Freenas External Ip

Nowakkar

Cadet
Joined
Oct 27, 2020
Messages
4
Guys, I have FreeNAS installed on my PC without a VM. I can connect over my external IP from all of Europe to the FTP server, and my friends can too, but my friends from the USA can't.
Any clues? Thanks.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
If I were to allow access from an external IP address (and there would have to be a really good reason), I'd consider using an SSH service running on a non-standard port with a passwordless option. Ideally have a service auto-ban anyone failing more than 3 attempts for an hour+. Then tunnel in from there. But I don't really get the point of a FreeNAS on the internet.

IMO, the best use for that type of application is a small NAS like a Rpi + USB disk that you put out into the DMZ, harden as above, and if it burns down, oh well. As for FTP, it's possible, though unlikely, that a local ISP is blocking those ports. You might try using non-standard ports that don't arouse the usual suspicion.

I would NEVER use FTP for anything connected to the internet, however. Those passwords are going out in the clear, IIRC. You'd want to use SFTP as a minimum.
 

Nowakkar

Cadet
Joined
Oct 27, 2020
Messages
4
> If I were to allow access from an external IP address (and there would have to be a really good reason), I'd consider using an SSH service running on a non-standard port with a passwordless option. Ideally have a service auto-ban anyone failing more than 3 attempts for an hour+. Then tunnel in from there. But I don't really get the point of a FreeNAS on the internet.
>
> IMO, the best use for that type of application is a small NAS like a Rpi + USB disk that you put out into the DMZ, harden as above, and if it burns down, oh well. As for FTP, it's possible, though unlikely, that a local ISP is blocking those ports. You might try using non-standard ports that don't arouse the usual suspicion.
>
> I would NEVER use FTP for anything connected to the internet, however. Those passwords are going out in the clear, IIRC. You'd want to use SFTP as a minimum.

Only I know the login password and IP. In this case, am I also exposed to attacks on the Internet? I have FTP on port 21.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> No one knows my public ip.

The bad guys do. It's one of only 2^32 or so IPs, and you should be terrified that your IP is probably already in several of the numerous Shodan-type search databases that the bad guys run. Basically the way that this works is that when a vulnerability is identified, they can run a search and get all the "hosts that appear to be a FreeNAS" or "hosts that appear to be a Hikvision camera" and quickly run a remote exploit script against your IP.


etc
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Exactly.

IIRC, FTP sends the passwords in the clear so any compromised machine along the way will siphon off that info tout-de-suite.

Hence my suggestion to use SFTP or an SSH tunnel, and even then, on a non-standard port. Most hackers are lazy. But I'd still set up an autoban on anyone knocking unsuccessfully and also use passwordless SSH / SFTP for better security. Your computer either has the right RSA file to present to the SSH server or you don't even get to login.
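
The auto-ban rule suggested in this thread (more than 3 failed SSH logins earns a ban of an hour), as an added example that is not part of any post: a fail2ban-style check run over constructed sshd log lines. The 10-minute counting window, the ISO-timestamp log format and the function name `find_bans` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                    # from the thread: ban on more than 3 failed attempts
BAN_TIME = timedelta(hours=1)       # from the thread: ban for an hour (or longer)
FIND_TIME = timedelta(minutes=10)   # assumption: window in which failures are counted

# OpenSSH failure lines for password and public-key attempts (assumed syslog layout).
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed (?:password|publickey) for "
    r"(?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+")

# Constructed sample log: documentation address ranges, hypothetical host and users.
SAMPLE_LOG = """\
2020-10-27T10:00:00 nas sshd[801]: Failed password for invalid user admin from 192.0.2.50 port 51000 ssh2
2020-10-27T10:00:01 nas sshd[811]: Failed password for root from 203.0.113.7 port 40110 ssh2
2020-10-27T10:00:05 nas sshd[812]: Failed password for root from 203.0.113.7 port 40112 ssh2
2020-10-27T10:00:09 nas sshd[813]: Failed password for invalid user nas from 203.0.113.7 port 40114 ssh2
2020-10-27T10:00:14 nas sshd[814]: Failed password for invalid user ftp from 203.0.113.7 port 40116 ssh2
2020-10-27T10:05:00 nas sshd[820]: Accepted publickey for alice from 198.51.100.23 port 50022 ssh2
2020-10-27T10:20:00 nas sshd[830]: Failed password for root from 203.0.113.7 port 40200 ssh2
2020-10-27T10:30:00 nas sshd[840]: Failed password for invalid user admin from 192.0.2.50 port 51002 ssh2
2020-10-27T11:00:00 nas sshd[850]: Failed password for invalid user admin from 192.0.2.50 port 51004 ssh2
2020-10-27T11:30:00 nas sshd[860]: Failed password for invalid user admin from 192.0.2.50 port 51006 ssh2
"""

def find_bans(log_text):
    """Return [(ip, ban_start, ban_end)] for sources exceeding MAX_FAILURES within FIND_TIME."""
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    banned_until = {}               # ip -> end of the current ban
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if ts < banned_until.get(ip, datetime.min):
            continue                # source is already banned; do not count again
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > FIND_TIME:
            q.popleft()             # forget failures older than the counting window
        if len(q) > MAX_FAILURES:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
            q.clear()
    return bans
```

On the sample, only 203.0.113.7 is banned: 192.0.2.50 also fails four times, but its attempts are 30 minutes apart and never accumulate inside the counting window, which is the trade-off a short window makes against slow guessing.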
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> Login password and ip I only know if in this case

...along with anyone else who is on the network. FTP is a completely cleartext, unencrypted protocol.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> ...along with anyone else who is on the network. FTP is a completely cleartext, unencrypted protocol.

Ah, the lovely days of old, where you could debug almost all your production services with telnet.

I kinda miss that. But then again, we had well-run networks too, where abusers and spammers wouldn't be tolerated.
 

Nowakkar

Cadet
Joined
Oct 27, 2020
Messages
4
In that case I resign from public IP and return to my internal network. Thank you all for your answers.
 