I'm in love with FreeNAS. Unfortunately, over the last year I've become increasingly aware of the many security risks that seem to be overlooked by the community. I'm not saying that everyone is as security conscious as I am, but I find it somewhat staggering that the default out-of-the-box FreeNAS configuration leaves so many holes open for a would-be attacker.
When setting up file system permissions for my plugins I noticed that the method for FreeNAS to check status and change configuration for the plugins was via FastCGI bound to a large consecutive port number. At first I assumed this port was only accessible via the FreeNAS IP or something similar, but after some investigation I discovered that access to this FastCGI port was completely unrestricted.
In most cases this could prove to be a bit of an annoyance, as an attacker could send malicious commands to turn your plugins on or off, causing the administrator some headaches, but this unrestricted access could also be used to view or change the settings of any plugin installed on your FreeNAS system, something I personally view as an unacceptable risk.
To prevent this kind of access I've enabled ipfw rules for all the plugins that I'm running to only accept connections on that port from the FreeNAS IP.
I wish that the security woes ended there, but unfortunately they continue with many issues associated with how much unrestricted access is given to a single username/password combination for the WebGUI.
As far as I know the root user is the only one who has access to the WebGUI, with no method of allowing access for another user or disabling the root user altogether. Regular use of the root account is and should be strongly discouraged for any BSD or Linux based operating system, yet FreeNAS forces the use of the root user account.
It really baffles me, especially when out of the box FreeNAS does not encrypt access to the WebGUI, allowing transmission of the root password in plain text each time the root user logs in. In addition, my attempts to configure HTTPS access have left me with so many bugs it almost feels like the developers are ignoring them. With HTTPS enabled the WebGUI cannot acquire status information from the plugins, and adding new plugins or attempting to upgrade old plugins fails. Admittedly this is my personal setup and it might simply be a bug, but the truth is that for me at least HTTPS seems almost unusable.
Ultimately here is my request:
- A tiered permission system for access to sections of the WebGUI.
- Disable or discourage root access to the WebGUI.
- Enable HTTPS by default.
- Prevent shell access without login by default, both in WebGUI and console for FreeNAS and Jails.
- Rethink using FastCGI for plugin configuration and status or enable firewall rules to prevent remote access to the FastCGI ports.
- Enable ipfw firewall on FreeNAS install by default and only allow access for services and jails that are actively running.
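As an added example (not code from the original post or from the FreeNAS project), here is one way to do what the post describes for the FastCGI ports: find which listeners in a plugin jail are bound to every address, then emit ipfw rules that allow that port only from the FreeNAS host IP and drop everything else. The host IP, jail IP, port numbers, rule numbers and the sample sockstat output are all placeholders invented for this example; substitute your own values.

```sh
#!/bin/sh
# Added example: lock a plugin jail's FastCGI port down to the FreeNAS host IP with ipfw.
# All addresses, ports and rule numbers below are assumptions, not values from the post.

# List the ports a jail is listening on for all addresses ("*:<port>" in sockstat's
# LOCAL ADDRESS column). Reads `sockstat -4 -l` style output on stdin; prints one port per line.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { sub(/^\*:/, "", $6); print $6 }'
}

# Build the ipfw rules for one port. Arguments: rule base number, host IP, jail IP, port.
# Prints the rules without applying them, so they can be reviewed first.
fcgi_rules() {
    base="$1"; host_ip="$2"; jail_ip="$3"; port="$4"
    # Only the FreeNAS host may reach the FastCGI port inside the jail
    echo "add $base allow tcp from $host_ip to $jail_ip $port in"
    # Every other client gets dropped on that port
    echo "add $((base + 1)) deny tcp from any to $jail_ip $port in"
}

# Apply the rules for one port. IPFW can be overridden (IPFW=echo) for a dry run.
apply_fcgi_rules() {
    fcgi_rules "$@" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended here
        ${IPFW:-ipfw} $rule
    done
}

# Constructed sample of `sockstat -4 -l` output from inside a plugin jail (not real data).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      php-fpm    1234  0  tcp4   *:12345               *:*
www      nginx      1250  6  tcp4   192.168.1.20:80       *:*
root     sshd       567   4  tcp4   *:22                  *:*'

# Example run: every wildcard listener in the sample gets an allow/deny pair, rule numbers
# stepping by 10 so related rules stay grouped. Use IPFW=echo to preview instead of applying.
main() {
    base=1000
    for port in $(printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners); do
        IPFW=echo apply_fcgi_rules "$base" 192.168.1.10 192.168.1.20 "$port"
        base=$((base + 10))
    done
}

# Only run the demo when executed directly, not when sourced for its functions.
[ "${0##*/}" = "fcgi_ipfw.sh" ] && main
```

Run it with `IPFW=echo` first to review the rule lines, then without it as root on the FreeNAS host to apply them, and remember that ipfw rules do not survive a reboot unless you add them to a firewall script that is loaded at boot.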