Pointers for creating a secure NAS system

I hope I’ve put this in the correct category, if not I apologize.

I’ve been interested in both building and configuring my own NAS that i could use to allow myself and my SO to back up family photos and videos, as well as store and maybe even edit documents remotely. I want to do this partly as a personal learning project, partly as a convenience and cost saving and partly so i still own my own data and it isnt used to sell to data brokers or train AI etc. I’m also contemplating as part of the setup having the ability to allow playback of said media, a photo gallery and maybe even audio playback (thinking jellyfin might be beat for this).

I’d consider my SO to be the average jo with tech literacy and myself somewhat tech literate (a little above your average Joe on the street, but significantly less than essentially anyone working in IT). Despite the lack of full understanding i do know when it comes to anything internet connected just how easy it can be to misconfigure things and weaken security.
I’ve been listening to a lot of links with friends, firewalls don’t stop dragons, surveillance report and darknet diaries, amongst other things and it seems easy for even professionals to get it wrong, so the likelihood of me making a mistake feels almost like it’s a guarantee.
So on that can anyone give me some general pointers, or good to know info, point me to good reading/video material, or just give me any information on what would be good to look up to ensure that when i set it up that I’m maximising my security? I’m more after what should i be looking to research rather than ‘can you tell me how to set up a NAS’ as i want to learn not just be told.
I know enough to not use “Admin” “Admin” for my username and password and to generally encrypt where possible, not keep it on the same network as IOT devices etc, but when it comes to firewalls, opening and closing ports, general settings and so on I’m at a level where i don’t know what i don’t know, so I’m hoping for someone might be able to point me in the direction i need to be going.

Thanks in advance :smiley:

TLDR: I want to config a NAS with security as the top priority, what should i be looking into to ensure i config the NAS correctly and maximise security?

1 Like

Look into VPN (I use wireguard with my own VPS infrastructure) first and when you have decided on what VPN you use you can choose your software and hardware (pre-built vs. DIY)

Also, have you tried installing Debian in a VM on your laptop/desktop? If not, do that and try to connect with SSH into that VM

Have fun

4 Likes

Vpn means you have a other ip adress. and that your data is encrypted if its going through that tunnel.

Its not realy a security feature. If the security is flawed. They still can enter on the start of the tunnel.

1 Like

Most hacks are no hacks. Just realy bad opsec. Paswords from the huge databases that are being leaked.

Make sure no ssh to wan
if posible separete network. but then you need a pfsense box.
If not needed keep everything in your wan. With a vpn you can open a tunnel towards this. But basicly you are making a opening then. If nobody can get to your data externaly you are safest.

i use a webserver on a other computer to share things with the internet. But if seperated that from my storage.

My advise would be a well updated nas or linux server. And open as litle as posible doors to the outside

3 Likes

Can anyone add a story about getting remote access with TailScale? I’ve not looked into it (I’m not convinced I need remote access to my home network) but it might help set up the external tunnel and to have an organisation monitor for attempted unauthorised access.

K3n.

Start with the backup locally part, not internet accessible. Find the software that does what you want. There is a surprising amount of choice out there.

Then look into VPN. You don’t want your documents internet accessible. Tailscale is probably the easiest at this point.

3 Likes

I’ve not tried that, I’m using ubuntu on a day to day, but I’ve not done a lot with it outside of the day to day, but I’m currently looking to try and expand my experience with it, but I’ll look into this thanks :smiley:

I’ll be honest, I’m familiar with the term SSH, but not sure what it is, so I’ll have a look into that.
Sorry can you clarify the webserver to share things but keeping it separate from storage.
Yeah I’m hoping to keep as little open to the outside as possible, but fundamentally I don’t actually know what is open to the outside typically or how to look which is where I’m primarily struggling.

1 Like

So some of what I’m wanting to do is be able to back up from phones (predominantly) as well as a few other devices without having to physically go to the computer and upload etc. I have been warey about doing this via software as it is adding additional trust, so what I’d been thinking up to now was setting it up somewhat like a drop box scenario. Just fire up a web page from the phone and dump the files for upload to the NAS or something, I’ve not researched into the viability of this and worked out any pros and cons yet, but it seemed reasonable to me (noting my lack or experience).
I do currently back up offline to a HDD and I need to improve this method for 3-2-1 data protection, which is some of where this is to come in.
I’ve heard people mention about using tailscale with a NAS and I’ve definately got it on my list of research topics, but I wasn’t sure at this point if it was best practice based for my needs or not so I didn’t want to just go in and assume at this stage that, that is just what I need to do.

