Register for the iXsystems Community to get an ad-free experience

Securely hosting remote replication server

Status
Not open for further replies.

SwisherSweet

Contributor
Joined
May 13, 2017
Messages
117
I am considering colocating a FreeNAS server I will purely use as an offsite backup server.

Since this server will be visible via public IP, I am concerned about keeping it secure.

Are there any published best practices to secure a server with this config?

For example, is an external firewall required? I prefer to not have that extra expense if there are other means of securing it.

If I use strong passwords, is the default FreeNAS config (9.3) secure? If not, are there particular steps one must take to lock it down?

I would need access only to web ui. Immediately that concerns me since I think that runs in http and not https.

I'll be using the built-in replication features for my remote backups.

Thank you.
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
FreeNAS is not designed to be Internet facing. You will require a firewall in front of it to protect it from the dangers of a public network.

Another option would be to use FreeBSD with a ZFS pool attached. You can still replicate to it and configure ipfw to block anything nasty.

ZFS replication happens over SSH, so it'll be recommended to run it on a non-standard port.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,070
I am considering colocating a FreeNAS server I will purely use as an offsite backup server.

Since this server will be visible via public IP, I am concerned about keeping it secure.

Are there any published best practices to secure a server with this config?

For example, is an external firewall required? I prefer to not have that extra expense if there are other means of securing it.

If I use strong passwords, is the default FreeNAS config (9.3) secure? If not, are there particular steps one must take to lock it down?

I would need access only to web ui. Immediately that concerns me since I think that runs in http and not https.

I'll be using the built-in replication features for my remote backups.

Thank you.
This can be done, but it is a complicated setup and the fact that you are asking the question indicates you don't have the expertise to implement this yourself. You might be better served to hire someone to implement this, but if you want to do it yourself, I will give you my recommendation.

If you want to do it all on one hardware device, you will need a fairly strong system to do all the things.
1. I would suggest running VMWare on the bare metal and pass the disk controller through to a virtual instance of FreeNAS that will handle the storage.
2. In another VMWare virtual machine, you can run a firewall application like pfSense to handle protecting your FreeNAS from raw internet traffic.
3. At your local site, also run a pfSense firewall and setup a VPN between the two so that the remote FreeNAS system can appear to be on the same network, local to you.
4. Once you have the VPN setup to the remote site, you will be able to remotely manage the off-site FreeNAS and backup to it just as if it were local except that the connection will be slower.

Be sure your VPN is secure at the endpoints with strong encryption and this should serve you well. It won't be cheap to implement and it is not simple.

I am sure there will be someone to suggest an alternative though. This is just what I thought up.
 
Joined
Feb 2, 2016
Messages
573
is an external firewall required?

You value your data enough that you're doing offsite replication? Yes, you need a firewall.

If I were you, I'd buy an off-the-shelf, pfSense firewall and create a VPN connection from the primary to the target. You can get one not much larger than a pack of playing cards for $150. It runs on 5V DC so you can pull power from a four-pin Molex connector on the replication server. It's small enough you could mount it inside the case. You could even use an internal USB header to connect to the device's console.

You could also run pfSense and FreeNAS as VMs but that requires a lot of time and skill to get configured correctly. It's also harder to explain to the folks at the colocation facility if you have problems. I'd much rather throw $150 at the problem, keep it really simple and be done.

Cheers,
Matt
 

Stux

MVP
Joined
Jun 2, 2016
Messages
4,248
This can be done, but it is a complicated setup and the fact that you are asking the question indicates you don't have the expertise to implement this yourself. You might be better served to hire someone to implement this, but if you want to do it yourself, I will give you my recommendation.

If you want to do it all on one hardware device, you will need a fairly strong system to do all the things.
1. I would suggest running VMWare on the bare metal and pass the disk controller through to a virtual instance of FreeNAS that will handle the storage.
2. In another VMWare virtual machine, you can run a firewall application like pfSense to handle protecting your FreeNAS from raw internet traffic.
3. At your local site, also run a pfSense firewall and setup a VPN between the two so that the remote FreeNAS system can appear to be on the same network, local to you.
4. Once you have the VPN setup to the remote site, you will be able to remotely manage the off-site FreeNAS and backup to it just as if it were local except that the connection will be slower.

Be sure your VPN is secure at the endpoints with strong encryption and this should serve you well. It won't be cheap to implement and it is not simple.

I am sure there will be someone to suggest an alternative though. This is just what I thought up.

Heh. This is exactly what I'm doing with my Node 304 build ;)
 

Slavik

Dabbler
Joined
Jun 6, 2016
Messages
39
I think people here over-complicate the issue.

Is you need the system just for backup, you can simply block all ports, except SSH on the OS level.
And for SSH, disable password authentication, and keep only SSH keys authentication.

That would make system as secure, as it gets.

Adding VMWare & VPN make the system more complicated, less reliable and less secure. ESX / VMWare itself has it's own security issues and is not recommended to be exposed on the Internet.

If you need secure access to UI, configure SSH tunneling for port 80. Easy. Secure.
 

SwisherSweet

Contributor
Joined
May 13, 2017
Messages
117
I think people here over-complicate the issue.

Is you need the system just for backup, you can simply block all ports, except SSH on the OS level.
And for SSH, disable password authentication, and keep only SSH keys authentication.

That would make system as secure, as it gets.

Adding VMWare & VPN make the system more complicated, less reliable and less secure. ESX / VMWare itself has it's own security issues and is not recommended to be exposed on the Internet.

If you need secure access to UI, configure SSH tunneling for port 80. Easy. Secure.

Thanks, this makes sense to me. What's more, I will only be accessing this server from one location, which has a dedicated IP addresss. Couldn't I simply leave the default FreeNAS config but all traffic except that from my IP? If so, isn't there a way to do this in FreeNAS or the BSD OS itself? As an alternative, I could rent a firewall from the ISP real cheap or buy one of those sweet little $150 appliances mentioned earlier.
 
Status
Not open for further replies.
Top