I've been reading some horror stories on various forums (Veeam backup being one of them) of some ransomware / malicious actors logging into FreeNAS / SANs / NAS and wiping snapshots, in addition to encrypting files (for ransom). Granted, these are rare, and the vector is often a motivated actor running a key-logger for days/weeks and grabbing creds when an admin logs into the FN/NAS/etc.'s web GUI (or SSH), and then using the same PC the actor gains access.
So what I've been looking for are 3x things:
1- ability to add 2FA to the web GUI (like Google Authenticator or DUO)
2- some way to get alerts on a successful login to the web GUI.
3- a way to disable the web GUI via the console, such that when you need to access/use the web GUI you must first enable it via the direct console (physically at the FN box, or via IPMI vKVM)
There are many posts / mods on accomplishing this just for SSH logins to FreeNAS (although most are old / not very pretty / hacks); I have yet to find anything on either #1 or #2 for the FreeNAS web GUI.
Anyone have any ideas on how to accomplish any of these 3? (I do think this is important, and is becoming increasingly important as time goes on.)
thanks
(The only one of the 3 I have a hunch on is #3, in that you can set the IP address the web GUI binds/replies on, so if it's possible to set or change this via the console/shell, then one could just set it to a null or trash IP, and then when GUI access is needed set it back to bind to 0.0.0.0 or the correct IP address. Sloppy solution, if it's even possible via the console.)
edit- for #1- looks like this may be planned for FN version 12, I really hope it actually makes it into the release: https://jira.ixsystems.com/browse/NAS-102263
(Still interested in ideas on how to make this happen now or on FN 11, as I'm sure for many, like myself, it will be a very long time before we upgrade to v12 once it's released (i.e. for stability), so we do still need a 2FA solution/workaround on FN 11.x.) tks
edit for #3- maybe have a rough solution: via console, go into shell, and run service nginx stop (which should disable the web GUI), and when you need access, service nginx start? Does anyone see any problems or issues that can arise from having nginx STOPPED a majority of the time on a FN box? (i.e. could that break or mess with something else I'm not thinking of?) tks