Web Server - Secure way to do it?

Clinderw

Explorer
Joined
Aug 11, 2013
Messages
96
I have been thinking about potentially moving my WordPress installation over to FreeNAS. My largest concern though is exposing stuff on my NAS to the internet that I don't want shared. I've done some preliminary research on pfSense and the forums here. It seems many suggest not doing it. Is there an intelligent, good way to do this that doesn't potentially compromise the NAS, or at least extremely minimizes the risk to it?

If there is already a thread that maybe I didn't find, please feel free to point me that way.

Thanks

Bidule0hm

Server Electronics Sorcerer
Joined
Aug 5, 2013
Messages
3,710
I guess what I would do is use a jail for the web server and open port 80 for this jail only. I don't see any other secure way to do this, but I'd love to know more on this subject as I'll maybe need to put a web server on my NAS too.

Clinderw

Explorer
Joined
Aug 11, 2013
Messages
96
That is my understanding of how you'd do it too, but forwarding ports is generally frowned upon based on what I've read on here. Looking to see if anyone has any suggestions to make it more secure or do this in an intelligent way.

I'm far from a networking expert; I'm trying to do research on pfSense too to see if that would assist in securing this.

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
A jail gets its own IP address on your network. When you forward a port to a jail, you are not touching the FreeNAS management IP.

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
You can do it but just make sure you do your research, LOTS of research, on how to properly secure and harden your installation. There's a lot more to it than just installing everything and throwing it behind a firewall.

DJ9

Contributor
Joined
Sep 20, 2013
Messages
183
If you're interested in just spinning up a server and playing around with things, I'd suggest trying DigitalOcean. Plenty of promo codes around so you can get 2 months free on the $5 plan. (Not associated in any way with these folks, just a happy customer.) https://www.digitalocean.com/

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Yeah but that takes all the fun and satisfaction of doing it yourself. ;)

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Yeah but that takes all the fun and satisfaction of doing it yourself
I guess that depends what you install on your droplet. If you just install a base FreeBSD system, then you can still have the "fun and satisfaction of doing it yourself", with the added benefit that there's no possible way for an attacker to hose your NAS. Or you can install LAMP/FAMP, or even WordPress, and have it mostly done for you.

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
I have been thinking about potentially moving my WordPress installation over to FreeNAS..... Is there an intelligent, good way to do this that doesn't potentially compromise the NAS, or at least extremely minimizes the risk to it?
Is your existing install with a hosting provider, or is it on a standalone machine on your LAN? If the former, then I would leave well alone. If the latter, moving it to a jail or a VM won't be any more risky, and has potential upsides, e.g. if it does get owned, you can revert it to a snapshot instead of restoring from backups.

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
If you're really serious about doing this, the guides on DigitalOcean are great.

If you want a FAMP stack with WordPress, follow these two guides: FAMP stack, WordPress

If you want a FEMP stack with WordPress, follow these two guides: FEMP stack, WordPress

brando56894

Wizard
Joined
Feb 15, 2014
Messages
1,537
I've done both FAMP and FEMP stacks on my NAS; I've just done it in a jail the way everyone above has suggested. Just follow simple security practices such as not running any services as root and enabling SELinux if you decide to use VirtualBox. Also I would suggest using a different root password for that jail than you do for all your other jails and your main system, or you could disable root SSH logins completely. I'd suggest setting up an Intrusion Detection System such as Snort just to make sure that no one is breaking in. I kinda got pissed off with some of the old packages available in ports and how long it took to install some things, so I decided to move my stack over to Linux running on an ODROID-XU4 ARM SBC and then have my NAS just do storage tasks/heavy lifting.

My LEMP/FEMP stack has been running for months and the only attacks I've seen were a day or two where I didn't have the stack configured properly and it was throwing 5xx errors, and some script kiddies decided to look for the setup scripts for WordPress and MySQL. It just made me laugh because they couldn't get to anything, because at that time I was only using it for reverse proxies and hadn't gotten around to configuring phpMyAdmin or any actual websites.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
or you could disable root SSH logins completely.
Or better yet, disable SSH completely--there's no need to have it running in the jail at all. If you do want it for some reason, public key authentication would be much more secure than basic passwords.
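An added example, not code from any poster in this thread, that turns the advice in brando56894's and danb35's posts above into something you can check: a small sh script that audits a jail's sshd_config for root password logins, password authentication, the PAM keyboard-interactive path (which keeps password prompts alive when only PasswordAuthentication is switched off), and disabled key auth, then writes a hardened copy. The keywords are standard OpenSSH options; the sample config and temp file paths are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): audit a jail's sshd_config for the
# weak settings discussed above and write a hardened copy. The keywords are
# standard OpenSSH options; the sample config and temp paths are constructed.

# Effective value of a keyword. sshd uses the FIRST uncommented occurrence,
# so stop at the first match; when the keyword is absent fall back to $3,
# the compiled-in default (which varies by OpenSSH version).
sshd_value() {   # $1 = config file, $2 = keyword, $3 = default
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
        END { print (seen ? v : d) }' "$1"
}

# Print one "WEAK: ..." line per finding. The defaults passed here are the
# pre-7.0 OpenSSH ones (PermitRootLogin defaulted to yes); newer releases
# default it to prohibit-password, which the check also accepts.
audit_sshd_config() {
    case "$(sshd_value "$1" PermitRootLogin yes)" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin lets root log in with a password" ;;
    esac
    case "$(sshd_value "$1" PasswordAuthentication yes)" in
        no) ;;
        *) echo "WEAK: PasswordAuthentication is on (brute-forceable)" ;;
    esac
    # With UsePAM yes, keyboard-interactive still prompts for the account
    # password even after PasswordAuthentication no, so it must go too.
    case "$(sshd_value "$1" ChallengeResponseAuthentication yes)" in
        no) ;;
        *) echo "WEAK: ChallengeResponseAuthentication is on (PAM password prompt)" ;;
    esac
    case "$(sshd_value "$1" PubkeyAuthentication yes)" in
        yes) ;;
        *) echo "WEAK: PubkeyAuthentication is off" ;;
    esac
}

# Number of findings, for scripting (0 means clean).
audit_count() { audit_sshd_config "$1" | grep -c '^WEAK:' || true; }

# Write $2 as a copy of $1 with the four keywords forced to key-only,
# no-root values. Existing occurrences are dropped so the forced lines are
# the first ones sshd sees.
harden_sshd_config() {
    {
        echo "PermitRootLogin no"
        echo "PasswordAuthentication no"
        echo "ChallengeResponseAuthentication no"
        echo "PubkeyAuthentication yes"
        awk 'tolower($1) !~ /^(permitrootlogin|passwordauthentication|challengeresponseauthentication|pubkeyauthentication)$/' "$1"
    } > "$2"
}

# Constructed sample: what a quick "turn on SSH in the jail" tends to leave.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
EOF
HARD_CONF=$(mktemp)
harden_sshd_config "$WEAK_CONF" "$HARD_CONF"
audit_sshd_config "$WEAK_CONF"

# On the real thing, run from the FreeNAS host against the jail's root:
#   audit_sshd_config /mnt/<pool>/jails/<jail>/etc/ssh/sshd_config
# or skip sshd in the jail entirely:
#   jexec <JID> sysrc sshd_enable=NO
```

The sample config reports three findings (root login, passwords, and the PAM prompt that is on by default); the hardened copy reports none. Keep in mind that a `Match` block in a real config can override these values for specific users or addresses, so read the whole file rather than trusting the first four lines alone.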

brando56894

Wizard
Joined
Feb 15, 2014
Messages
1,537
Yeah, I was going to say that, but you need a way to control the server, and the web console from the FreeNAS GUI sucks IMO. Keys would definitely be your best bet, but the only problem is you always need to have your private key available or else you're screwed.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
SSH to FreeNAS server, jls, jexec (JID# of jail) (desired shell). No need for SSH to be running inside the jail itself. Agreed that the shell from inside the web GUI sucks, but it is convenient to have it there if you just need to run a command or two (and you're already logged in to the web GUI).
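As an added example (not danb35's code or anyone else's from this thread), here is the host-side workflow just described as a small sh script: parse `jls` output to find a jail by hostname or IP, `jexec` a command into it, and map a path inside the jail to its location under the jail's root so config files can be edited from the host without any sshd in the jail. The jail names, addresses and paths are constructed; `jls` and `jexec` are FreeBSD tools and need root on the host.

```sh
#!/bin/sh
# Added example (not from the thread): manage a jail from the FreeNAS host
# as described above, with jls to find it and jexec to run a command in it,
# instead of running sshd inside the jail. Jail names, IPs and paths below
# are constructed; the columns are the FreeBSD jls default
# (JID, IP Address, Hostname, Path).

# Read jls-style output on stdin and print one field of the jail whose
# Hostname or IP Address equals $1. $2 picks the column: jid (default) or
# path. Prints nothing and returns 1 when no jail matches, so callers bail
# out instead of handing jexec an empty JID.
jls_field() {
    awk -v want="$1" -v col="${2:-jid}" '
        NR == 1 { next }                       # header row
        ($3 == want || $2 == want) && !found {
            found = 1
            v = (col == "path") ? $4 : $1
            print v
        }
        END { if (found) exit 0; exit 1 }'
}

# Run a command in the named jail. Needs root on the host; jexec is a
# FreeBSD tool. Examples:
#   jail_run wordpress /bin/csh               interactive shell
#   jail_run wordpress sysrc sshd_enable=NO   switch sshd off in the jail
jail_run() {
    _target=$1; shift
    _jid=$(jls | jls_field "$_target") || {
        echo "no jail matching '$_target'" >&2
        return 1
    }
    jexec "$_jid" "$@"
}

# Map an absolute path inside the jail to its location on the host, using
# the Path column, so files like /etc/ssh/sshd_config can be edited without
# entering the jail at all.
jail_file() {   # $1 = jail, $2 = absolute path inside the jail
    _root=$(jls | jls_field "$1" path) || return 1
    printf '%s%s\n' "$_root" "$2"
}

# Constructed sample of jls output from a host with two jails.
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     1  192.168.1.50    wordpress                     /mnt/tank/jails/wordpress
     2  192.168.1.51    plex                          /mnt/tank/jails/plex'

# The same lookups run against the sample, so they work on any system.
sample_jid()  { printf '%s\n' "$SAMPLE_JLS" | jls_field "$1"; }
sample_path() { printf '%s\n' "$SAMPLE_JLS" | jls_field "$1" path; }
```

On a real host, `jail_run wordpress /bin/csh` drops you into the jail and `jail_file wordpress /etc/ssh/sshd_config` prints the host-side path to edit. A jail with no IP address shifts the columns in `jls` output, so check the header on your own system before trusting the field positions.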
Joined
Apr 9, 2015
Messages
1,258
It is possible to install a firewall in the jail and only allow specific ports. The biggest thing I would do is only forward the one port needed to the box for access and not put the jail IP in the DMZ. If that's the only port forwarded, you really shouldn't need to worry about anything, including SSH. If this is for your own use you could even go as far as to use a non-standard port and forward that port to the jail as port 80. That way you could put in your home IP or Dynamic DNS name and a port to access the site (e.g. http://www.hereismyfunkydomain.dynamicdnshostname.com:56278) and it would be able to pull up your webpage for you or someone you give the information to. Kinda like how you can access Plex the same way with the 32400 port via HTTP from anywhere as long as the forward is in place, then just log in.

Even if you have SSH on, if the only port forwarded to the jail IP is 80 it will not work; the jail will be listening on a different port for the connection, so it plain should not work. While a port scan could show up the port, if you pick something that is high in numbers and not used by anything common I doubt anyone will bother even trying to check. Most port scanners are looking for some VERY common things running on default ports to attack. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

I set something up for my in-home use only, so it's just running on port 80 and without forwards it's all good. I will say the one problem I had (Drupal) was that it was a pain to try and figure out what packages needed to be installed to make it work correctly for even the basics. Once I set up the AMP stack I ended up doing a (pkg install drupal) so that all the other needed packages would be put in, and then just moved the Drupal files into the Apache folder so the site would be accessible and work. I searched for quite a while and could not find a list of dependencies that were needed, so I could serve an HTML page or the PHP page but the back end did not work.

You may also find that if you're doing this on a home connection that the standard port 80 is blocked. Some ISPs, in an effort to make sure you are not hosting a website or server, will block some common ports. http://www.cox.com/residential/supp...rticleId=cacf82f0-6407-11df-ccef-000000000000
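An added example, not from the poster above: the two firewall pieces that post describes, rendered as pf(4) rules by a small sh script. One function emits the gateway-side `rdr` that maps a high external TCP port onto the jail's port 80; the other emits a default-deny filter for the jail's address that passes only the listed ports, so sshd in the jail stays unreachable even when it is running. Interface names, the jail IP and the external port are constructed placeholders. pf loads its rules into the kernel of whichever system runs it, and a shared-stack jail has no firewall of its own, so this ruleset is written for /etc/pf.conf on the FreeNAS host or on a pfSense gateway.

```sh
#!/bin/sh
# Added example (not from the thread): render the firewall pieces described
# above as pf(4) rules. Interface names, the jail IP and the external port
# are constructed placeholders. pf runs in the kernel of the host or the
# gateway, so the output is meant for /etc/pf.conf there, not inside the jail.

# Gateway side: translate one non-standard external TCP port to the jail's
# port 80 and forward nothing else. $1 = WAN interface, $2 = external port,
# $3 = jail IP, $4 = port the web server listens on inside the jail.
render_gateway_rdr() {
    cat <<EOF
ext_if = "$1"
jail_ip = "$3"
# http://your.dyndns.name:$2 lands on the jail's port $4
rdr pass on \$ext_if inet proto tcp from any to (\$ext_if) port $2 -> \$jail_ip port $4
EOF
}

# Host side: default-deny toward the jail address on its interface, then a
# quick pass for exactly the listed TCP ports ($3 is "80" or "80, 443").
# pf applies the last matching rule unless a rule says quick, so the pass
# wins only for those ports; everything else aimed at the jail is dropped
# and logged, sshd included.
render_jail_filter() {
    cat <<EOF
jail_if = "$1"
jail_ip = "$2"
block in log on \$jail_if from any to \$jail_ip
pass in quick on \$jail_if inet proto tcp from any to \$jail_ip port { $3 } flags S/SA keep state
pass out quick on \$jail_if from \$jail_ip to any keep state
EOF
}

# Count pass-in rules in a rendered ruleset that admit the given TCP port,
# so you can confirm 80 is open and 22 is not before loading anything.
count_pass_for_port() {   # $1 = ruleset text, $2 = port number
    printf '%s\n' "$1" | grep -c "^pass in .*port {.*[ {,]$2[ ,}]" || true
}

# Syntax-check a ruleset on stdin with pfctl -n where pfctl exists (FreeBSD,
# pfSense; opening /dev/pf needs root); elsewhere report "skipped" rather
# than pretending the check passed.
check_ruleset() {
    _f=$(mktemp)
    cat > "$_f"
    if command -v pfctl >/dev/null 2>&1; then
        if pfctl -nf "$_f" >/dev/null 2>&1; then echo ok; else echo invalid; fi
    else
        echo skipped
    fi
    rm -f "$_f"
}

# Example: external 56278/tcp -> 192.168.1.50:80, and on the host only 80
# may reach the jail. Review the output, then load it with `pfctl -f`.
render_gateway_rdr em0 56278 192.168.1.50 80
render_jail_filter bridge0 192.168.1.50 80
```

The interface carrying the jail's traffic depends on how the jail is attached (a bridge, an epair or the host NIC), so substitute yours for `bridge0`. Note that the high external port only hides the service from casual scans; the `rdr` still hands every connection to the web server, so WordPress itself still has to be kept patched.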

brando56894

Wizard
Joined
Feb 15, 2014
Messages
1,537
SSH to FreeNAS server, jls, jexec (JID# of jail) (desired shell). No need for SSH to be running inside the jail itself. Agreed that the shell from inside the web GUI sucks, but it is convenient to have it there if you just need to run a command or two (and you're already logged in to the web GUI).

I would say that's ten times worse than just enabling SSH in the webserver because if someone finds a way in they have access to your entire NAS and not just the jail ;)

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I would say that's ten times worse than just enabling SSH in the webserver because if someone finds a way in they have access to your entire NAS and not just the jail ;)
What?

Please explain the logic behind that...

brando56894

Wizard
Joined
Feb 15, 2014
Messages
1,537
What?

Please explain the logic behind that...

If you have a weak SSH password and someone brute-forces their way in to your NAS they have access to all of your data and all of your jails; if you just expose SSH from the jail that runs the webserver and someone brute-forces their way in, they're stuck within your jail and only have access to what you have allowed it to have access to.