Security


IMPORTANT - Note the following to bolster the security of SoftNAS Cloud® storage solution. This list is not exhaustive, so apply the most appropriate set of best practices for deploying Linux-based systems locally or on the Internet.

Change Default Passwords

Consider changing the default password that is set for the user softnas and for root account.

Apply the Latest Software Updates

We identify threats and provide fixes on a regular basis, so be sure to keep up with the latest software updates and maintenance.

Restrict Firewall source IP

Restrict the allowed IP addresses which are allowed access to each port on SoftNAS Cloud® - especially HTTPS (port 443). Only allow approved administrators to access the SSH, HTTPS ports by restricting who (which TCP/IP addresses) can access those ports. Restrict NAS ports (e.g.,CIFS, NFS, iSCSI, etc.) to only allow EC2 workload instances; e.g.,x.x.x.x/24 or a specific range of workload instances.
When publishing storage via NFS, CIFS, iSCSI, or other protocols from SoftNAS Cloud® via the Internet, it is also critical to configure encrypted, authenticated access and limit the source ports accordingly. Also, be sure to restrict the range of allowed source IP addresses. If storage services are published only on an internal LAN or WAN, then apply appropriate security measures as for any storage server in this network environment.
NFS and BIND Services:

TCP Port (Service)

Source

Service

111

x.x.x.x/24

portmapper

2010

x.x.x.x/24

rquotad

2011

x.x.x.x/24

nlockmgr

2013

x.x.x.x/24

mountd

2014

x.x.x.x/24

status

2049

x.x.x.x/24

nfs


UDP Port (Service)

Source

Service

111

x.x.x.x/24

portmapper

2010

x.x.x.x/24

rquotad

2011

x.x.x.x/24

nlockmgr

2013

x.x.x.x/24

mountd

2014

x.x.x.x/24

status

2049

x.x.x.x/24

nfs


CIFS/SMB via Samba:

For ease of use, here are the ports to open for two-way CIFS communication with Windows and Linux desktop systems.

Variable

TCP Port #

Service

netbios-ns

137

NETBIOS Name Service

netbios-dgm

138

NETBIOS Datagram Service

netbios-ssn

139

NETBIOS Session Service

microsoft-ds

445

Active Directory



Other ports:

Description

TCP Port #

Note

LDAP

389

Active Directory Mode

NetBIOS

445

Post-Windows 2000 (CIFS)

SWAT

901

Not related to client communication


AFP/Netatalk


Description

TCP Port #

Note

AFP over TCP

548

AppleShare, Personal File Sharing, Apple File Service

Service Location Protocol (SLP)

427

Network Browser


iSCSI:

Description

TCP Port #

Note

iSCSI

3260

Target publishing


ReCaptcha

To prevent brute force password entry into our servers, the SoftNAS login screen uses ReCaptcha. This means that after 5 unsuccessful attempts to log in, Recaptcha will prompt the user to perform an additional action in order to continue attempting new passwords, preventing repeated attempts from eventually guessing the correct login.

Data at Rest Encryption

SoftNAS offers encryption for its disks, protecting data at rest. The encryption is FDE (or Full Disk Encryption) and meets AES-256 standards. Encryption is provided at the pool level, using LUKS encryption. To learn more, see Create a Storage Pool.

Enhancement Considerations

The Linux operating system on which SoftNAS Cloud® runs includes iptables and the ability to configure firewall rules on Linux to provide an additional layer of inbound and out bound security, should that be desired. For those who are serious about fully securing a SoftNAS Cloud® environment, there are numerous sources for best practices on security lockdown of Linux-based systems. Since SoftNAS Cloud® runs on a standard CentOS 64 Linux-based operating system (the free version of Red Hat Enterprise Linux), the entire spectrum of Linux-based security tools, add-ons and methodologies are available.

Dual Factor Authentication

SoftNAS supports dual factor authentication through Google and/or Facebook login, in order to add another layer of security to your installation. By requiring not only your SoftNAS credentials to manage your instance, but also login to your Google or Facebook account, your SoftNAS instance is twice as secure. This is an optional configuration, allowing you to select the account you wish to secure SoftNAS with (Google or Facebook) or to opt out.