1 Like

I use tailscale and it works great for my needs. It kind of acts like a point to point connection. So I installed tailscale on my server and then start it. Then I installed it on my laptop and when its launched on my laptop I can access some of the features on my media server by going to the new ip address it set on the website. I have only used it to connect back to my jellyfin server when I am out of my house so I am not sure how it works connecting to network folders but it was a pretty easy setup.

2 Likes

I’ll definitely consider this and look at how to set up and if it can be used for both jellyfin and network folders then.

Remember to layer security. You already know no single security measure is 100%, but putting enough of them up turns elementary hacking attempts into laparoscopic surgery.

It’s like

but less specific to preserving the mere existence of archive data.

4 Likes

If you want to take control of your data be prepared to do things differently. Mobile phones as sold are data gathering devices for the industry paid for by consumers.
If you do not want to participate in this, but still need to use mobile phones you have some work ahead of you. E.g. don’t store passwords, mail, calendar, etc. data in the cloud. The cloud is just someone else’s computer.
Don’t use phones to open/store important documents. Shift from using your phone as primary location for your family photos to some self-hosted location.

Finding technology that allows you to do this with limited effort and reasonable convenience is more of a journey, not a destination.

E.g. I use bitwarden to keep all my passwords safe (not the browser, not a MSFT OS/cloud, not an Apple OS/cloud, not a Google OS/cloud, etc. I host my own calendar and address book server (CalDav, CardDav technology), I pay for email hosting, because it provides more control than free email accounts from whatever cloud provider, I use Immich, because its mobile app has the ability to automatically download all new images from my phone to my local storage whenever it connects to my home wifi.
I currently use the VPN capability of my home router (OpenVPN, etc.) allowing me to connect to home resources when I’m on the road - my devices are not connected all the time, but only when I need it - a single click is sufficient to enable it.
Some services I choose to expose as an online web service (I host a website) but this requires monitoring and reacting daily to the latest attacks that go on 24/7 from every corner of the internet.

All of this is user friendly enough that my kids have been using it since they entered elementary school, even my wife does :slight_smile:

3 Likes

That sounds like where I’m aiming to be to be fair. I mean I’m currently using very little in the cloud where it can be avoided, i’m moving more to private and/or open source services where feasable, running Linux on my computers and alternative android OS’s on my phone.
It’s just trying to find something that isn’t so inconvenient that my SO won’t use it whioe also being in a position where they could accidentally compromise the security/privacy of the system. It was hard enough just to get them off chrome and also start using a well regarded password manager haha

3 Likes

Welcome to Level1Techs, your privacy anonymous.

Here, you’ll find lots of like-minded people that struggle with the same challenges you’re facing :slight_smile:

3 Likes

Being someone who would consider themselves at least as cynical as Ryan (if not more than) I find trusting anything very difficult and that is one of the main reasons I decided to come here rather than the likes of reddit. Im very lacking in technical understanding at this time and want to learn more, particularly as i learned more about the importance of data privacy in the past few years. I’m slowly taking steps to regain control, but its not what i’d consider simple, especially as very few people around me in my life seem to value or understand privacy. It makes me feel like a conapiricy theorist sometimes.
But having been watching level1techs for a little while it seemed that here would be significantly less unhinged, with people who are very much more enthusiastic and informed and I also suspect that proportionality this forum is filled with more computer technical experts than almost anywhere on the web.

1 Like

you’d be real surprised…

As a pro, we have to be perfect 100% of the time and bad guys just have to get lucky once.
That’s before factoring in 0 days and backdoors, so if you wants security then plan on regular updates.

