Security Recommendations

Follow these best practices to administer TrueNAS securely.

General Recommendations

  • Modifying the base TrueNAS firmware image is unsupported and can create security issues.
  • Keep TrueNAS up-to-date with the most recent updates for your supported version.
  • Upgrade to new major releases promptly consistent with the deployment use case.
  • Disable any network services when not in use.
  • Restrict the TrueNAS web UI, IPMI, and any other management interfaces to private subnets away from untrusted users, or keep them disconnected when not in active use.
  • Configure Syslog settings to send logs to an external server (CORE | SCALE).
  • In TrueNAS 24.04 (Dragonfish) or later, locally monitor and review audit logs using the Audit screen.
  • In the System > Advanced Settings, always keep Show Text Console without Password Prompt set to Disabled.

The TrueNAS UI has several fields that allow users to write custom scripts. When a user writes a password into a custom script, the password is provided in cleartext form within system debug files, creating a serious security concern.

We do not recommend using custom scripting on TrueNAS, as it is a highly advanced feature for expert storage administrators and can lead to security breaches.

For information about any identified security vulnerabilities in TrueNAS products, consult the TrueNAS Security Advisories site. Check back regularly for updates.

TrueNAS Default Ports

By default, the only TrueNAS ports open to inbound connections are 80 and 443.

TrueNAS provides a range of different storage services and uses TCP/IP for both data and management functions. All protocols can be securely encrypted and routed using VPN technologies. This approach is encouraged when using services directly over the Internet or WAN.

Inbound Ports

The TCP ports and services that listen for external connections:

Inbound Port     | Protocol | Service Name | Description of Service                                    | Encrypted | Defaults
80/443           | TCP      | HTTP/HTTPS   | Web interface, REST API, WebSockets API                   | Optional  | Open
22               | TCP      | SSH/SFTP     | Secure Shell, Secure FTP, ZFS Replication, Rsync over SSH | Yes       | Closed
111/2049         | TCP/UDP  | NFS v3       | Network File Service                                      | No        | Closed
137/138/139/445  | TCP/UDP  | SMB          | Windows File Service                                      | Optional  | Closed
548              | TCP      | AFP          | Apple File Service                                        | No        | Closed
20/21            | TCP      | FTP          | File Transfer Protocol                                    | No        | Closed
443              | TCP      | WebDAV       | HTTPS access to files                                     | Yes       | Closed
3260             | TCP      | iSCSI        | Block storage over IP                                     | Optional  | Closed
9000             | TCP      | S3 API       | Object storage over IP                                    | Yes       | Closed
873              | TCP      | Rsync        | Remote synchronization                                    | Optional  | Closed
Not defined      | UDP      | WireGuard    | Point-to-point encryption                                 | Yes       | Closed
161/162          | TCP      | SNMP         | Simple Network Monitoring                                 | Optional  | Closed
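The table above doubles as a baseline: anything listening that the table marks "Closed" by default, or that is not in the table at all, deserves a look. The following added example (not TrueNAS code) compares `ss -tuln`-style output against that baseline; the socket listing is constructed, and the `allowed` parameter is a hypothetical allow-list for services you enabled on purpose.

```python
"""Compare a TrueNAS host's listening sockets with the inbound-port table above.
Added example, not TrueNAS code; input is `ss -tuln` text (sample constructed)."""
import re

INBOUND_SERVICES = {  # (protocol, port) -> service, from the table above
    ("tcp", 80): "HTTP/HTTPS", ("tcp", 443): "HTTP/HTTPS", ("tcp", 22): "SSH/SFTP",
    ("tcp", 111): "NFS v3", ("udp", 111): "NFS v3", ("tcp", 2049): "NFS v3",
    ("udp", 2049): "NFS v3", ("udp", 137): "SMB", ("udp", 138): "SMB",
    ("tcp", 139): "SMB", ("tcp", 445): "SMB", ("tcp", 548): "AFP", ("tcp", 20): "FTP",
    ("tcp", 21): "FTP", ("tcp", 3260): "iSCSI", ("tcp", 9000): "S3 API",
    ("tcp", 873): "Rsync", ("tcp", 161): "SNMP", ("tcp", 162): "SNMP",
}
OPEN_BY_DEFAULT = {("tcp", 80), ("tcp", 443)}  # the only "Open" rows in the table
# Netid State Recv-Q Send-Q Local-Address:Port ...; IPv6 addresses are bracketed.
SOCKET_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

# Constructed sample: SSH and SMB enabled, one loopback-only socket, one unknown.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      4096         0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:6000      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:137       0.0.0.0:*
tcp   LISTEN 0      128             [::]:5900         [::]:*
"""

def parse_listeners(ss_output):
    """Return the set of (proto, port) pairs bound to non-loopback addresses."""
    listeners = set()
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line.strip())
        if not m:
            continue  # header or unrecognised line
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only sockets are not reachable from the network
        listeners.add((proto, port))
    return listeners

def audit_listeners(ss_output, allowed=frozenset()):
    """Sort listeners into expected, closed-by-default-but-listening, and unknown."""
    report = {"expected": [], "closed_by_default": [], "unknown": []}
    for key in sorted(parse_listeners(ss_output)):
        if key in OPEN_BY_DEFAULT or key in allowed:
            report["expected"].append(key)
        elif key in INBOUND_SERVICES:
            report["closed_by_default"].append((key, INBOUND_SERVICES[key]))
        else:
            report["unknown"].append(key)  # not in the table: investigate
    return report
```

On a real host, pass the actual `ss -tuln` output and list the services you intentionally enabled in `allowed`; everything reported under closed_by_default or unknown should be justified or shut off.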

Outbound Ports

Outbound protocols do not listen for or accept external connections, so these ports do not expose the TrueNAS system itself and are usually allowed through firewalls. The following outbound protocols are considered primary and might need to be explicitly permitted through a firewall:

Outbound Port | Protocol | Service Name | Description of Service                  | Encrypted | Defaults
80/443        | TCP      | HTTP/HTTPS   | Software updates and Pro-active support | Optional  | Open
25/465        | TCP      | Sendmail/TLS | Send emails for alerts                  | No        | Outgoing
123           | TCP      | NTP          | Network Time synchronization            | Yes       | Outgoing
514           | TCP      | Syslog       | Logging of alerts and changes           | No        | Outgoing

Callouts to Websites

Some elements of TrueNAS make external callouts to online locations. Manage these callout addresses as part of your general network configuration (for example, TrueNAS and router allow/deny host lists) to further secure your system. Callouts are grouped into several classes.

All TrueNAS releases callouts

TrueNAS uses Sentry to collect anonymous JavaScript crash reports from your Web Interface browser session and sends them to https://7ac3e76fe2a94f77a58e1c38ea6b42d9@sentry.ixsystems.com/4

TrueNAS FreeBSD-based systems plugin callouts

Each plugin JSON excludes its own download and pkg update URL.

TrueNAS FreeBSD-based systems jail callouts

TrueNAS Debian Linux-based systems app callouts

TrueNAS Debian Linux-based system other callouts

When usage collection is disabled, anonymous usage statistics consisting only of the software version and total system capacity (e.g. TrueNAS 24.04.0, 55 TB) are still collected, but information about the system configuration and usage is not.

When a Debian Linux-based system performs DNS look-ups for https://updates.ixsystems.com (*.storjshare.io), the TrueNAS content delivery network (CDN) is making callouts to Storj, where the TrueNAS updates available for download are stored.

User Accounts

Restrict new TrueNAS user accounts to the most minimal set of storage ACL permissions and access possible.

On TrueNAS 22.12 or newer, create the administrator account on install and disable root NAS administrative access.

In TrueNAS 24.04 (Dragonfish) or later, use the Credentials > Groups > Privileges screen to define limited access administrative roles, such as read-only or share administrators. Assign users to those groups to grant partial NAS administrative access. Members of privileged groups can access the UI but cannot perform administrative tasks outside those defined by their role(s).

Use complex passwords and Two-Factor Authentication for all TrueNAS administrator accounts.

Grant TrueNAS user accounts (local or domain accounts) access to SSH or console shells only if that user is explicitly trusted.

Shares

Using SMB, iSCSI, or NFS to share data is common for TrueNAS users. However, it allows outside connections to the system and must be configured to minimize security concerns.

iSCSI

Follow the iSCSI creation wizard to create an iSCSI share.

When creating a new Portal, consider adding a Discovery Authentication Method. This adds authentication between the initiator and the extent based on the chosen authentication method, CHAP or Mutual CHAP.

Be aware that discovery authentication only secures initial discovery. iSCSI data traffic is not encrypted and should be isolated from regular data traffic or other types of network communication. One common approach is to create a dedicated network or VLAN (Virtual Local Area Network) specifically for iSCSI traffic.

Entering a list of Initiators and Authorized Networks is also recommended. This allows you to define systems or networks that can connect to the extent. When these options are empty, all initiators and all networks can connect to the extent.

NFS

During NFS share creation, define which systems are authorized to connect to the share. Leaving the Authorized Networks or Authorized Hosts and IP addresses lists empty allows any system to connect to the NFS share. To restrict which systems can connect, click Advanced Options, then enter every network, host, and IP address that is allowed to access the share.

NFS service settings are in Services after clicking the pencil icon.

For greater security and more granular access control, enable the NFSv4 protocol. To apply NFS ACLs, click Advanced Options on the add or edit NFS share screen, then enter Access details.

SMB

Select a Purpose during SMB share creation. This changes the share configuration with one click. For example, when selecting Private SMB Datasets and Shares from the list, TrueNAS adjusts the Advanced Options so the share is set up for private use. To fully customize the share settings, select No presets as the Purpose. Unless you require a specific purpose for the share, we recommend selecting Default share parameters as the Purpose.

Do not use SMB1.

SMB service settings are in Services after clicking the pencil icon.

Do not use NTLMv1 Auth on an untrusted network. This legacy authentication option is insecure and vulnerable to attack.

When an administrator group is required, verify the group members are correctly configured. Administration group members have full permission to modify or delete the share data.

SSH

Using Secure Shell (SSH) to connect to your TrueNAS system is very helpful when issuing commands through the CLI. SSH settings are in Services after clicking the pencil icon.

For best security, disable all login options for root or admin accounts in the SSH service options. Instead, create and exchange SSH keys between client systems and TrueNAS before attempting to connect with SSH.

Be careful when prompted to overwrite any existing SSH key pairs, as this can disrupt previously configured SSH connections. SSH key pair overwrites are permanent. The key-generation steps depend on the client operating system.

  1. Open Windows PowerShell or a terminal.
  2. Enter ssh-keygen.exe.
  3. Type in a location to store the new key pair or press Enter to use the default location (recommended) shown in parentheses.
  4. Type in a passphrase (recommended) for the key pair or press Enter to not use a passphrase. Confirm the passphrase.

  1. Open the Terminal app.
  2. Enter ssh-keygen -t rsa -b 2048. This uses the RSA algorithm to create a key of 2048 bits, which is generally considered acceptable.
  3. Type in a location to store the new key pair or press Enter to use the default location (recommended).
  4. Type in a passphrase (recommended) for the key pair or press Enter to not use a passphrase. Confirm the passphrase.

  1. Open the shell.
  2. Enter ssh-keygen. By default, this uses the RSA algorithm to create a 3072-bit key pair.
  3. Type in a location to store the new key pair or press Enter to use the default location (recommended).
  4. Type in a passphrase (recommended) for the key pair or press Enter to not use a passphrase. Confirm the passphrase.

  1. Open the shell.
  2. Enter ssh-keygen -t rsa. This uses the RSA algorithm to create the key pair.
  3. Type in a location to store the new key pair or press Enter to use the default location (recommended).
  4. Type in a passphrase (recommended) for the key pair or press Enter to not use a passphrase. Confirm the passphrase.

Root account logins using SSH are never recommended. Create TrueNAS user accounts with limited permissions and log in to these when using SSH. If a critical situation requires root login, first set up two-factor authentication (CORE | SCALE) as an extra layer of security. Disable the Log in as Root with Password setting as soon as the situation is resolved.

Unless required, do not set Allow TCP Port Forwarding.

Many SSH ciphers are outdated and vulnerable. It is not safe to enable any weak SSH ciphers. Block both the CBC and Arcfour ciphers by going to Services > SSH > Edit > Advanced Options and adding this line in the Auxiliary Parameters:

Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
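The three SSH recommendations above (no root login, no TCP port forwarding unless required, no CBC or Arcfour ciphers) can be verified against the effective daemon configuration rather than the UI. The following added example (not TrueNAS code) reads `sshd -T` output, which prints every keyword in lowercase with its effective value; the sample dump is constructed and violates each recommendation on purpose.

```python
"""Audit an effective sshd configuration against the SSH recommendations above.
Added example, not TrueNAS code; input is `sshd -T` text (sample constructed)."""

WEAK_CIPHER_MARKERS = ("-cbc", "arcfour")  # the two families the page says to block
RECOMMENDED_CIPHERS = ("chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,"
                       "aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com")

# Constructed `sshd -T` excerpt with root login, forwarding and weak ciphers on.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
passwordauthentication yes
allowtcpforwarding yes
ciphers aes128-cbc,chacha20-poly1305@openssh.com,arcfour256,aes256-ctr
"""

def parse_sshd_dump(dump):
    """Map each lowercase keyword from `sshd -T` output to its value string."""
    settings = {}
    for line in dump.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings

def weak_ciphers(cipher_list):
    """Return the CBC and Arcfour entries found in a comma-separated Ciphers value."""
    names = [c.strip().lower() for c in cipher_list.split(",") if c.strip()]
    return [c for c in names if any(marker in c for marker in WEAK_CIPHER_MARKERS)]

def audit_sshd(dump):
    """Return (setting, finding) pairs for each violated recommendation.

    An empty list means the dump complies with all three recommendations.
    Only keywords present in the dump are judged; `sshd -T` prints them all.
    """
    settings = parse_sshd_dump(dump)
    findings = []
    if settings.get("permitrootlogin") not in (None, "no"):
        findings.append(("permitrootlogin", "root login over SSH is enabled"))
    if settings.get("allowtcpforwarding") not in (None, "no"):
        findings.append(("allowtcpforwarding", "TCP port forwarding is enabled"))
    weak = weak_ciphers(settings.get("ciphers", ""))
    if weak:
        findings.append(("ciphers", "weak ciphers enabled: " + ",".join(weak)))
    return findings
```

Run `sshd -T` on the TrueNAS system after changing the Auxiliary Parameters and feed the output to `audit_sshd`; an empty result confirms the effective configuration matches the recommendations.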

Virtualization: VMs, Plugins, Apps

In TrueNAS 13.3, 13.0, and earlier, these features are obsolete and should not be used in production environments.

For production environments, use the tested and supported virtualization features available in TrueNAS 24.04 or newer. TrueNAS Enterprise customers can contact the TrueNAS Support team to schedule a TrueNAS deployment.

Review any application or virtual machine (VM) deployment scenario for additional security exposure or vulnerabilities. The TrueNAS team cannot resolve security vulnerabilities introduced from within user-deployed virtualized environments.

After configuring a VM, disable any VNC or SPICE virtual machine display devices.

Update applications regularly. TrueNAS monitors connected application catalogs and trains and displays available updates on the Installed applications screen.