Putting the management interface on a VPN helps a lot for security and port scanning. Everything else is sound though and keeping it updated is a key task. Get FN Scale to email you when updates are pending.
Good summary. Thanks for sharing.
How to lock yourself out of your system, with these simple tricks 😂
Yup, this will for sure happen!
wow, some of the defaults are just crazy, thanks for that info Tom, invaluable
Great videos over the years! Thanks a lot!
Solid. Had to search for this when I set up mine. Now I have it all in one great video.
Something I do that I think increases security is that I have separate username/password combos for SMB shares on my computers and the admin interface (both not the default “admin” account). That way if a system on SMB gets compromised, those credentials cannot do anything I can’t recover from with a snapshot.
How about using a physical 2FA thing like a Yubikey, or taking a further step into using passkeys?
The last tip. I feel attacked 😂
Just FYI... On the subject of SMB authentication using usernames. You do not need a domain controller. It also works with a local account. Just use the same username on the share as you log into Windows with. I haven't tested with Linux.
Yes, same on Linux.
What are your thoughts about creating additional virtual NIC interfaces for other VLANs to expose services that way versus having 1 interface and managing network access through services like firewalls between VLANs and subnets?
If I bind SMB to a different IP address from the one I use for the web interface, I cannot access the SMB share over a VPN (configured on the firewall router) anymore because there is no way to set up a specific gateway for the second IP address, right?
Is using VLANs recommended in TrueNAS? I'm kind of new to using TrueNAS.
It's recommended in general
How do you implement a firewall and antivirus solution for TrueNas?
Your firewall is separate and AV should be run on the endpoints connecting to TrueNAS.
Can I do 2fa with any device that isn't a phone? Such as a Yubikey?
They just offer TOTP and technically you can use that with more than just a phone.
Are there any Snapshield (45Drives) alternatives to protect the NAS from ransomware attacks? Or an anti-virus that scans the entire NAS periodically for any kind of malware?
Not that I am aware of and scanning a NAS for a virus is not really effective here in 2024
@@LAWRENCESYSTEMS Not really sure what you mean, are you suggesting that anti-virus software is obsolete in 2024 and isn't effective in detecting malware?
@@visheshgupta9100 It's not effective on a NAS, endpoint detection should be set up on systems that connect to the NAS.
@@LAWRENCESYSTEMS Got it! Thanks for the input. Speaking of malware, have you ever come across any instance where malware corrupted the TrueNAS OS? And does giving TrueNAS Internet access for the purpose of updates & alerts compromise the security of the NAS in any way? Last but not least, you talked about having a different network switch for managing TrueNAS, can you point me to a resource / video that describes this in detail? Much appreciate your time and your contribution to the community. I have been a long time subscriber to your channel, and love your videos. Kudos and keep up the great work!
@@visheshgupta9100 I don't know of any attacks specific to TrueNAS and this video is the one to follow for hardening TrueNAS Scale.
Don’t forget if you have physical access with a keyboard you can just jump into a previous boot environment and bypass a lot of this.
didn't you forget to mention a very strong management password? 😮
I hope that one is obvious, but yes, you should use a strong password everywhere.
@@LAWRENCESYSTEMS On your last point you started by saying "it may seem a little bit obvious ..." and I thought to myself ... "he will talk about passwords". I still believe you should. Especially when you use the same password for the GUI web interface as well as command line access -> for the web you can have a password manager fill the long password for you, but in the command line you have to type it ... that is why you make a short password. This could be one of the reasons why you should also touch on the password story. 🤗 Still love your videos. Keep up the good work.
where do I get that shirt?
Shop.lawrenceaystems.com
This still leaves SSH/console root access available which is a big no-no in any corporate environment.
FreeNAS Scale is Debian based so it has no place in a corporate environment anyways. Great distribution to learn though. Have yet to see one Debian "production" server with less than a couple of gigabytes in /usr/local ;)
No key for root means it cannot log in.
We use TrueNAS in lots of corporate environments, one of our clients is on the Fortune 500 list and has petabytes of TrueNAS storage.
@@peterpain6625 what?
@@LAWRENCESYSTEMS Thanks. I may be mistaken, though don't many of the core functionalities still rely on root SSH access - like for instance replication? Either through the root account directly, or another account which then must have passwordless sudo permissions (Which is basically the same as having straight root access).
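The thread above turns on two root-equivalent paths: root logging in over SSH, and a service account with passwordless sudo. This is an added audit script, not code from the video or from TrueNAS; it parses constructed sshd_config and sudoers samples (OpenSSH defaults are assumed for keywords that are absent, and Match blocks are not handled).

```shell
#!/bin/sh
# Added audit example (not from the video or the thread): flag the ways a host
# can still hand out root shell access. Both inputs are constructed samples.

SAMPLE_SSHD='# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

SAMPLE_SUDOERS='# constructed sample sudoers
root       ALL=(ALL:ALL) ALL
%sudo      ALL=(ALL:ALL) ALL
replicator ALL=(ALL) NOPASSWD: ALL
backup     ALL=(ALL) NOPASSWD: /usr/sbin/zfs'

# sshd_value KEYWORD CONFIG DEFAULT: sshd honours the first uncommented match,
# otherwise its compiled-in default (assumed OpenSSH defaults; Match blocks ignored).
sshd_value() {
  printf '%s\n' "$2" | awk -v k="$1" -v d="$3" '
    $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; found = 1; exit }
    END { if (!found) print d }'
}

# sudoers_nopasswd_all SUDOERS: principals allowed to run ANY command with no password
sudoers_nopasswd_all() {
  printf '%s\n' "$1" | awk '$1 !~ /^#/ && /NOPASSWD:[ \t]*ALL([ \t]|$)/ { print $1 }'
}

# audit_root_paths SSHD_CONFIG SUDOERS: one FINDING line per root-equivalent path
audit_root_paths() {
  root_login=$(sshd_value PermitRootLogin "$1" prohibit-password)
  pw_auth=$(sshd_value PasswordAuthentication "$1" yes)
  if [ "$root_login" = yes ] && [ "$pw_auth" = yes ]; then
    echo "FINDING: root can log in over SSH with a password"
  fi
  if [ "$root_login" != no ]; then
    echo "FINDING: root can log in over SSH with a key if one is in authorized_keys"
  fi
  for p in $(sudoers_nopasswd_all "$2"); do
    echo "FINDING: $p has passwordless sudo for all commands (root-equivalent)"
  done
}

# count_findings SSHD_CONFIG SUDOERS: number of FINDING lines (0 when clean)
count_findings() {
  audit_root_paths "$1" "$2" | grep -c '^FINDING' || true
}

audit_root_paths "$SAMPLE_SSHD" "$SAMPLE_SUDOERS"
```

Run it against the real /etc/ssh/sshd_config and /etc/sudoers contents (read with cat into the two arguments) to see whether the "no key for root" argument actually holds on a given box.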
Don't bite my head off, I'm genuinely interested why use TrueNAS instead of for instance Synology or QNAP?
I think it boils down to a few key aspects:
1. Synology and QNAP are proprietary hardware platforms with proprietary OSes installed. On higher models Synology also requires or at least suggests in the DSM for you to use their brand of drives, RAM, extension cards etc.
2. You are more limited in terms of hardware upgrades on Synology and QNAP than with TrueNAS, which runs a standard Linux kernel (SCALE) or FreeBSD kernel (CORE).
3. Kernels in Synology and QNAP are usually pretty outdated and heavily modified with backported code and custom code. It is a very difficult process to ensure compatibility with a new kernel for all the devices and software packages, so those companies stay on a legacy backbone a lot longer than anybody else.
4. Data integrity above all - ZFS on TrueNAS is one of the most if not the most data integrity oriented filesystems in that class of devices (if set up properly on proper hardware). QNAP has had a ZFS offering with their QuTS hero flavor for some time and Synology uses BTRFS, which is nice, but at least for now less mature than ZFS.
5. Security. With the ease of using DSM or QTS and appstores on them, adding another app is just a click of a button. This also introduces a security risk, because as a normal user you have almost no control over what configuration changes were just made to your system. With TrueNAS you have more configuration flexibility, but you can still endanger your NAS by installing whatever and not setting it up correctly.
I think there is a market for both TrueNAS and ready-to-work devices like Synology and QNAP. I've certainly used all of them. If I need a NAS for a small business that wants to minimize purchase and service costs, then it will probably be Synology just for the ease of use, speed to implement and overall lower price for 2-4 bay offerings. If I need stellar data integrity with the configuration expandability, then it will be TrueNAS. Backup solution for endpoints and servers? Active Backup for Business on Synology is hard to beat with unlimited licenses for the cost of the device alone.
Like I said - I use both, and choice just depends heavily on the case-by-case use.
@@CoreyPL Thank you very much for your answer! I really didn't know all of this.
1 day after this video iX Systems releases Core's latest update, damn.
No new feature updates, read their release notes "TrueNAS 13.3-RELEASE is intended solely for community users looking for incremental fixes specific to FreeBSD 13.3, Jails, Bhyve, OpenZFS, and Samba"
@LAWRENCESYSTEMS yes, however they also mention that the jails and VMs haven't been tested... This really looks like an April Fools' joke.
I'm on the interesting crossroad of deciding a storage setup. Current RJ45 transfer speeds are so good that the SSDs I'll probably end up using have equal or less write speed than the cables can feed them data. Did you ever have a conversation with a client where this factoid was relevant? 😂
The 5000MB/sec write speed on some SSDs will easily saturate 10GbE RJ45.
Unless you are using 25GbE or 100GbE there is not an immediate worry that your array of SSDs will be slower than your network capabilities. Unless you count file system overhead, possible misconfiguration of the array, other components not being able to keep up, lack of RAM, lack of fast enough caching etc.
I'm interested in your use case and what specific worries you have - if you are able, please share some more info.