"11- Shut Down", it performs the requested task MERELY with a confirmation of Yes or No. Should it not ask for a password before making any changes? - something like VMWare ESX/ESXi

Please correct me if I am wrong on this, as I am new and have not fully explored it.

Also it will be great, if some one have idea how to disable the FreeNas console, or to put it into secure mode.

Thanks in advance

 

[gainil]

Any solution for this?

Sorry, may be this is the wrong forum, pls can some one guide me ?

Thanks

 

[aghadjip]

looks like system ---> settings --> advanced ---> enable console menu can be disabled. maybe thats what you are looking for.

 

[Daisuke]

OP, enable SSH and use any console you like to interact with your box. That is what I do.

 

[jgreco]

or you can disable the console menu through a quick edit of /etc/ttys in the system image.

 

[gainil]

Hi

Yes, aghadjip, I am looking to disable the console

I didn't find the things you mentioned - "looks like system ---> settings --> advanced ---> enable console menu can be disabled"

Can you please tell me exactly how that can be done?

jgreco, can you tell me in details if it is possible to enable and disable console by editing the /etc/ttys ?

Thanks guys for your replies

 

[Josemr]

First: Security

I agree with the OP, anyone can reset even wipe out the entire data of your server if they have access to the physical console, I think that security is one of the most important department in any server operating system, however you can add some security regarding the Web GUI but that's not enough, since the physical console is accessible by anyone and that's a security issue, also I don't see any local console security options nor documentation to address this issue manually.


P.S. I just registered because I'm in the same boat of the OP.
I'm sorry for my English.
Best Regards!
José

 

[cyberjock]

Isn't there a design flaw in providing physical access to your servers if security is a concern?

If I can physically remove your disks then it really doesn't matter what "security" you have with a monitor/keyboard attached. I'll just take your drives and use them somewhere else where I can extract the data I need. There's no need to be concerned with a monitor/keyboard even being attached!

IMO you are completely ignoring the fact that if you are concerned about your data I shouldn't be able to walk up to the server and touch it.

 

[jgreco]

It's quite common in many environments. In particular, I've seen lots of academic environments where a room has been "modernized" to be a computer lab, but since the facility wasn't designed for it, there isn't a separate lockable closet or room for servers and networking gear. In many colocation centers, there's a security guard at the door who will verify permission to remove equipment and log such removals, but internal protection will typically consist only of fences and video cameras, and there are easily exploitable weaknesses.

Security is a complicated thing. It is worthwhile to note that most locks are designed to keep honest people honest, and that virtually no amount of security will keep a determined, well-resourced attacker from being successful against you. I like to explain physical security with the door analogy:

Think about a door. You can close your bathroom door and set the privacy lock, but any adult with a solid shoulder can break that door, or with a pin (or flathead or whatever your particular knob uses) can stick it in and trigger the unlock. Your front door is more solid, but if it's wood, and not reinforced, I'll give my steel-toed boots better than even odds against it. What? You have a commercial hollow steel door? Ok, that beats all of that, let me go get my big crowbar, a little bending will let me win. Something more solid? Ram it with a truck. You got a freakin' bank vault door? Explosives, torches, etc. Fort Knox? Bring a large enough army, you'll still get in.

Console logins are a completely reasonable level of defense for certain environments. Consider a small office where the fileserver might contain sensitive materials such as payroll data or the boss' e-mail. Do you really want to trust that someone with a little Linux experience isn't going to get curious, one night when they're working late, all alone, and go poking around and looking at files?

So, let me wind this up as follows:

You're RIGHT, in any environment where an adversary could accomplish goals via theft, securing the server from physical removal is a necessary step.

However, in some cases, theft of hardware is a trite goal, because hardware is worth relatively little, and alerts the victim of the event. In many cases, it is the information *on* the server that's of true value, and it probably isn't that hard for someone to come along, attach a USB drive, run a few commands through that unprotected console interface, and have a copy of your juicy data. Or, worse, log in, twiddle the FreeNAS database, adding an additional user who then has access to shares until either someone notices or the server is reloaded and reconfigured from scratch, which might be months or years of illicit access.

