Security of Remote FreeNAS Replication

[fricker_greg]

Hey all,

I have been running two separate FreeNAS systems,

A. Supermicro x9srh-7tf, 64 GB ECC, E5-1620 v2, 4tb wd red x 6 in single raidz2 with a few datasets that I wish to backup

B. Supermicro X10SDV-4c-TLN2F with 32 GB ECC ram, 4tb x 6 in single raidz3 with backup of the datasets from A.

They had both been in the same physical network and I completed the initial backup, then I moved one off site and am just now getting to where I am setting it up for remote backups.

What I have done now:
1) static IPs of NASes with different IPs
2)Dynamic DNS on each network's router ( a and b)
3) Initial backup

What I plan on doing:
1) remote replication task from A to B

Questions for you all
1) Are there any other security concerns that I need to be made aware of or precautions that I should be taking - I am a little concerned about opening this up to the web? Should I change the port and how do I do so?
2) is the standard encryption setting secure enough?
3) I plan on using plzip as my poor upload (8mbits / s) would be the limiting factor and I have the CPU power
4) I want to keep 3 months of snapshots on A and would like to keep 1 year of snapshots on B. To do this, do I uncheck "delete stale snapshots on remote system" and then establish my own rules for snapshots on the remote system? If I do that, how do I establish this as the snapshots are not being created on B and the only way I know to specify time to keep snapshots is in the dialogue where you indicate that you would like to make them x often

Thanks guys, the forums have been a great help for me when setting these guys up originally

 

[fricker_greg]

on point 1 - I did change my default port via router on outside and inside, so no problem here.

 

[fricker_greg]

I should also add that both boxes are 9.10.2-U5 and the initial replication was set up during 9.3 before the semi automated way to do it. I do currently have them syncing up but am just trying to make sure that I am doing this as securely as possible. All relevant servers and routers have strong passwords

 

[nojohnny101]

I'm sure others will have additional recommendations, but the only additional precaution I took was to make the public facing SSH port greater than 1200. This is not a necessary step but could cut down on the hits you get from bots scanning the most commonly used ports.

 

[fricker_greg]

Thank you. I didn't know exactly what to pick but avoiding commonly used ports, I went into the thousands.

 

[tvsjr]

IMO, this is what VPNs are made for. Technically, the encryption should be sufficient, but you're still leaving a service port open to the Intarwebz. I'd put a VPN between the two locations.

 

[fricker_greg]

So, how would that work? I have seen people make reference to this method before, but my use of VPNs has been one machine tunneling into the VPN then from there to the net. Would I sign up for a VPN service and then route a connection from A to VPN that is always on? How would I do this? Would I then have to have a connection from B to VPN and then how would I link them up at the VPN?

Apologies, I know my understanding here is lacking.

 

[fricker_greg]

I guess my other question is, since my zfs replication traffic is occurring via an encrypted SSH connection to a remote host that requires a specific key for connection to the remote port, is there a security benefit to using VPN? Currently, my ability to VPN into B's network is done via a VPN I have set up on B's router, so it is not that robust. Also, I use A for plex with external ports so that I can watch from afar and I use it as my main NAS at home, if I were to directly connect A to B's network by VPN then would I not loose that?

 

[danb35]

IMO, this is what VPNs are made for. Technically, the encryption should be sufficient, but you're still leaving a service port open to the Intarwebz.

...so instead of that, you have a different service port (the VPN port) open to the Innertubes. Either way, something's going to be open to the wide, wild Internet.

 

[tvsjr]

So, how would that work? I have seen people make reference to this method before, but my use of VPNs has been one machine tunneling into the VPN then from there to the net. Would I sign up for a VPN service and then route a connection from A to VPN that is always on? How would I do this? Would I then have to have a connection from B to VPN and then how would I link them up at the VPN?

No, you would configure a site-to-site VPN. Let's say you have 192.168.1.0/24 at site A and 192.168.2.0/24... a site-to-site VPN connects the two so they act like they're all local, even though the traffic is going over the Internet.

...so instead of that, you have a different service port (the VPN port) open to the Innertubes. Either way, something's going to be open to the wide, wild Internet.

True, but it's defense in depth... just another layer to stop/slow down any ne'er-do-wells.

 

[fricker_greg]

tvsjr, I see what you are saying, but it seems to me that the encryption of SSH and VPN would be similar as far as preventer ne'er do wells. I do appreciate your comments though.

For others reading the thread, what have you done when you set up remote zfs replication? Have you gone the VPN route or done the zfs replication over SSH route?

 

[tvsjr]

It probably is... VPN just adds another layer. In my experience, it's basically never that I want to run a single service between two sites, so it's worth the effort to have a tunnel between the two.

 

[fricker_greg]

gotcha, I understand. Thanks for the input.