faq:0096

Q: How do I make sure my NAS4Free server is secure?
A: You can ensure basic security by following the NAS4Free Security Checklist. Items #1-7 provide basic security; items #8 and above can provide hardened security for your server and network, depending on your implementation.

  1. Change the WebGUI admin/root password (the default is: nas4free)
    1. Use a very strong password if you intend to access NAS4Free over the Internet, see below.
    2. Please note: the admin and root accounts use the same password.
    3. Please note: users that are members of the wheel group can su to root if they know the root password.
  2. Change the WebGUI admin user name (the default is admin) to protect your system against dictionary attacks. Don't use 'admin' or 'administrator'.
  3. DO NOT give shell access to everybody.
  4. DO NOT use plain FTP over the Internet; it is not secure. Use SSH or SFTP instead to encrypt your traffic.
  5. DO NOT enable Password Authentication with SSH; set up and use NAS4Free - SSH Password-less / Key Authentication.
  6. Don't allow the root account to access SSH. Under Services|SSHD, make sure the "Permit root login" box is NOT checked. If this is checked, someone can log in as root if they know or crack your password. If this is not checked, they must guess your user ID and your password.
  7. Always use the https protocol to access the WebGUI interface. You do not need a security certificate to do this, though you will get a warning message if you don't have one.
  8. DO NOT open your WebGUI server to the Internet; instead, open a tunnel via SSH from client to server.
  9. Check your logs regularly. While NAS4Free has security measures to protect against some brute force attacks, it never hurts to make sure you have not been hacked into.
  10. Have some kind of hardware firewall in place. Netgear, Linksys or similar routers are a good start. They are cheap and relatively easy to use. For greater security, build and customize your own router / firewall; M0n0Wall and Vyatta are two good candidates. Only pass through the ports you need to make services work, such as port 22 for SSH and port 443 for HTTPS. On a Netgear or Linksys router this is set under the application/gaming section of the router configuration. Better yet, don't use known port numbers at all; use unassigned, private ports per IANA recommendations.
  11. Use a long password that is not a word found in any language dictionary. (Google your proposed password. If it has no hits in Google, that is a good thing.) Include numbers as part of your password.
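For item #9, a log review can be reduced to a per-address count of failed SSH password logins. The following is an added example, not part of the original FAQ; it assumes the SSH log is available as text in the usual OpenSSH sshd message format, and the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Log lines below are constructed; addresses are documentation ranges.
sample_log() {
cat <<'EOF'
Feb 19 03:10:01 nas sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Feb 19 03:10:03 nas sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Feb 19 03:10:09 nas sshd[1204]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Feb 19 03:10:15 nas sshd[1207]: Failed password for invalid user from 10.0.0.1 from 198.51.100.7 port 40141 ssh2
Feb 19 08:42:17 nas sshd[1388]: Failed password for pvt from 192.168.1.20 port 51000 ssh2
Feb 19 08:42:30 nas sshd[1388]: Accepted publickey for pvt from 192.168.1.20 port 51000 ssh2
EOF
}

# Read sshd log text on stdin; print "count address root_attempts=N" for every
# source with at least $1 failed password logins (default 3), busiest first.
failed_ssh_by_ip() {
    awk -v min="${1:-3}" '
        /sshd\[/ && /Failed password for / {
            ip = ""
            # Use the LAST "from": the user name is client-supplied text and
            # may itself contain the word "from".
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            count[ip]++
            if ($0 ~ /Failed password for root from /) root[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    printf "%d %s root_attempts=%d\n", count[ip], ip, root[ip]
        }' | sort -rn
}

# Demo on the constructed sample: only the address with 3 or more failures is listed.
sample_log | failed_ssh_by_ip 3
```

Failed password attempts showing up at all after item #5 has been applied, or any attempts against root after item #6, are worth a closer look at the SSH settings.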

Now that you know what to do, you should find out how to do it. Let's go through the list:

Item #1 - Change the admin password in WebGUI Tab> System|General|Password: See – SUG Section 3.1.1-System|General|Password

Items #2, #4 - Change admin user name and access protocol in WebGUI Tab> System|General: See – SUG Section 3.1-System|General Setup

Items #5, #8 - Configure SSH setup in WebGUI Tab> Services|SSH: See – SUG Section 6.4-Services|SSH

Of course, you will need to create a non-admin user, create an SSH key, and upload it to your NAS4Free server. Please read the OpenSSH manual and OpenSSH FAQs for details.
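Once items #5 and #6 are set in Services|SSH, the resulting sshd settings can be checked from the shell. The following is an added example, not part of the original FAQ; the function names and the sample configuration are constructed, and it assumes the configuration is available as sshd_config-style text on standard input.

```shell
#!/bin/sh
# Constructed sample sshd_config (not taken from a NAS4Free system).
sample_sshd_config() {
cat <<'EOF'
# global section
Port 22
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Audit checklist items #5 and #6. sshd keeps the FIRST value it reads for a
# keyword and keyword names are case-insensitive, so a later "no" does not
# undo an earlier "yes". Returns 1 if anything is not "no".
audit_sshd() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blanks
        { sub(/[ \t]*=[ \t]*/, " "); k = tolower($1); v = tolower($2) }
        k == "match" { in_match = 1; next }
        k != "passwordauthentication" && k != "permitrootlogin" { next }
        in_match {                                    # per-user/host override
            if (v != "no") { print "WARN Match block sets " k "=" v; bad = 1 }
            next
        }
        !(k in seen) { seen[k] = v }                  # first global value wins
        END {
            n = split("passwordauthentication permitrootlogin", want, " ")
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen)) { print "FAIL " k " unset, sshd default applies"; bad = 1 }
                else if (seen[k] != "no") { print "FAIL " k "=" seen[k]; bad = 1 }
                else print "PASS " k "=no"
            }
            exit bad + 0
        }'
}

# Demo on the constructed sample: the earlier "permitrootlogin yes" is what sshd uses.
sample_sshd_config | audit_sshd || echo "sshd settings need attention"
```

On a host with OpenSSH, `sshd -T` (run as root) prints the effective configuration in the same keyword-value form and can be piped into `audit_sshd`.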

If your NAS4Free server is behind a router, as most are, you also need to configure port forwarding. See the following for help:

  • What is Port Forwarding? Just in case you are not sure.
  • How To Configure Your Router. If you have no idea how to configure your router, these people can probably help. Skip any ads, don't spend any money, just click into the free guide for your make and model of router and follow the instructions.

If you have configured everything properly, you can now do SSH tunneling from a *nix PC. Issue the following in a CLI (terminal) window:

$ ssh -v -p 22 -L 8888:localhost:443 username@your.NAS4FreeorRouter.IP.address

This creates the tunnel.

Then open your web browser and type the address

https://localhost:8888/

and you should have access to the WebGUI.

Windows users can follow the instructions in How to Access the WebGUI via SSH Tunnel from a Windows Shortcut.

If you don't have a static IP address, use a free service such as DynDNS.

An alias will make it quick and simple to start your tunnel. Linux users can create an alias with the following high-level procedure:

$ cat .bashrc
alias ssh-nas="ssh pvt@192.168.1.250"
alias ssh-dir="ssh pvt@192.168.1.1"
alias tunnel-nas="ssh -v -p 22 -L 8888:localhost:443 tvp@xxx.dyndns.org"

# sudo alias
alias apt-update="sudo apt-get update"
alias apt-install="sudo apt-get install"
alias apt-remove="sudo apt-get remove"
alias mount="sudo mount"
alias umount="sudo umount"
alias suvim="sudo vim"
$ tunnel-nas

If you do not understand what is being done in the previous procedure, please spend some time looking up the commands.


Thanks to Danmero for original Security Checklist.
Thanks to Phan Vinh Thinh, How to secure your NAS4Free server for additional steps.
Thanks to ldkraemer for additional suggestions.

faq/0096.txt · Last modified: 2014/02/19 14:29 (external edit)