IMPORTANT - Note the following to bolster the security of SoftNAS Cloud® storage solution. This list is not exhaustive, so apply the most appropriate set of best practices for deploying Linux-based systems locally or on the Internet.
Change Default Passwords
Consider changing the default password that is set for the user softnas and for root account.
Apply the Latest Software Updates
We identify threats and provide fixes on a regular basis, so be sure to keep up with the latest software updates and maintenance.
Restrict Firewall source IP
Restrict the allowed IP addresses which are allowed access to each port on SoftNAS Cloud® - especially HTTPS (port 443). Only allow approved administrators to access the SSH, HTTPS ports by restricting who (which TCP/IP addresses) can access those ports. Restrict NAS ports (e.g.,CIFS, NFS, iSCSI, etc.) to only allow EC2 workload instances; e.g.,x.x.x.x/24 or a specific range of workload instances.
When publishing storage via NFS, CIFS, iSCSI, or other protocols from SoftNAS Cloud® via the Internet, it is also critical to configure encrypted, authenticated access and limit the source ports accordingly. Also, be sure to restrict the range of allowed source IP addresses. If storage services are published only on an internal LAN or WAN, then apply appropriate security measures as for any storage server in this network environment.
NFS and BIND Services:
|
TCP Port (Service)
|
Source
|
Service
|
|
111
|
x.x.x.x/24
|
portmapper
|
|
2010
|
x.x.x.x/24
|
rquotad
|
|
2011
|
x.x.x.x/24
|
nlockmgr
|
|
2013
|
x.x.x.x/24
|
mountd
|
|
2014
|
x.x.x.x/24
|
status
|
|
2049
|
x.x.x.x/24
|
nfs
|
|
UDP Port (Service)
|
Source
|
Service
|
|
111
|
x.x.x.x/24
|
portmapper
|
|
2010
|
x.x.x.x/24
|
rquotad
|
|
2011
|
x.x.x.x/24
|
nlockmgr
|
|
2013
|
x.x.x.x/24
|
mountd
|
|
2014
|
x.x.x.x/24
|
status
|
|
2049
|
x.x.x.x/24
|
nfs
|
CIFS/SMB via Samba:
For ease of use, here are the ports to open for two-way CIFS communication with Windows and Linux desktop systems.
|
Variable
|
TCP Port #
|
Service
|
|
netbios-ns
|
137
|
NETBIOS Name Service
|
|
netbios-dgm
|
138
|
NETBIOS Datagram Service
|
|
netbios-ssn
|
139
|
NETBIOS Session Service
|
|
microsoft-ds
|
445
|
Active Directory
|
Other ports:
|
Description
|
TCP Port #
|
Note
|
|
LDAP
|
389
|
Active Directory Mode
|
|
NetBIOS
|
445
|
Post-Windows 2000 (CIFS)
|
|
SWAT
|
901
|
Not related to client communication
|
AFP/Netatalk
|
Description
|
TCP Port #
|
Note
|
|
AFP over TCP
|
548
|
AppleShare, Personal File Sharing, Apple File Service
|
|
Service Location Protocol (SLP)
|
427
|
Network Browser
|
iSCSI:
|
Description
|
TCP Port #
|
Note
|
|
iSCSI
|
3260
|
Target publishing
|
ReCaptcha
To prevent brute force password entry into our servers, the SoftNAS login screen uses ReCaptcha. This means that after 5 unsuccessful attempts to log in, Recaptcha will prompt the user to perform an additional action in order to continue attempting new passwords, preventing repeated attempts from eventually guessing the correct login.
Data at Rest Encryption
SoftNAS offers encryption for its disks, protecting data at rest. The encryption is FDE (or Full Disk Encryption) and meets AES-256 standards. Encryption is provided at the pool level, using LUKS encryption. To learn more, see
Create a Storage Pool.
Enhancement Considerations
The Linux operating system on which SoftNAS Cloud® runs includes iptables and the ability to configure firewall rules on Linux to provide an additional layer of inbound and out bound security, should that be desired. For those who are serious about fully securing a SoftNAS Cloud® environment, there are numerous sources for best practices on security lockdown of Linux-based systems. Since SoftNAS Cloud® runs on a standard CentOS 64 Linux-based operating system (the free version of Red Hat Enterprise Linux), the entire spectrum of Linux-based security tools, add-ons and methodologies are available.
Dual Factor Authentication
SoftNAS supports dual factor authentication through Google and/or Facebook login, in order to add another layer of security to your installation. By requiring not only your SoftNAS credentials to manage your instance, but also login to your Google or Facebook account, your SoftNAS instance is twice as secure. This is an optional configuration, allowing you to select the account you wish to secure SoftNAS with (Google or Facebook) or to opt out.