Security considerations for internet access to web GUI

Status
Not open for further replies.

qwertymodo

Contributor
Joined
Apr 7, 2014
Messages
144
Ok, so I know the general consensus on WebGUI access via the internet is "don't", but I'm curious if it could be done reasonably with the right configuration. First of all, my FreeNAS box is behind a firewall, and I'm only opening up specific ports. I have SSH port forwarding set up on a non-standard port >20000 and I've never logged a single login attempt failure, where servers I've seen configured on routers forwarding port 22 would get >100 attempts per day. Would forwarding a non-standard port be enough to mitigate automated attacks against the WebGUI? Obviously, I would only be exposing HTTPS and not plain-text HTTP (I actually have my server set to HTTPS-only). Currently, I am using SSH tunneling and FoxyProxy to access the WebGUI remotely, but the frustrating thing there is that my SSL cert is issued by name only and not IP address, so I have to go through the extra hassle of ignoring the SSL errors caused by the name mismatch any time I try to access the machine remotely (actually, I have to deal with it at home too because I don't have split DNS set up and I'm using a CA-signed cert rather than self-signed, so it's issued for my public domain name).
 
Joined
Jan 9, 2015
Messages
430
Would you be willing to consider a VPN connection?
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
A few points:

Using non-standard ports will help, but it's just obfuscation and I wouldn't expect it to provide any lasting protection.

Using SSH tunnels is effectively a VPN in that you're hiding your services behind a secure connection. Basically, I trust that the SSH tunnel is going to be easier to keep up to date and secure than the FreeNAS web gui, especially if the tunnel is hosted in a jail or some other location that you can update independently.

Ultimately though, VPN is not a hassle. Mine is hosted on my router (OpenVPN is easy to configure using Tomato firmware (Shibby), but there are plenty of tutorials on getting it set up by hand) and also easy to connect to using 3rd party apps on Mac and iOS (I'm sure there are clients for Android and Windows too). Prior to having set up the VPN I had a variety of SSH tunnels and SSLH to allow connecting securely to a shell and the web gui; the VPN is far easier to maintain and access.

So in the end, I think it's possible to connect relatively securely without using a VPN, but I think it's easier and more complete to just use the VPN.

Why is it a hassle for you? Configuration? Network restrictions?
 

qwertymodo

Contributor
Joined
Apr 7, 2014
Messages
144
The problem with a VPN is that FreeNAS is the only machine capable of acting as the server (my router doesn't support dd-wrt or tomato), so I can't access IPMI if the server goes down, which is 99% of the reason I'd want to access it.
 

Andy Holmes

Dabbler
Joined
May 5, 2015
Messages
16
I've been working on getting remote access to my FreeNAS and I'm happy with what I've done so far, although it's only CLI.
I have forwarded a high port to SSH on a secure jail running on my FreeNAS, I've set up sudo, restricted SSH to a single user and also implemented Google Authenticator, so I have to verify my login with a code that changes every 30s as well as my user/password combo. Once in, I can SSH to my FreeNAS install.

For GUI access, I'm not sure, as I don't want to mess with the base install as it's probably frowned upon. However, if possible, I *could* install knockd and get it to apply a firewall rule that allows port 443 to be seen from a public network. Then, with an app, you could knock (send port connects to a set order of ports) and voilà, your web GUI would appear. With configuration you could get knockd to close the ports when finished or after a set length of time.
If this seems safe to do, I'll give it a try and let you know how I get on, if you wish.
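As an added example (not the poster's configuration and not the google-authenticator PAM module's code), the Python below implements the RFC 6238 TOTP check that sits behind the "code that changes every 30s" in the post above, plus the two server-side details a practitioner should insist on: a small window of adjacent time steps to absorb clock drift, and a refusal to accept a code for a time step that has already been redeemed (the module's WINDOW_SIZE and DISALLOW_REUSE options are the model for this; treating them that way is an assumption, as are the step, window and secret values). The secret is the RFC 6238 test key, base32-encoded the way an authenticator app stores it, and is constructed for the example.

```python
# Added example: an RFC 6238 TOTP check of the kind a Google Authenticator
# PAM setup performs. Not the module's code; the drift window and the
# reuse refusal are modelled on its WINDOW_SIZE / DISALLOW_REUSE options
# (assumption).
import base64
import hashlib
import hmac
import struct
from typing import Set

TIME_STEP = 30   # seconds per code ("changes every 30s")
DIGITS = 6       # what authenticator apps display

# RFC 6238 test secret ("12345678901234567890") in the base32 form an
# authenticator app stores; constructed for this example.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode an app-style secret, restoring the padding apps drop."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


class TotpVerifier:
    """Server side: accept the current step +/- `window` steps, each counter only once."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.key = decode_secret(secret_b32)
        self.window = window
        self.used: Set[int] = set()   # counters already redeemed (DISALLOW_REUSE)

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // TIME_STEP
        for candidate in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.key, candidate), code):
                if candidate in self.used:
                    return False   # replay of a code that was already spent
                self.used.add(candidate)
                return True
        return False
```

The reuse set is what turns a TOTP from "something that expires in 30 seconds" into "something that works exactly once": without it, a code sniffed or shoulder-surfed during the step (or the neighbouring steps the window admits) can be replayed until it ages out. In a real deployment that set has to live somewhere persistent per user, which is exactly what the PAM module's per-user secret file is for.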
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
I've always been intrigued by the idea of port knocking, but it's always seemed like too much of a headache to work with. I don't want to discourage any ideas, but I used to have my own custom setup involving sslh, stunnel, and nginx to get access to various services on my network and in the end a VPN has been far easier to build, manage, and use.
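As an added example (not knockd's code and not either poster's setup), the tracker below does in Python what a knockd-style daemon does with the SYNs it captures: it keeps each source's progress through a fixed port sequence, imposes a deadline between knocks, resets on any out-of-order knock, and opens the door for a limited time. It also gives one concrete answer to the "is this safe?" question from the knockd post above: an ascending sequence is completed by any scanner that sweeps ports in ascending order quickly enough, so the sequence should not be monotonic. The ports, timings and addresses are made up for the example.

```python
# Added example: a knockd-style port-knock sequence tracker. Not knockd's
# code; sequence, timeouts and addresses are hypothetical.
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass
class KnockState:
    progress: int = 0      # knocks of the sequence seen so far, in order
    last_seen: float = 0.0 # time of the last knock counted


class KnockTracker:
    def __init__(self, sequence: Sequence[int], timeout: float, open_for: float):
        if len(set(sequence)) != len(sequence):
            raise ValueError("knock ports must be distinct")
        self.sequence = tuple(sequence)
        self.timeout = timeout      # max seconds allowed between two knocks
        self.open_for = open_for    # seconds the port stays reachable afterwards
        self.states: Dict[str, KnockState] = {}
        self.opened: Dict[str, float] = {}   # src -> expiry time

    def handle_syn(self, src: str, dport: int, now: float) -> bool:
        """Feed one TCP SYN (source, destination port, time).

        Returns True on the knock that completes the sequence for `src`.
        """
        if dport not in self.sequence:
            return False   # the daemon only captures packets to the knock ports
        st = self.states.get(src, KnockState())
        if st.progress and now - st.last_seen > self.timeout:
            st = KnockState()   # too slow between knocks: start over
        if dport == self.sequence[st.progress]:
            st.progress += 1
        else:
            # Out-of-order knock resets; a hit on the first port restarts at stage 1.
            st.progress = 1 if dport == self.sequence[0] else 0
        st.last_seen = now
        if st.progress == len(self.sequence):
            self.opened[src] = now + self.open_for
            self.states.pop(src, None)
            return True
        self.states[src] = st
        return False

    def is_open(self, src: str, now: float) -> bool:
        """Would a firewall rule derived from this tracker still admit `src`?"""
        expiry = self.opened.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self.opened[src]   # close after the configured duration
            return False
        return True


def sequential_sweep_opens(sequence: Sequence[int], first: int = 1, last: int = 10000,
                           ports_per_second: float = 1000.0, timeout: float = 10.0) -> bool:
    """Simulate a scanner that hits every port once, in ascending order.

    Shows whether a plain sweep would accidentally complete the knock sequence.
    """
    tracker = KnockTracker(sequence, timeout=timeout, open_for=30.0)
    for port in range(first, last + 1):
        if tracker.handle_syn("203.0.113.5", port, (port - first) / ports_per_second):
            return True
    return False
```

The sweep check is the part worth keeping: (7000, 8000, 9000) opens for a 1000-port-per-second ascending scan, while (9000, 7000, 8000) does not, because the scan hits 7000 and 8000 before 9000 and the tracker has nothing to continue from. Knocking only ever hides the service from opportunistic scanning; it does nothing for someone who can observe the knocks, which is why the posts above still want SSH or a VPN in front of the web GUI.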
 

qwertymodo

Contributor
Joined
Apr 7, 2014
Messages
144
The other issue I have with VPN/SSH tunneling is that any time I'm at work there will be address conflicts with the subnet I'm using at home (10.1.0.0/24).

 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
I've only hit address conflicts once, but I'm planning to change my layout to avoid this in the future. You've got the whole 10.x.x.x address space, so pick a range that you're less likely to hit.
 

qwertymodo

Contributor
Joined
Apr 7, 2014
Messages
144
Yeah, but I don't feel like redoing my entire home network assignments again. Curse you, ipv4...

 