...

Restrict the IP addresses that are allowed to access each port on SoftNAS Cloud®, especially HTTPS (port 443). Allow only approved administrators to reach the SSH and HTTPS ports by restricting which TCP/IP addresses can access those ports. Restrict NAS ports (e.g., CIFS, NFS, iSCSI, etc.) to allow only EC2 workload instances; e.g., x.x.x.x/24 or a specific range of workload instances.
When publishing storage via NFS, CIFS, iSCSI, or other protocols from SoftNAS Cloud® over the Internet, it is also critical to configure encrypted, authenticated access and limit the source ports accordingly. Also, be sure to restrict the range of allowed source IP addresses. If storage services are published only on an internal LAN or WAN, apply the security measures appropriate for any storage server in that network environment.
NFS and BIND Services:

| TCP Port (Service) | Source | Service |
| --- | --- | --- |
| 111 | x.x.x.x/24 | portmapper |
| 2010 | x.x.x.x/24 | rquotad |
| 2011 | x.x.x.x/24 | nlockmgr |
| 2013 | x.x.x.x/24 | mountd |
| 2014 | x.x.x.x/24 | status |
| 2049 | x.x.x.x/24 | nfs |


| UDP Port (Service) | Source | Service |
| --- | --- | --- |
| 111 | x.x.x.x/24 | portmapper |
| 2010 | x.x.x.x/24 | rquotad |
| 2011 | x.x.x.x/24 | nlockmgr |
| 2013 | x.x.x.x/24 | mountd |
| 2014 | x.x.x.x/24 | status |
| 2049 | x.x.x.x/24 | nfs |


CIFS/SMB via Samba:

For ease of use, here are the ports to open for two-way CIFS communication with Windows and Linux desktop systems.

| Variable | TCP Port # | Service |
| --- | --- | --- |
| netbios-ns | 137 | NETBIOS Name Service |
| netbios-dgm | 138 | NETBIOS Datagram Service |
| netbios-ssn | 139 | NETBIOS Session Service |
| microsoft-ds | 445 | Active Directory |



Other ports:

| Description | TCP Port # | Note |
| --- | --- | --- |
| LDAP | 389 | Active Directory Mode |
| NetBIOS | 445 | Post-Windows 2000 (CIFS) |
| SWAT | 901 | Not related to client communication |


AFP/Netatalk


| Description | TCP Port # | Note |
| --- | --- | --- |
| AFP over TCP | 548 | AppleShare, Personal File Sharing, Apple File Service |
| Service Location Protocol (SLP) | 427 | Network Browser |


iSCSI:

| Description | TCP Port # | Note |
| --- | --- | --- |
| iSCSI | 3260 | Target publishing |
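
One way to check a security group against the port tables above, as an added example that is not SoftNAS code: the script takes ingress rules in the `IpPermissions` shape that EC2 returns from `describe-security-groups` and reports every administrative or NAS port reachable from a source outside the approved ranges. The approved CIDRs, the sample rules and the function names are constructed for illustration, and port 22 is assumed as the SSH port.

```python
import ipaddress

# Ports from the tables on this page; 22 is the default SSH port (assumption).
ADMIN_PORTS = {22: "ssh", 443: "https"}
NAS_PORTS = {111: "portmapper", 2010: "rquotad", 2011: "nlockmgr", 2013: "mountd",
             2014: "status", 2049: "nfs", 137: "netbios-ns", 138: "netbios-dgm",
             139: "netbios-ssn", 445: "microsoft-ds", 389: "ldap", 901: "swat",
             548: "afp", 427: "slp", 3260: "iscsi"}


def _covered(src, allowed):
    # True only if src lies entirely inside one approved network of the same IP version.
    return any(src.version == net.version and src.subnet_of(net) for net in allowed)


def audit(permissions, admin_cidrs, workload_cidrs):
    """List (port, service, source, group) for ports exposed beyond the approved ranges."""
    admin = [ipaddress.ip_network(c) for c in admin_cidrs]
    workload = [ipaddress.ip_network(c) for c in workload_cidrs]
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "udp", "-1"):
            continue  # ICMP and others reuse the port fields for non-port data
        # "-1" means every protocol and port; such rules carry no port keys.
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            src = ipaddress.ip_network(cidr, strict=False)
            for ports, allowed, group in ((ADMIN_PORTS, admin, "admin"),
                                          (NAS_PORTS, workload, "workload")):
                for port, service in sorted(ports.items()):
                    if lo <= port <= hi and not _covered(src, allowed):
                        findings.append((port, service, cidr, group))
    return findings


# Constructed sample rules in the IpPermissions shape, not from a real deployment.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},           # HTTPS open to any source
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/28"}]},      # SSH from the admin range
    {"IpProtocol": "tcp", "FromPort": 2010, "ToPort": 2049,  # NFS, second range too wide
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    print(*audit(SAMPLE_RULES, ["203.0.113.0/28"], ["10.0.1.0/24"]), sep="\n")
```

A port range such as 2010-2049 is expanded against the tables, so one overly broad source produces a finding for each NAS service it exposes.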


ReCaptcha

To prevent brute-force password guessing against our servers, the SoftNAS login screen uses ReCaptcha. After 5 unsuccessful attempts to log in, ReCaptcha prompts the user to perform an additional action before attempting further passwords, which prevents repeated attempts from eventually guessing the correct login.

Data at Rest Encryption

...

SoftNAS supports dual-factor authentication through Google and/or Facebook login to add another layer of security to your installation. Because managing your instance then requires not only your SoftNAS credentials but also a login to your Google or Facebook account, your SoftNAS instance is twice as secure. This configuration is optional: you can select the account you wish to secure SoftNAS with (Google or Facebook) or opt out.