SOLVED Is root user the only credentials that can access GUI?

[mike360x1]

Hi there,

So, I would like to setup FreeNAS to be accessible from outside my local network by means of HTTPS: and port forwarding. My concern is, which users are able to access the GUI? I have tried my own user created accounts and see that they cannot login to the GUI. But, I would like to put my paranoia to rest :). Also, is there any way to change the GUI user?

To sum up:
Can anyone other than root access GUI?
Can I set another user to access GUI rather than root?
(It's vague but I heard that setting user to root makes it more likely for attackers to try accessing my machine)

Side question:
The password I use is strong with many variations to prevent it from being cracked by brute force. But, is it enough?
Is there something else I should add to my FreeNAS server to prevent it from being accessed?

Thanks in advance,
Michael L.

 

[SweetAndLow]

Only root can access the gui, no you can't change the user. One last thing, you should NOT expose the freenas GUI outside of your network! If you want remote access setup a vpn, ssh tunnel or some other kind of encrypted tunnel.

 

[mike360x1]

I understand. I looked over these possibilities. Namely, Glorious1's How to Access Freenas server remotely guide.
https://forums.freenas.org/index.ph...r-freenas-server-remotely-and-securely.27376/
I would like to just keep my options open and also reduce some of the complexity.

A problem arises when I am a non-personal computer and want to access the server on the fly without needing to setup software.

Are there any workarounds?
I'm not familiar with the method that Glorious1 uses to SSH tunnel his FreeNAS GUI connection. Moreover, he uses Unix for all his instructions so I'm not sure how I can go about applying the same settings on windows because it does not include SSH with a CLI by default.

 

[gpsguy]

PuTTY is a free SSH client for Windows - http://www.putty.org/

Moreover, he uses Unix for all his instructions so I'm not sure how I can go about applying the same settings on windows because it does not include SSH with a CLI by default.

 

[danb35]

The best way, IMO, to access your FreeNAS server (and the rest of your LAN) remotely is through a VPN connection using public-key authentication. OpenVPN clients are available for all major (and many minor) OSs, and for both iOS and Android, so you shouldn't ever find yourself stuck without a way to connect. The next-best way to do it is by way of an SSH tunnel, and again, the SSH connection should use public-key authentication, not username/password; this is the method described by @Glorious1, IIRC. Again, SSH clients are available for virtually every desktop and mobile OS. Both of these are generally considered safe and secure.

For the sake of your data and your network's security, and to avoid a visit from @RussianMafia, do not expose the web GUI to the Internet. The fact that it's HTTPS won't really help you much--though it would prevent other folks on the network from sniffing your credentials, there's nothing to stop an attacker from brute-forcing your password, and there are likely other vulnerabilities that haven't been found, since the GUI isn't designed or intended to be exposed to the Internet.

 

[SweetAndLow]

I understand. I looked over these possibilities. Namely, Glorious1's How to Access Freenas server remotely guide.
https://forums.freenas.org/index.ph...r-freenas-server-remotely-and-securely.27376/
I would like to just keep my options open and also reduce some of the complexity.

A problem arises when I am a non-personal computer and want to access the server on the fly without needing to setup software.

Are there any workarounds?
I'm not familiar with the method that Glorious1 uses to SSH tunnel his FreeNAS GUI connection. Moreover, he uses Unix for all his instructions so I'm not sure how I can go about applying the same settings on windows because it does not include SSH with a CLI by default.

I look forward to hearing the story when you get hacked.

Sent from my Nexus 5X using Tapatalk

 

[Mirfster]

Please heed the warnings and don't even think "what are the possibilities of someone hitting my box". There are tons of bots out there just running to sweep-up all those systems.

 

[Spearfoot]

Please heed the warnings and don't even think "what are the possibilities of someone hitting my box". There are tons of bots out there just running to sweep-up all those systems.

I can personally vouch for this. I run a Postfix mail server on a Digital Ocean droplet... So far this month it's been hit with over 6,000 hack attempts.

 

[mike360x1]

PuTTY is a free SSH client for Windows - http://www.putty.org/

I've tried that. Problem is that PuTTY only works for CLI not GUI.


@danb35 Good point. However, I realize that the built in windows VPN application doesn't support public/private key authentication. Is there any workaround without installing software?

 

[depasseg]

I've tried that. Problem is that PuTTY only works for CLI not GUI.

That's why you configure SSH forwarding. So you get the GUI access.

 

[mike360x1]

That's why you configure SSH forwarding. :) So you get the GUI access.

oh nono, don't get me wrong. I have setup SSH and port forwarded that. I can access freenas CLI using SSH but I'm not sure how to tunnel GUI through ssh on windows. :)

I've seen Glorious1's guide (linked above) on how to setup SSH tunneling but his instructions apply to unix computers. How would I adopt his instructions to fit my windows machine?

 

[Jailer]

https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=ssh+tunnel+windows

 

[depasseg]

but his instructions apply to unix computers.

The directions aren't limited to Unix computers. What gives you that idea?

How would I adopt his instructions to fit my windows machine?

Follow his directions. Especially the section called "SSH Tunneling - Web Access". Firefox in his example can be on any platform - Windows, Unix, Linux, Mac, etc.

 

[danb35]

However, I realize that the built in windows VPN application doesn't support public/private key authentication. Is there any workaround without installing software?

No. PPTP, the VPN protocol natively supported by Windows, is laughably insecure. IPSec or OpenVPN are good choices, but both will require installing (free) software. Again, if you're anticipating a need to administer your server while you're away from home, install a suitable VPN client on your smartphone/tablet and use that to connect to the server--there's no need to install software on someone else's computer.

And @depasseg, no, @Glorious1's instructions do not cover how to configure PuTTY for the SSH tunnel--but @Jailer's Google search does.

 

[depasseg]

True, glorious1's directions don't have a screenshot of configuring Putty. However, the method to setup and use the tunnel is there.

 

[mike360x1]

Hey guys, thanks for all your great help! I managed to get SSH tunneling working with just putty and my browser :D thanks so much!!!