This HowTo is based on a RND 2150 with firmware 4.1.3-T136. It should work for other Readynas devices as well. A big thanks goes out to Chirpa for leading me the way :thumbsup:
Before you get started:
Take a backup of httpd.conf and proftpd.conf before you make any changes to its configuration. Make sure you have SSH access to your Nas. I believe that reinstalling the firmware will undo any changes made by this HowTo.
1) Problem: The remote SSH host keys are weak. please see: http://wiki.debian.org/SSLkeys Consider all cryptographic material generated on the remote host to be guessable. In particuliar, all SSH, SSL and OpenVPN key material should be re-generated: Regenerate SSH and SSL keys.
2) Problem: HTTPS access service encrypts traffic using a protocol with known weaknesses (being SSL 2.0). Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Recommendation: Although not as bad as the previous, I would change it as soon as possible
Solution:
*** Please backup httpd.conf before making any changes ***
4) Problem:The remote webserver (HTTPS or HTTP) supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. Servers supporting the TRACE method are subject to cross-site scripting attacks and various other browser hacks.
Recommendation: Changing it won't hurt:)
Solution:
*** Please backup httpd.conf before making any changes ***
5) Problem: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Basically, you are giving away the FTP version number and that the FTP service is on a Readynas. If someone finds a weakness in the FTP server that the Readynas is running, it would not be wise to help hackers by telling you are running this particular version.
Recommendation: Changing it won't hurt:)
Solution:
*** This is not a way to secure your Nas! If there is a bug in an application, it must be corrected. In the meantime actions like this may save you from more harm***
***Please backup proftpd.conf before making any changes ***
Edit proftpd.conf to reflect the config below. Change or add the lines with a * (remove the * though)
# This is a basic ProFTPD configuration file (rename it to # 'proftpd.conf' for actual use. It establishes a single server # and a single anonymous login. It assumes that you have a user/group # "nobody/nogroup" and "ftp" for normal operation and anon. ServerName "Don't tell you are a Readynas here"* ServerType standalone ServerIdent on "Don't tell you are ProFTPD 1.3 here!"* DeferWelcome on
MultilineRFC2228 on DefaultServer on ShowSymlinks on AllowOverwrite on UseReverseDNS off IdentLookups off TimesGMT off WtmpLog off ServerLog /var/log/proftpd.log SystemLog /var/log/proftpd.log TransferLog /var/log/proftpd.log BanLog /var/log/proftpd.log MaxLoginAttempts 1 BanEngine on BanTable /ramfs/ftp_ban.tbl BanOnEvent MaxLoginAttempts 5/00:10:00 00:15:00
# Uncomment this if you are using NIS or LDAP to retrieve passwords: PersistentPasswd on
# Uncomment this if you would use TLS module: #TLSEngine on
# Uncomment this if you would use quota module: #Quotas on
# Port 21 is the standard FTP port.
LINES HAVE BEEN REMOVED HERE TO PROTECT MYSELF.
# To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 30
# Set the user and group that the server normally runs at. User nobody Group nogroup
# Normally, we want files to be overwriteable. <Directory /*> # Umask 022 is a good standard umask to prevent new files and dirs # (second parm) from being group and world writable. Umask 022 022
As servername I believe the standard text is Readynas or something. Same story, you can put what you like here. If hackers know it is a Readynas they could exploit known weaknesses in the FTP or in other services of the NAS. So yes, you should change it also.
When experimenting with my ReadyNAS i noticed that when i accessed my nas from the internet that most of the plugin webpages are wideopen regarding security. After searching I came across some pages with Apache mods.
And i saw this page about raising the encryption standards used.
How much of this is still valid anno september 2010 for a NVX Pioneer ?
How much of this is still valid anno september 2010 for a NVX Pioneer ?
I too would like to know this. ^^ Though for the Duo, not Pro.
I'm concerned my Duo isn't as secure as perhaps it should be, and I really want to address this.
