HTTPS and SSH HELP!

[DOHM]

Hi,

I'm struggling to set-up secure access to my Web GUI. I think I should be using HTTPS and SSH, but I'm not really sure how to go about enabling them.

1. For HTTPS I simply enabled it in my Web GUI, but after that I don't really know what to do. I'm trying to understand how I'm supposed to make RSA Key And Cert Keys and have them signed so that a red x doesn't come up on my browser.

2. For SSH I would like to use a SSH Tunnel like shown in http://www.freenaskb.info/kb/?View=entry&EntryID=190 But where does creating a Host private key come in, and will creating this tunnel only allow my windows machine log onto the GUI?

Any walkthroughs or more info would be appreciated.

J

 

[pirateghost]

SSH has nothing to do with the webgui.....

you should spend some time reading the documentation instead of creating new threads all over the place.

 

[DOHM]

Thanks for the advice pirateghost...

I have done a lot of reading of the documentation but am still unable to fully understand how to secure access to my FreeNAS from the outside world.

This thread ,http://forums.freenas.org/showthread.php?1288-hacking-attempts/page2&highlight=block+access, gets at what I'm looking for.

Would setting up a public/private key with SSH allow only the user with the keys and a SSH client to log into the WebGUI as well as have access to my CIFS shares, or is there an easier way to allow only those within my private network access to the WebGUI.

I have enabled HTTPS and changed the web admin and root to different users with good passwords, as well as set-up different username and passwords for the the CIFS shares, as extra security for now.

The goal would be to not allow access to my WebGUI from anywhere but my private network. I haven't entered anything but the default settings in my Global Configurations Tab..mainly the IPv4 Default Gateway field.

Any patience would be appreciated.

 

[pirateghost]

by default, your shares and webGUI are ONLY accessible by your LAN. It appears you dont fully understand how NAT works. Unless there are ports forwarded and firewall rules in place, nobody from outside your internal network will see your FreeNAS box. If you have an IP address that falls in the LAN-only subnets, then you are fine.

no, setting up SSH with public/private keys will not do a damn thing for CIFS shares, nor will it do anything for the webGUI as SSH is for SSH/SFTP ONLY...

 

[DOHM]

I guess since I can access my WebGUI through my Iphone, on 3G, that my network has ports forwarded, firewall rules, and/or not a LAN-only subnet by default.

Thanks for your response.

I'll ask some questions to the network people.

 

[pirateghost]

What is the IP that your FreeNAS box has? Is it within a private space?

If every machine on the network has a public IP address, then there is nothing LAN there. If it is within a private subnet, then there is no way you can access it from outside the LAN

 

[DOHM]

It's a Public IP that my FreeNAS is on, and I don't have the "power" to change the IP. There's no other security measures I can run from the machine itself from people hacking in or bots trying brute force?

 

[pirateghost]

If all you have available is a public IP, there is no way in hell I would put ANY data on that network. Get a router and put your stuff behind a router.

 

[DOHM]

I'll pick up a router and see what it can do.

Thanks.