A rant: "Don't put TrueNAS on the internet" - "Backup your NAS"

So I have a bit of a rant here, perhaps someone can calm me down or call me stupid or whatever, here we go:

“Don’t put TrueNAS on the internet”

This is oft-repeated on the forum. And I agree in a sense but I’m bothered by some implications of it. Clearly, opening it up to the internet would allow another attack-vector, and people are constantly scanning for open services with vulnerabilities.

But what I feel this ignores is that a NAS really needs to be protected against all network attacks, including the local network. What’s on the local network? Windows machines. What can happen to Windows machines? They can be infected by ransomware. What can ransomware do? It can attack the NAS (and there has been ransomware that does this). So my point is, the NAS needs to be secure. Saying over and over that TrueNAS shouldn’t be connected to the internet makes me nervous for this reason, like security isn’t being taken into consideration.

I was shocked and disappointed to learn that TrueNAS does not support a firewall and tickets on this matter have been rejected. Adding a full GUI for firewall configuration could be a major undertaking, but it seems to me that allowing ufw firewall rules added via command line to be persisted across reboots and upgrades would be very simple.

“Backup your NAS”

Now some people will say a solution to this is to back up your NAS. This may get back your data, but it ignores the fact that you could have sensitive data pilfered from your NAS if it got infected.

Also, for most home users, the NAS is the backup. It seems to me unreasonable to require a secondary backup device, which would most likely not be protected by RAID, vulnerable to bitrot/data corruption, etc.

Now I also know people say that “RAID is not backup.” But, and this may be controversial, raidz2 and snapshots get you 80% of the way to what a backup provides. Not 100% obviously, as you could be vulnerable to a house fire, an administrative mistake, or a bad upgrade that corrupts everything. But these things are all unlikely.

Anyway that’s my rant. Wondering if anyone else has these concerns, or if my concerns are misplaced, or I’m hopelessly naive, whatever.

1 Like

Well I disagree with almost everything you say there.

2 Likes

Any particular reason? Do you disagree that a NAS should be secure?

There’s a big difference between hardening enough to survive being publicly accessible and protections against threats on the internal network.

What would a firewall on the TrueNAS system actually solve? It won’t save you from ransomware, the only internal threat you bring up, because anyone who has full control of one of your client systems also has access to any shares that client has access to. If an intruder gets access to your administrative endpoint you’re SOL either way.

Against ransomware specifically, snapshots do wonders.

The redundancy features of RAID are indeed not to be considered a backup. You’d be surprised how often an “administrative mistake” puts your data at risk. I’d wager a guess that we have a few posts about data loss problems stemming from user error every month, if not more. It also won’t save you from the mayhem a failing critical component can have on your pool. A failing PSU or RAM (especially non-ECC) can cause massive issues. And then there are the exterior factors like fire (that you brought up) but also electrical surges, flooding or simply - cats.

Something that worries me is that too many people seem to think of their singular NAS as their backup. They copy their important files to the server and then remove the local source copy on their main PC or phone to free up space for new data. The result is that the copy residing on their TN server is no longer a backup, a secondary copy of something - it’s the only copy, and when it goes that data is well and truly lost.

Now, there’s a financial aspect of this, many can’t afford to build two equally capable storage solutions, plus of course the offsite backup that is part of the 3-2-1 recommendation, but I suggest trying to at least keep more than a single copy, and to not keep them all in the same physical space like a floodable basement. Even a non-redundant external HD is something, bitrot be damned.

5 Likes

Honestly, and really without any malice, but your consideration to me seems just an excuse for laziness.

Technically, your primary system (or systems) is the secondary backup device. If the backup fails, you destroy the backup system, build and configure it again, and then create the backup again.

There is a window when only a single copy of data exists (on the primary system), but this is no worse than having the primary system fail and there is only a single copy (on the backup system) until the restore is done. This seems an acceptable tradeoff, say, for home use. If you need to protect against dual failure, the third system (second backup) is required.

2 Likes

You manage to somehow be two different contradictory persons in the same rant.

In the first half, you’re an extremely diligent and cautious person who doesn’t even trust your own local network.

In the second half, you’re a lazy and nonchalant person that apparently doesn’t mind putting all their eggs in one basket and risk losing it all in one catastrophic mistake.

The million dollar question here is: Which one is the real @bubbleshadow ?

4 Likes

“What would a firewall on the TrueNAS system actually solve?”

So for example you could restrict the web interface to admin-only (by IP). This would prevent user-infected computers from exploiting potential compromises of the web server or web interface software.

“In the second half, you’re a lazy and nonchalant”

Nothing to do with laziness or being nonchalant, it’s about cost and reasonability. I’ve agreed that there are risks, I just view the risks as acceptable.

1 Like

That’s just you cherry picking. You could easily say the same thing with the first half of your rant that the risks are acceptable. In fact, it is acceptable to most people, but you apparently.

TrueNAS supports limiting access to the web interface by IP if you so choose. There’s also the option of adding 2FA. Building a management network specifically for local admin work using VLANs could be another layer of the onion.

Neither would protect you from someone getting access to the data on a share though.

Having a firewall at the entry point to your network seems like a no-brainer. As does running up-to-date antivirus, browser and OS software on any client that also accesses an external network. Next step would be to look into using some form of IDS.

2 Likes

Administrator access by a specific client (IP). In a home setting.
Rather than the (single!) user logging to shares from the Finder/Explorer with its user name to shares, and logging as ‘admin’ through his browser—all from the same client.
Wow!

I’m so confused I’ve lost my verbs.

1 Like

I’m going to speak from the perspective of a home user who uses TrueNAS primarily as a NAS server for backups and secondarily as a media server.

That’s correct. You do NOT want to expose your entire TrueNAS server to the Internet, only the services that you want to be exposed, and even those services should be contained within a virtual machine or a Docker container (they used to be called Jails in TrueNAS core for a reason) to limit your data exposure. While Plex media services has a method to provide external access to the media files, both Kavita (ebooks) and AudioBookShelf (AudioBooks) only support http connections, so I use Nginx Reverse Proxy to allow external access to my media while I’m away from my home network.

Yes, you should keep a secondary backup of your data either on an external drive or off-site. For several critical directories including my backups, I store them on Backblaze which is less than $5 per month for me. However, for my media libraries and some non-critical areas, I have them backed up to an external hard drive and stored in a safe. I also have snapshots created for several directories so that I can easily roll back to an earlier version.

Sure. And what would that do to protect against infected Windows clients?

Edit: I mean, if you thought that was valuable, nothing’s really stopping you from putting together a script (though ufw doesn’t come with the base install–you’d need to use iptables instead) and invoking it on boot as a post-init command. But I still don’t see how that would help in the scenario you mention.

The solution to ransomware is to set up snapshots.

1 Like
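The post-init iptables script suggested in the thread above, sketched as an added example (not code from any poster or from TrueNAS): it limits the web UI ports to one admin source. The ports 80/443, the address 192.0.2.10 and the chain name WEBUI_ADMIN are assumptions, and the script only prints the rules unless run with APPLY=1.

```shell
#!/bin/sh
# Added example, not TrueNAS code. Assumed values: web UI on TCP 80/443,
# admin workstation 192.0.2.10 (documentation address), chain WEBUI_ADMIN.
# IPv4 only: if the UI also listens on IPv6, mirror the rules with ip6tables.
ADMIN_SRC="${ADMIN_SRC:-192.0.2.10}"
UI_PORTS="${UI_PORTS:-80,443}"
CHAIN="WEBUI_ADMIN"

# Accept only an IPv4 address/CIDR shape and a comma-separated port list,
# so a typo cannot turn into extra iptables arguments.
valid_src() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}
valid_ports() { case $1 in ''|*[!0-9,]*) return 1 ;; esac; }

# Print the chain contents, one iptables argument list per line.
build_rules() {
    valid_src "$1" && valid_ports "$2" || { echo "bad source or ports" >&2; return 1; }
    echo "-F $CHAIN"                    # start clean on every run
    echo "-A $CHAIN -i lo -j RETURN"    # keep local (loopback) access working
    echo "-A $CHAIN -s $1 -j RETURN"    # admin source continues to normal INPUT
    echo "-A $CHAIN -j DROP"            # everyone else cannot reach the UI ports
}

# Apply idempotently: reuse the chain and add the INPUT jump only once.
apply_rules() {
    rules=$(build_rules "$1" "$2") || return 1
    iptables -N "$CHAIN" 2>/dev/null || true
    printf '%s\n' "$rules" | while read -r args; do
        iptables $args                  # word splitting is intended here
    done
    iptables -C INPUT -p tcp -m multiport --dports "$2" -j "$CHAIN" 2>/dev/null ||
        iptables -I INPUT 1 -p tcp -m multiport --dports "$2" -j "$CHAIN"
}

# Default is a dry run that only prints; set APPLY=1 (as root) to install.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "$ADMIN_SRC" "$UI_PORTS"
else
    build_rules "$ADMIN_SRC" "$UI_PORTS" | sed 's/^/iptables /'
fi
```

As the replies in this thread point out, rules like these only narrow who can reach the web UI; a client that is allowed to mount a share can still change the files on it.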

No.

Problem 1: A NAS needs to be accessible. Therefore clients on the network have to have access of some kind. A firewall won’t stop a compromised client from encrypting files it has access to. So a firewall is of very limited use (note I didn’t say of no use)

Problem 2: RAID & Snapshots are not, and can never be, a backup. Not 80% (your figure), it’s zero %

Putting a NAS appliance on the internet violates established industry best practices. For example: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-209.pdf

I agree with where you are coming from @bubbleshadow!

In my opinion, people are sometimes fast to dismiss something by parroting phrases without explaining the implications behind them.

“Don’t put TrueNAS on the internet”

“Always use Wireguard”

“Use Tailscale instead of Wireguard, because with Tailscale you don’t have to open up scary ports”

What also is often missing, is how important or meaningful these recommendations are.
I would say that the chances of an infected Windows client deleting all my files is a million times higher than my TrueNAS webGUI having a zero day. (Of course this also depends on how sane your defaults and config are. If I just use admin and 1234 as password, that risk evaluation of course changes). Sure you should still not open up your webGUI to WAN!

You basically gave yourself the right answer.
Limit access to the webGUI by IP, use 2FA and Snapshots.
Done! Malicious Windows PCs are no longer a concern.

Again, I see where you are coming from. It is unreasonable to back up 50TB of ISOs to Backblaze. It is not unreasonable however to back up 1TB of precious photos and user data to Backblaze plus an rsync destination (old NAS or TrueNAS system) that boots up once every week.

1 Like

On point 1: Never connect a NAS to the Internet - it is just bad practice and there is never a need to do so. You can use jails or virtualization to present what you want to the Internet without ever having to expose the NAS directly. Just don’t do it. If you do “need” to access your NAS from afar, stand up your own VPN.

On point 2: RAID is NOT a backup. I will say it again - RAID is NOT a backup. Yes, 3-2-1 is a rough pill to swallow if you are backing up your media collection. But it is not a difficult thing to do to ensure your irreplaceable data cannot be lost. After 30 years of hoarding data, and yes I still have my Grade 10 science report from 1993, I have amassed less than 500GB of data - including all the bloated photos since smart phones were invented. For a VERY reasonable fee, you can use iCloud, Tresorit, DropBox etc. to ensure that your critical files follow 3-2-1. As for media backups, I choose to run 2 pools and leverage RSYNC and snapshots. I cannot begin to tell you how many times this strategy has saved me HOURS or DAYS of re-work. Yes, it has a cost - but if you think RAID is a backup, I would invite you to look through the forums and read alllllll of the tear filled posts of people losing everything because they:

  • Phat fingered a rm -r * command somewhere
  • Had a RAIDZ1 lose 2 disks
  • Accidentally detached a volume and deleted their files
  • Modified a pool improperly and lost redundancy and had a failure
  • Corrupted data due to power failure or non-ECC RAM failure
  • the list goes on and on and on and on…

No one in enterprise IT considers their SAN/NAS as a backup. You should not do so at home either.

Your choice, but you will likely be jumping off these cliffs alone.

Cheers,

5 Likes

But isn’t RAID a “Redundant Array of Independent Disks”… says the guy who has a RAIDZ2 configuration, and had one hard drive fail while a new drive was being resilvered as part of an eight-drive 5 TB to 8 TB upgrade in 2021?

Shrug… the cost of restoring my backups from BackBlaze is still much cheaper than losing irreplaceable photos.