Jump to content

A short time ago I built myself my own Mini-ITX storage server.

 

ASRock 2750D4I

Integrated 8 core Atom processor

32GB Kingston ECC 1600MHz UDIMM Memory

64GB Samsung SSD for boot device

3x3TB WD Red drives in a raidz1 configuration for storage

A not appropriate Rosewill 400W desktop power supply (Because I had it on hand)

APC 680W MAX UPS

Running FreeNAS 9.3-RELEASE-p31

The entire system pulls around 60W idle. 70-75W under load.

 

About a week ago on a weekend during which time I know I wasn't accessing the storage array outside of my home I decided to enter the IPMI and remote manage the server. On the display their were some error messages stating "Failed Authentication Connection Rejected from IP: ###.###.###.###" (Not word for word what the display said, but it was along those lines.) I did not recognize the public IP's listed I decided to ping them. One of them out right failed but the other came back saying 232ms which  in comparison to other pings I've done tells me whoever tried to access my server was very far away. This spooked me a little so I've been increasing the security on my mini storage server. Things I've done so far include:

 

Disabled password login for root user under SSH advanced settings.

 

Am currently using public/private keys. People have recommended disabling root login completely which I attempted at first but the new user I created could not authenticate with public/private keys. It kept giving me server rejected key errors until I tried public/private keys under root user which then it worked without issue.

 

Changed from using SSH on the standard port 22 to a random virtual port using SSH, I'm aware that a port scanner would see around this very quickly but it's still one more thing to deter an attacker.

 

My home router has some questionable firewall protection although I don't really see what it's doing except for DDOS protection.

 

So far these are the things I've implemented to protect my server from unauthorized access. I've looked into programs such as Fail2Ban and DenyHosts but I have yet to find a solid installation tutorial, scrolling through the comment sections of these I see people complaining that they got stuck, something didn't start, or their server is still getting attacked. So...to sum this up, are their any other protection implementations I can do that don't involve buying a hardware firewall. Or are my current protection settings sufficient to deter amateur hackers and bots. 

Link to comment
https://linustechtips.com/topic/581439-freenas-server-security-question/
Share on other sites

Link to post
Share on other sites

a complex enough password will keep off any amateur hacker. lower case, upper case, numbers, symbols and at least 12 chars. this will protect from brute force or dictionary attacks.

You should look up how to fix your public/private key issue because root should NEVER be accessible from the wild. 

Computer Case: NZXT S340 || CPU: AMD Ryzen 5 1600 || Cooler: CM Hyper212 Evo || MoBo: MSI B350 Mortar || RAM Vengeance LPX 2x8GB 3200MHz || PSU: Corsair CX600 || SSD: HyperX Fury 120GB & 240GB || HDD: WD Blue 1TB + 1TB 2.5'' backup drive || GPU: Sapphire Nitro+ RX 580 4GB

Laptop 1 HP x360 13-u113nl

Laptop Lenovo z50-75 with AMD FX-7500 || OS: Windows 10 / Ubuntu 17.04

DSLR Nikon D5300 w/ 18-105mm lens

Link to post
Share on other sites

If you question the firewall and general intruders you may want to look into pfsense or openwrt, a dedicated pfsense box to run a gig or two network wouldnt be insanely pricey compared to that build. If nothing else I'm sure you can find away to get an email when some external user tries or access a port/local ip/device. 

32gb of ram, for 9tb of storage? 

 

                     .
                   _/ V\
                  / /  /
                <<    |
                ,/    ]
              ,/      ]
            ,/        |
           /    \  \ /
          /      | | |
    ______|   __/_/| |
   /_______\______}\__}  

Spoiler

[i7-7700k@5Ghz | MSI Z270 M7 | 16GB 3000 GEIL EVOX | STRIX ROG 1060 OC 6G | EVGA G2 650W | ROSEWILL B2 SPIRIT | SANDISK 256GB M2 | 4x 1TB Seagate Barracudas RAID 10 ]

[i3-4360 | mini-itx potato | 4gb DDR3-1600 | 8tb wd red | 250gb seagate| Debian 9 ]

[Dell Inspiron 15 5567] 

 

 

Link to post
Share on other sites

1 hour ago, Cryosec said:

a complex enough password will keep off any amateur hacker. lower case, upper case, numbers, symbols and at least 12 chars. this will protect from brute force or dictionary attacks.

You should look up how to fix your public/private key issue because root should NEVER be accessible from the wild. 

In FreeNAS Root is part of the group Wheel. I set up the new user in Wheel and gave him as much accessibility as possible and even assigned it as the owner of the storage array. Standard SFTP, and SSH via password worked fine with the new user but as soon as i tried public/private key authentication the server immediately rejected every attempt to connect. Kept saying private key rejected. I did some research as to why this keeps happening but to no luck as far as a solution. I think one forum had someone mentioning a similar issue and that it might be a bug so they submitted a bug report. I'll continue to search for a solution to that and when/if I find one I'll disable remote Root access and assign the new user.

