How secure is my current setup of OpenMediaVault

  • Hi all,


    First of all I would like to thank Volker and all other folks here in OMV for a very fine piece of software that you've got here. I've been running mine for several months already without any hitch.


    I've migrated almost all of my and my family's digital files to our OMV-powered NAS, but a thought nagged me about how safe it is. News about cryptolockers and ransomware popping up everywhere has left me worrying about how vulnerable my system is to it.


    My current setup is as follows:


    1. NAS --> Wifi and LAN Router --> Modem router --> Internet (No port forward whatsoever. I basically have double NAT)
    2. Transmission is running all the time;
    3. NAS can email about system resources, power outages, and system updates;
    4. I have a very limited set of plugins enabled, i.e. eXtplorer, ZFS, Snapraid and Transmission;
    5. OMV updates are only set to download. They don't auto-install.
    6. I ran a port scan using this, http://www.whatsmyip.org/port-scanner/ and no ports are open.


    Given my circumstances above, can I please have your opinion on what the possible attack vectors are that may affect my system?


    Is it possible that by running Transmission my system will be compromised? I have read somewhere of a Transmission update for Macs containing malware.


    What are the chances of my system being compromised should I update my system only every month or so?


    Any suggestions on how I can harden my system against any possible attack or something?


    Note: Of course, I also have offline backups for my important and irreplaceable files. :)


    Thanks in advance.


    Regards,


    Takur

    • Official post

    Your system sounds safe but I don't know much about vulnerabilities on transmission. Maybe use transmission in a docker instead??


    As for crypto/ransom viruses, they can hit your file shares if the system they are introduced on has permissions to the shares. I do daily rsnapshots to a drive that isn't shared. If you just use a daily rsync and you don't catch the crypto right away, it may corrupt your sync. rsnapshot keeps multiple copies (hourly, daily, weekly, monthly, and yearly). It doesn't use much more space unless lots of files are changing all the time (getting hit with a crypto virus would change a lot of files).

    omv 7.0-32 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.9 | compose 7.0.9 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!
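The rsnapshot point above can be turned into a daily check. This is an added example, not part of the thread: rsnapshot hard-links unchanged files between snapshots, so the share of files in the newest snapshot with link count 1 shows how much changed since the previous run. The `daily.0` directory name, the 30% threshold used in the usage comment and the demo helpers are assumptions.

```shell
#!/bin/sh
# Added example: flag an rsnapshot run in which an unusual share of files changed.
# A regular file with link count 1 in the newest snapshot is new or was rewritten
# since the previous run. Caveat: files hard-linked inside the source are never counted.

# changed_pct SNAPSHOT_DIR -> prints the integer percent of new/rewritten files
changed_pct() {
    # printf '.%.0s' emits one dot per file, so odd file names cannot skew the count
    total=$(find "$1" -type f -exec printf '.%.0s' {} + | wc -c | tr -d ' ')
    fresh=$(find "$1" -type f -links 1 -exec printf '.%.0s' {} + | wc -c | tr -d ' ')
    if [ "$total" -eq 0 ]; then echo 0; else echo $((fresh * 100 / total)); fi
}

# check_snapshot SNAPSHOT_DIR THRESHOLD_PCT -> returns 1 at or above the threshold
check_snapshot() {
    pct=$(changed_pct "$1")
    if [ "$pct" -ge "$2" ]; then
        echo "ALERT: ${pct}% of files in $1 are new or rewritten; check before old snapshots rotate out"
        return 1
    fi
    echo "ok: ${pct}% of files in $1 are new or rewritten"
}

# build_demo DIR: constructed two-snapshot tree, daily.0 hard-linked to daily.1
build_demo() {
    mkdir -p "$1/daily.1/share" "$1/daily.0/share"
    for i in 1 2 3 4 5 6 7 8 9 10; do
        echo "document $i" > "$1/daily.1/share/file$i.txt"
        ln "$1/daily.1/share/file$i.txt" "$1/daily.0/share/file$i.txt"
    done
}

# rewrite_files DIR N: replace the first N files in daily.0, as a sync of
# rewritten source files would (new inode, so the link to daily.1 is broken)
rewrite_files() {
    i=1
    while [ "$i" -le "$2" ]; do
        rm -f "$1/daily.0/share/file$i.txt"
        echo "unreadable bytes $i" > "$1/daily.0/share/file$i.txt"
        i=$((i + 1))
    done
}

# Usage from cron (path is a placeholder): script.sh /path/to/snapshot_root/daily.0 30
if [ "$#" -eq 2 ]; then check_snapshot "$1" "$2"; fi
```

Run it right after the daily rsnapshot job so an alert arrives while clean older snapshots still exist.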

  • Alrighty, time to learn about dockers then. I have heard about them but never really bothered to use them.


    As for my shares, we have at least two accounts at home. One for Read/Write tasks and the other for Read Only tasks. We don't make our PCs "remember" the Read Write account. It's just used for copying files into the NAS then back to Read Only afterwards.


    Thanks a lot. I really appreciate all your efforts here.

  • Your system architecture is what a large amount of people these days have when using a NAS. Assuming you told us everything that's relevant, I guess it's between average and weakly secured. Some guesses and suggestions:

    • You don't mention much about your firewall, so I guess it has its default settings, which are often average at best; mine defaulted to 'low' :S.
    • Think about security in layers:

      • Modem: check the settings, I have hotspots disabled, etc. ->
      • router: enable the firewall, basically shut everything down and open what you really need. ->
      • wifi -> use the best encryption available and good passwords.

        • don't give passwords to others, use guest accounts (change it if you did once)
        • openwrt for example permits weakening your signal to reduce the radius in which it can be reached
      • Connected devices, including omv

        • enable a firewall on every device. Why: so many devices are maintained for such a short time: Android phones, media boxes, VoIP boxes, music systems, etc. These devices are often easy to hack (old kernels, no security updates). But they are already behind your main firewall, with not much keeping them from doing more damage.
        • Actually not checked omv on security, I assume it's more safe than most distros... but going to check it this weekend.
      • backups, cryptolockers

        • you only use two accounts. Add a third one with exclusive rights to your backup device if you keep pushing your backups to an external device. You want as much distance between backups and the rest of your system.
        • I would prefer another system to pull backups; this gives the best security but might be overkill.

          • e.g. I use a Raspberry Pi in my parents' home to pull backups. This way it's more secure and more proof against fire, home invasions, whatever
      • containers and virtualisation

        • not really my thing, I use both, understand the architecture, but certainly not an expert in them. A few colleagues and friends specialized in security and/or architecture explained a lot of stuff about it to me. The short version is that virtualisation gives slightly more security than containers like docker. If you need to choose, docker is more to the metal, so I would go for that... no system is 100% secure.



    This is what came to my mind first. I would suggest googling for 30 minutes on the internet for "securing debian server"; it gives a lot more information and enables you to decide what is relevant. But remember, securing is only adding layers to slow people down; I don't believe it's possible to reach 100% security anywhere, so go for the 80/20 rule. In less than 20% of the time you reach 80% of the benefits; the other 20% gets harder and more work every step... just ignore those and make sure you have a good backup.
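The "shut everything down and open what you really need" advice can be checked on the NAS itself by comparing listening TCP sockets with an allow-list. This is an added example, not part of the thread; the allow-list and the sample `ss` output are constructed, and the ports assume SSH (22), the web UI (80), Samba (139, 445) and the Transmission web interface on its default port 9091.

```shell
#!/bin/sh
# Added example: list TCP listeners that are reachable from the network but are
# not on the allow-list. Input is the output of `ss -H -tln` on stdin.

# unexpected_listeners ALLOWED_PORTS_CSV -> prints one "address:port" per finding
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                                  # local address:port column
            port = addr; sub(/.*:/, "", port)          # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)      # text before the last colon
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only: not exposed
            if (!(port in ok)) print addr
        }'
}

# Constructed sample of `ss -H -tln` output for a NAS running Samba, SSH,
# a web UI, Transmission and rpcbind.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 0.0.0.0:9091 0.0.0.0:*
LISTEN 0 128 0.0.0.0:51413 0.0.0.0:*
LISTEN 0 64 0.0.0.0:111 0.0.0.0:*
LISTEN 0 10 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
EOF
}

# On a live system: ss -H -tln | unexpected_listeners 22,80,139,445,9091
```

Each address it prints is a service to either stop, bind to loopback, or block in the host firewall.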
