Which is better for remote access to FreeNAS?

[Windows7ge]

Some time ago I built myself my own home server running FreeBSD (FreeNAS). No matter what I've tried I cannot get public/private key authentication to work with any user I create unless I use it with root. At this point in time for my specific situation I don't believe it's possible and I'm tired of trying to get it working so I want to know:

 

Which is better in terms of remote access security?

 

Disable password login

Use public/private key authentication

Remote access via root user

or

Disable remote access for root

Use a regular password

Remote access via a new user I create (I've tested remote access with a created user using a password, it works)

 

I'll go with what the majority of the community recommends.

[Mikensan]

I wouldn't give access directly to freeNAS remotely. I would setup a jail and attach the datasets you want to access, and then connect to that jail. Or setup OpnVPN from your firewall or setup OpenVPN within a jail if you want access to the management interface / SSH remotely.

 

Both are bad options remotely imo. I'm willing to bet if you create a new user you're just going to put it in wheel anyway, so no difference if you were to use root right? So at least root with certs is more secure.. The login name will be sent cleartext in either scenario, so no difference.

[Windows7ge]

5 hours ago, Mikensan said:

I wouldn't give access directly to freeNAS remotely. I would setup a jail and attach the datasets you want to access, and then connect to that jail. Or setup OpnVPN from your firewall or setup OpenVPN within a jail if you want access to the management interface / SSH remotely.

 

Both are bad options remotely imo. I'm willing to bet if you create a new user you're just going to put it in wheel anyway, so no difference if you were to use root right? So at least root with certs is more secure.. The login name will be sent cleartext in either scenario, so no difference.

I've never considered using a jail for that. I don't need remote management just remote assess to my archive so if I can figure out how to do that it would be a viable option. Setting up the jail itself seems like a simple enough process from the WebGUI...not sure how to connect my vol to it.

 

Your bet is correct, my first attempt to get it working I put the new user in wheel. My second attempt I created a completely new group and added my new user to said group. It made no difference to anything. Although probably increased my security ever slightly if I'm understanding you correctly. "root with certs" What is certs? And clear text, makes sense if my traffic is actively being sniffed but if a bot scanning port 22 is trying to access servers I'd imagine getting off root would help my case. Just not sure if its worth it if I have to give up public/private key authentication. I do like your idea to add my dataset to a jail and remote into the jail. It would prevent a hacker from completely taking control of my NAS. They'd just have access to all my data if they got in...better than having both I suppose.

[Mikensan]

When I say certs I'm talking about the PKI / public key infrastructure. So keys/certs :-P

 

You could look at setting up owncloud as well, creates a dropbox like environment.

 

On the left navigation there's Jails, expand it until you get to your jail and you can "add storage" and chose what dataset you want to add.

[Windows7ge]

5 hours ago, Mikensan said:

When I say certs I'm talking about the PKI / public key infrastructure. So keys/certs :-P

 

You could look at setting up owncloud as well, creates a dropbox like environment.

 

On the left navigation there's Jails, expand it until you get to your jail and you can "add storage" and chose what dataset you want to add.

I see.

 

Eh, I prefer the complexity of both a CLI SSH session to my NAS and a SFTP client (WinSCP) when I need to download or upload files.

 

Well, I added a "new" drive (scrap drive I had laying around) and set it as the jails root.

Configured the jail with it's own IP & MAC address

Created a storage volume inside the jail

Mounted the storage arrays directory inside the storage config

Enabled the sshd service

started it and was promoted with a RSA key

Attempted to SSH into the jail under root and it prompted me for a keyboard authenticated password that I did not have. Tried making a new user with a known password and same issue. Was I suppose to write down that RSA key and use that as the password?

[LiMz]

I would never use password authentication.

Also your outward facing port shouldn't be 22 as that port gets sniffed often. (not as important but still beneficial)

 

generate an SSH Key pair on your client machine.

Password protect your public key

Copy your client public key into the ~.ssh/authorized_keys on your host machine.

Turn off password authentication on FreeNAS

 

Now all your traffic will be encrypted aswell as being much much more secure

 

[LiMz]

I have set my FreeNAS like this. And then I use a SOCKS tunnel to access my plugin config pages on my FreeNAS.

 

Are you using a Windows client machine? If you are I recommend bitVise, Although PuTTY will also work

 

[Windows7ge]

6 hours ago, LiMz said:

I have set my FreeNAS like this. And then I use a SOCKS tunnel to access my plugin config pages on my FreeNAS.

 

Are you using a Windows client machine? If you are I recommend bitVise, Although PuTTY will also work

 

I am using Public/Private key authentication (but it's under root) and the public key is password protected.

I am using a non-standard public port # (facing the internet) for my SSH sessions when using SSH via PuTTY or SFTP via WinSCP.

I disabled password authentication under root so if I attempt to connect to my public IP address (even when internal to the network) it prompts me: "Disconnected: No supported authentication methods available (server sent: publickey)" which is a good thing, that's what I want.

 

But is it OK to use this under root user? If it makes any difference I'm using SSH-RSA 2048-bits. Is allowing root access worth the drawback provided it's protected with public/private keys? I'd create a new user and do it but when I attempt it it rejects my key every time. Tried putting my dataset inside a jail but that resulted in a whole other ordeal that didn't work out. I know there's no way to make my NAS 100% secure if it's connected to the internet but I wanna do all that I can. (That doesn't involve building a pfsense box, I don't have the funds right now.)