There's a reason that most gear offers the option to protect its console. FreeNAS definitely has the capability to do what we're talking about, by the way, there's just no WebGUI checkbox to cause it to happen. My previous suggestion in this thread is sufficient for people who find themselves with such needs. It would be kind-of nice to see FreeNAS support this though, it probably wouldn't be too difficult to add some logic in /etc/netcli to do this.

 

[Josemr]

Got it

There's a reason that most gear offers the option to protect its console. FreeNAS definitely has the capability to do what we're talking about, by the way, there's just no WebGUI checkbox to cause it to happen. My previous suggestion in this thread is sufficient for people who find themselves with such needs. It would be kind-of nice to see FreeNAS support this though, it probably wouldn't be too difficult to add some logic in /etc/netcli to do this.

You're right, there is a Console protection option through the Web GUI, disabling the Console menu makes the physical Console to ask for credentials, the documentation just need to be a bit more detailed so people with little or no experience on FreeNAS can understand it.

I apologize my previous statement in this thread due my ignorance and my poor research, I'm just waiting on the 8.3 Final :D

P.S. +1 for the no WebGUI

Best Regards!
José

 

[joeschmuck]

My point of view is there should be security build in but if you go that route then the hard drives need to be encrypted to be effective and here is why I say this...

FreeNAS is available to everyone. If I wanted to pry into a FreeNAS system then I'd just make a bootable FreeNAS USB drive or whatever media is being used in the subject machine and boot from it. Mount the pool and have at it. Once done I would put back the original OS and reboot. The only thing the logs would show is FreeNAS was shutdown and rebooted. If you wanted to make it look good, just pull the power on the computer and hope data isn't corrupt.

If the drives are encrypted and that password is locked inside the original FreeNAS OS, then even doing what I'm suggesting will discourage the normal person. A true hacker will get around this of course.

Physical security is really the only way to ensure someone doesn't have unauthorized access to your data, assuming there are no holes in the system software or setup of course.

In my situation I have my server located in the basement completely headless. Now I'm not storing secrets but it discourages my kids from looking at it. Heck, that would mean work, moving a monitor to the basement ;)

And this is just my opinion, nothing more.

 

[jgreco]

The problem with that point of view is that it really only covers a small subset of use cases.

As an obvious counterpoint, what about someone who does not have access to the physical machine but does have access to the console? It is very common to have gear with IPMI, external KVM-over-IP systems, serial console, etc. I've seen a number of businesses with locked, air-conditioned equipment rooms that bring KVM access into a more comfortable office space for IT to manage them.

While "the only thing the logs would show" for your basement setup might be that FreeNAS was shut down and rebooted, in many commercial environments, loss of a fileserver causes red flags, alarms, pagers going off, people coming running, etc. Your success rate in such an environment is likely to be low.

You think you can just stick a USB key in and make it work? Ha, ha, it's pretty common for professional installations to lock down a server platform pretty tightly. It won't just boot off any old random USB key. The military has taken to epoxying their USB ports, which may be a bit excessive... but maybe not. Anyways, on our servers, we can turn off the external USB ports, AND set the USB drivekey order to internal, AND make it real picky about what USB device it'll take from the bootup list, AND make it so you can't type on the console without entering a password that is enforced by the BIOS (not the OS!)... those HP ProLiant boxes are real bastards. The environment is totally different than what a home user with a consumer grade motherboard might be used to.

In any case, you've kind of missed the point here. As it stands, someone who can gain access to a FreeNAS console has access to the data contained within the filer. Encryption doesn't help at all; filesystems employing encrypted disks still present unencrypted files at the OS level, or they'd be useless. So if I can type on the console and go "cd /mnt/yourstuff/secret", then "ftp off.site.com" or "mount /dev/usbharddrive; cp * /mnt/usbharddrive" or just "mv * /mnt/yourstuff/public", that's all bad stuff that is made more trivial by not having a protected console. Encryption doesn't save you from those risks.

That's not to say that encryption can't help save you from some stuff - it can. It's just not really relevant to the issue at hand.

