Jeroen1000
Aspirant
Aug 28, 2008

HowTo make your Readynas more secure [nessus/ssl]

This HowTo is based on an RND 2150 with firmware 4.1.3-T136. It should work for other Readynas devices as well.
A big thanks goes out to Chirpa for showing me the way :thumbsup:

Before you get started:

Take a backup of httpd.conf and proftpd.conf before you make any changes to their configuration.
Make sure you have SSH access to your NAS. I believe that reinstalling the firmware will undo any changes made by this HowTo.


1) Problem: The remote SSH host keys are weak. Please see: http://wiki.debian.org/SSLkeys
Consider all cryptographic material generated on the remote host to be guessable.
In particular, all SSH, SSL and OpenVPN key material should be re-generated: Regenerate SSH and SSL keys.

Recommendation: Take immediate action!

Solution:
For SSL, you can generate a new key on the HTTPS page of your Readynas.

For SSH, type the following commands on the shell:

# ssh-keygen -t rsa1 -f "/etc/ssh/ssh_host_key" -N ''
# ssh-keygen -t rsa -f "/etc/ssh/ssh_host_rsa_key" -N ''
# ssh-keygen -t dsa -f "/etc/ssh/ssh_host_dsa_key" -N ''


2) Problem: The HTTPS access service encrypts traffic using a protocol with known weaknesses (SSL 2.0). Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

Recommendation: Although not as bad as the previous one, I would change it as soon as possible.

Solution:

*** Please backup httpd.conf before making any changes ***

Type the following commands on the shell:

# echo SSLProtocol all -SSLv2 >> /etc/frontview/apache/httpd.conf
# killall apache-ssl
# /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf

3) Problem: The HTTPS access service supports the use of weak SSL cipher suites. Reconfigure it to avoid the use of weak ciphers.

Recommendation: Changing it won't hurt :)

Solution:

*** Please backup httpd.conf before making any changes ***

Type the following commands on the shell:

# echo 'SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL' >> /etc/frontview/apache/httpd.conf
# killall apache-ssl
# /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf


4) Problem: The remote webserver (HTTPS or HTTP) supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.
Servers supporting the TRACE method are subject to cross-site scripting attacks and various other browser hacks.

Recommendation: Changing it won't hurt :)

Solution:

*** Please backup httpd.conf before making any changes ***

Type the following commands on the shell:

# echo TraceEnable off >> /etc/frontview/apache/httpd.conf
# killall apache-ssl
# /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf
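The three httpd.conf changes in steps 2, 3 and 4 above all append with `>>`, so running them a second time leaves duplicate (and, if you later change a value, conflicting) directives in the file. The script below is an added example, not code from the original post: it sets each directive exactly once, replacing any existing setting, keeps one untouched copy of the original file as the post recommends, and lets you verify the result before restarting apache-ssl. The file path and the restart commands are the ones from the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent application of the
# httpd.conf hardening from steps 2-4. Re-running it never duplicates a
# directive, and the first run keeps a pristine copy as httpd.conf.orig.

CONF="${CONF:-/etc/frontview/apache/httpd.conf}"   # path from the post

# set_directive FILE NAME VALUE...
# Ensures FILE contains exactly one active "NAME VALUE" line.
set_directive() {
    file=$1; name=$2; shift 2; value=$*
    [ -f "$file" ] || { echo "set_directive: no such file: $file" >&2; return 1; }
    # One-time backup of the untouched file, as the post recommends.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig"
    tmp=$(mktemp) || return 1
    # Drop any existing (possibly indented) line that sets this directive.
    # grep -v exits 1 when nothing remains, which is not an error here.
    grep -v -E '^[[:space:]]*'"$name"'([[:space:]]|$)' "$file" > "$tmp" || true
    printf '%s %s\n' "$name" "$value" >> "$tmp"
    cat "$tmp" > "$file"      # overwrite in place so ownership/mode are kept
    rm -f "$tmp"
}

# count_directive FILE NAME: prints how many active lines set NAME (0 if none).
count_directive() {
    grep -c -E '^[[:space:]]*'"$2"'([[:space:]]|$)' "$1" || true
}

# The three directives from steps 2-4, with the values given in the post.
harden_apache() {
    set_directive "$1" SSLProtocol 'all -SSLv2' &&
    set_directive "$1" SSLCipherSuite 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL' &&
    set_directive "$1" TraceEnable off
}

# Restart sequence exactly as given in the post.
restart_apache_ssl() {
    killall apache-ssl
    /usr/sbin/apache-ssl -f "$1"
}

# Only touch the live system when explicitly asked: `sh harden.sh --apply`
if [ "${1:-}" = "--apply" ]; then
    harden_apache "$CONF" && restart_apache_ssl "$CONF"
fi
```

After applying, `count_directive /etc/frontview/apache/httpd.conf SSLProtocol` should print `1`; a value of 2 or more means an earlier manual `>>` run is still in the file and only the last occurrence wins. On a current OpenSSL build the same function can carry a stricter value (for example `all -SSLv2 -SSLv3`), since SSL 3.0 and TLS 1.0 have since been deprecated as well.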


5) Problem: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Basically, you are giving away the FTP version number and the fact that the FTP service is running on a Readynas. If someone finds a weakness in the FTP server that the Readynas is running, it would not be wise to help hackers by telling them you are running this particular version.

Recommendation: Changing it won't hurt :)

Solution:

*** This is not a way to secure your NAS! If there is a bug in an application, it must be corrected. In the meantime, actions like this may save you from more harm. ***

*** Please backup proftpd.conf before making any changes ***

Edit proftpd.conf to reflect the config below. Change or add the lines marked with a * (remove the * though).


# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody/nogroup" and "ftp" for normal operation and anon.
ServerName "Don't tell you are a Readynas here"*
ServerType standalone
ServerIdent on "Don't tell you are ProFTPD 1.3 here!"*
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on
UseReverseDNS off
IdentLookups off
TimesGMT off
WtmpLog off
ServerLog /var/log/proftpd.log
SystemLog /var/log/proftpd.log
TransferLog /var/log/proftpd.log
BanLog /var/log/proftpd.log
MaxLoginAttempts 1
BanEngine on
BanTable /ramfs/ftp_ban.tbl
BanOnEvent MaxLoginAttempts 5/00:10:00 00:15:00

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayChdir .message

DenyFilter \*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd on

# Uncomment this if you would use TLS module:
#TLSEngine on

# Uncomment this if you would use quota module:
#Quotas on

# Port 21 is the standard FTP port.

LINES HAVE BEEN REMOVED HERE TO PROTECT MYSELF.

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Normally, we want files to be overwritable.
<Directory /*>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

AllowOverwrite on
HideFiles .*
</Directory>
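A quick way to confirm that a proftpd.conf actually hides what step 5 is about, before restarting the service: the audit below is an added example, not part of the original post. It reads the config, reports whether the greeting still discloses the product and version (ServerIdent) or the device type (ServerName), and checks that the login-abuse limits present in the post's config (MaxLoginAttempts, BanEngine) are set. The function names and the two constructed sample configs are this example's own; it never writes to the real file.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of the banner
# and brute-force settings in a proftpd.conf, mirroring step 5.

# directive_value FILE NAME: prints the argument string of the last NAME line.
directive_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

# audit_proftpd FILE: prints one finding per line, returns the number of findings.
audit_proftpd() {
    conf=$1; findings=0
    ident=$(directive_value "$conf" ServerIdent)
    case "$ident" in
        off*) ;;                       # generic greeting, nothing disclosed
        on*\"*)                        # custom string: check its wording
            case "$ident" in
                *[Pp]ro[Ff][Tt][Pp][Dd]*|*[Rr]eady[Nn][Aa][Ss]*)
                    echo "ServerIdent string names the product: $ident"
                    findings=$((findings+1)) ;;
            esac ;;
        *)  # unset, or "on" without a string: default banner shows ProFTPD and version
            echo "ServerIdent is '${ident:-unset}': default banner discloses ProFTPD version"
            findings=$((findings+1)) ;;
    esac
    name=$(directive_value "$conf" ServerName)
    case "$name" in
        *[Rr]eady[Nn][Aa][Ss]*)
            echo "ServerName names the device: $name"; findings=$((findings+1)) ;;
    esac
    attempts=$(directive_value "$conf" MaxLoginAttempts)
    [ -n "$attempts" ] && [ "$attempts" -le 5 ] 2>/dev/null ||
        { echo "MaxLoginAttempts missing or above 5"; findings=$((findings+1)); }
    [ "$(directive_value "$conf" BanEngine)" = on ] ||
        { echo "BanEngine is not on"; findings=$((findings+1)); }
    return "$findings"
}

# make_sample leaky|hardened: writes a constructed proftpd.conf, prints its path.
make_sample() {
    f=$(mktemp) || return 1
    if [ "$1" = leaky ]; then
        printf 'ServerName "ReadyNAS"\nServerType standalone\n' > "$f"
    else
        printf 'ServerName "file server"\nServerIdent on "Welcome"\nMaxLoginAttempts 1\nBanEngine on\n' > "$f"
    fi
    echo "$f"
}

# Demo on the constructed samples; pass a real path as $1 to audit it instead.
if [ -n "${1:-}" ]; then
    audit_proftpd "$1" && echo "no findings" || echo "$? finding(s)"
else
    for kind in leaky hardened; do
        f=$(make_sample "$kind")
        echo "== $kind sample =="
        audit_proftpd "$f" && echo "no findings" || echo "$? finding(s)"
        rm -f "$f"
    done
fi
```

Note that the check is string-based: a custom ServerIdent that itself mentions "ReadyNAS" or "ProFTPD" is flagged, so choose a neutral greeting. Run it as `sh audit.sh /etc/proftpd.conf` (path assumed) after editing and before restarting the FTP service.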
