NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
HowTo make your Readynas more secure [nessus/ssl]
This HowTo is based on a RND 2150 with firmware 4.1.3-T136. It should work for other Readynas devices as well.
A big thanks goes out to Chirpa for leading me the way :thumbsup:
Before you get started:
Take a backup of httpd.conf and proftpd.conf before you make any changes to its configuration.
Make sure you have SSH access to your Nas. I believe that reinstalling the firmware will undo any changes made by this HowTo.
1) Problem: The remote SSH host keys are weak. please see: http://wiki.debian.org/SSLkeys
Consider all cryptographic material generated on the remote host to be guessable.
In particuliar, all SSH, SSL and OpenVPN key material should be re-generated: Regenerate SSH and SSL keys.
Recommendation: Take immediate action!
Solution:
For SSL, you can generate a new key on the HTTPS page of your Readynas
For SSH, type following commands on the shell:
2) Problem: HTTPS access service encrypts traffic using a protocol with known weaknesses (being SSL 2.0). Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Recommendation: Although not as bad as the previous, I would change it as soon as possible
Solution:
*** Please backup httpd.conf before making any changes ***
Type following commands on the shell:
3) Problem: HTTPS access service supports the use of weak SSL ciphers suites. Reconfigure it to avoid use of weak
ciphers.
Recommendation: Changing it won't hurt:)
Solution:
*** Please backup httpd.conf before making any changes ***
Type following commands on the shell:
4) Problem:The remote webserver (HTTPS or HTTP) supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server connections.
Servers supporting the TRACE method are subject to cross-site scripting attacks and various other browser hacks.
Recommendation: Changing it won't hurt:)
Solution:
*** Please backup httpd.conf before making any changes ***
Type following commands on the shell:
5) Problem: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Basically, you are giving away the FTP version number and that the FTP service is on a Readynas. If someone finds a weakness in the FTP server that the Readynas is running, it would not be wise to help hackers by telling you are running this particular version.
Recommendation: Changing it won't hurt:)
Solution:
*** This is not a way to secure your Nas! If there is a bug in an application, it must be corrected. In the meantime actions like this may save you from more harm***
***Please backup proftpd.conf before making any changes ***
Edit proftpd.conf to reflect the config below. Change or add the lines with a * (remove the * though)
A big thanks goes out to Chirpa for leading me the way :thumbsup:
Before you get started:
Take a backup of httpd.conf and proftpd.conf before you make any changes to its configuration.
Make sure you have SSH access to your Nas. I believe that reinstalling the firmware will undo any changes made by this HowTo.
1) Problem: The remote SSH host keys are weak. please see: http://wiki.debian.org/SSLkeys
Consider all cryptographic material generated on the remote host to be guessable.
In particuliar, all SSH, SSL and OpenVPN key material should be re-generated: Regenerate SSH and SSL keys.
Recommendation: Take immediate action!
Solution:
For SSL, you can generate a new key on the HTTPS page of your Readynas
For SSH, type following commands on the shell:
# ssh-keygen -t rsa1 -f "/etc/ssh/ssh_host_key" -N ''
# ssh-keygen -t rsa -f "/etc/ssh/ssh_host_rsa_key" -N ''
# ssh-keygen -t dsa -f "/etc/ssh/ssh_host_dsa_key" -N ''
2) Problem: HTTPS access service encrypts traffic using a protocol with known weaknesses (being SSL 2.0). Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Recommendation: Although not as bad as the previous, I would change it as soon as possible
Solution:
*** Please backup httpd.conf before making any changes ***
Type following commands on the shell:
# echo SSLProtocol all -SSLv2 >> /etc/frontview/apache/httpd.conf
# killall apache-ssl
# /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf
3) Problem: HTTPS access service supports the use of weak SSL ciphers suites. Reconfigure it to avoid use of weak
ciphers.
Recommendation: Changing it won't hurt:)
Solution:
*** Please backup httpd.conf before making any changes ***
Type following commands on the shell:
# echo 'SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL' >> /etc/frontview/apache/httpd.conf
# killall apache-ssl
# /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf
4) Problem:The remote webserver (HTTPS or HTTP) supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server connections.