 

[joeschmuck]

It's probably my narrow view of what I'd think FreeNAS is for. I don't see any company actually using FreeNAS for it's servers. The risk it too high from both a security and stability stand point and no call in support for when it goes belly up. I can see a small startup business using it maybe but if it has customer information on it then the drives should be encrypted and not accessible without a password. And I see your points in the above posting with respect to security and why the console should be protected, it does make sense. I wonder if TrueNAS has a locked down console.

 

[gainil]

Thanks Josemr,

Disabling the Console Menu from Web GUI solved what I wanted :)

Reading all the posts, I would just say there is no harm in putting an option to increase the security of terminal. You just have to remember, "Its a mischievous world out there" :)

Thanks again

 

[Josemr]

I'm glad you solved your issue like I did :), thank you also for posting this thread, it cleared me few doubts about the terminal security, thanks to jgreco, however disabling the console menu should be automatically triggered(Locked) if you change the user and root password at the same time from the webGUI(For Security Reasons), also if anyone like to have the console menu enabled for easy use, but user/root password has been set, the console should ask for credentials if a menu option has been selected, this is a fundamental security basis, however this is a partial issue and has a workaround, but I hope the FreeNAS Dev Team will consider this, since this will make this software even more robust.

Regards!
SFME ;)
Jose

 

[cyberjock]

I'm glad you solved your issue like I did :), thank you also for posting this thread, it cleared me few doubts about the terminal security, thanks to jgreco, however disabling the console menu should be automatically triggered(Locked) if you change the user and root password at the same time from the webGUI(For Security Reasons), also if anyone like to have the console menu enabled for easy use, but user/root password has been set, the console should ask for credentials if a menu option has been selected, this is a fundamental security basis, however this is a partial issue and has a workaround, but I hope the FreeNAS Dev Team will consider this, since this will make this software even more robust.

Regards!
SFME ;)
Jose

You do know that if you forget your root password the only savior is the console? That's why it's not locked by default. For most of the people out there they don't even hook up a monitor or keyboard to it. If you disabled the console automatically that would be really bad for those few that forget their passwords.

Besides, FreeBSD seems to go with the thought process of NOT doing things automatically and leaving it up to the admin to do it if he wants it. I prefer this approach. The drawback is that if you don't know what you are doing you can really screw stuff up.

 

[jgreco]

It would be counter-intuitive for a password change in the GUI to trigger locking of the console. In general, those of us who are interested in security are going to be pretty good about wandering around and setting the various options appropriately, and the goal merely needs to be to make options available. A GUI checkbox to enable authentication on the console would be nice, and since authentication already works on the other vty's, it could be argued that this is halfway implemented. However, on a default system, if you disable the console menu without changing the root password, it isn't obvious how to "get in" since the root password is undefined. That said, there are no serious impediments to getting in to a FreeNAS system from the console as long as a reboot is acceptable. ;-)

 

[Josemr]

You do know that if you forget your root password the only savior is the console? That's why it's not locked by default. For most of the people out there they don't even hook up a monitor or keyboard to it. If you disabled the console automatically that would be really bad for those few that forget their passwords.

Besides, FreeBSD seems to go with the thought process of NOT doing things automatically and leaving it up to the admin to do it if he wants it. I prefer this approach. The drawback is that if you don't know what you are doing you can really screw stuff up.

It would be counter-intuitive for a password change in the GUI to trigger locking of the console. In general, those of us who are interested in security are going to be pretty good about wandering around and setting the various options appropriately, and the goal merely needs to be to make options available. A GUI checkbox to enable authentication on the console would be nice, and since authentication already works on the other vty's, it could be argued that this is halfway implemented. However, on a default system, if you disable the console menu without changing the root password, it isn't obvious how to "get in" since the root password is undefined. That said, there are no serious impediments to getting in to a FreeNAS system from the console as long as a reboot is acceptable. ;-)

You guys have a good point about that, intuitiveness and User interactions are much better than doing things automatically in most cases, even better when you have plenty of detailed options to Interact / customize with, sometimes I forget it ;)