
I have a NAS containing media and user files encrypted on disk. I will be running FreeNAS 9.x as my operating system, with OwnCloud and SABnzbd "in jail". OwnCloud will use SSL, of course. I also have an HTPC (home theater PC) on my network that runs MediaPortal and will be accessible from the Internet using AMPdroid.

I would like to have everything accessible from the Internet, but in a secure way.

What am I required to do, besides using SSL on OwnCloud?

TildalWave
mrNAS

1 Answer

  1. Keep all software updated. That includes your OSes and OwnCloud. If there's a security update for any of the software, install it.
  2. Run everything behind a NAT device, such as a router, and open only necessary ports on the router. You'll have to check the relevant documentation for what ports need to be forwarded, i.e. opened on the NAT device. As an additional precaution, if the services allow you to specify ports to run them on, change them from the defaults to prevent automated scripts from attempting to hack your servers from the Internet.
  3. Set strong passwords for all logins to the devices. That means no password reuse and having adequately unpredictable and long passwords. There are good guidelines on the web on how to set good passwords.
  4. If possible, restrict access to all these to the local network only, and use a VPN such as OpenVPN to connect to the network hosting all these servers. That way, you only need to forward the OpenVPN port on your router and you'll be able to connect to these services only after connecting to the VPN.
  5. Do a check on the settings of the server software, and lock down. Disable unnecessary settings such as UPnP.
  6. Enable access logging on the servers and check them regularly for signs of intrusion.
Nasrus
  • On the 2nd point, "...open only necessary ports": but if we have to open a port like 443, then also somewhere the system gets hacked using this port; why and how? Is it possible to hack the system using 80/443/22 etc. if we follow all the above points? In my mind this question always makes a tarball :-| – Nullpointer Jun 01 '16 at 12:37
  • @RaviG. not sure what you mean, but yes, it is possible to hack a service through any port as long as it is open and has a known exploitable vulnerability... hence point 1. Also, the point of opening only necessary ports on the router is a fail-safe, in case you may have other services running on your machine that you do not want outsider access and probing to but you need access to on the local LAN/the host firewall cannot block them etc... – Nasrus Jan 20 '17 at 07:17
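
As an illustration of point 6 of the answer (checking access logs for signs of intrusion), here is an added example that is not part of the original answer. It assumes the web server in front of OwnCloud writes "combined" format access lines; the thresholds, addresses, user names and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: "combined" access log format (ip ident user [time] "request" status ...).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)
# Only HTTP-level rejections are counted. A form login that answers 200 on a
# wrong password is invisible here and needs the application's own log.
FAIL_STATUSES = {"401", "403"}

def parse(line):
    """Return (ip, timestamp, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["status"]

def review(lines, max_fails=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for sources with a burst of auth failures."""
    fails = defaultdict(list)          # ip -> failure timestamps inside the window
    findings = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                   # skip lines that do not parse
        ip, ts, status = rec
        recent = [t for t in fails[ip] if ts - t <= window]
        if status in FAIL_STATUSES:
            recent.append(ts)
            if len(recent) >= max_fails:
                findings.setdefault(ip, "failure burst")
        elif status.startswith("2") and len(recent) >= max_fails:
            # A success right after a burst is the case to look at first.
            findings[ip] = "success after failure burst"
        fails[ip] = recent
    return findings

# Constructed sample: five rejected requests, then an accepted one, from one source.
SAMPLE = [
    f'203.0.113.7 - - [01/Jun/2016:12:00:0{i} +0000] '
    f'"PROPFIND /remote.php/webdav/ HTTP/1.1" 401 381 "-" "-"' for i in range(5)
] + [
    '203.0.113.7 - alice [01/Jun/2016:12:00:09 +0000] '
    '"PROPFIND /remote.php/webdav/ HTTP/1.1" 207 1024 "-" "-"',
    '198.51.100.20 - bob [01/Jun/2016:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, finding in review(SAMPLE).items():
        print(ip, finding)
```
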