Security best practices

carterstreet

Cadet
Joined
Apr 20, 2019
Messages
3
I recently had an attack. They wiped out all my FreeNAS datastores by deleting the storage and making a new one.

So, with all that said, how do I prevent this in the future? Any best practices?
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
I would have to assume that you've got a fairly weak root password then, and somehow got compromised inside your network. It's not outside the realm of possibility to have a fancy exploit in a sharing protocol give a remote attacker unauthorized login, but the most likely answer is "password wasn't strong enough."
 

carterstreet

Cool....thanks!! Does FreeNAS have something like fail2ban that blocks after too many failed attempts?
 

HoneyBadger

> Cool....thanks!! Does FreeNAS have something like fail2ban that blocks after too many failed attempts?

Not integrated by default unfortunately and the past iterations of feature requests have been closed as "nice to have but won't implement" - I believe the current way that it's done is to set up a FreeBSD jail, enable sshd there (as opposed to directly on the FreeNAS host) and install fail2ban there. Then you SSH to your jail IP, and again to your FreeNAS host.

Of course that won't stop someone trying to bruteforce the machine over HTTP(S), so have a strong password regardless.

I suppose you could pull the PBI installer from a matching TrueOS version (also made by iXsystems and is the base OS that FreeNAS is now built on, IIRC) and install that - but you'd be completely on your own as far as it continuing to work post-update. Someone made a thread about doing that on 9.x here:

https://www.ixsystems.com/community/threads/howto-install-file2ban-on-freenas-9-x.16170/
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi Carter,

As an appliance, FreeNAS is designed for storage first. It relies on the infrastructure around it for its security. As such, deploying an actual firewall instead of a NAT-ing router can help a lot.

HoneyBadger got a major point right. Weak passwords are easy to exploit, and they are a very common intrusion channel.

So much so that you would be better off not using one when you can avoid it. For that, you would be better off reconfiguring SSH to require a crypto key instead of a password.

For the Web interface, I put mine behind HAProxy and HAProxy requires a client-side certificate for letting anyone access the WebUI. This is more advanced, but also very robust.

But in the end, you just received another proof of how important backups are....

Have fun hardening your server,
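
Added example, not part of any post in this thread: a shell check for the SSH advice above (key instead of password, and no password login for root). It reads the effective settings that `sshd -T` prints and reports anything that still lets a password through; the function name `audit_sshd` is hypothetical and both sample inputs are constructed.

```sh
#!/bin/sh
# Reads "keyword value" lines (the format of `sshd -T`) on stdin.
# Prints one FAIL line per finding; returns 0 if key-only, 1 otherwise.
audit_sshd() {
    awk '
    function need(k, want) {
        if (!(k in seen))    { print "FAIL " k " not reported"; return 1 }
        if (seen[k] != want) { print "FAIL " k "=" seen[k] " (want " want ")"; return 1 }
        return 0
    }
    NF >= 2 { seen[tolower($1)] = tolower($2) }
    END {
        bad = need("passwordauthentication", "no")
        # The keyboard-interactive path can also prompt for a password (e.g. via PAM).
        # Older OpenSSH releases name it challengeresponseauthentication.
        kbd = ("kbdinteractiveauthentication" in seen) ? \
              "kbdinteractiveauthentication" : "challengeresponseauthentication"
        bad += need(kbd, "no")
        bad += need("pubkeyauthentication", "yes")
        root = seen["permitrootlogin"]
        if (root != "no" && root != "prohibit-password" && root != "without-password") {
            print "FAIL permitrootlogin=" root " (root login not restricted to keys)"
            bad++
        }
        exit (bad > 0)
    }'
}

# Constructed sample: password logins still possible.
SAMPLE_WEAK='passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
permitrootlogin yes'

# Constructed sample: key-only logins.
SAMPLE_HARDENED='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin without-password'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || true
# On a real host (as root): sshd -T | audit_sshd
```

Checking the `sshd -T` output rather than the config file catches settings that are unset in the file and fall back to the build's default.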
 