Safe "backup" share for neighbours over the internet

aadje93

Explorer
Joined
Sep 25, 2015
Messages
60
So on FreeNAS, we had the option of scponly as the shell, so the user account could only use SCP/SFTP and had no access to the system whatsoever.

But now on TrueNAS SCALE, how would I set up a dataset from start to finish for sharing to Windows-using neighbour(s)? Setting up a VPN is of course an option with an SMB share, but the VPN could potentially interfere with their internet access, so I don't want trouble there (the VPN would be restricted in a VLAN to only the TrueNAS machine).

SFTP would be the easiest option, as there is software that can make a network drive from an SFTP share, so every backup program can use it.

Now, when I create a user, it can access the root directory of the system. I want to restrict the users to their own home directory. I created a dataset in the root of the pool, "neighbour storage", and then a dataset for each neighbour. But how would I restrict users to their own dataset, only allowing them file access through SCP/SFTP and nothing else, while not even being able to read the directories of "neighbour storage", so they can't see which other neighbours have storage reserved at my place for off-site backups?


(Yeah, we thought about making a LAN through all the houses, or using a Wi-Fi solution, but that didn't work out too great :+, and I want to make it future-proof so family from elsewhere in the country can access it too.)

On the firewall side, I know the IPs of said neighbours, so I can restrict SCP/SFTP to their specific IPs instead of the whole wide web.
 
Joined
Jun 2, 2019
Messages
591
Both CORE and SCALE support Nextcloud via plugins/apps
 

somethingweird

Contributor
Joined
Jan 27, 2022
Messages
183
It's possible to restrict SFTP users to their home directory. Just google "SFTP jail home directory", or something similar to that.
 
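The chroot approach this reply points at, as an added example that is not from the thread or from TrueNAS itself: an OpenSSH "Match" block that confines one SFTP-only user to a directory, combined with a source-address restriction along the lines the original poster wants, plus a check for the ownership and permission rules OpenSSH enforces on a ChrootDirectory (root-owned, not group- or world-writable, for the directory and every parent). The user name, path and address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes a Linux host with
# GNU stat (TrueNAS SCALE) and OpenSSH as the SFTP server.
set -eu

# Emit an sshd_config Match block for one user. Restricting on Address is an
# assumption taken from the OP's plan to allow only known source IPs.
# Usage: sftp_match_block USER CHROOT_DIR ADDRESS
sftp_match_block() {
    cat <<EOF
Match User $1 Address $3
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication no
EOF
}

# Pure rule check: OpenSSH refuses a chroot component unless it is owned by
# root (uid 0) and neither group nor other can write to it.
# Usage: chroot_mode_ok UID OCTAL_MODE   (mode as printed by stat -c %a)
chroot_mode_ok() {
    cm_uid=$1
    # Keep the last three octal digits; a leading sticky/setuid digit may be present.
    cm_mode=$(printf '%s' "$2" | sed 's/.*\(...\)$/\1/')
    [ "$cm_uid" -eq 0 ] || return 1
    cm_group=$(printf '%s' "$cm_mode" | cut -c2)
    cm_other=$(printf '%s' "$cm_mode" | cut -c3)
    for cm_digit in "$cm_group" "$cm_other"; do
        # Any octal digit with the write bit (2) set is rejected.
        case $cm_digit in
            2|3|6|7) return 1 ;;
        esac
    done
    return 0
}

# Walk from the chroot directory up to / and apply the rule to each component.
# Returns 0 only when every directory on the path qualifies.
# Usage: check_chroot_dir DIR
check_chroot_dir() {
    cc_path=$1
    while :; do
        [ -d "$cc_path" ] || return 1
        chroot_mode_ok "$(stat -c '%u' "$cc_path")" "$(stat -c '%a' "$cc_path")" || return 1
        [ "$cc_path" = "/" ] && break
        cc_path=$(dirname "$cc_path")
    done
    return 0
}

# Demo with constructed values (203.0.113.0/24 is a documentation range).
sftp_match_block neighbour1 /mnt/tank/neighbour-storage/neighbour1 203.0.113.10
if check_chroot_dir /mnt/tank/neighbour-storage/neighbour1; then
    echo "chroot directory ownership and modes are acceptable to sshd"
else
    echo "chroot directory missing, not root-owned, or writable by group/other"
fi
```

Because the chroot directory itself must be root-owned and unwritable by the user, the area the neighbour actually writes to is a subdirectory inside it (for example a "backup" folder owned by that user), which on TrueNAS can be the per-neighbour dataset mounted below a root-owned parent. A user confined this way cannot list the sibling directories of the other neighbours at all. After appending the block to sshd_config, `sshd -t` validates the syntax before the service is reloaded.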

aadje93

Explorer
Joined
Sep 25, 2015
Messages
60
Both CORE and SCALE support Nextcloud via plugins/apps
I was looking into that, but do I still get shadow copy working with Nextcloud? (Like in the event of ransomware, it's easy to roll back the data.)

It's possible to restrict SFTP users to their home directory. Just google "SFTP jail home directory", or something similar to that.
I prefer not to rumble around in the command line on a TrueNAS/FreeNAS machine, as it's highly advised not to do so. Only work from the web UI etc. Although we even get a shell in the web UI, I prefer a true web UI route. But I will look into Nextcloud for safe sharing.
 
Joined
Jun 2, 2019
Messages
591
I wasn't going to say anything at first, but you must really trust your neighbors (and family) not to place pirated or illegal material on your NAS.
The end result is you will be dragged into whatever legal issues they may have by hosting the material. Not to mention you would potentially expose your NAS and your own network to malware. Seems like a monstrously bad idea. I would tell them to buy their own NAS. You can offer to help set it up, but that is as far as I would go.
 

aadje93

Explorer
Joined
Sep 25, 2015
Messages
60
I wasn't going to say anything at first, but you must really trust your neighbors (and family) not to place pirated or illegal material on your NAS.
The end result is you will be dragged into whatever legal issues they may have by hosting the material. Not to mention you would potentially expose your NAS and your own network to malware. Seems like a monstrously bad idea. I would tell them to buy their own NAS. You can offer to help set it up, but that is as far as I would go.
Actually, thinking about that too now, I could make up a story that my provider doesn't like it anymore due to the data throughput, and that a NAS isn't that big of a deal. A small Synology DS2XX and two 4TB disks is plenty of storage for now.
 

somethingweird

Contributor
Joined
Jan 27, 2022
Messages
183
I prefer not to rumble around in the command line on a TrueNAS/FreeNAS machine, as it's highly advised not to do so. Only work from the web UI etc. Although we even get a shell in the web UI, I prefer a true web UI route. But I will look into Nextcloud for safe sharing.

Create a jail/container for SFTP and isolate it away from TrueNAS/FreeNAS. If you screw up the jail/container, just throw it away and try again, while keeping TrueNAS/FreeNAS safe. Personally, Nextcloud is a huge learning curve for me. Maybe I'm old school; I love my CLI.

Jails/containers should be cattle, not pets.
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
I was looking into that, but do I still get shadow copy working with Nextcloud? (Like in the event of ransomware, it's easy to roll back the data.)

You could do this by making a separate dataset for each user and assigning that storage area when you create their account in Nextcloud. Then, set up snapshots on each dataset through TrueNAS.
 

aadje93

Explorer
Joined
Sep 25, 2015
Messages
60
I will look into Nextcloud as a solution, seems really nice.

But is it safe to roll back a dataset snapshot with Nextcloud?
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
But is it safe to roll back a dataset snapshot with Nextcloud?

In the sense of catastrophic recovery, yes.

But, would that interfere with the Nextcloud software? Maybe.

I suspect not because it is already designed to read changing file information often, syncing with remote folders, etc. So, I think that even if you rolled back to different file states Nextcloud would see the differences and adjust the same as it would if you powered it down, changed some files in a folder it watches and then powered it back up.

Of course, this is something you could test up front to be sure.
 

aadje93

Explorer
Joined
Sep 25, 2015
Messages
60
It's more in case of ransomware; resetting the snapshot is pretty easy then, but I could of course make an SMB share from the snapshot locally and let them copy their data to a cleaned laptop.

Does Nextcloud encrypt the data too?
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
Yes. You can optionally enable encryption.

There are a lot of built-in security features, including geoblocker, password policy, suspicious login, two-factor authentication and ransomware protection.
 