![]() ![]() Ich betreibe ein Nextcloud-Jail (NC Version 20.0.6) auf einem TrueNAS System (FreeBSD 192.168.2.205) mit Apache Webserver. ![]() (Linkzerstückelung musste wegen der Beschränkung für neue Mitglieder sein). I don't really have the time or inclination to figure out how to make it compatible with whatever FreeNAS is currently doing for jails.TrueNAS Nextcloud hinter einem Reverse Proxy - Konfigurationsprobleme □□ Deutsch (german) Unfortunately it is designed to run on a FreeBSD platform that's built to interoperate with it. The sadder bit is that I actually do have such a stack available, designed to create a professional web hosting environment that can run jailed. I consider this to be a bit of a tragedy, as you can make the environment much more hostile to intruders. This is somewhat harder for a proper full webhosting environment, and quite frankly is probably beyond the skill set of most hobbyist/enthusiast users. For things like BIND or Sendmail, this is actually pretty easy to do, and I consider it the gold standard for services that are exposed to the Internet. It's a harder road, the road not usually traveled by enthusiasts, and that's building a jail environment that is jailed *without* the base FreeBSD system image. I was one of the earliest users of phk's jails and there is another design strategy available. Your A+ SSL score does *NOTHING* to protect you against that. The typical security of a hobbyist or enthusiast home network isn't particularly secure, so the biggest risk, in my professional opinion as someone who's been doing this for decades, is that someone compromises your web site and gets in to your FreeNAS jail, at which point the threat possibilities multiply. If you can break into the FreeNAS jail and get a shell, you've got live access to the platform and might be able to break out of the jail or at least access the local network using the tools in the FreeBSD base distribution in the jail. Can you subvert a web connection to get a shell? Can you get your scripting language of choice to do something bad and get you a shell?Īll of the contributed FreeNAS jail environments I've seen are based off a base FreeBSD install, which means that /bin/sh is available, which is - for lack of a better term - stupid. A lot of the add-on doohickeys for web servers tend to be written in PHP. The threat model is whether or not you can break into the environment. ![]() To be sure it's good to protect that, but thinking that an A+ means you're all good is not true. That only affects the protection of your login details to get into your web server, and the data that's served up. My blog, which includes some stuff about how I use FreeNASĨ0 redirecting to 443 is a *good* thing as long as nothing of consequence is offered on 80. Ubuntu VMs running Onlyoffice, Crashplan, Mattermost, Pi-hole and some things via Docker Unbound 1.8.3 replaced with Pi-hole 5.11.4 running in a VM NGINX reverse proxy 1.16.1_11 with Certbot 0.38.0_1 replaced with NGINX Proxy Manager 2.9.18 running on Hass.io Pi Nextcloud 25.0.1 (PHP 8.0.25) with Onlyoffice (via VM) ![]() Home Assistant 0.106.6 Hass.io now running on a Raspberry Pi 4 I recently signed up for a Ethical Hacking course on Udemy as I wanted to learn some of the skills so I can try and find out just how easy or difficult it might be for someone :DĢx120GB Crucial BX500 SSD (Mirror) for bootĨx8TB WD80E(Z/M)AZ (RAIDZ2) (1 RMA'ed after 12 months)Ģx1TB Samsung 860 EVO SSD (Mirror) running the following jails and VMs:Ĭalibre 4.7.0 and replaced with Calibre-Web 0.6.19 running in a Docker container I'm sure if someone really wanted to break in, they probably could, but hopefully I've done enough to make it difficult enough that they might find an easier target. Over time I've hardened the NGINX config so everything can only be connected via SSL and achieves a A+ score on SSLlabs. When I decided to expose a few other services, I set-up a NGINX reverse-proxy in a jail and started to use Letsencrypt/certbot to generate each of the SSL certificates. I also added 2FA when than became an option in ownCloud. I also added in Fail2ban protection blocking IP addresses for 10 minutes after 3 failed attempts. I then added a self-created SSL certificate and when that started being rejected by some browsers move to using a cheap one from Comodo. For a short time at the beginning I was simply forwarding a port on my router to the jail. I've been running ownCloud in a FreeNAS jail for a good few years now, and over time have gradually increased the security as I understood more about things. As soon as you expose anything to the internet, you have to accept and assess the risk. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |