Our TrueNAS Tutorials
lawrence.technology/truenas-tutorials/
How to Configure Jail VLANs with TrueNAS
youtu.be/l6
⏱ Timestamps ⏱
00:00 Securing TrueNAS Core
00:46 Setting up MFA
02:51 TrueNAS Updates
03:25 Locking Down Admin Interface
04:49 Segmenting and Securing Services
06:12 TrueNAS SSH Settings
06:30 Jail Security Settings
08:17 TrueNAS Physical Security
09:25 Lock Console Access
10:09 Snapshots And Security
Great video once again, Tom!
Every TrueNAS user can find some value in this video! 10/10 job!
Thank you!
I like the systems that make you go through the two factor process before they let you enable it.
Yes, it's a good practice that I hope they implement.
Thanks Tom! As an addition I would like to point out that the system dataset needs to be on the boot drive or its own in order to set a passphrase encryption on pools and datasets/zvols. Ran into this yesterday.
are there videos/documentation on this?
If the option is available, disable TLS 1.0 and TLS 1.1 via the web interface. Those versions are no longer considered secure.
Thanks for the explanation of 2FA. I recently messed up and was locked out. Luckily I was able to reset root password to disable it. Now I can set it up properly thanks to this video!
Thanks for the hint on locking down access to services (especially SSH) to interfaces - was looking for it yesterday and missed!
Nice that they have the MFA OTP Window option. I've had some QNAP devices go out of sync after an NTP failure and then struggled to login again.
We (future people) are ready for the TrueNAS SCALE version of this video!!
Do you have a tutorial on starting with TrueNAS? Or can you point me to one? I am bored, so I might as well learn something new.
Excellent video! I am new to TrueNAS, so I have a few noob questions. Firstly, can you access your NAS remotely (WAN) / outside your local network / over the internet? If so, how to DISABLE it? As you mentioned in your video, an excellent way to secure your NAS is by restricting the access to specific LAN IP addresses; does it mean that no one would be able to access the NAS on WAN / outside your local network? Secondly, an extension to the first point, how can we isolate the NAS entirely from the internet? Thirdly, please discuss adding users with read-only permissions. Last but not least, are there any firewall settings we can enable, and how to protect the NAS from DDoS / hacking attempts / ransomware?
Another question about Services, all I need is a simple media storage server. So can I turn off all the services except SMB?
Thank you Lawrence for such important information much appreciated
There is an issue with TrueNAS Core where it is possible for the internal time to slip and fall behind real time, sometimes over a minute or two for me, consequently causing issues for 2FA since the timestamps for the codes will not match the required intervals. It's been mentioned on the forums; the dev team basically just said that you had to set up cron jobs to have it reset or fix it some other way. I'm glad you mentioned changing it so that the 2FA had a greater window of acceptance because it was a real headache for me when I could figure out why inputting the exactly correct credentials over and over again kept getting rejected.
Hi Tom. I love your "How To Secure... " videos. I would like to see one on how to secure RDP. I have two RDP hosts open with PFSense and thanks to your videos, I can now see they are getting bombarded with brute force authentication requests all the time! I have tried VPNning and only connected to RDP locally but, RDP over WAN is just far simpler and less steps for a non tech savvy end user.
VPN+RDP is one way and another is ruclips.net/video/ZShna7v77xc/видео.html
Thank you for this great video. Any idea if TrueNAS supports hardware 2FA like Yubikey?
Do a video on how to secure TrueNAS Scale, please.
Hi Tommy
I have a question about automatic locking of the Web Gui
I was looking for articles on how to perform or change the locking of the Web Gui.
The Web Gui does not lock automatically for me, is there a way to configure this.
I have a question that can hopefully make a good video subject for you as well.
I have two (personal) servers set-up, one at home and one at my parents. I'd like to setup a replication task to create snapshots of the dataset where my backups are stored to the other system (thus creating an off-site backup).
On both machines: SSH is turned on (only keys allowed) and set to use a port with a high number. Also DNS is available (NO-IP updated through router).
Using my personal user and its key I can SSH (Putty/FileZilla) into system 2 from the network where system 1 is located and vice versa (so both directions, each with their own respective key obviously), so the connection works.
I'm struggling getting this set-up. I'd also like to use a separate user for this, not root.
A video explaining this, including best practices around setting this up, would be very much appreciated!
Thanks for reading :)
I have a video on ZFS replication here ruclips.net/video/XOm9aLqb0x4/видео.html
@@LAWRENCESYSTEMS Thanks, I've seen that one back in the day. But there you are using root with its password to auto-create a SSH connection.
Isn't that against best practice as you're using root with pass to login and don't have a specific user with limited access for the replication?
@@MarkvanVaals I don't think it can be done via the UI, but from the command line with some configuration.
@@LAWRENCESYSTEMS ah too bad, thanks for clarifying! Do you know if replication keeps working if you disable root and password login (for SSH service) after setting this up? Since then it should use the key to connect to the other system correct? Thanks!
Loved the tutorial, thank you for this. Any chance you can do a quick ClamAV install? Seems there are tons of videos for ClamAV install in Linux but not a single one for FreeBSD or TrueNAS. There are also no written help for installation after plugin install.
Not likely as I don't use it or plan to.
I'm missing the option to bind addresses under the FTP section. The only way I've read on some forums is to create a jail and install and configure proftpd there.
What's the proper procedure to lock VMs to a VLAN. For jails I got it working but I struggle with the VMs.
I don't know, I never use VM's in TrueNAS
0:50 holy shit, I had NO CLUE that was supported.
Great video Tom!! Can you make a video on how to back up an Office 365 business account with TrueNAS?
I don't know of any way to do that.
@@LAWRENCESYSTEMS I saw that there is an option to add Office 365 credentials at cloud credentials, but after that there are complex settings.
When segmenting network VLANs, would I need a managed switch?
Yes
@@LAWRENCESYSTEMS just as I thought. Thanks!
Since you mentioned Windows, shares and TrueNAS together, what would you recommend as a way of TrueNAS serving storage to a hypervisor which in turn is going to feed the VM the given TrueNAS storage? iSCSI or NFS?
Lots of people use it that way, works fine.
@@LAWRENCESYSTEMS by that way you mean iSCSI or NFS? Which has the best performance? Even though iSCSI is block level storage and doesn't have any extra layers that a filesystem does, it can be targeted by only one system and not multiple.
@@ierosgr I personally use nfs for this.
@@nevoyu ....due to a particular reason over iSCSI?
ruclips.net/video/2HfckwJOy7A/видео.html
Hi, how to turn off the firewall on TrueNAS?
It's technically off by default
Beautiful. It's simple tutorials like this that make me feel like a real life IT guy (for my own home) LOL
meh, need to create CA/CERT for https to work lad.
Your explanation is very difficult to follow, how do I bind IP address to samba? What does it mean? How do I add another address there?
He tells us to set up 2FA... but then doesn't show us how to set up 2FA 😶
Guess I'll have to Google that...
If this guy gets hacked with all this I will be laughing till the day I die
Nothing is hack proof, not even me.
All of us in IT will have a breach someday. Maybe it is a vendor, maybe a misconfiguration or just a hardware defect - just make sure everything is in silos.
I do not wish anyone to be hacked, neither should you.
How can you wish that on someone who is constantly helping and giving out to the community? Smh
@@TylerB_777 I don’t remember saying I wish for him to be hacked
Strange comment. I’d probably offer to help in the recovery, but that’s just me.