Servers supporting the TRACE method are subject to cross-site scripting attacks and various other browser hacks.
Recommendation: Changing it won't hurt:)
Solution:
*** Please backup httpd.conf before making any changes ***
Type following commands on the shell:
# echo TraceEnable off >> /etc/frontview/apache/httpd.conf
# killall apache-ssl
# /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf
5) Problem: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Basically, you are giving away the FTP version number and that the FTP service is on a Readynas. If someone finds a weakness in the FTP server that the Readynas is running, it would not be wise to help hackers by telling you are running this particular version.
Recommendation: Changing it won't hurt:)
Solution:
*** This is not a way to secure your Nas! If there is a bug in an application, it must be corrected. In the meantime actions like this may save you from more harm***
***Please backup proftpd.conf before making any changes ***
Edit proftpd.conf to reflect the config below. Change or add the lines with a * (remove the * though)
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody/nogroup" and "ftp" for normal operation and anon.
ServerName "Don't tell you are a Readynas here"*
ServerType standalone
ServerIdent on "Don't tell you are ProFTPD 1.3 here!"*
DeferWelcome on
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on
UseReverseDNS off
IdentLookups off
TimesGMT off
WtmpLog off
ServerLog /var/log/proftpd.log
SystemLog /var/log/proftpd.log
TransferLog /var/log/proftpd.log
BanLog /var/log/proftpd.log
MaxLoginAttempts 1
BanEngine on
BanTable /ramfs/ftp_ban.tbl
BanOnEvent MaxLoginAttempts 5/00:10:00 00:15:00
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message
DenyFilter \*.*/
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd on
# Uncomment this if you would use TLS module:
#TLSEngine on
# Uncomment this if you would use quota module:
#Quotas on
# Port 21 is the standard FTP port.
LINES HAVE BEEN REMOVED HERE TO PROTECT MYSELF.
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
<Directory /*>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
AllowOverwrite on
HideFiles .*
</Directory>
15 Replies
Replies have been turned off for this discussion
- Hi, it's been almost 4 years since the first post. How much the NAS beahavior has changed since that time ?
- I am still concerned regarding the Duo v2, with Photos II especially, which appears to be port forwarding our IP address to everyone we send an invitation to... My brother in law was able to use this address to access the login page for the NAS. Sounds nasty.... he advised me not to use Photos 2 and to turn off port forwarding and uPnP, which I have done. I am rather disappointed, as being able to share and host my own photos was a feature I was quite looking forward to using! I have asked about this in the Photos II thread, but have had no reply....
Why is this so concerning to you? Presumably you have a strong password.Deb-B wrote: I am still concerned regarding the Duo v2, with Photos II especially, which appears to be port forwarding our IP address to everyone we send an invitation to... My brother in law was able to use this address to access the login page for the NAS. Sounds nasty.... he advised me not to use Photos 2 and to turn off port forwarding and uPnP, which I have done. I am rather disappointed, as being able to share and host my own photos was a feature I was quite looking forward to using! I have asked about this in the Photos II thread, but have had no reply.... - I think it is because I don't understand how networking works, beyond my own home system. My brother in law was quite adamant that broadcasting the IP was a potentially huge risk, as it leaves our home systems open to hackers. I need to learn more so I can make my own judgements! Any suggestions of web pages explaining these things to newbies would be welcome!
- It is true that your photos are being saved on your NAS. So the downloaders you send invitations to need a way to connect to the NAS to get them.
By itself this does not leave your home systems "open to hackers". Just like putting your return address on letters you mail to your friends does not open your home to burglars.
You should have good security on your home network anyway (even if you do not use photos II).
Did you forward yoh-dah's response to your brother? viewtopic.php?f=145&t=62638&p=351188#p351188 It is quite possible that he did not realize what login screen he was looking at.
If that does not address his concerns, maybe he can join the forum, and post his security concerns personally?
BTW, you should probably follow up on your security concerns thread, as that one is only about your topic.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
