
Hardening SSH security on your ReadyNAS NV+

benawhite1
Aspirant

First I would like to give credit to Sven Dens who originally posted this howto.
He has provided more background addressing why you would want to do this.
I am simply documenting all the steps I had to add to get it working on my vanilla ReadyNAS NV+.

There are a couple things we want to accomplish in this guide.

  1. Create a new user that has root access permissions
  2. Make it impossible to log in as the "root" user through SSH
  3. Change the default SSH port

Ensure the following addons have been installed from the Add-ons for RAIDiator 4.1.3+ page

  • EnableRootSSH
  • APT

Install required packages

  1. Log in to your ReadyNAS as root via SSH

  2. Run the following commands
    apt-get update
    apt-get --reinstall install passwd
    apt-get install nano

Now, let's create a new user with root permissions

  1. Run the following command (replace newUser with whatever name you like)
    adduser newUser

    You will only need to enter a password and confirm it; press enter for everything else to accept the defaults

  2. Give newUser root permissions

    • Open the sudoers file in the nano editor
      nano /etc/sudoers

    • Add a new line at the end of the file
      newUser ALL=(ALL) ALL

    • Save and exit (press Ctrl+X, Y, Return)

  3. Test newUser login

    • Exit your SSH session by typing exit and hitting return
    • Log in to your ReadyNAS as newUser via SSH
    • Notice you do not have root rights (missing the # sign after your username in the prompt)
    • Ensure you can access the root shell
      su

      You could also execute a single command as root with the following syntax
      sudo <command>

Now, let's make it impossible to log in as "root" through SSH and update the SSH port

  1. If you haven't already, promote your shell to root
    su

  2. Remove root user access via SSH and update the SSH port

    • Open the sshd_config file in the nano editor
      nano /etc/ssh/sshd_config

    • Change the PermitRootLogin value from yes to no
      PermitRootLogin no

    • Change the Port value from 22 to something else (tip: 8200-49151)
      Port 12345

    • Save and exit (press Ctrl+X, Y, Return)

  3. Restart the SSH daemon
    /etc/init.d/ssh restart

    I received an error after doing this, but everything runs fine

  4. You should now be able to try the following to validate everything is working as expected

    • SSH into the ReadyNAS device on port 22
      This should fail as the ReadyNAS device is no longer listening on port 22
    • SSH into the ReadyNAS device as "root" on new port 12345 (or whatever you used)
      You should be able to connect, but be denied access even though you entered the correct root password
    • SSH into the ReadyNAS device as "newUser" on new port 12345 (or whatever you used)
      You should be able to connect and log in with the ability to execute sudo or su commands

Known Issues:
Rsync over SSH will not work... it requires root login and port 22 (If I find a workaround I'll post it)

Otherwise, enjoy 🙂
Message 1 of 2
chirpa
Luminary

Re: Hardening SSH security on your ReadyNAS NV+

Also of note is that these changes will be overwritten on firmware upgrades.
Message 2 of 2
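
Because the reply notes that these edits are overwritten on firmware upgrades, a quick re-check after each upgrade is worthwhile. The script below is an added example, not part of either post: it checks an sshd_config for the two settings changed in the guide (PermitRootLogin and Port). The function names are made up for illustration, and it assumes a POSIX sh and awk are available on the device.

```shell
#!/bin/sh
# Added example (not from the thread): re-check the sshd_config edits from the
# guide, e.g. after a firmware upgrade. Function names are illustrative.
# Usage: sh check_ssh.sh /etc/ssh/sshd_config

# Print the first value set for keyword $2 in file $1 (sshd keeps the first
# value it reads). Keywords are case-insensitive; comments are skipped, and
# parsing stops at a Match block because settings there are conditional.
sshd_first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Print every Port value; sshd listens on all of them.
sshd_ports() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { print $2 }
    ' "$1"
}

# Return 0 only if root login is disabled and port 22 is not in use.
check_ssh_hardening() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }

    root_login=$(sshd_first_value "$cfg" PermitRootLogin)
    if [ "$root_login" = "no" ]; then
        echo "OK:   PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is '${root_login:-unset}', expected 'no'"
        rc=1
    fi

    ports=$(sshd_ports "$cfg")
    [ -n "$ports" ] || { echo "FAIL: no Port line, sshd defaults to 22"; rc=1; }
    for p in $ports; do
        if [ "$p" = "22" ]; then echo "FAIL: Port 22 still configured"; rc=1
        else echo "OK:   Port $p"; fi
    done
    return $rc
}

if [ $# -gt 0 ]; then check_ssh_hardening "$1"; fi
```

A commented-out `#PermitRootLogin no` counts as unset here, which is the state a reset config is likely to be in.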