How To Lock Down And Secure TrueNAS

Captions
Tom here from Lawrence Systems. We're going to talk about securing your TrueNAS Core installation. Now, I did say specifically TrueNAS Core, and most of these will, generally speaking, apply to TrueNAS SCALE, but as of January 2022 TrueNAS SCALE has not been fully released. In the future, once it is released, you can check my channel if you're watching this in that future; there's probably going to be a video on that topic, more specific to TrueNAS SCALE. But today we want to cover some general good security practices for configuring your TrueNAS Core system, so let's get started with that. But first, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a short project such as storage consulting, there's a Hire Us button right at the top. If you want to support this channel in other ways, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel.

The first thing worth mentioning is multi-factor authentication; let's just get that one right off the top. It's easy to do in TrueNAS, but I want to make sure you're doing it properly. There's a little bit of a problem, so to speak, that you can create for yourself when you're setting this up. When you enable it, you create the secret and you click on Enable (right now it says Disable Two-Factor; we can go ahead and click Disable to show you what it looks like). We're going to go ahead and get a caution: "Once two-factor is enabled, the one-time password will be required to sign in to the system. Be sure you immediately set up another two-factor device." Confirm. Please note it did this without asking me if I had actually clicked on Show QR Code or displayed the secret. I highly recommend that when you set this up and hit Enable, you open up maybe an incognito window or a different browser, try to log in, and make sure it works. That's really important. This is one thing where people have found themselves in a little bit of a problem: you turn on two-factor, which I highly recommend doing, but you also end up not realizing that, oh, I didn't copy the QR code, I didn't do that, I just hit Enable, and then I logged out and logged back in, but I forgot to show the QR code or reveal the secret so I could copy it into my app. So FYI on that.

Second thing of note: please note I have the Window set to one. This is a specific feature here; the window extends the validity of passwords beyond the interval setting. Basically, having one means the one before and the one after will work. The reason I did this, and I recommend doing it, is if you are worried at all about the system ever getting out of sync. If you do have an NTP server set up it shouldn't be an issue, but these codes roll every 30 seconds on the interval, and if you have a machine more than 30 seconds out of sync when it comes to time, you will find yourself unable to log in. Now, I don't exactly know how often this happens, but it's happened a couple of times where the system seemed to wander just a little bit out of time, never more than just a few seconds, so this solved it for me. Hopefully that helps someone out who's had trouble with the 2FA; I've seen some posts in forums about that.

The next thing seems obvious, and it's a good practice in general: making sure everything is on the latest version. TrueNAS Core is at 12.0-U7 as of right now, in January of 2022, well, the beginning of January, so just make sure it's up to date. This solves not just feature problems but sometimes solves security problems, because as they update the modules, if there's a flaw in something such as SMB, for example, you will find that part of the update is to fix any of those flaws in the different components that make up your TrueNAS system.

The next thing is all about the admin interface. I just want to bring this up: making sure that you lock down the admin interface is one of the utmost important features of TrueNAS, and I'll touch on it more when I get to the part about snapshots, but essentially you need to keep people from getting in here more than anything else. Now, ideally you should have a system set up with multiple network interfaces, and then you can have one of those interfaces dedicated to being management. If you're a home user this is probably less of an issue, but I've talked a lot on this channel about segmenting networks, and the more you segment your networks, the better overall security you will have, by creating these rules and isolating different segments of the network to not allow what they refer to as lateral movement. That's what a lot of these next steps are going to be about: network segmentation and interface segmentation. Instead of creating firewall rules, which isn't really an option through the UI here in FreeNAS/TrueNAS (because it has been this way for quite a while), the system has a place where you bind it to the IP addresses you want. So this right here is the VLAN I do not think ever needs to access the admin interface; these two I do want to have access to the admin interface. You just check these on and off as needed, and this is what allows the interface to be bound to those addresses, which means they're accessible from those networks. I do recommend making sure you have the Web Interface HTTP -> HTTPS Redirect turned on, and after that just save the config and you're good to go.

Next on the network segmentation list, we're going to go over to the services. First is always really simple: which services do you need on? Are you using those? I hope you're not using FTP, even though it is still available here inside of TrueNAS, but if you don't need a service, you turn it off. If it's not in use, disable it until you need it, and this really goes for any of these services. Secondary is to bind these services only to the network interfaces that they're used on. Really, this is simple to do. If we have, like, the SMB protocol, we go here, we go into Advanced, and right here are the IP addresses that we can bind it to. I don't care for it on this network; I need it on this network here, as this is where a few things need to connect via SMB. It's perfectly fine to have the admin interface somewhere else but only allow the Samba shares to be right here. Same thing if we went over to, like, NFS or S3; any one of these, you just bind it to the interfaces where it's relevant, and that just helps eliminate any potential issues from being exposed on networks where it's not needed. To go a step further, some services such as iSCSI or NFS both support narrowing the scope of what can even connect to them based on IP addresses. That way, when you're doing any of the sharing, you're limiting it in scope even further. So the more you can limit in scope and practice these principles of least privilege, the safer everything is.

Specifically, let's talk about SSH, though, where I highly recommend only having SSH with keyed authentication. This checkbox here allows interactive or password-based auth; I highly recommend limiting it to key authorization. So if you do need SSH on for whatever reason, or maybe you're doing some replication and connecting over it to send things, that's fine, but you want to do it all with key management, and I've got videos on SSH and key management.

Let's move on to the jails and the jail system here. The jails are not something I use a lot, so I set these two jail demos up, and I have an entire video, because it's out of scope to talk about some of the intricacies of setting this up, but yes, jails can be tied to different VLANs. So this jail is tied to the 1669 slash 0-24 VLAN 2, but I want the jail on that interface so it can then talk to that network. This is ideal for situations where, let's say, you have a media streaming service or tools such as Plex, and you want Plex to be in the IoT network with the other devices so it can stream and cast directly to them, but you don't want maybe your Samba shares or your admin interface in that network. Or maybe you take data from your computer and share it; you can have that bound to the SMB, and then your jails will expose data only inside of Plex over to that media streaming network without other things being tied to it, and you can set this up on a per-jail basis. I'll leave a link to the video I have where I talk about jails, different networking and different VLANs, and setting that up and configuring it. But it's another one of those best practice type things: having each thing in the network that it's going to be interacting with the other devices on. You can obviously route some things through your firewall to create different restrictions, but this obviously creates some challenges where you're routing a lot of extra things through your firewall, creating different rules, putting a burden on the firewall trying to inspect that traffic, or, in the case of some of the streaming devices, they expect the device and where the streaming's coming from to be on the same subnet. But that's just a way to configure it here to solve some of those problems.

Now let's briefly touch on physical security. We're going to go here to Storage and we're going to look at the pools. When you're setting up the pools, hopefully you created them with keys. I highly recommend doing this; that way, if ever a hard drive were to go bad, you can confidently remove it from the pool, because the keys are stored on the boot drive, there's no key information on that drive, and your information is completely encrypted on it. So there's one level of security. The next level of security is: what if someone physically took your whole TrueNAS system? Well, this would obviously be very problematic, and one of the ways you can help mitigate risk is, if you have any particular dataset that you've created, you can go to that particular dataset, go to Encryption Options, and instead of inheriting a standard key encryption, you can go passphrase on this. Now, this creates the inconvenience of every time you reboot your TrueNAS system having to type in a passphrase to unlock that dataset, but it creates the security that if someone were to physically take your entire server, figure out a way to start it up, get into it, and acquire those keys off the boot drive, they still wouldn't have this typed-in password. We do this for any of our critical stuff. As I said, it creates the inconvenience that rebooting means I have to also unlock those particular datasets, but it creates that security of, well, without those passwords, and without putting those passwords in, that dataset is completely locked.

The next piece of physical security is going to come under System and then Advanced: Show Text Console without Password Prompt. You can uncheck this. If you're familiar with the way the text console works, it allows you to type in and be able to control some functions, and even reset the web password right from the command prompt on the system. This is one of those things that, well, maybe you don't want on there because you're worried a little bit more about the physical side. You can just uncheck this box and it then removes that; you'll have to have the root login and password in order to type in interactively, and hopefully you have a good password and that wouldn't be easy to do.

Now, the last component I want to talk about is snapshots. I've talked about them a lot on this channel. Snapshots, with ZFS specifically, are a block-level snapshot instance of your data at the moment you took the snapshot. They're an excellent way to protect the data. They are only manageable through the command-line interface, via SSH or directly on the system, or via the web interface. That's why all the aforementioned things are so important, to keep people out of those, because the question comes up: what if we have a Windows share, what if we have this system tied to Active Directory, and we have a user who clicks on something with a high level of privilege and they destroy all the files, encrypt all the files, do something terrible to them? Well, snapshots roll it back. But then the next question is how do you make those immutable? How do we make sure no one from the Windows connection gets in there? The way it works inside of TrueNAS, the Windows systems do not have access to the snapshots from a read/write perspective. There is the option to turn on, and I've done a video about this, volume shadow copies emulated through TrueNAS, so snapshots appear like a shadow copy, but unlike a shadow copy they're emulated to SMB and they're actually ZFS snapshots, and they're all read-only, so technically, from the Windows perspective, it is immutable. Any time you've seen major losses from someone who had snapshots set up and maybe got ransomware, or something happened to other data, you'll find that they probably had access to the admin interface with a shared password to something else, or somehow the threat actors, or whoever had the idea to do something terrible to the system, also had access to that admin interface and got onto the TrueNAS. If they only have it exposed through iSCSI, NFS, S3, insert the name of all the different methodologies for connecting data to TrueNAS, they do not have direct access to the snapshot library or snapshot file system that's created with ZFS, where all that snapshot data lives and is controlled and managed. So as long as you keep the admin interfaces locked down and no one gets in them, the encryption of all those files is still protected with snapshots, because you can just revert back to the previous snapshot. Now, how frequently and how long should you keep those snapshots is still going to depend on your storage needs and what you can find reasonable based on how much storage you have and how much data you have, and I'll leave links down below, too, where I dive a little bit more in depth on the snapshot topic.

So hopefully this gets you started and secured with TrueNAS. If you have some questions, comments, and concerns, leave them down below. If you want to have a more in-depth discussion about this video, head over to our forums. Alright, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
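The "Window" setting described in the two-factor section is worth seeing in code: the server does not compare clocks in seconds, it compares 30-second time steps, and a window of 1 means the step before and the step after the server's current step are also accepted. The block below is an added illustration written for this page; it is not TrueNAS code and the function names (`totp`, `verify_totp`, `demo_clock_skew`) are my own. It implements RFC 6238 TOTP with a configurable window and shows a client whose clock is 35 seconds behind being rejected with window 0 but accepted with window 1, while a clock 90 seconds behind is rejected either way. The secret used is the published RFC 6238 test secret, and the timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret an authenticator app or TOTP UI displays."""
    b32 = b32.strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore stripped padding
    return base64.b32decode(b32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (unix time // interval)."""
    return hotp(secret, at // interval, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                interval: int = 30, digits: int = 6) -> bool:
    """Accept a code if it matches any step within +/- window of the server's step.

    window=0 accepts only the current step; window=1 also accepts the step
    before and the step after, which is what the TrueNAS 'Window' setting does.
    The comparison is constant-time to avoid leaking matching digits.
    """
    step = at // interval
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta, digits), code):
            return True
    return False


def demo_clock_skew() -> dict:
    """Constructed scenario: server clock vs. an authenticator that runs slow."""
    secret = b"12345678901234567890"       # RFC 6238 test secret, not a real one
    server_now = 1111111109                # constructed server time (RFC test vector)

    # Authenticator 35 s behind: lands in the previous 30 s step here.
    code_35s_behind = totp(secret, server_now - 35)
    # Authenticator 90 s behind: three steps back, outside any window of 1.
    code_90s_behind = totp(secret, server_now - 90)

    return {
        "window0_35s_behind": verify_totp(secret, code_35s_behind, server_now, window=0),
        "window1_35s_behind": verify_totp(secret, code_35s_behind, server_now, window=1),
        "window1_90s_behind": verify_totp(secret, code_90s_behind, server_now, window=1),
    }


if __name__ == "__main__":
    for name, accepted in demo_clock_skew().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Whether a 35-second offset crosses a step boundary depends on where in the 30-second step the server's clock currently sits, which is why an out-of-sync device can fail only intermittently; a window of 1 covers one step of drift in either direction, so it still relies on NTP to keep the real offset small.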
Info
Channel: Lawrence Systems
Views: 57,264
Keywords: LawrenceSystems, truenas core, truenas core 12, network attached storage, truenas core setup, truenas 12, open source, freenas (software), network attached storage drive, network attached storage for home, truenas core plugins, truenas security, freenas security
Id: psVNn-JVT9Q
Length: 13min 43sec (823 seconds)
Published: Mon Jan 03 2022