Security Notes for EC2 Users
IMPORTANT - Because you are installing SoftNAS on Amazon EC2, there are a number of security measures that must be undertaken to properly lock down your environment (this list is not exhaustive, so apply the most appropriate set of best practices for deploying Linux-based systems on the Internet and Amazon EC2).
1. Default Password - you should consider changing the default password that is set for the user softnas. By default, when the instance first boots, the password is set to the EC2 instance ID. For example, if your instance ID is "i-202efd38", then use this as the initial password.
2. Apply the Latest Software Updates - we identify threats and provide fixes on a regular basis, so be sure to keep up with the latest software updates and maintenance.
3. Restrict EC2 Firewall source IP - Restrict the IP addresses that are allowed to reach each port on SoftNAS, especially HTTPS (port 443) and HTTP (port 80). Only allow approved administrators to access the SSH, HTTPS and HTTP ports by restricting which TCP/IP source addresses can reach those ports. Restrict NAS ports (e.g., CIFS, NFS, iSCSI, etc.) to only your allowed EC2 workload instances; e.g., x.x.x.x/24 or a specific range of workload instances.
If you are publishing storage via NFS, CIFS, iSCSI, or other protocols from SoftNAS via the Internet, it is also critical to configure encrypted, authenticated access and limit the source ports accordingly. Also, be sure to restrict the range of allowed source IP addresses. If your storage services are published only on an internal LAN or WAN, then apply appropriate security measures as you would for any storage server in your network environment.
NFS and BIND Services:

TCP
Port    Source          Service
111     x.x.x.x/24      portmapper
2010    x.x.x.x/24      rquotad
2011    x.x.x.x/24      nlockmgr
2013    x.x.x.x/24      mountd
2014    x.x.x.x/24      status
2049    x.x.x.x/24      nfs

UDP
Port    Source          Service
111     x.x.x.x/24      portmapper
2010    x.x.x.x/24      rquotad
2012    x.x.x.x/24      nlockmgr
2013    x.x.x.x/24      mountd
2014    x.x.x.x/24      status
2049    x.x.x.x/24      nfs
CIFS/SMB via Samba:
For your ease of use, here are the ports you need to open for two-way CIFS communication with Windows and Linux desktop systems.
- netbios-ns - 137/tcp # NETBIOS Name Service
- netbios-dgm - 138/tcp # NETBIOS Datagram Service
- netbios-ssn - 139/tcp # NETBIOS session service
- microsoft-ds - 445/tcp # if you are using Active Directory
Other ports:
- Port 389 (TCP) - for LDAP (Active Directory Mode)
- Port 445 (TCP) - NetBIOS was moved to 445 after Windows 2000 and beyond (CIFS)
- Port 901 (TCP) - for SWAT service (not related to client communication)
iSCSI:
- Port 3260 (TCP) - for iSCSI target publishing
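As an added example (not part of the SoftNAS notes), the following Python audit checks an EC2 security group's inbound rules against the port lists above: administrative ports (SSH, HTTP, HTTPS) may only be open to an administrator range, and the NFS, CIFS, LDAP and iSCSI ports only to the workload subnet. The input shape is the IpPermissions list returned by `aws ec2 describe-security-groups`; the sample rules and the admin/workload CIDRs are constructed for illustration.

```python
import ipaddress

# Ports taken from the notes above: admin ports, then the NFS/CIFS/LDAP/iSCSI service ports.
ADMIN_PORTS = {22, 80, 443}
NAS_PORTS = {111, 2010, 2011, 2012, 2013, 2014, 2049, 137, 138, 139, 389, 445, 3260}

# Constructed sample: the "IpPermissions" list in the shape returned by
# `aws ec2 describe-security-groups` (addresses are documentation/private ranges).
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},   # HTTPS from the admin range: fine
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},        # SSH from anywhere: finding
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},       # NFS wider than the workload subnet: finding
    {"IpProtocol": "tcp", "FromPort": 2010, "ToPort": 2014,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},      # NFS helper ports from workloads: fine
]
ADMIN_CIDRS = ["203.0.113.0/24"]   # assumed administrator source range (constructed)
WORKLOAD_CIDRS = ["10.0.1.0/24"]   # assumed EC2 workload subnet (constructed)

def rule_covers_port(perm, port):
    """True if an IpPermissions entry includes `port` (IpProtocol "-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def _within(src, allowed_nets):
    """True if `src` is contained in one of the allowed networks of the same IP version."""
    return any(n.version == src.version and src.subnet_of(n) for n in allowed_nets)

def audit_ingress(ip_permissions, admin_cidrs, workload_cidrs):
    """Return one finding per (rule, port) whose source CIDR is wider than the allowed list."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    workload_nets = [ipaddress.ip_network(c) for c in workload_cidrs]
    findings = []
    for perm in ip_permissions:
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            src = ipaddress.ip_network(rng.get("CidrIp") or rng.get("CidrIpv6"))
            for port in sorted(ADMIN_PORTS | NAS_PORTS):
                if not rule_covers_port(perm, port):
                    continue
                allowed = admin_nets if port in ADMIN_PORTS else workload_nets
                if not _within(src, allowed):
                    findings.append(f"{port}/{perm['IpProtocol']} open to {src}; "
                                    f"allowed: {', '.join(map(str, allowed))}")
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_PERMISSIONS, ADMIN_CIDRS, WORKLOAD_CIDRS):
        print("FINDING:", finding)
```

Run it against the real output of `describe-security-groups` by loading the JSON and passing each group's `IpPermissions`; an all-traffic rule (IpProtocol "-1") from an unapproved source produces a finding for every listed port.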
Finally, the Linux operating system on which SoftNAS runs includes iptables and the ability to configure firewall rules on Linux to provide an additional layer of inbound and outbound security, should that be desired. And if you are serious about fully securing your SoftNAS environment, there are numerous sources for best practices on security lockdown of Linux-based systems. Since SoftNAS runs on a standard 64-bit CentOS Linux operating system (the free version of Red Hat Enterprise Linux), you have the entire spectrum of Linux-based security tools, add-ons and methodologies available.