Suspected Hack - Need advice on security

Status
Not open for further replies.

therealpure

Dabbler
Joined
Jan 6, 2014
Messages
41
Hey all,

I have a freenas box set up with an HP Server. It has 2 x 2tb drives in it set up with ZFS.

I run FTP, Plex, CP, SB, Sab on it. I have a DynDNS setup through noip so I can access it over the web.

I came back home yesterday and a load of my files were gone. I mean totally gone, searched everywhere. I now suspect that the files have been deleted by someone accessing my server. I looked back in the logs that show the % of storage used and I can see around 2pm on Thurs this week the space on the drive started increasing (I assume when the files were getting deleted!). I'm a bit freaked out by this intrusion!

I believe I can't recover the files as I haven't set a ZFS snapshot. I do have some of the files backed up elsewhere but have lost a ton of movies.

What can I do?? Should I have a firewall set up, or how can I ensure access is truly controlled? There is only one user I have made on the freenas. I have now changed the passwords of both this user and root. I also have turned off DynDNS and FTP access for now while I try and secure the server.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
You shouldn't have freenas exposed to the internet for anything that allows inbound connections. What this means is don't port forward anything to your freenas box.
 

toadman

Guru
Joined
Jun 4, 2013
Messages
619
If you need to access the server remotely the best way to do it is over a VPN. Depending on your network setup there are several ways to configure one. That way you're not exposing FreeNAS directly to the net. (But you are exposing your VPN server.)
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
What SweetAndLow said. We keep telling people that forwarding ports is one of the stupidest things you can do if you want a secure setup. If the software that is forward-facing has some kind of vulnerability it's just a matter of time before you are pwned.

And it looks like you were pwned.

The crappy thing is that, unless you know how they got into your server and what they did and didn't have access to, your box may still be compromised. Whoops!

Welcome to the world of 'be secure or be sorry'.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
You should try to determine what the vector was.

Did the person come in on ftp? Check your logs in /var/log. I think there's one for ftp called xferlog or something.

Normally, (no offense), someone that makes the mistake you've made is going to find that understanding and setting up VPNs is a bit of a reach.

If you need FTP access, or something like it, I instead suggest you use SFTP via the SSH service, and use certificate authentication. You will find other posts on that in the forum.
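
The log check suggested in the post above, as an added example that is not part of the original thread: it summarizes an xferlog by client address, account and direction so deletions from unfamiliar addresses stand out. It assumes the standard xferlog field layout with deletions recorded as direction `d` (as in ProFTPD's xferlog format); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an FTP xferlog for deletions.
# Assumed layout: 5 timestamp fields, transfer-time, remote-host, size,
# filename, type, flag, direction, access-mode, username, service,
# auth-method, auth-user-id, completion-status (18 fields in total).
# Assumed direction codes: i = upload, o = download, d = delete.

# Constructed sample lines (documentation IP range, made-up paths).
sample_xferlog() {
cat <<'EOF'
Thu Oct  9 14:02:11 2014 0 203.0.113.45 0 /mnt/tank/movies/a.mkv b _ d r media ftp 0 * c
Thu Oct  9 14:02:12 2014 0 203.0.113.45 0 /mnt/tank/movies/b.mkv b _ d r media ftp 0 * c
Thu Oct  9 14:05:40 2014 3 192.168.1.20 734003200 /mnt/tank/movies/c.mkv b _ i r media ftp 0 * c
Wed Oct  8 20:15:02 2014 9 192.168.1.20 1048576 /mnt/tank/docs/x.pdf b _ o r media ftp 0 * c
EOF
}

# Read xferlog text on stdin and print one sorted line per
# "<remote-host> <username> <direction> <count>" combination.
summarize_xferlog() {
    awk 'NF >= 18 {
             host = $7           # client address
             dir  = $(NF - 6)    # counted from the end of the record
             user = $(NF - 4)    # account used for the session
             n[host " " user " " dir]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Read xferlog text on stdin and print "<remote-host> <count>" for every
# client that deleted files.
deletes_by_host() {
    summarize_xferlog | awk '$3 == "d" { print $1, $4 }'
}

# Demo on the constructed sample; on the NAS itself use:
#   deletes_by_host < /var/log/xferlog
sample_xferlog | deletes_by_host
```

Any rotated copies of the log that still exist can be decompressed and piped into the same functions. An address outside the LAN with a burst of `d` records around the time the free space jumped points at FTP as the entry point.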
 

therealpure

Dabbler
Joined
Jan 6, 2014
Messages
41
But what if I want Plex access over the net. I would need to port forward to do that right?


 

therealpure

Dabbler
Joined
Jan 6, 2014
Messages
41
So setting up VPN access to the freenas box is more secure?

My network setup is just my freenas box ethernet connected to my home router. I will have a look around to get some info about setting up a VPN on the freenas.

 

therealpure

Dabbler
Joined
Jan 6, 2014
Messages
41
Cheers for the reply. I checked that xferlog file and it just says

"
Oct 11 01:32:26 freenas newsyslog[1660]: logfile first created
"
Which is after all this happened.

I think SFTP sounds like a better idea; I will check that out. I've deactivated the port forwarding for FTP access now. I think it must have been via the FTP access that this all happened.


 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421

Having a port forwarded to a jail is safer than forwarding to your freenas box. The jail gets security updates and should have fewer services running, no ssh, no ftp and no apache. On top of that Plex needs only read access to your data. The only way to get in would be to find an exploit with the Plex service, which is unlikely (but probably will happen one day).


And for your other comment about ftp port forwarding. I think ftp does everything in the clear including your password and username so that should never be used outside of your LAN.
 

therealpure

Dabbler
Joined
Jan 6, 2014
Messages
41
Ok so if I port forward say port number 32400 to the freenas box and have plex on that it should be safer. No ssh or ftp access and hence my data will be safe.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
You could change the port to something other than the default but even if you didn't you are safe.

I use the UPnP so I get a port that is different than the default.

If you truly did have an intrusion I would look into reinstalling freenas and restore using a backup configuration file.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Plex has had a few security problems this year. In fact, one security problem was the result of an improperly made PBI (whoops).

UPnP is actually quite dangerous. Normally you want to control what does and doesn't get to forward ports. UPnP makes it open for any program that requests it. Sure, it's easy as ports are automatically forwarded. But it comes at great risk.
 