Defending against ransomware with FreeNAS: Will this approach work?

Status
Not open for further replies.

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
Hi all,

I am about to go digital, i.e. digitize everything and get rid of all the archive paper that has been accumulating in my life (as far as legally possible - not everything remains valid in digital form).
For this project, I plan to use FreeNAS as a backup against digital threats - filesystem bugs that may eat my data, malware that damages or disables my data, ransomware that encrypts my data.
Out of scope:
- Defending against NSA and such. No useful defense against 0-days.
- Defending against physical threats like fire and lightning. That's going to be handled by keeping a copy in a physically distinct location.

Basic approach:
The worst that could happen is ransomware that encrypts not just my laptop data but also accesses all backup locations that are writable from there.
To disable that attack, I want to disable everything in FreeNAS that gives outside boxes write access, i.e. FTP uploads, WebDAV PUTs, and whatnot.

Things to consider:
- How do I get a list of services that I need to disable/reconfigure? Is it enough to simply nmap the machine and inspect each open port found, or do I need to look further?
- Do I need to keep the web console alive? Alternatively, can I set up an X server on FreeNAS so that I can attach a monitor/keyboard/console directly so that FreeNAS does not need to accept any network connections for ssh/http(s) anymore?
- FreeNAS will need to get read access to all data that it should keep a backup of. We have Linux and Windows machines here; what's the best way to let FreeNAS pull from these? (I suppose rsync will work with Linux, but what about Windows?)
- I do not want to give FreeNAS a gateway to the internet. How do I organize updates?
- If FreeNAS is disconnected from the Internet, it gets its separate cabling to every machine that it serves. It is probably best to make FreeNAS the DHCP server for that network; how do I do that? (I saw mentions of jails, but nothing specific; I probably didn't RTFM, specifically not the section about installing stuff in them.) The challenge will be that I somehow need to set up a mirror of plugins/modules/packages/whatnot somewhere that the FreeNAS machine can access. (Yeah I know that that's a security hole; the saving grace is that I need to set that up only while I'm installing stuff, so the risk of malware infecting my local package repo is limited to relatively short times.)

The box is a Proliant with 12 GB RAM and a 14 GB Flash USB.

If a question is already answered, a pointer is fully enough. What I need is more a description of what best practices for this scenario would be, afterwards I'll just RTFM :smile:

Thanks in advance!
 

chris crude

Patron
Joined
Oct 13, 2016
Messages
210
I know periodic snapshots help you against network share encryption from ransomware because the snapshots are read only. Not really worried about keeping it offline, my FreeNAS is behind a router with a basic firewall (SPI).
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Alternatively, can I set up an X server on FreeNAS so that I can attach a monitor/keyboard/console directly so that FreeNAS does not need to accept any network connections for ssh/http(s) anymore?
No. At that point, you really aren't running FreeNAS any more. You could, if you wanted, set up a separate NIC (you may even have multiple NICs onboard already) for management only, and bind the web GUI to only that IP.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
To disable that attack, I want to disable everything in FreeNAS that gives outside boxes write access, i.e. FTP uploads, WebDAV PUTs, and whatnot.
FreeNAS is already pretty secure and you can make it so secure that you can't even access your data any more. You don't want that.
The best thing is to make periodic snapshots so you can roll back to a previous state and don't map the network drive, navigate to it when you want to access the NAS. A mapped drive is easily accessible to many viruses but they often don't have the ability to just search for another computer that isn't mapped.
Don't install an X server on FreeNAS as that introduces vulnerability that you don't want.
How do I get a list of services that I need to disable/reconfigure?
FreeNAS has everything disabled by default and you have to turn it on.
Do I need to keep the web console alive?
That is your management console; you don't want to disable it or the physical console. We have had people lose control of their NAS and have to do a reinstall because of trying to crank the security up to silly levels.
FreeNAS will need to get read access to all data that it should keep a backup of. We have Linux and Windows machines here; what's the best way to let FreeNAS pull from these?
You should have a backup client on the machine push data to the FreeNAS target, not the other way around, unless you want to set up rsync, but that is just a pain. There is a Windows (free) tool called 'SyncToy' that can be downloaded directly from Microsoft's website and it can be set up to run on a schedule through Windows Task Manager.
I do not want to give FreeNAS a gateway to the internet. How do I organize updates?
Why? FreeNAS reaching out to get updates does not create a security issue. Don't go crazy.
It is probably best to make FreeNAS the DHCP server for that network; how do I do that?
No, just set up static IP addresses. FreeNAS doesn't come with the ability to be a DHCP server; don't make changes like that, it is a bad idea.
You are going far too far down the rabbit hole here.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
I am about to go digital, i.e. digitize everything and get rid of all the archive paper that has been accumulating in my life (as far as legally possible - not everything remains valid in digital form).
PS. I have a primary server and a backup server where I keep a full copy of everything. I then have an external disk enclosure attached to one of those servers with another data pool that with another backup. If I need to evacuate, I can just pull the external enclosure and take it with me. It is heavy, but not too heavy to carry out in a hurry.

Then I run a pair of firewalls, outer and inner with a DMZ in between and the IP address range shifts. I make it as secure as I can but I don't do some of the things you are suggesting. Some of those ideas would break the FreeNAS software or require a custom build.
 

scwst

Explorer
Joined
Sep 23, 2016
Messages
59
Wouldn't the best defense in this case be to set up an air-gapped machine? The words "archive paper" make it sound like the server will be containing a lot of stuff that needs to be stored long-term without frequent access. I have no idea, however, how FreeNAS reacts to not having access to the Internet long-term.

(If enough people are interested in this, this might be an interesting feature for FreeNAS to add -- a mode where the system is set-up as an air-gapped "file vault".)
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
I run two "air gap" networks where I work for data that is governmentally restricted.
FreeNAS does not need a connection to the internet but it will complain a little about not being able to check for updates or set the time from time servers. The updates are not frequent and you don't need to update at all unless there is a new feature you want or a fix that you need. When an update is released, it is easy enough to download the ISO, burn it to disk and do a 'clean install', then load the config DB to get all the configurations back. The thing that is difficult is plugins, but if you only need a file server and not all the bells and whistles, FreeNAS is easy to keep offline. I have several kinds of offline systems that I maintain and the worst is Windows.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
- I do not want to give FreeNAS a gateway to the internet. How do I organize updates?
This is crossing the line from "secure" to "truly paranoid", but you can always download the ISOs and use them to upgrade.
When an update is released, it is easy enough to download the ISO, burn it to disk and do 'clean install' then load the config DB to get all the configurations back.
No need to do a clean install; the installer will recognize your existing installation and upgrade it, preserving your configuration.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
No need to do a clean install; the installer will recognize your existing installation and upgrade it, preserving your configuration.
That usually works but it didn't when I went from 9 to 11. It is a good idea to have a backup of the config, just in case.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
For example, in one of the offline systems I manage for work, I have the system back up the DB every Sunday with a cron job.
I have modified many of the scripts that are available on the forum to save the output to a local directory in the storage pool so I can review them later, because the system has no access to an email server. The directory with the reports and DB files gets rsynced (with another cron job) to another server.
It was interesting to configure because one task must finish before the next begins, and each server has a part of the puzzle so that they both end up with the full story of both servers.
Sorry if this sounds all broken but I typed it in the car, on the way to work.

Sent from my SAMSUNG-SGH-I537 using Tapatalk
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
The box is a Proliant with 12 GB RAM and a 14 GB Flash USB.
We could make some hardware suggestions but could you give a little more about what you have and where you want to go with it?
Maybe a model number?
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
Thanks guys - you're awesome!
Let me respond to each in turn:

chris crude: You mean the ZFS snapshots are read-only by design? Heh... I should have thought of that myself :smile:
In that case, keeping all services read-only isn't as important as I've been thinking, so demoting that from "killer feature" to "one of the nice-to-have things that may or may not be worth the trade-off".

danb: Yes, the Proliant comes with two NICs out of the box, so that's definitely an option.
danb, Chris Moore: A pity if FreeNAS doesn't have the option of putting up a jailed X server. It's certainly more secure than the standard setup of "just access FreeNAS through the browser", where keyloggers will get instant administrator access. A dedicated Linux box would move the attack surface one hop further away from the Internet, though it's going against the KISS principle and requires managing yet another box (which would have to be bought specifically for the purpose, and stored somewhere when not in use, both of which are a bit unfortunate).

Chris Moore:
Agreeing on most of your other answers, push-to-FreeNAS it is going to be: rsync for Linux and SyncToy for Windows.

On the Internet connection: Yeah, I gather that if the machine needs to be connected to the clients, and these might be running malware already, then disabling Internet access on FreeNAS isn't really making anything worse.

On DHCP: it's a stopgap solution. Right now our Internet connection is via Wifi, shared with two other tenants. Not a good carrier for backup, for more than one reason. Spring 2018 we'll relocate to another place and will have our own, cabled LAN.
So right now we have a cable LAN that has no route to the Internet, and no DHCP. And some of our laptops get routinely connected to LANs where DHCP *is* available, so users would have to constantly switch between static IP and DHCP IP, and that's not going to be acceptable for them.

On physically separate backup: This needs to be outside the house right off the bat. You're not always at home when a fire hits. Unless you pack your backup drives whenever you leave the house.
But with read-only ZFS snapshots, maybe there's another option: Is a remote vserver with ZFS a viable option, with the data encrypted and never decrypted outside the FreeNAS box? In that case, the backup data pool could just be replicated to the remote vserver. (Obviously not a good option over Wifi, I'd set that up in Spring 2018.)

scwst: Airgap won't work since somehow the data must go from the work machines to FreeNAS, and the work machines need Internet connection.

Chris Moore again (you're really active, thanks!): I wasn't looking for hardware suggestions actually (that info was just for completeness), but here goes anyway:
HP ProLiant MicroServer Gen8, 12 GB RAM, two identical 4.0 TB data HDDs and a 14 GB USB stick for the OS:
Code:
# camcontrol devlist
<TOSHIBA HDWE140 FP2A>             at scbus0 target 0 lun 0 (pass0,ada0)
<TOSHIBA HDWE140 FP2A>             at scbus1 target 0 lun 0 (pass1,ada1)
<FLASH Drive SM_USB20 1100>        at scbus7 target 0 lun 0 (pass2,da0)
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
If not, they wouldn't be very effective snapshots, would they?

They'd be snapshots that would be useful as a starting point for an alternate data evolution.
Essentially just a CoW copy, which ZFS actually is built on.

I guess that ZFS snapshots were first implemented because it's so easy: Just make a copy of the entire filesystem and declare it read-only. (CoW is a really nice enabler; I had a CoW-based operating system in the '80s and have been missing it all the time until ZFS came along.)
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
I spend more time on here than I should. It is how I relax after a long day of work solving computer problems.

I don't know if you have seen this little article on the ixsystems.com site, but I thought I would point you at it because it might be applicable to your situation.
https://www.ixsystems.com/blog/defeating-cryptolocker/

Well, they assume that ZFS itself is never compromised.
Which is reasonable today, but if ZFS hits mainstream (could happen anytime within the next five years) it won't be more than a year or two until the Bad Guys start to use privilege escalation exploits against FreeBSD. Or against Linux if ZFS is getting traction there.

IOW I don't expect the "ransomware is a joke" status to hold for maybe the next 10 years, and I don't want to be forced to re-architect everything at that point in time.
Maybe I'll really have to set up a separate X server box. Or I'll have to nag the FreeNAS devs to add X. Or whatever it is that FreeNAS is going to evolve within the next 10 years - policy changes aren't unheard of on that timescale :smile:
 
Joined
Feb 2, 2016
Messages
574
I plan to use FreeNAS as a backup against digital threats - filesystem bugs that may eat my data, malware that damages or disables my data, ransomware that encrypts my data.

This isn't an exotic request.

Snapshots.

That's it. Nothing magical. Nothing exotic. Nothing that isn't already built into FreeNAS.

Snapshot your live data. For static, archive data, snapshots take next to zero space. No data changed? Your snapshot will fit on a 5 1/4 floppy with room to spare. Little if any downside to snapshots.

Ransomware encrypts your data? Big deal. Roll back to the last snapshot. It'll take just minutes if not less. Since you snapshot often and your data rarely changes, it'll be easy to see when the ransomware hit because you'll have a huge byte change.

To the above, I'd add offsite replication using the built-in FreeNAS tools but you suggested that is out of scope.

Cheers,
Matt
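One way to turn the "huge byte change" heuristic above into a check you can run from a FreeNAS cron job, as an added example that is not from this thread or from FreeNAS itself: it reads the output of `zfs list -H -p -t snapshot -o name,written -s creation` (the sample below is constructed), prints the snapshots whose churn is far above the dataset's earlier average, and names the newest snapshot before the first spike as the rollback candidate. The dataset name, the auto-snapshot naming scheme and the thresholds are assumptions.

```shell
#!/bin/sh
# Constructed sample of `zfs list -H -p -t snapshot -o name,written -s creation -r tank/docs`:
# one line per snapshot, oldest first, "written" in bytes since the previous snapshot.
# Day 24 shows a ~3 GiB rewrite of an archive that normally changes by a few KiB.
SAMPLE_SNAPSHOTS='tank/docs@auto-2017-08-20_00-00 1024
tank/docs@auto-2017-08-21_00-00 0
tank/docs@auto-2017-08-22_00-00 4096
tank/docs@auto-2017-08-23_00-00 2048
tank/docs@auto-2017-08-24_00-00 3221225472
tank/docs@auto-2017-08-25_00-00 512'

# spike_snapshots RATIO MIN_BYTES
# Reads "name written" lines on stdin (oldest first) and prints every snapshot
# whose written bytes exceed MIN_BYTES and RATIO times the average of all
# earlier snapshots. MIN_BYTES keeps the very first real upload into an empty
# archive from being flagged.
spike_snapshots() {
    awk -v ratio="$1" -v min_bytes="$2" '
        {
            w = $2 + 0
            if (n > 0 && w > min_bytes && w > ratio * (sum / n)) print $1
            sum += w; n++
        }'
}

# rollback_target RATIO MIN_BYTES
# Same input and thresholds; prints the newest snapshot taken before the first
# spike, i.e. the snapshot to roll back to. Prints nothing if no spike is found.
rollback_target() {
    awk -v ratio="$1" -v min_bytes="$2" '
        {
            w = $2 + 0
            if (n > 0 && w > min_bytes && w > ratio * (sum / n)) { print prev; exit }
            sum += w; n++; prev = $1
        }'
}

# Demo on the constructed sample: flag anything over 1 MiB and 10x the usual churn.
printf '%s\n' "$SAMPLE_SNAPSHOTS" | spike_snapshots 10 1048576
printf 'rollback candidate: %s\n' "$(printf '%s\n' "$SAMPLE_SNAPSHOTS" | rollback_target 10 1048576)"
# On a live box, feed the real listing instead of the sample (dataset name assumed):
#   zfs list -H -p -t snapshot -o name,written -s creation -r tank/docs | spike_snapshots 10 1048576
```

Rolling back destroys every snapshot newer than the target, so check the flagged snapshot's contents first; a spike can also be a legitimate bulk import.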
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
Snapshots.

Just for the record: That's what I gathered. I didn't fully recognize how I could leverage them.

To the above, I'd add offsite replication using the built-in FreeNAS tools but you suggested that is out of scope.

My initial plan was indeed to use a manual process, just to keep FreeNAS disconnected from the Internet. I just noticed (in this thread) that this approach isn't going to do for me what I thought it would do, so I'll probably do something with an off-site vserver from some service provider.
Right now I'm in the process of re-evaluating the strategy, doing a more in-depth read of the Manual and seeing what's possible and what isn't, noting down questions that I have and answers that I find. I guess I'll be back with many questions answered and more questions open once I am finished reading, which will take a while - I'm currently at page 57 of 341, though I hope that many of these 341 pages are specialized stuff and I won't be needing all of it. We'll see I guess :smile:
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
There are many links to other documents. A full review will take some time.
Do you plan to obtain new hardware for the server or re purpose existing?

Sent from my SAMSUNG-SGH-I537 using Tapatalk
 