[LiMz]

2 hours ago, Windows7ge said:

I am using Public/Private key authentication (but it's under root) and the public key is password protected.

I am using a non-standard public port # (facing the internet) for my SSH sessions when using SSH via PuTTY or SFTP via WinSCP.

I disabled password authentication under root so if I attempt to connect to my public IP address (even when internal to the network) it prompts me: "Disconnected: No supported authentication methods available (server sent: publickey)" which is a good thing, that's what I want.

 

But is it OK to use this under root user? If it makes any difference I'm using SSH-RSA 2048-bits. Is allowing root access worth the drawback provided it's protected with public/private keys? I'd create a new user and do it but when I attempt it it rejects my key every time. Tried putting my dataset inside a jail but that resulted in a whole other ordeal that didn't work out. I know there's no way to make my NAS 100% secure if it's connected to the internet but I wanna do all that I can. (That doesn't involve building a pfsense box, I don't have the funds right now.)

I use mine under root. I don't see why it's an issue. 

 

The only way someone is going to get in is if:

 

They crack your password protected private key. 

Connect to your nas with your ssh key pair.

Then copy their key onto your NAS.

 

OR

 

They get onto your local network and access your freenas Web gui via root.

Then open a shell and put their public key in. 

 

 

Both scenerios are highly unlikely. 

The first one would only be possible if your traffic was not encrypted.  If you're using key pairs your traffic is so no worries =)

[Windows7ge]

3 minutes ago, LiMz said:

I use mine under root. I don't see why it's an issue. 

 

The only way someone is going to get in is if:

 

They crack your password protected private key. 

Connect to your nas with your ssh key pair.

Then copy their key onto your NAS.

 

OR

 

They get onto your local network and access your freenas Web gui via root.

Then open a shell and put their public key in. 

 

 

Both scenerios are highly unlikely. 

The first one would only be possible if your traffic was not encrypted.  If you're using key pairs your traffic is so no worries =)

Nice, thank you. I'm not a target for anyone so I'm just trying to protect myself from amateur hackers and bots. Using my NAS's motherboards IPMI function (from within the network, I have not opened the remote management tools to the internet.) it shows me the NAS's activity in the CLI. A while ago I had two attempted accesses but ever since I implemented all these security measures it hasn't happened since. Is it accurate to say they were probably bots scanning port 22? Cause after switching to a random non-standard public port I haven't seen any attempted accesses outside of my own activity. Hopefully their aren't any bots using port scanners.

[LiMz]

Yup port 22 is famous.  My silly router can't have a different outward facing port so I'm stuck to using 22. But I know as soon as they try to access with password it throws an error that auth method isn't supported.

 

Once you have a tunnel in you can pretty much do anything. So i love ssh because if how flexible it is. 

 

Give bitvise a shot I'm sure you will like it. 

 

 

[Windows7ge]

14 minutes ago, LiMz said:

Yup port 22 is famous.  My silly router can't have a different outward facing port so I'm stuck to using 22. But I know as soon as they try to access with password it throws an error that auth method isn't supported.

 

Once you have a tunnel in you can pretty much do anything. So i love ssh because if how flexible it is. 

 

Give bitvise a shot I'm sure you will like it. 

 

 

Thank you for your help but I have one more question. Would you happen to know whether or not it really matters if I used the same port on both end or if I should use port 22 on the internal network?

Example:

Inbound port: 6000

Outbound port: 22 (Internal network from router to NAS)

or if it really does't matter if I were to just

Inbound port: 6000

Outbound port: 6000

The only drawback I see to this is if I start a web browser session and my browser just so happens to use to exact virtual port number as my NAS and potentially sends the connection from my router to the wrong device and I end up with a "Server not responding" or something along those lines. Closing the tab and starting over should result in a different port which should fix the issue should that ever occur, if it's even possible...probably not because the router would register the request with a specific MAC & IP address but who knows.

[LiMz]

@Windows7ge I would keep your internal number standard ie 22. One reason is the reason you stated, the other reason is quite subjective, I do some websites on the side and some plugins are hard coded into pointing to a specific port so when i fiddle with the standard port on my apache / mysql servers it breaks a lot of the time.

 

other times becuase i have changed the default port i have to remember it and specify it in the web address which is a headache sometimes.

 

I don't think it will be that much of an issue for SSH though. 

 

On the flip side I have a silly stock router from my ISP that can't have different Out/In ports for forwarding. both out/in have to be the same so in that case it may be useful to change the port.

 

in short: shouldn't make a diff for SSH, however if i were you I would leave the internal as standard

[Windows7ge]

16 hours ago, LiMz said:

@Windows7ge I would keep your internal number standard ie 22. One reason is the reason you stated, the other reason is quite subjective, I do some websites on the side and some plugins are hard coded into pointing to a specific port so when i fiddle with the standard port on my apache / mysql servers it breaks a lot of the time.

 

other times becuase i have changed the default port i have to remember it and specify it in the web address which is a headache sometimes.

 

I don't think it will be that much of an issue for SSH though. 

 

On the flip side I have a silly stock router from my ISP that can't have different Out/In ports for forwarding. both out/in have to be the same so in that case it may be useful to change the port.

 

in short: shouldn't make a diff for SSH, however if i were you I would leave the internal as standard

Thank you for the help, you were very informative.