Discuss how to protect OMV NAS avoid any cyberattacks

1. offizieller Beitrag

    It depends on what services you wanna expose to the internet and how much would it worth it for a hacker to get in. Is it just like Nextcloud or ssh as well? Is it ‚just‘ some personal data or are there top secret federal documents saved on it?


    In general. You should always disable UPnP in your router to prevent any port openings you did not intend. Only open single ports when you really know why you need to.


    Nextcloud behind a swag proxy is already pretty save. It comes with pre-configured fail2ban and other protective stuff. I have never seen someone trying to get in. What I see are regular scans of WordPress or phpmyadmin setups and queries trying to make php execute code.


    If you wanna expose ssh as well, use another port for it and forbid password authentication. Public key auth only. You could also setup a honeypot on default port. There are some projects out there. Just google it.


    Those things are minimum. If you want more than that you could think about making your services accessible via vpn only.

    • Offizieller Beitrag

    Well by default it's pretty secure as everything only runs locally and isn't publicly accessible. Where you start getting insecure is when you start opening firewall ports without paying attention ( or not knowing) what you are doing or doing other things to publicly expose your server.


    Only real way to give a good answer to this is to discuss what services you're using, and how you're using them.

    • Offizieller Beitrag

    Interestingly enough, I got into a discussion on reddit on that matter because of the recent deadbolt attack (again) on Synology's. I've felt for a long time what I believe the problem is with those devices, along with a few others.. in a couple posts here...


    https://www.reddit.com/r/OpenM…vs_omv/intcg04/?context=3

    • Offizieller Beitrag

    By the way, here's the thread I mentioned in the reddit post if you're curious..


    Thema
    Ransomware attack: 0XXX virus
    The problem:
    My NAS server was attacked last week by 0XXX ransomware virus asking for a reward for my encrypted files.
    My files were not very important and I still have physical copies of them on devices that are not connected to the network.
    I also find it interesting to understand how the attack could be carried out, including knowing how to improve security without losing connectivity.

    Important settings:
    • The infected folder in question had SMB/CFIS enabled.
    • The server can be accessed remotely if
    DingoFur


    I mean, I hate using the word stupid.. but there were a lot of things there that are just like.. WTF were you thinking? As was pointed out, since his SMB port was open and guest access enabled.. he can't even be sure it was one of his client machines that was infected that caused the whole mess.

    Zitat von KM0201

    By the way, here's the thread I mentioned in the reddit post if you're curious..


    Thema
    Ransomware attack: 0XXX virus
    The problem:
    My NAS server was attacked last week by 0XXX ransomware virus asking for a reward for my encrypted files.
    My files were not very important and I still have physical copies of them on devices that are not connected to the network.
    I also find it interesting to understand how the attack could be carried out, including knowing how to improve security without losing connectivity.

    Important settings:
    • The infected folder in question had SMB/CFIS enabled.
    • The server can be accessed remotely if
    DingoFur


    I mean, I hate using the word stupid.. but there were a lot of things there that are just like.. WTF were you thinking? As was pointed out, since his SMB port was open and guest access enabled.. he can't even be sure it was one of his client machines that was infected that caused the whole mess.

    Hi KM0201,


    Many thanks for the post share.

    The thread is very useful to me.

    Since, I'm thinking the measures how to share files with others over my LAN on OMV.

    Such as FTP / FTPS / SFTP or others.

    However, I also need to consider the security issues.

    • Offizieller Beitrag

    I mean, if it's just over LAN... just use SMB.. you don't really need to do anything special. If you're looking to share over "WAN" (off your network).. that's where you need to start thinking.


    I personally hate FTP/SFTP... if you just have a few files to share.. you could easily set up nextcloud, reverse proxy it through a free or cheap domain, and share them from your nextcloud instance with share links (sort of like sharing something from Google Drive).


    If you absolutely must have the ability to share everything (which I'm not a fan of)... you could use cloudcmd or filebrowser, reverse proxy those through a cheap/free domain... then you could just give people you want to allow access access to cloudcmd.


    I would think more about "what" you want to share. Do you want to share movies? You could set up a free Emby/Jellyfin server, reverse proxy, and let folks watch your collection. Music? Navidrome, Airsonic, etc... reverse proxy... you get the idea. Pictures? Nextcloud, Immich, Photoshow, Piwigo...


    Then there's things like Wireguard, VPN, etc.


    As with almost all things Linux, there's like 87 ways to slice a pie. Some will use a cheap plastic knife... some will break out a plasma cutter.. :). Most are probably somewhere in between.

Jetzt mitmachen!

Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!

Benutzerkonto erstellen Anmelden