I'm using NASMonitor and nTop to keep an eye on things, and nTop worries me sometimes with some large data transfer figures. (8gb today) I've only had the laptop on today, and 2ndCopy would not have chucked 8gb over the WiFi today, with me knowing, and showing it.
How much of this is still valid anno september 2010 for a NVX Pioneer ?
I too would like to know this. ^^ Though for the Duo, not Pro.
I'm concerned my Duo isn't as secure as perhaps it should be, and I really want to address this.
I'm using NASMonitor and nTop to keep an eye on things, and nTop worries me sometimes with some large data transfer figures. (8gb today) I've only had the laptop on today, and 2ndCopy would not have chucked 8gb over the WiFi today, with me knowing, and showing it.
I'm concerned here!
Thanks.
I'd also like to know if these have all been addressed.. how secure is our DUO?
Re: HowTo make your Readynas more secure [nessus/ssl]
I am looking at this thread - 3 months on and no assurances given. I think the conclusion is that the Duo is an open window if you leave it visible from outside you are vulnerable and so is your data, This is a pity since it means you would need to be reckless to use e.g. ReadyNAS Remote. Until these holes are addressed, best not to make it visible at all saddly - close off your firewall/router and do not allow access from the internet.
Re: HowTo make your Readynas more secure [nessus/ssl]
you would need to be reckless to use e.g. ReadyNAS Remote
ReadyNAS remote doesn't require you to open any ports - one of the primary values of the service - and so the one example you perhaps should not have thought to mention in your comment
Re: HowTo make your Readynas more secure [nessus/ssl]
Really? Gosh I didn't realise that. I am happy to be corrected and I apologise for my incorrect assertion that opening the firewall was necessary for ReadyNAS Remote to work. (/me runs off to test it with a closed firewall!). Thank you for the correction.
Re: HowTo make your Readynas more secure [nessus/ssl]
Thanks for the detailed guidelines, especially helpful for such beginners as me. I have made notice of the tips, will keep watching the thread for updates.
Re: HowTo make your Readynas more secure [nessus/ssl]
I am still concerned regarding the Duo v2, with Photos II especially, which appears to be port forwarding our IP address to everyone we send an invitation to... My brother in law was able to use this address to access the login page for the NAS. Sounds nasty.... he advised me not to use Photos 2 and to turn off port forwarding and uPnP, which I have done. I am rather disappointed, as being able to share and host my own photos was a feature I was quite looking forward to using! I have asked about this in the Photos II thread, but have had no reply....
Re: HowTo make your Readynas more secure [nessus/ssl]
Deb-B wrote:
I am still concerned regarding the Duo v2, with Photos II especially, which appears to be port forwarding our IP address to everyone we send an invitation to... My brother in law was able to use this address to access the login page for the NAS. Sounds nasty.... he advised me not to use Photos 2 and to turn off port forwarding and uPnP, which I have done. I am rather disappointed, as being able to share and host my own photos was a feature I was quite looking forward to using! I have asked about this in the Photos II thread, but have had no reply....
Why is this so concerning to you? Presumably you have a strong password.
Re: HowTo make your Readynas more secure [nessus/ssl]
I think it is because I don't understand how networking works, beyond my own home system. My brother in law was quite adamant that broadcasting the IP was a potentially huge risk, as it leaves our home systems open to hackers. I need to learn more so I can make my own judgements! Any suggestions of web pages explaining these things to newbies would be welcome!
Re: HowTo make your Readynas more secure [nessus/ssl]
It is true that your photos are being saved on your NAS. So the downloaders you send invitations to need a way to connect to the NAS to get them.
By itself this does not leave your home systems "open to hackers". Just like putting your return address on letters you mail to your friends does not open your home to burglars.
You should have good security on your home network anyway (even if you do not use photos II).
Did you forward yoh-dah's response to your brother? viewtopic.php?f=145&t=62638&p=351188#p351188 It is quite possible that he did not realize what login screen he was looking at.
If that does not address his concerns, maybe he can join the forum, and post his security concerns personally?
BTW, you should probably follow up on your security concerns thread, as that one is only about your topic.
