Web Server - Secure way to do it?

pirateghost

> If you have a weak SSH password and someone brute forces their way into your NAS, they have access to all of your data and all of your jails. If you just expose SSH from the jail that runs the webserver and someone brute forces their way in, they're stuck within your jail and only have access to what you have allowed it to have access to.
He didn't say to expose the SSH service from the NAS to the world.....
 

Jailer

> Never, man. It is assumed that you only admin your NAS from a secure network. @danb35 knows what he is talking about and would never recommend someone open SSH to the internet.
Unless you're intending to start your own Chinese/Russian/Ukrainian private social network.
 

danb35

> @danb35 knows what he is talking about and would never recommend someone open SSH to the internet.
Thanks for the vote of confidence, but SSH is fairly safe to open to the Internet. Disable password logins, and disable root logins, and you're going to be pretty darn secure. But that said, you understood my assumptions correctly. @brando56894, if you have a web server in a jail, and you expose that jail to the Internet, there's no corresponding reason to expose the NAS to the Internet, and plenty of good reasons not to.
 

brando56894

> Thanks for the vote of confidence, but SSH is fairly safe to open to the Internet. Disable password logins, and disable root logins, and you're going to be pretty darn secure. But that said, you understood my assumptions correctly. @brando56894, if you have a web server in a jail, and you expose that jail to the Internet, there's no corresponding reason to expose the NAS to the Internet, and plenty of good reasons not to.

Exactly! And for added security change the port from 22 to something high, security through obscurity. I agree that it's pretty damn secure if you take the right measures, it's called secure shell for a reason haha
 

Robert Trevellyan

> change the port from 22 to something high
It's amazing how much difference this makes to the number of failed logins on a publicly visible SSH server. For a while I experimented with a backupsy VPS, with SSH on 22, and auth.log showed failed login attempts every few minutes, all day, every day. When I moved SSH to a different port auth.log went completely quiet - literally no activity.
 
Joined
Apr 9, 2015
Messages
1,258
> It's amazing how much difference this makes to the number of failed logins on a publicly visible SSH server. For a while I experimented with a backupsy VPS, with SSH on 22, and auth.log showed failed login attempts every few minutes, all day, every day. When I moved SSH to a different port auth.log went completely quiet - literally no activity.

Like I said before, moving things to non-standard ports when you are the only one using the service helps a ton. Everyone knows what the standard ports are and will try to mess with them; using a different port requires someone to scan EVERYTHING and then try and make a guess which service is on that open port. Does little good to try and connect to a non-standard port that is running an SSH server with a mail client; they just won't work together.
 

danb35

I guess I just don't see the issue. Why does it matter if the whole world is banging on your ssh server? If you're limited to public-key authentication (and there's no reason not to--even the free SSH client on my iPhone supports public key authentication), and you've blocked root logins, they aren't going to get in. I run a public-facing Linux web/mail server, and it does have SSH exposed on port 22, configured as I just stated. It also has Fail2ban running. I do see a number of blocked IPs due to failed logins, but that's to be expected.
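
An added example, not part of the original posts: a small Python check that an sshd_config text matches the setup described in the post above (no password logins, no root logins, public-key authentication on). The function names and sample configs are constructed for illustration; defaults are assumed to be upstream OpenSSH's, and Match blocks and Include files are not evaluated.

```python
import re

# Assumed upstream OpenSSH defaults; vendor builds (e.g. FreeBSD) may differ.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password",
            "pubkeyauthentication": "yes"}
# Older keyword that sshd still accepts as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Global keyword -> value, applying sshd's first-value-wins rule."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":      # conditional blocks are out of scope here
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)   # a later duplicate does not override
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return the ways a config deviates from the policy in the post."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password logins enabled")
    if s["kbdinteractiveauthentication"] != "no":  # PAM can prompt for passwords here
        findings.append("keyboard-interactive logins enabled")
    if s["permitrootlogin"] != "no":
        findings.append("root login not fully disabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public-key authentication disabled")
    return findings

# Constructed samples. In WEAK the second PasswordAuthentication line is ignored.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\nPubkeyAuthentication yes\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, including Include files and Match context, and is the authoritative check.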
 
Joined
Apr 9, 2015
Messages
1,258
If the ENTIRE world is banging on your ssh server in your home, it's pretty easy to be denied service. If a port is exposed and someone decides they want to be nasty and set up a DoS attack, you will be shut down till the attack stops. On top of that, if your ISP gets PO'ed they could determine that they are going to say you didn't follow their use rules and discontinue service. And who knows WHAT flaws may have already been found and not reported or will be found in the future in the SSH service.

And just because an IP address is blocked, it does not mean that the computer behind the IP can be stopped from causing problems. It is very possible for that person to get the idea that because you banned them they should retaliate in some way, at least till they get bored, and what will you do if they decide to let a botnet do the work and then leave it for a week?
 

asifuz

> I guess what I would do is use a jail for the web server and open the 80 port for this jail only. I don't see any other secure way to do this but I'd love to know more on this subject as I'll maybe need to put a web server on my NAS too.
....................................
I don't understand?????????? why you say many NAS website hosting threads "JAIL"........ is this really a crime???
Please let me know,,,, because I am going to build my public server and put my website into it,,,, and also doing some hosting for it.
 

danb35

Once again, please, in English, with some indication that you have at least a passing familiarity with what FreeNAS is and what it's used for.
 

Ericloewe

I think he's worried about possible illegalities, because the word "jail" gets thrown around so much? That's a new one, anyway.

For the record, it's a name. A metaphor for the software that is running in there - it's jailed, it can't hurt the rest of the system (ideally).
 