I have two TrueNAS machines at different sites on different networks.
I replicate files in both directions between the two servers, i.e. both have local shares, which are then replicated to the remote NAS.
One site has a pfSense firewall, and the other has an EdgeRouter. Both sites have a static external IP.
In the past I had a WireGuard tunnel between the two sites on VMs behind the firewalls, which worked OK, but it was a bit of a pain to set up and eventually died when I changed from xcp-ng to TrueNAS SCALE as my hypervisor, and I can't really be bothered setting it up again.
So I have done it differently now, and I was wanting to know if what I have done is reasonably secure, or am I asking for trouble?
I have opened up ports 80 and 22 on each firewall to TrueNAS; however, rather than leaving the Source Address box empty like I normally do, I have set the source IP to be the WAN address of the remote site. So in theory, the ports are not open to the internet.
I'm pretty sure I have done this correctly at each site, and it seems to be working as expected, as I can't access either port from any other IP.
So, is this a secure solution, or are there other attack vectors that I haven’t considered?
Note: I think I should be able to close port 80 at both ends now that the replication is working over SSH. Is this a good idea, or not really necessary?
I guess you could say the more layers of encryption, the better. Meaning: would your setup be more secure if you added the VPN again? Yes. Is it still secure enough how it's set up right now? Most definitely. SSH is comparable to TLS in terms of security/encryption and, given that you use a strong cipher, is plenty sufficient.
Allowing access only from a specific IP address is a good idea if it works for you. Additionally or alternatively, using a port different from 22 for SSH is an often-used method to reduce the attack surface.
Concerning port 80: if you've used this for its intended purpose, meaning unencrypted HTTP traffic (in this case I assume for the TrueNAS web interface), you should stop doing that immediately. Transport encryption for HTTP is a must. My rule of thumb for internet-accessible servers is that port 80 should only ever be used to forward a client to port 443. If you need to access the web interface and don't want to invest the time to set up Let's Encrypt, you could use an SSH tunnel, since you have already set up SSH (see the -L option of the OpenSSH client).
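Since the exposed SSH service is now the only barrier the replies rely on, here is an added example (not code from anyone in this thread) of a small Python audit of an sshd_config for the authentication settings that matter once port 22 is reachable from another site: key-only authentication, no root login, an explicit user allowlist and a pinned cipher list. The two configs and the account name `replication` are constructed for the example, and the strong-cipher set is my own conservative selection, an assumption rather than anything the thread specifies.

```python
"""Added example: audit an sshd_config for the settings that matter when TCP/22
is reachable from another site.  The two configs below are constructed."""
import re

# Assumption: a conservative list of ciphers this audit treats as strong.
STRONG_CIPHERS = {
    "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
    "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr",
}


def parse_sshd_config(text):
    """Map lower-cased keyword -> value for the global section only.
    sshd uses the first occurrence of a keyword, so later duplicates are
    ignored, and everything after the first 'Match' line is conditional
    and skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    findings = []

    # Defaults follow sshd_config(5): PasswordAuthentication yes,
    # KbdInteractiveAuthentication yes, PubkeyAuthentication yes,
    # PermitRootLogin prohibit-password.
    def get(key, default):
        return cfg.get(key, default).lower()

    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing possible")
    # Older releases spell this option ChallengeResponseAuthentication.
    if get("kbdinteractiveauthentication",
           get("challengeresponseauthentication", "yes")) != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM password prompts possible")
    if get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    if "ciphers" in cfg:   # if unset, the build's default list applies
        weak = [c.strip() for c in cfg["ciphers"].split(",")
                if c.strip() not in STRONG_CIPHERS]
        if weak:
            findings.append("weak or unknown ciphers listed: " + ", ".join(weak))
    return findings


WEAK_CONFIG = """\
# Constructed example: typical out-of-the-box settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# Constructed example: replication-only account, keys only
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers replication
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
Match User replication
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "OK")
```

Run it against the file your appliance actually generates rather than the constructed samples; the point is that a source-IP allowlist narrows who can reach the port, while these settings decide what an allowed (or forged) connection can do once it arrives.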
Opening ports is typically considered bad ITSEC policy and exposes your NAS to potential threats.
Consider a site to site VPN.
Thanks for the reply.
That's what I was thinking.
I’ve closed port 80 now. It was just used for the initial handshake.
I already use an HAProxy reverse proxy and Let's Encrypt certs to have all my other internet-facing services secure; however, I don't think this would work for SSH replication, hence why I'm forwarding the port.
The idea was that, because I'm blocking the port to all addresses except the address of the remote site (which I trust), I am not really opening up to any external attacks.
I just want to know if my thoughts are accurate, or is it possible for a hacker to bypass my firewall rules?
Specifically, there is an attack called IP spoofing which I know little about in terms of how easy or hard it is to pull off. So, theoretically, an attacker could still be able to access the SSH port of your TrueNAS server. But then they would still need to get past the SSH authentication. SSH is an extremely secure and reliable protocol.
Sure, a VPN would make your setup more secure because, in addition to breaching the SSH server, first the VPN server has to be breached. But look at a service like GitHub, for example. They expose an SSH server on the default port, otherwise their service would be unusable. They are apparently not having any issues with that. Same goes for self-hosted GitLab servers. Or just about any VPS you can rent.
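The allow-listed port forward from the first post and the IP-spoofing question raised in this reply, modelled in Python as an added example (not code from anyone in this thread). The addresses are constructed from the documentation ranges, and the two hosts are a deliberately minimal stand-in for a pfSense/EdgeRouter state table and a real TCP stack, not their code. It shows the narrower point the reply makes: a forged source address gets a SYN past the rule, but the SYN-ACK is routed to the real owner of that address, so the attacker never reaches the SSH authentication step.

```python
"""Added example: a model of the thread's setup.  Site B's firewall passes
TCP/22 only when the source is site A's WAN address; a minimal TCP handshake
shows why a forged source address on its own does not yield an SSH session.
All addresses are constructed (RFC 5737 documentation ranges)."""
import secrets
from dataclasses import dataclass

SITE_A_WAN = "203.0.113.10"    # remote site: the only source allowed to reach 22
SITE_B_WAN = "198.51.100.20"   # site with the exposed TrueNAS SSH port
ATTACKER = "192.0.2.99"        # any other internet host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int          # 0 stands in for the client's ephemeral port
    flags: str          # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


class SshServerSite:
    """Firewall rule plus the TrueNAS TCP stack at site B."""

    def __init__(self, allowed_sources):
        self.allowed_sources = frozenset(allowed_sources)
        self.half_open = {}         # client address -> our ISN, awaiting final ACK
        self.established = set()

    def receive(self, pkt):
        # The rule from the thread: destination port 22 and an allow-listed source.
        if pkt.dport != 22 or pkt.src not in self.allowed_sources:
            return None                                  # dropped, no reply
        if pkt.flags == "SYN":
            isn = secrets.randbelow(2 ** 32)            # unpredictable ISN
            self.half_open[pkt.src] = isn
            return Packet(pkt.dst, pkt.src, 0, "SYN-ACK", seq=isn, ack=pkt.seq + 1)
        if pkt.flags == "ACK" and pkt.src in self.half_open:
            if pkt.ack == self.half_open[pkt.src] + 1:   # must echo our ISN
                del self.half_open[pkt.src]
                self.established.add(pkt.src)
        elif pkt.flags == "RST":
            self.half_open.pop(pkt.src, None)           # address owner refused
        return None


class RemoteSite:
    """Site A's WAN address.  Like any real TCP stack it answers a SYN-ACK it
    never asked for with RST, which is what defeats a blindly forged SYN."""

    def __init__(self, addr):
        self.addr = addr
        self.pending_seq = None

    def syn(self):
        self.pending_seq = secrets.randbelow(2 ** 32)
        return Packet(self.addr, SITE_B_WAN, 22, "SYN", seq=self.pending_seq)

    def receive(self, pkt):
        if (pkt.flags == "SYN-ACK" and self.pending_seq is not None
                and pkt.ack == self.pending_seq + 1):
            self.pending_seq = None
            return Packet(self.addr, pkt.src, 22, "ACK", seq=pkt.ack, ack=pkt.seq + 1)
        return Packet(self.addr, pkt.src, 22, "RST")


def deliver(pkt, hosts):
    """Hand the packet to whoever owns pkt.dst and return that host's reply.
    Routing looks only at the destination; a forged source changes nothing."""
    host = hosts.get(pkt.dst)
    return host.receive(pkt) if host else None


def scenario_remote_site():
    """Site A connects to site B: the rule passes it and the handshake completes."""
    server, client = SshServerSite([SITE_A_WAN]), RemoteSite(SITE_A_WAN)
    hosts = {SITE_B_WAN: server, SITE_A_WAN: client}
    pkt = client.syn()
    while pkt is not None:
        pkt = deliver(pkt, hosts)
    return "established" if SITE_A_WAN in server.established else "handshake never completed"


def scenario_attacker_own_address():
    """Any other internet host: the rule drops the SYN and no reply is sent."""
    server = SshServerSite([SITE_A_WAN])
    hosts = {SITE_B_WAN: server, SITE_A_WAN: RemoteSite(SITE_A_WAN)}
    reply = deliver(Packet(ATTACKER, SITE_B_WAN, 22, "SYN", seq=1), hosts)
    return "dropped by firewall rule" if reply is None and not server.half_open else "reached server"


def scenario_attacker_forged_source():
    """The IP-spoofing case from the thread: the SYN claims to come from site A."""
    server, client = SshServerSite([SITE_A_WAN]), RemoteSite(SITE_A_WAN)
    hosts = {SITE_B_WAN: server, SITE_A_WAN: client}
    synack = deliver(Packet(SITE_A_WAN, SITE_B_WAN, 22, "SYN", seq=1), hosts)
    # The rule passed the forged SYN, but the SYN-ACK is addressed to the real
    # site A; the attacker never sees it and can only guess the ISN to echo.
    deliver(Packet(SITE_A_WAN, SITE_B_WAN, 22, "ACK", seq=2, ack=1), hosts)
    # Meanwhile site A receives a SYN-ACK it never requested and resets it.
    deliver(deliver(synack, hosts), hosts)
    return "established" if SITE_A_WAN in server.established else "handshake never completed"


if __name__ == "__main__":
    for scenario in (scenario_remote_site, scenario_attacker_own_address,
                     scenario_attacker_forged_source):
        print(scenario.__name__, "->", scenario())
```

The model deliberately leaves out an attacker who can observe or sit on the path of site A's traffic; that case is where a VPN adds a layer beyond the SSH authentication the replies rely on, and it is also why the SSH server's own hardening still matters even with the allowlist in place.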