Hey you get off of my cloud

I have a Network-attached storage (NAS) disk that I use for music files, backups and so on. It’s basically a Linux computer with two mirrored 4TB disks. It can also work as a private cloud, à la Dropbox. In the interests of security, I secured it with two-factor authentication (2FA), as I discussed in an earlier blog post. To be precise, I created a new admin account, disabled admin rights on ordinary users and disabled the old admin account. Or so I thought.

In fact, what I had done was make the web access more secure from inside my home network, while leaving the external access exactly the same. The only useful feature I had enabled was tracking of any attempts to break into the system.

The first point that I had overlooked, in my enthusiasm, was that web access to the system admin account is only possible from the local network, because external access is blocked by the router. The second point I had missed was that although I had disabled the web admin access, it was still possible to get in via a command line interface. And that’s exactly the way remote hacking software tries to get in, not by a web interface. What I had done was bolt the living room door, while leaving the front door open. It’s not quite that bad, as I had a strong password on the admin (root) account. Moreover, I had set the system to permanently block any IP address from which there were 3 failed login attempts in 10 minutes. But it wasn’t too clever.

The logs revealed (after looking up the IP addresses) that the attempted break-ins were all coming from one country. Yup! China. I don’t take this personally. These break-in attempts are run by automatic systems, trying random addresses, followed by common username/password combinations. This is probably how most corporate break-ins occur. However, the fact that two or three attempts are made a day and are all coming from China is disturbing.

Given that my security attempts were not particularly effective, what could I do? First, 2FA from within the home network is a bit pointless (as long as my wi-fi is secure) and annoying. So I turned that off. Second, I have changed the login method. Being able to log in using ssh is incredibly useful. It’s possible to use the sftp protocol to move files and it’s possible to do things that the web interface makes difficult. But that means allowing root access in some way.

The solution is actually straightforward, albeit slightly tricky to get working. Instead of using passwords, ssh access is now only allowed with public/private keys. Anything that wants to connect to my NAS now has to generate a public/private key pair and to pass the public key to the NAS. Apart from setting up the ssh configuration on the NAS, the tricky bit is generating keys on, say, Android devices and passing the key to the NAS via a third, trusted computer. Now, any attempt to log in without a key is immediately rejected.
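One way to check that the NAS’s sshd configuration really enforces the key-only login described above, as an added example that is not from the post: it reads the effective value of each relevant directive the way sshd does (first uncommented match wins, global section only) and fails the audit if password logins are still reachable. The two sample config files are constructed for the demonstration.

```shell
# Print the effective value of one sshd_config directive: the first uncommented
# match wins (sshd semantics), keys are case-insensitive, and only the global
# section before any "Match" block is considered. Prints nothing if unset.
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                 # conditional blocks: stop
        tolower($1) == key { print $2; exit }           # first match wins
    ' "$1"
}

# Audit a config for key-only login. Prints each failing check and returns 1
# if any fails, 0 when the config is hardened.
audit_sshd_config() {
    audit_rc=0
    pw=$(effective_setting "$1" PasswordAuthentication)
    pk=$(effective_setting "$1" PubkeyAuthentication)
    root=$(effective_setting "$1" PermitRootLogin)
    kbd=$(effective_setting "$1" KbdInteractiveAuthentication)
    if [ -z "$kbd" ]; then kbd=$(effective_setting "$1" ChallengeResponseAuthentication); fi
    [ "$pw" = "no" ] || { echo "PasswordAuthentication should be no (is '${pw:-unset, default yes}')"; audit_rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "PubkeyAuthentication should be yes"; audit_rc=1; }
    # keyboard-interactive (PAM) can still prompt for a password, so it must be off too
    [ "$kbd" = "no" ] || { echo "KbdInteractiveAuthentication should be no"; audit_rc=1; }
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin should be no or prohibit-password (is '${root:-unset}')"; audit_rc=1 ;;
    esac
    return $audit_rc
}

# Constructed samples (not from the post): the "before" state and the hardened state.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication no
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF

echo "== weak ==";     audit_sshd_config "$WEAK_CFG" || echo "-> password logins still possible"
echo "== hardened =="; audit_sshd_config "$HARD_CFG" && echo "-> key-only login enforced"
```

Run it against the NAS’s real sshd_config (after restarting sshd) and test from another machine with `ssh -o PubkeyAuthentication=no` to confirm the password path is actually refused.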

It is possible to put another level of security on top of this, by using certificates. I’m not yet sure I need that.