toolforger
Explorer
- Joined
- Aug 8, 2017
- Messages
- 60
Hi all,
I am about to go digital, i.e. digitize everything and get rid of all the archive paper that has been accumulating in my life (as far as legally possible - not everything remains valid in digital form).
For this project, I plan to use FreeNAS as a backup against digital threats - filesystem bugs that may eat my data, malware that damages or disables my data, ransomware that encrypts my data.
Out of scope:
- Defending against NSA and such. No useful defense against 0-days.
- Defending against physical threads like fire and lightning. That's going to be handled by keeping a copy in a physically distinct location.
Basic approach:
The worst that could happen is a ransomware that encrypts not just my laptop data but also accesses all backup location that are writable from there.
To disable that attack, I want to disable everything in FreeNAS that gives outside boxes write access, i.e. FTP uploads, WebDAV PUTs, and whatnot.
Things to consider:
- How do I get a list of services that I need to disable/reconfigure? Is it enough to simply nmap the machine and inspect each open port found, or do I need to look further?
- Do I need to keep the web console alive? Alternatively, can I set up an X server on FreeNAS so that I can attach a monitor/keyboard/console directly so that FreeNAS does not need to accept any network connections for ssh/http(s) anymore?
- FreeNAS will need to get read access to all data that it should keep a backup of. We have Linux and Windows machines here; what's the best way to let FreeNAS pull from these? (I suppose rsync will work with Linux, but what about Windows?)
- I do not want to give FreeNAS a gateway to the internet. How do I organize updates?
- If FreeNAS is disconnected from the Internet, it gets its separate cabling to every machine that it serves. It is probably best to make FreeNAS the DHCP server for that network; how do I do that? (I saw mentions of jails, but nothing specific; I probably didn't RTFM, specifically not the section about installing stuff in them.) The challenge will be that I somehow need to set up a mirror of plugins/modules/packages/whatnot somewhere that the FreeNAS machine can access. (Yeah I know that that's a security hole; the saving grace is that I need to set that up only while I'm installing stuff, so the risk of malware infecting my local package repo is limited to relatively short times.)
The box is a Proliant with 12 GB RAM and a 14 GB Flash USB.
If a question is already answered, a pointer is fully enough. What I need is more a description of what best practices for this scenario would be, afterwards I'll just RTFM
Thanks in advance!
I am about to go digital, i.e. digitize everything and get rid of all the archive paper that has been accumulating in my life (as far as legally possible - not everything remains valid in digital form).
For this project, I plan to use FreeNAS as a backup against digital threats - filesystem bugs that may eat my data, malware that damages or disables my data, ransomware that encrypts my data.
Out of scope:
- Defending against NSA and such. No useful defense against 0-days.
- Defending against physical threads like fire and lightning. That's going to be handled by keeping a copy in a physically distinct location.
Basic approach:
The worst that could happen is a ransomware that encrypts not just my laptop data but also accesses all backup location that are writable from there.
To disable that attack, I want to disable everything in FreeNAS that gives outside boxes write access, i.e. FTP uploads, WebDAV PUTs, and whatnot.
Things to consider:
- How do I get a list of services that I need to disable/reconfigure? Is it enough to simply nmap the machine and inspect each open port found, or do I need to look further?
- Do I need to keep the web console alive? Alternatively, can I set up an X server on FreeNAS so that I can attach a monitor/keyboard/console directly so that FreeNAS does not need to accept any network connections for ssh/http(s) anymore?
- FreeNAS will need to get read access to all data that it should keep a backup of. We have Linux and Windows machines here; what's the best way to let FreeNAS pull from these? (I suppose rsync will work with Linux, but what about Windows?)
- I do not want to give FreeNAS a gateway to the internet. How do I organize updates?
- If FreeNAS is disconnected from the Internet, it gets its separate cabling to every machine that it serves. It is probably best to make FreeNAS the DHCP server for that network; how do I do that? (I saw mentions of jails, but nothing specific; I probably didn't RTFM, specifically not the section about installing stuff in them.) The challenge will be that I somehow need to set up a mirror of plugins/modules/packages/whatnot somewhere that the FreeNAS machine can access. (Yeah I know that that's a security hole; the saving grace is that I need to set that up only while I'm installing stuff, so the risk of malware infecting my local package repo is limited to relatively short times.)
The box is a Proliant with 12 GB RAM and a 14 GB Flash USB.
If a question is already answered, a pointer is fully enough. What I need is more a description of what best practices for this scenario would be, afterwards I'll just RTFM
Thanks in advance!