If you want a secure NAS, start with a secure network.
Setup a PFSense box and lock down the WAN at the firewall.
Close any and all unused ports.
Institute geoip blocklists and range blacklists to isolate you from the known bad actors

Remove legacy machines that are EOL from the network - no matter how secure your shit is, it won’t matter if your Windows XP machine has NAS and WAN access…

Yes and no, encryption of the wire is always welcome, but local disk encryption is to mitigate a local physical threat.

It has also been used by bad actors to encrypt entire servers in seconds by exfillng the keys/certs.

I do infosec and engineering professionally:

It’s a lifestlye.

You cannot grant apps full disk access on your cell phone while having the home financial directory on the NAS mapped as well.

Even if it is so convenient to upload pictures and scans of receipts directly from your phone, then comment on TikTok challenges with the same device.

It’s a huge fuck up.

3 Likes

that’s a start

the general consensus of neckbeards is Fedora for fast / bleeding edge
Debian for stable
Arch or Gentoo when you’ve come too far and cannot turn back

Other distros have their place, but you’ll need to setup TrueNAS Scale on a secondary machine before rolling anything out into prod.

1 weekend with a testing machine is worth 1 year of reading online.

bold as fuck and hard to get right, I’d recommend a NAS and mapping the drive to the device. Then put the phone on a self hosted VPN.

Beware your search results will always be targeted to your home’s geo location.

1 Like

Bro, that’s what Mullvad and other VPN Service Providers (VSPs) are doing. What dns2utf8 mentioned is the original purpose of a VPN: virtual private network. That means you’re connecting from the internet to your own infrastructure at home. This is literally how corporate VPNs work too and for good reasons (security).

You could have a split tunnel wireguard configuration, to only connect to your NAS through the internet to only access your files, instead of doing a full route redirect (0.0.0.0/0 in the wg.conf), which will allow you to browse the internet from whatever location you’re at and not show up as “home” when you’re browsing (it’s good if you have data caps at home). Most people though don’t need to worry about that.

SSH to WAN is good in certain conditions:
  • your ssh server is always updated
  • it’s hardened against brute-force attacks (ip burst connection limit, although this is kinda getting worked around by large botnets that try to connect in a distributed fashion from different IPs)
  • you obfuscate your port (i.e. don’t port forward it as port 22 on WAN, that’s the most tested port by port-scanners, set it to some weird high number - that won’t ensure you any real security, but at least you won’t be attacked by all the bots on the internet)
  • you don’t use password authentication at all (that doesn’t mean you’re safe either, if there’s a vulnerability in sshd, someone can still get in, like it could’ve happened during the xz vulnerability)
  • your ssh server is just a jumpbox and it’s “dmz-ed” from your main network and it also has no access to inside your network, besides as a jumpbox - also no root or sudo privileges at all to the user that’s allowed to be logged in, which you need to log in with a ssh key
  • ideally, if you don’t need a ssh jumpbox, don’t host it on the WAN at all, but there are very few cases where it makes sense, like if you’re going to be away from home for extended periods (months)

Or just a router box, not necessarily running pfsense (obvious bias against it here).

If you don’t need want to access your pictures and video library away from home, then you don’t need a home VPN.

Synthing on LAN should be enough, although you might want to look into other software (idk, nextcloud? - I’m reluctant to recommend it).

3 Likes

Ssh is remote console for linux. I’m going to be lazy and let wikipedia explain

I have the webserver anyway because of music. So that is an opening in my Network. But if the goal is security. I wouldn’t do it. And forget i said it.

I get that. I also understand that is the usecase for a vpn. And if you do that in a company seting people have contracts. And in that case its actual protection of the data send trough the tunnel. In case of a home nas. Do u realy need that. The idea of a VPN is opening a door. aldo its secured. Its even more secury not having the door at all.

Yeah that was what i thought. @like_in_star_trek read the list what he said about ssh he is right.

Yeah but with pfsense box people will look in that direction and also see the forks. But yeah what i ment to say. You need a more advanced router box that can do more then the avarge isp suplied.

I think i gave lazy answers.

For security i use a domain controller. A windows server, on a old low powered machine. This means my samba on my linux machine is not doing the Paswords. I don’t think you want to go that deep in to it.

Why not install linux on machine. And start it. Ubuntu big user base, Fedora got red had behind it. But both distro’s are easy to start with

1 Like