Security in my FreeNAS server


xtec

Dabbler
Joined
Apr 20, 2018
Messages
10
Hey there,

I have a FreeNAS machine which I am using to share files within my network (only for this purpose). I am quite happy with my configuration and, as I've read many times in this forum, it is advisable to keep the machine running 24/7 in order to maintain the integrity of the system and the hard disks.

I don't intend to access my FreeNAS server from outside my network (remotely) and, therefore, I will only access the machine when I'm home, from the devices connected to the network.

According to the FreeNAS documentation, if I don't set a gateway, all traffic from outside my network is blocked.

Thus, considering that I only want to access my FreeNAS from inside my network and nothing else, if I leave the "IPv4 Default gateway" and "IPv6 Default gateway" fields in my "Global Configuration" section empty, does that mean that I'm blocking all traffic from the internet? By blocking all traffic from the internet, am I reasonably protected against intrusions/attacks?

Thanks so much for all the answers
 
Joined
Mar 14, 2015
Messages
4
Probably the most important thing you can do is keep all the machines on your network up to date with security patches. So you will want to allow your FreeNAS machine to download updates from the external update servers, and that will require that you have a gateway and some nameservers configured. You can skip the IPv6 configuration.

Local network security starts with your router - make sure that it is running the latest available software and make sure you have changed the default admin passwords.
 

xtec

Dabbler
Joined
Apr 20, 2018
Messages
10
In regards to other machines within the network, accessing the FreeNAS, those are all updated. Router is updated as well and the password has been changed.

But, when it concerns the FreeNAS machine itself, isn't it more effective if I don't allow any connections from the internet to the machine in the first place?

I mean, considering that I don't want to remotely access my FreeNAS, instead of keeping it all updated but eventually opening a door to attacks by setting a default gateway, I would block all external traffic and, thus, prevent remote attacks.

I am asking that because, under the FreeNAS documentation, within the section "7.1. Global Configuration", it is mentioned that, by not including a default gateway, traffic from the internet is restricted and, thus, such configuration acts as a reasonable precaution against external/remote attacks.

Link to the mentioned NOTE (section 7.1):
https://doc.freenas.org/9.3/freenas_network.htm

I would appreciate if I could discuss further opinions.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
You are much more likely to see an attack vector that hits one of your client PCs via a visited website or email or something like that which then spawns a local process scanning the LAN for vulnerable hosts... like your FreeNAS server might be if you try to avoid problems by only removing the default route.

I would estimate the value of default route removal as minimal to nothing.

If you're really keen on security, enable the firewall on the FreeNAS box (and go through all of the pain to configure it for everything you want to allow it to do).

If you don't want to go that far, just make sure all the services you run are configured for minimal access and that you never open port forwards to your box from the internet.

Patch your FreeNAS box as often as is practical.

Patch your client systems and use a good Anti-Virus with updates applied as they become available.

Take care when using your clients to visit the Internet, using a secure browser with a script blocker and only allowing scripts where you trust the site.
 

xtec

Dabbler
Joined
Apr 20, 2018
Messages
10
sretalla said:
You are much more likely to see an attack vector that hits one of your client PCs via a visited website or email or something like that which then spawns a local process scanning the LAN for vulnerable hosts... like your FreeNAS server might be if you try to avoid problems by only removing the default route.

As far as I understood, you are saying that the flaws in security occur mainly when I access the internet from my clients. I believe I am reasonably careful with the client machines within my network that access the internet.

Client machines accessing the internet:
1. Always use restricted accounts without write permissions
2. With the latest security updates
3. All machines equipped with antivirus and firewall (all updated)

sretalla said:
If you don't want to go that far, just make sure all the services you run are configured for minimal access and that you never open port forwards to your box from the internet.

Patch your FreeNAS box as often as is practical.

I do have 2 different accounts set up for freenas in order to restrict the access. One account can access, create and delete files/folders and the other account can only see the files (cannot write or delete content). Guest users cannot access the server.
Moreover, the only service enabled on my FreeNAS is the SMB (and the "Guest account" setting is set up to "nobody").

I am just not sure on how to configure SMB for minimal access, enabling me to only access/modify content for the 2 mentioned accounts (with the respective credentials). How can I restrict the SMB service for minimal access then?

Is this a decent configuration?


Thank you so much
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
You should certainly turn off:

NTLMv1 auth
Allow Execute Always
Zeroconf share discovery

on SMB settings.

You should also consider on each share to turn off:

Allow guest access
Browsable to network clients
Apply default permissions (although this may complicate your life a lot for little reward)

You can also consider using a Hosts Allow list, but I would question the benefit if those clients are the ones that will already connect the share and if they are compromised, there's no benefit to the setting... it would only help if another client arrives on your network and presents a threat. (also implies that you use static or DHCP reserved IP addresses for the clients that will access FreeNAS)

Otherwise, I think you're well set to be as protected as you can be while still having a network connection.

Safe surfing. ;)
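As an added example (not code from the thread or from FreeNAS), here is a small audit of a Samba smb.conf for the settings listed above. FreeNAS generates smb.conf from its GUI, and the Samba parameter names below are the ones I take those GUI labels to correspond to ('ntlm auth', 'acl allow execute always', 'guest ok', 'browseable', 'hosts allow'); Zeroconf discovery lives in avahi rather than smb.conf, so it is not checked. The parser and the sample config are constructed for this example.

```python
"""Audit a Samba smb.conf for the SMB hardening points raised in the thread.
The parser and SAMPLE_SMB_CONF are constructed for this example; the parameter
names are Samba's, assumed to correspond to the FreeNAS GUI labels."""
from typing import Dict, List, Tuple

# Constructed sample: a weak global section, one hardened share, one weak share.
SAMPLE_SMB_CONF = """
[global]
    ntlm auth = yes
    acl allow execute always = yes

[media]
    path = /mnt/tank/media
    guest ok = no
    browseable = no
    valid users = reader editor
    hosts allow = 192.168.0.0/24

[public]
    path = /mnt/tank/public
    guest ok = yes
    browseable = yes
"""

Finding = Tuple[str, str, str]  # (section, parameter, message)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, key = value lines, # or ; comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def is_yes(value: str) -> bool:
    return value in ("yes", "true", "1")


def audit(conf: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    g = conf.get("global", {})
    # The default of 'ntlm auth' changed across Samba versions, so insist on an explicit 'no'.
    if g.get("ntlm auth", "unset") != "no":
        findings.append(("global", "ntlm auth", "NTLMv1 not explicitly disabled; set 'ntlm auth = no'"))
    if is_yes(g.get("acl allow execute always", "no")):
        findings.append(("global", "acl allow execute always", "turn off Allow Execute Always"))
    for share, params in conf.items():
        if share in ("global", "homes", "printers"):
            continue
        if is_yes(params.get("guest ok", "no")):
            findings.append((share, "guest ok", "guest access enabled; set 'guest ok = no'"))
        # 'browsable' is an accepted spelling; Samba's default is yes, so require an explicit no.
        browse = params.get("browseable", params.get("browsable", "yes"))
        if browse != "no":
            findings.append((share, "browseable", "share is advertised to clients; set 'browseable = no'"))
        if "hosts allow" not in params:
            findings.append((share, "hosts allow", "no Hosts Allow list (optional; needs fixed client IPs)"))
    return findings


if __name__ == "__main__":
    for section, param, msg in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {param}: {msg}")
```

On a real FreeNAS box the generated file is the one to feed in; the "hosts allow" finding is informational, matching the caveat above that it only pays off with static or reserved client addresses.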
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
By not configuring a gateway you are not allowing your FreeNAS machine to connect out. If your router/firewall/gateway appliance is doing its job it won't allow unsolicited connections in. The best thing you can do to mitigate vulnerabilities is to keep your machine up to date.

If you are that paranoid about security you can use a client machine on your network to download updates and manually apply them to your FreeNAS machine.

Personally I think you are making a lot more out of this than needed.
 

xtec

Dabbler
Joined
Apr 20, 2018
Messages
10
sretalla said:
You should certainly turn off:
NTLMv1 auth
Allow Execute Always
Zeroconf share discovery

on SMB settings.

You should also consider on each share to turn off:

Allow guest access
Browsable to network clients
Apply default permissions (although this may complicate your life a lot for little reward)

-NTLMv1 auth: it was already off on my system
-Allow Execute Always: I have turned it off
-Zeroconf share discovery: I have turned off this setting, similarly to the Computer Browser service on Windows, which is also disabled on my machine

In my SMB sharing:
-Allow guest access: was already turned off on my system

However, the other 2 settings I didn't disable, for different reasons:
-Apply default permissions: I left it as it was because, as you said, it might not be worth changing this default configuration (I could get into more problems than benefits from changing this setting)
-Browsable to network clients: I had to leave this setting on in order to browse my server files from my iPad. Although I can see the files on my Windows 7 client, I cannot do the same on my iPad :(

sretalla said:
You can also consider using a Hosts Allow list, but I would question the benefit if those clients are the ones that will already connect the share and if they are compromised, there's no benefit to the setting... it would only help if another client arrives on your network and presents a threat. (also implies that you use static or DHCP reserved IP addresses for the clients that will access FreeNAS)

Well, not being an expert in this field, I don't know how to set up a "Hosts Allow list". Moreover, as I could understand from your explanation, setting up that "Hosts Allow list" could be a bit tricky and not a worthwhile measure, so I guess I'll leave it as it is, hoping that my current configuration is reasonably and generally safe to leave my server on 24/7.

Thank you so much sretalla for all your detailed explanations. It has been very helpful to follow your advice and learn from someone who is definitely an expert on this subject. Thanks a lot!!



Jailer said:
By not configuring a gateway you are not allowing your FreeNAS machine to connect out. If your router/firewall/gateway appliance is doing its job it won't allow unsolicited connections in. The best thing you can do to mitigate vulnerabilities is to keep your machine up to date.

If you are that paranoid about security you can use a client machine on your network to download updates and manually apply them to your FreeNAS machine.

Personally I think you are making a lot more out of this than needed.

Thank you so much Jailer for your reply. I do understand that it is advisable to keep my FreeNAS updated and, therefore, set up a default gateway so that I can connect my FreeNAS to the internet. In spite of that, I feel a bit curious about why the default setting of FreeNAS is not to set a default gateway (and in the documentation it is said that the default gateway is left blank for precautionary reasons). So, I guess this is a matter of a trade-off between having the server with the latest updates and blocking all outside connections.

Could I set up a default gateway just for the time I manually update my machine?

I mean, could I define a default gateway, go to manual update and update the machine and then (with FreeNAS updated) remove the default gateway again?

This way, I would periodically update the machine without leaving it open to receive connections 24/7.

About taking this security thing too seriously, it's not that I am trying to guarantee 100% the safety of the server, but I think that if I can make it a little safer just by changing small settings, it's worth it for a little more peace of mind.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
xtec said:
Could I set up a default gateway for like the time I manually update my machine?

I mean, could I define a default gateway, go to manual update and update te machine and then (with freenas updated) I would remove again the default gateway??

This way, I would periodically update the machine without leaving it open to recieve connections 24/7.

You could. I don't think you should.

Technically your machine isn't any less open to receive connections without a default gateway (UDP packets don't require a default gateway to come in), rather it will be unable to reply to that connection (but that doesn't mean that the packet [that really should have been blocked by your router/firewall in any case] arriving in your system won't deliver enough code to take over and open up the default gateway on its own... we're really in government-level espionage/targeted expert hacking territory here).

As @Jailer has mentioned, your router should be preventing anything on the Internet just deciding to talk to your FreeNAS box unsolicited and you should be able to safely allow your FreeNAS box to talk out when it needs to (checking for updates as a minimum).

The most secure system you can have is in a locked room with no network and where nobody has the key... it's also powered off and completely useless. I don't see the point of attaining perfect security. I prefer using my computers.

You seem very concerned by security... is somebody specifically targeting you or are you storing information of great importance to mankind?
 

xtec

Dabbler
Joined
Apr 20, 2018
Messages
10
sretalla said:
You could. I don't think you should.
Technically your machine isn't any less open to receive connections without a default gateway (UDP packets don't require a default gateway to come in), rather it will be unable to reply to that connection (but that doesn't mean that the packet [that really should have been blocked by your router/firewall in any case] arriving in your system won't deliver enough code to take over and open up the default gateway on its own... we're really in government-level espionage/targeted expert hacking territory here).

I'm sorry, I don't understand what you mean... Do you think I should set a default gateway so that I can get updates? If so, is all I need to do to get the machine updated to set a default gateway, or do I need other options on in order to have my FreeNAS updated? I'm sorry for my dumb questions but I'm really not an expert on this, and the default configuration of FreeNAS is without a default gateway (which makes me think that people who don't know much about networks and/or FreeNAS configuration normally stay with their FreeNAS machines outdated).

sretalla said:
The most secure system you can have is in a locked room with no network and where nobody has the key... it's also powered off and completely useless. I don't see the point of attaining perfect security. I prefer using my computers.

I do understand that, and that's why I'm not trying to make my FreeNAS machine inaccessible even for me (by making it impossible, for example, for my iPad to see my files)... I'm just trying to have a reasonably safe configuration, considering that I can still do what I intend to do with my FreeNAS, which simply is to share files among clients within my house/network.

sretalla said:
You seem very concerned by security... is somebody specifically targeting you or are you storing information of great importance to mankind?

No, not at all.... the thing is that this is the first time I have set up a machine to act as a server. Although I've assembled, configured and maintained computers for years, network subjects are really not something I'm good at (I'm a total noob at this).

I was just worried because my machine is on 24/7 and, though I don't want/need it to be so safe that it becomes a useless machine, I'd rather not leave it all open with no security at all if I have the chance. If I can make it a little safer and still be able to use my server for sharing files among my machines at home, I think that's the way to go. And learning more about this subject of networks and connectivity (which I really don't know much about) is always a big plus for me :)
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
xtec said:
Im sorry i don't understand what do you mean... Do you think I should set a default gateway so that i can get updates?

OK, I'll have another attempt... maybe I'll manage to be clearer this time.

Having a default gateway is useful for installing updates, but is also useful for handling jail installation or updates and maybe some other things that you would find important or not. Installing updates without a default gateway will be unnecessarily difficult. Adding and removing the default gateway is not going to make you significantly more secure and will make your process to update more complex (admittedly not by much). I don't recommend doing it, just have a default gateway all the time (All of my FreeNAS servers do).

Where you should focus your attention is on properly protecting your clients (we've established that you're already doing that) and protecting your network (so far only briefly mentioned that you are updating your router and have changed the default password).

If you are using a good router/gateway, it will have a built-in firewall and be configured in NAT mode (not bridged).

Operating your network in NAT (Network Address Translation) mode will mean that your clients and servers are not actually addressable from outside the router/firewall.

That means your FreeNAS server (let's say for the sake of example 192.168.0.10) can't be contacted from anywhere but your home network because 192.168.x.x networks are private address space and don't route on the Internet.

When you want a service offered by one of your computers to be available outside (on the Internet), you need to tell your router/firewall to link its address (let's say 231.65.89.7) and a particular port associated with that service (let's say 443 if it's for a secure web server - https) with something called an inbound port mapping or port forwarding.

So in this example, when I want to connect to your service, I need to use this URL: https://231.65.89.7/

But when that request packet arrives at your router/firewall, it will understand that it isn't the computer that's going to answer that request and will forward it to 192.168.0.10:443, which will then handle it and respond. This works because you set the port forwarding up. If you had not done that, the request arrives at the router/firewall which will simply block or drop the packet as it has nowhere to go.

In the opposite direction, the FreeNAS box can establish an outbound connection without needing this port forwarding as the Router/firewall lends its address to FreeNAS for the outbound conversation and keeps track to ensure that only the packets returning from the target of this conversation are allowed to go back to your FreeNAS box.

I don't know if this is a full enough explanation to make you feel comfortable about adding the default gateway, but in principle, if your router/firewall is doing its job properly, it is already providing the protection against the concern you have in specifying the default gateway.
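The NAT behaviour described above, as an added example that is not part of the post or of FreeNAS: a toy router that tracks outbound conversations, lets only their replies back in, and otherwise drops Internet traffic unless a port forward exists. The addresses 192.168.0.10 and 231.65.89.7 are the post's; the update-server and remote-host addresses are constructed placeholders from the documentation ranges.

```python
"""Toy NAT router: outbound conversations are tracked so that only their replies
come back in; anything unsolicited from the Internet is dropped unless an
explicit port forward exists. Constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

WAN_IP = "231.65.89.7"          # router's public address (the post's example)
FREENAS = "192.168.0.10"        # FreeNAS LAN address (the post's example)
UPDATE_SERVER = "203.0.113.5"   # constructed placeholder for an update server
REMOTE_HOST = "198.51.100.77"   # constructed placeholder for an unknown Internet host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    wan_ip: str
    # (proto, wan_port) -> (lan_ip, lan_port): the "inbound port mapping" from the post
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port): tracked conversations
    conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: lend the WAN address and remember who started the conversation."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[(pkt.proto, wan_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver a tracked reply or a port-forwarded packet; else drop."""
        if pkt.dst != self.wan_ip:
            return None  # 192.168.x.x does not route on the Internet; only WAN_IP can arrive
        lan = self.conntrack.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if lan is None:
            lan = self.port_forwards.get((pkt.proto, pkt.dport))
        if lan is None:
            return None  # nowhere to go: blocked or dropped, as the post says
        return Packet(pkt.proto, pkt.src, pkt.sport, lan[0], lan[1])


def scenario() -> Dict[str, Optional[Packet]]:
    """Walk through the cases the post describes and return what reaches the LAN."""
    router = NatRouter(WAN_IP)
    # 1. FreeNAS checks for updates: outbound HTTPS needs no port forward, and the reply is let in.
    out = router.outbound(Packet("tcp", FREENAS, 51234, UPDATE_SERVER, 443))
    reply = router.inbound(Packet("tcp", UPDATE_SERVER, 443, WAN_IP, out.sport))
    # 2. A reply-shaped packet from a different host does not match the tracked conversation.
    spoofed = router.inbound(Packet("tcp", REMOTE_HOST, 443, WAN_IP, out.sport))
    # 3. Unsolicited SMB traffic from the Internet has no mapping and is dropped.
    unsolicited = router.inbound(Packet("tcp", REMOTE_HOST, 4444, WAN_IP, 445))
    # 4. Only an explicit port forward (which the thread advises never to add) lets traffic in.
    router.port_forwards[("tcp", 443)] = (FREENAS, 443)
    forwarded = router.inbound(Packet("tcp", REMOTE_HOST, 4444, WAN_IP, 443))
    return {"reply": reply, "spoofed": spoofed, "unsolicited": unsolicited, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in scenario().items():
        where = "dropped" if pkt is None else f"delivered to {pkt.dst}:{pkt.dport}"
        print(f"{name:12s} {where}")
```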
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
xtec said:
Could I set up a default gateway for like the time I manually update my machine?

I mean, could I define a default gateway, go to manual update and update te machine and then (with freenas updated) I would remove again the default gateway??

When you add a default gateway the IP address gets added as a nameserver entry to your /etc/resolv.conf file. I don't know off hand if that entry will be removed if you subsequently remove it from the GUI. I'd have to do some testing to confirm.

xtec said:
Well, not being an expert on this field, I don't know how to set up a "Hosts Allow list". Moreover, as I could understand from your explanation, setting up that "Hosts Allow list" could be a bit tricky and not a worth measure, so I guess I'll leave it as it is hoping that my current configuration is reasonably and generally safe to leave my server on 24/7.

This is best left to your gateway appliance/firewall. Don't go changing anything on the base FreeNAS system, it's an appliance and meant to be used as is. Any changes you make would likely not survive a reboot and definitely would not survive an update.

xtec said:
In spite of that, I feel a bit curious on why the default setting of FreeNAS is not to set a default gateway

Because IX has no idea of what RFC1928 address a user's network would be using so it's impossible to have a default setting and doing so would likely break a new installation.

xtec said:
About taking too seriously this seurity thing, is not that I am trying to guarantee 100%the safety of the server, but I think that if I can make it a little safer just by changing small settings, I think it's worthy for a little more of peace of mind.

Again I think you're worrying about this a bit too much. If you want good security set up users and use sane access and permissions for those users as that's the most likely attack vector.

Don't mistake my comments as dismissing security completely but it's a rabbit hole you can easily chase yourself into if you're not careful.
 

xtec

Dabbler
Joined
Apr 20, 2018
Messages
10
Sretalla, I really appreciate all your explanations but I think that some parts are a bit too technical for me to understand all the principles behind them. I am trying to learn from experts like you guys and that's why I registered in this forum, so that I could have the help and knowledge of people who deeply understand these subjects.

I clearly know that the default gateway should be set up though.

My router does have a firewall but I am not comfortable tuning specific configurations, and the default firewall configuration says (I left it the way it is):
-inbound policy: reject
-outbound policy: accept (Outbound access is allowed to the following services: DHCP, DNS, IMAP, SMTP, POP3, HTTPS, HTTP, FTP, Telnet.)

Jailer, as I have mentioned, I'll set a default gateway (permanently) because I now can see from your explanation, and also from the valuable explanations of sretalla, the importance of setting it up, and I realize that adding and removing the gateway could become a problematic situation.

Jailer said:
Again I think your worrying about this a bit too much. If you want good security set up users and use sane access and permissions for those users as that's the most likely attack vector.

Well, I do have two users set up for my FreeNAS so that one can modify content and the other one can just see and execute it (I access my server through the more restricted user on a daily basis).

As I have mentioned before, I believe this is not a question of worrying a bit too much. I just wanted to know that my current configuration was adequate and reasonably safe for my purpose, and if it is, I'm delighted :)

Again, thank you all so much for all the help and time.

:)
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
xtec said:
Sretalla, I really appreciate all your explanations but I think that some parts are a bit too technical for me to understand all the principles behind. I am trying to learn from experts like you guys and thats why I registered in this forum so that I could have the help and knowledge of people who deeply understand these subjects.

I clearly know that default gateway should be set up though.

My router does have a firewall but I am not comfortable to tune specific configurations and the default firewall configuration says (I left it the way it is):
-inbound policy: reject
-outbound policy: accept (Outbound access is allowed to the following services: DHCP, DNS, IMAP, SMTP, POP3, HTTPS, HTTP, FTP, Telnet.)

:)

Your firewall setup looks fine to me.

I think that you can count yourself as sufficiently secure to use your system as designed without excess risk.

Best of luck with it.
 

xtec

Dabbler
Joined
Apr 20, 2018
Messages
10
Hello sretalla. Your clarifications have been really really helpful for me to properly configure my FreeNAS!!

Btw, I just added a default gateway 192.168.x.x (and "nameserver 1": 8.8.8.8). It all went fine and I can now check for updates.



I just don't understand one thing that does not have to do with all this, and I don't know if you could help me once again:

When I go to my router configuration page I can see the addresses of all machines connected to my network (phones, tablet and computer client) but I cannot see my FreeNAS.

This has been happening since I set up a static IP for my FreeNAS for convenience (before setting a static IP on FreeNAS from the shell, the server address was showing up on my router page). Is this normal?

Thanks again for all
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
sretalla said:
Apply default permissions (although this may complicate your life a lot for little reward)

That's an option to reset the permissions to something sane so that you can get back in after screwing them up. Not something you're ever meant to use regularly or rely on, unless you happen to want to give everyone read access.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
xtec said:
when I go to my router configuration page I can see the addresses of all machines connected to my network (phones, tablet and computer client) but I cannot see my FreeNAS.

This has been happening since I have set up a static IP for my FreeNAS for convenience (before setting a static IP on FreeNAS from the shell, the server address was showing up on my router page). Is this normal??
It's probably normal (different behavior on different routers).

You would possibly need to define your FreeNAS IP as a static DHCP lease (if your router allows for it) in order to continue to see it there.

I don't think it's really necessary as long as you know the address and it isn't inside the DHCP range.

Ericloewe said:
Apply default permissions (although this may complicate your life a lot for little reward)
That's an option to reset the permissions to something sane so that you can get back in after screwing them up. Not something you're ever meant to use regularly or rely on, unless you happen to want to give everyone read access.

Yes, that's an excellent point. I had made my additional comment with the intention of not messing up any permissions that had been put in place by having that setting on, but as you say, those are some wide-open defaults, so let's change that recommendation to "should definitely be turned off"
 

xtec

Dabbler
Joined
Apr 20, 2018
Messages
10
Hey Ericloewe!! Thanks for your insight about that particular option. So far, I had unchecked it and have left it that way till now.

I do set different access permissions for two different accounts on my FreeNAS machine. As I have mentioned, one account, which is the one I use regularly, I use to see my media and open the content (I also access my FreeNAS with that restricted account).

The other account has permissions to modify content and, thus, I use it whenever I feel the need to add, delete or edit files on my FreeNAS (something that I don't do/need all the time, so I don't see the need to have full permissions all the time while accessing my files there).

From your point, and also from sretalla's opinion (who has been helping me a lot to learn more about FreeNAS configuration), I believe it is good practice to uncheck that option. While unchecking it does not affect my user experience, I believe that by removing that option I make the system a little less open, which is always a plus.

Thanks again for mentioning your valuable opinion Ericloewe.



xtec said:
when I go to my router configuration page I can see the addresses of all machines connected to my network (phones, tablet and computer client) but I cannot see my FreeNAS.
This has been happening since I have set up a static IP for my FreeNAS for convenience (before setting a static IP on FreeNAS from the shell, the server address was showing up on my router page). Is this normal??

sretalla said:
It's probably normal (different behavior on different routers).

You would possibly need to define your FreeNAS IP as a static DHCP lease (if your router allows for it) in order to continue to see it there.

I don't think it's really necessary as long as you know the address and it isn't inside the DHCP range.

Well, that was my main concern sretalla. If it is normal behaviour and does not affect my FreeNAS usage, I don't see much point in further configuration in order to see the FreeNAS on my router page. I access my FreeNAS WebGUI very easily and the machine has been working flawlessly for 10 days nonstop.

Thank you very much
 

Mal de Mer

Cadet
Joined
Aug 3, 2014
Messages
3
I've had this problem for some years as I have company sensitive data (mostly source code files) on my network because I telecommute. If you're serious about network security I would suggest investing in a hardware firewall (about $200 and up) and running a first class firewall package like pfSense on it. All non-LAN data should be routed through the firewall.

You should set up a firewall rule to prevent all incoming packets getting to your FreeNAS box - this should be the default for every network not running a server that needs external access. Then you can block all data from your FreeNAS box to outside your LAN with another rule and add a few exception rules as needed.

The exceptions I have are DNS and NTP to my pfSense box only (it provides those services for my network), HTTP and HTTPS to iXsystems for FreeNAS updates, and SMTPS to the mail server at my company for email alerts, etc. (Of course, other systems on my LAN have different firewall rules that aren't as restrictive.) I believe this setup makes a FreeNAS box reasonably secure with minimal fuss and bother.

As I run a wireless AP, I think it's reasonable to set up static DHCP addresses tied to the MAC address of every device on the LAN, and deny DHCP addresses to any unknown MAC addresses that try to connect even if they have the AP password. pfSense is a wonderful product, and well worth the money (it's free).
 

RegularJoe

Patron
Joined
Aug 19, 2013
Messages
330
Low-hanging fruit:

Email clients with HTML email
Email clients with attachments
social media applications that can render remote data
auto port forwarding on SOHO firewalls for kids playing games and such
web browsers(IMHO chrome is the best, auto updating and updating plugins)
Internet sites hosting flash content
Internet sites hosting java applications
Internet sites using inline adobe acrobat objects
guests who want to use your wifi and have a jailbroken phone with malware
 