Security: How to Protect Against Hacking Attack?

Monkey_Demon

Explorer
This morning I signed into my FreeNAS 11.3 system and checked my Alerts. One recorded 20,145 SSH login failures. They came from various IP addresses and used many different usernames. So I'm assuming this was an attack.

Assuming this was a hostile attack, I'm posting this here to ask for advice on how to protect my system from further attack. The network is a typical home setup: ISP -> Cable Modem -> Linksys Router -> NAS. The NAS itself is not completely configured for production yet, but it's good enough that more pressing work has gotten priority over finishing the configuration. (I'll probably wait until TrueNAS is released.)

In the meantime, I turned off SSH and root logins under SSH. When I need to use SSH, I'll turn it back on. Ditto, if I need to log in as root.

Here are my questions:
  1. Can I save a copy of the Alert with all 20,145 failed attempts? How?
  2. What other steps should I take (on the NAS drive, the router, with my ISP, or with any other systems on the home network) to protect from future attacks?
 

John Doe

Guru
Why is the SSH port accessible from the outside?
Is it required?
Have you thought about putting OpenWrt or something else on the Linksys router to limit the CIDR range (geoblocking according to IP)?
 

Patrick M. Hausen

Hall of Famer
I.

1. Don't expose your NAS to the Internet.
2. Not even SSH.
3. No, just don't!

II. If you absolutely must - e.g. we have the Internet facing servers in our DC accessible for administration - I recommend these precautions:

1. Only expose SSH and nothing else.
2. Disable root login.
3. Disable password authentication.
4. Yes, both.
5. Create an unprivileged user with SSH public key authentication, make that user a member of the "wheel" group.
6. Login and use su - to become root.
7. With SSH locked down like this just ignore the constant knocks on the door.

III. Better than that for your home setup:

1. Use a proven VPN method to access your LAN and your NAS and back to I.
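An added example (not from this thread or from FreeNAS) that checks an sshd_config against the hardening steps in section II: root login off, password authentication off (which on FreeBSD also means ChallengeResponseAuthentication, the PAM keyboard-interactive path), and public keys on. The two sample config files are constructed; `AllowGroups wheel` is an assumption added to tie SSH access to the wheel user from step 5.

```shell
#!/bin/sh
# sshd uses the FIRST occurrence of a keyword (keywords are case-insensitive);
# a keyword that is absent falls back to the OpenSSH default.
# Keywords inside a "Match" block only apply to that block, so scanning stops there.

# effective_value FILE KEYWORD DEFAULT -> first uncommented value, or DEFAULT if absent
effective_value() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match"               { exit }   # global section ends here
        tolower($1) == key { print tolower($2); exit }  # first match wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config FILE -> prints each finding, returns 0 if hardened, 1 otherwise
audit_sshd_config() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)   # OpenSSH default
    pass=$(effective_value "$1" PasswordAuthentication yes)          # OpenSSH default
    chal=$(effective_value "$1" ChallengeResponseAuthentication yes) # PAM password prompts
    pub=$(effective_value "$1" PubkeyAuthentication yes)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root', want no"; rc=1; }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication is '$pass', want no"; rc=1; }
    [ "$chal" = "no" ] || { echo "ChallengeResponseAuthentication is '$chal', want no"; rc=1; }
    [ "$pub" = "yes" ] || { echo "PubkeyAuthentication is '$pub', want yes"; rc=1; }
    return $rc
}

# Constructed samples: a typical exposed config and the locked-down version.
TMPDIR_CFG=$(mktemp -d)
WEAK_CFG="$TMPDIR_CFG/sshd_config.weak"
HARD_CFG="$TMPDIR_CFG/sshd_config.hardened"
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups wheel
Subsystem sftp /usr/libexec/sftp-server
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CFG" || echo "NOT hardened"
echo "== hardened =="; audit_sshd_config "$HARD_CFG" && echo "hardened"
```

Run it against your own file with `audit_sshd_config /etc/ssh/sshd_config`; on FreeNAS the service settings in the UI regenerate that file, so apply the changes there rather than by hand.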
 

Monkey_Demon

Explorer
I.

1. Don't expose your NAS to the Internet.
2. Not even SSH.
3. No, just don't!

II. If you absolutely must - e.g. we have the Internet facing servers in our DC accessible for administration - I recommend these precautions:

1. Only expose SSH and nothing else.
2. Disable root login.
3. Disable password authentication.
4. Yes, both.
5. Create an unprivileged user with SSH public key authentication, make that user a member of the "wheel" group.
6. Login and use su - to become root.
7. With SSH locked down like this just ignore the constant knocks on the door.

III. Better than that for your home setup:

1. Use a proven VPN method to access your LAN and your NAS and back to I.
Thanks, Patrick. I'll try to implement as much of this as I can.

But what if you want to access the NAS from outside?
  • E.g., To access media with a Plex app while you're traveling?
  • Another E.g., to access your library of pdf books and articles while attending professional conferences?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
That's the exact use case for a VPN.
 

Patrick M. Hausen

Hall of Famer
I have no experience with Plex but I run Nextcloud in a jail with the media dataset mounted read-only. There's a media player integrated in Nextcloud's web interface - all good :smile:
 


Monkey_Demon

Explorer
Some further questions:
  1. I currently subscribe to NordVPN and presume they have a *nix app. But I don't understand how it would allow a server to be reachable with a separate IP address. My usage has always been trying to reach a URI via a domain server with communications being routed through a VPN server. If this kind of VPN service would work, can someone please explain how?
  2. Does this mean I'd have to run my own VPN server on the NAS drive? Again, unless it would know the IP addresses from which all remote requests would come, how would it distinguish illegitimate requests from legitimate ones?
  3. Regarding Plex-in-a-jail, mine is in a jail, but I believe the standard installation does not use a jail. (They may have changed this. But I use Plex Pass, so I can't use the standard installation in any case, so I wouldn't know.)
  4. Still, if a hacker cracked into the jail, wouldn't they still have access to the media Plex uses? If so, might they not pirate the media or access personal photos, etc.?
  5. How bulletproof are jails? I know they're supposed to be, but aren't they at least subject to DOS attacks? And if Plex used writable media storage, wouldn't it be at risk?
  6. Does this mean all other kinds of remote access, e.g. WebDAV, should be in their own jails?
  7. Remote access to WebDAV has to be writable for my applications. So if the jail were cracked, wouldn't all the data be at risk?
 

Patrick M. Hausen

Hall of Famer
I currently subscribe to NordVPN and presume they have a *nix app. But I don't understand how it would allow a server to be reachable with a separate IP address. My usage has always been trying to reach a URI via a domain server with communications being routed through a VPN server. If this kind of VPN service would work, can someone please explain how?
You are confusing two different services here that are named the same because the underlying technology is the same. In corporate IT this is called the "road warrior" scenario, in contrast to a permanent office-to-office connection: a mobile user connecting to resources at a fixed location, most of the time your office LAN. In most enterprise cases this also redirects your routing so all your Internet access goes through the VPN and out of your office firewall. This is the technology we are talking about.
Now NordVPN and other providers offer a service that lets you connect to their network via a "road warrior" setup so you are visible to the rest of the Internet as if you were at their location. Mostly used for privacy reasons or to circumvent geoblocking.

What we suggested you do is set up a VPN server at your home network and then connect to that by essentially the same technology you use with NordVPN. One of the most established and robust products would be OpenVPN, which can be run in a jail on FreeNAS. Although the best location to put a VPN server would be the router at home that you use for your Internet connection. You might want to check if your model supports anything like this.

Does this mean I'd have to run my own VPN server on the NAS drive? Again, unless it would know the IP addresses from which all remote requests would come, how would it distinguish illegitimate requests from legitimate ones?
Not on the NAS drive per se but on the NAS machine, yes. Or on your router.

Regarding Plex-in-a-jail, mine is in a jail, but I believe the standard installation does not use a jail. (They may have changed this. But I use Plex Pass, so I can't use the standard installation in any case, so I wouldn't know.)
I don't know what you mean by "standard installation". If you want to run additional applications on FreeNAS that do not come with FreeNAS out of the box, they always go into jails or VMs. You cannot install software on FreeNAS.

Still, if a hacker cracked into the jail, wouldn't they still have access to the media Plex uses? If so, might they not pirate the media or access personal photos, etc.?
Yes, of course. So the question is: is this Plex thing an application that is supposed to be Internet facing, i.e. reasonably hardened, audited and with regular updates? Is there a security check website by the vendor that lets you audit your installation?
I don't know. I do know an application that is supposed to be run like that and that's what I use: Nextcloud. For example here's their security audit tool: https://scan.nextcloud.com

How bulletproof are jails? I know they're supposed to be, but aren't they at least subject to DOS attacks? And if Plex used writable media storage, wouldn't it be at risk?
Well the jail itself I consider as bulletproof as software comes. It's technology that is 20 years old and constantly being worked on.
As for DoS attacks: there's not much you can do to protect a simple home line. I could flood your uplink and essentially cut you off the net if I knew your public IP address. I would not worry about that.

As for access: everything you put up for public access is at risk. There are different things one can do to mitigate that:
  • use a trustworthy application
  • encrypt the traffic - HTTPS and Letsencrypt make that easy nowadays
  • use strong authentication, SSH public keys, two factor authentication, ...
  • use multiple layers - no exposure at all, VPN connection first, then access to the services
  • only read-only exposure for public access, read-write from your LAN
  • ...
Does this mean all other kinds of remote access, e.g. WebDAV, should be in their own jails?
Remote access to WebDAV has to be writable for my applications. So if the jail were cracked, wouldn't all the data be at risk?
1. Yes.
2. And yes. If you use insecure software for DAV, your data will be at risk. That is really not rocket science. Nextcloud (I'm repeating myself) is a DAV service that is considered reasonably trustworthy. Or use a VPN ...

Summary: if you put up services on the public Internet you have the responsibility and need the skills of a professional system administrator (like I am) who does precisely this - run hundreds of customer servers on the public Internet for a living.

Kind regards,
Patrick
 