Link to post
Share on other sites

1 hour ago, RedWulf said:

If you question the firewall and general intruders you may want to look into pfsense or openwrt, a dedicated pfsense box to run a gig or two network wouldnt be insanely pricey compared to that build. If nothing else I'm sure you can find away to get an email when some external user tries or access a port/local ip/device. 

32gb of ram, for 9tb of storage? 

 

I've thought about a pfsense box but it's not something I want to get into right away. Perhaps in the future but for now I have searched around the FreeNAS WebGUI for an intrusion reporting option but I haven't found anything yet that will send me an e-mail with a report of attempted accesses. I'm sure it can be implemented even if FreeNAS seriously doesn't have it as a programmable option but I don't have the knowledge to implement it myself.

 

As for the RAM. People said that FreeNAS likes about 1GB per TB of storage. When I was initially testing if FreeNAS would be a feasible OS to use on the server I had a old desktop computer with a 3930K and 64GB of UDIMM non-ECC 1866MHz memory (This was just a test, not a permanent solution in any way.) During the test I copied my full archive to the array I created using 3x2TB drives. When it finished copying the RAM utilization was 45GB out of 64GB. After building the server, copying all the data over and a few days of general day to day use RAM utilization is around 22GB out of 32GB at all times. (Unless I restart the server then it resets to 0GB or 500MBish for idle system operation.) Checking it right now I am currently utilizing 22GBs. So I have great headroom to have multiple users on it, make some jails, if I decide to implement a virtual firewall (of which I haven't the knowledge how) then I have the memory and CPU power to leverage that and according to what I've been told is when using FreeNAS is give it as much physical memory as you can because using swap files slows down the system dramatically.

Link to post
Share on other sites

When setting up public/private key login: some sshd versions are very strict about the permission level of your .ssh directory and .ssh/authorized_keys. Make sure they are writable only by the user (ie, chmod 755 .ssh; chmod 644 .ssh/authorized_keys). Unfortunately, my FreeNAS server is off right now, so I cannot test my hunch. I just know that this is something you must do on CentOS as the default is group writable as well.

 

Also, when changing the port, do not pick another obvious one. Ports 222, 2222, are 22222 are all too easy to guess. If somebody had already found your server on port 22 and suddenly cannot connect, they will just try using some of the other ones and continue their attack.

 

If you are worried about port scanners picking up your new random port, you might consider port knocking instead.

CPU Intel i7-7700 | Cooling Noctua NH-D14 SE2011 | Motherboard ASUS ROG Strix Z270F Gaming | RAM Corsair Vengeance LPX 3.6GHz 32GB | GPU EVGA GeForce RTX 3070 FTW3 Ultra Gaming |

Case Fractal Design Define R5 | Storage Samsung 980 PRO 500GB, Samsung 970 EVO+ "v2" 2TB | PSU Corsair RM850x 2021 | Display ASUS VP247QG + Samsung SyncMaster T220 | OS Garuda Linux

Link to post
Share on other sites

12 hours ago, CWP said:

When setting up public/private key login: some sshd versions are very strict about the permission level of your .ssh directory and .ssh/authorized_keys. Make sure they are writable only by the user (ie, chmod 755 .ssh; chmod 644 .ssh/authorized_keys). Unfortunately, my FreeNAS server is off right now, so I cannot test my hunch. I just know that this is something you must do on CentOS as the default is group writable as well.

 

Also, when changing the port, do not pick another obvious one. Ports 222, 2222, are 22222 are all too easy to guess. If somebody had already found your server on port 22 and suddenly cannot connect, they will just try using some of the other ones and continue their attack.

 

If you are worried about port scanners picking up your new random port, you might consider port knocking instead.

I'll take a look at your theory and try it out but I do have to mention that my experience with terminal/shell is rather limited I don't know all the commands to edit files via command line. I think vim "file name" lets me get into a file to make edits. I do suppose the amateur that I am with this kind of OS I could cheat, just SFTP in and use the included .txt file editor to make changes. I don't have enough experience with all the file directories to know what controls what so I don't know what settings will fix my issue. Back to google I guess.

 

The new port I'm using consists of a random not in any sequence of numbers port. It won't be easy for someone to randomly guess it.

 

Port Knocking, I'll look into it. However a port scanner isn't a huge concern of mine because I'm only looking to protect myself from the amateur hackers and bots. I know there's no sure way to lock down my NAS 100% without taking it off the Internet but since I'm not a target for anyone I'm willing to bet a kid or a bot wouldn't use a port scanner, even if that was the case I think they would have a difficult time trying to get around the public/private key authentication. However, if I can without breaking the bank or tearing my hair out lock down my NAS as much as possible I would like to.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×