HowTo make your Readynas more secure [nessus/ssl]


Postby Jeroen1000 » Thu Aug 28, 2008 12:48 am

This HowTo is based on an RND 2150 with firmware 4.1.3-T136. It should work for other ReadyNAS devices as well.
A big thanks goes out to Chirpa for leading the way.

Before you get started:

Take a backup of httpd.conf and proftpd.conf before you make any changes to their configuration.
Make sure you have SSH access to your NAS. I believe that reinstalling the firmware will undo any changes made by this HowTo.


1) Problem: The remote SSH host keys are weak. Please see: http://wiki.debian.org/SSLkeys
Consider all cryptographic material generated on the remote host to be guessable.
In particular, all SSH, SSL and OpenVPN key material should be re-generated: regenerate SSH and SSL keys.

Recommendation: Take immediate action!

Solution:
For SSL, you can generate a new key on the HTTPS page of your ReadyNAS.

For SSH, type following commands on the shell:
# ssh-keygen -t rsa1 -f "/etc/ssh/ssh_host_key" -N ''
# ssh-keygen -t rsa -f "/etc/ssh/ssh_host_rsa_key" -N ''
# ssh-keygen -t dsa -f "/etc/ssh/ssh_host_dsa_key" -N ''


2) Problem: HTTPS access service encrypts traffic using a protocol with known weaknesses (being SSL 2.0). Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

Recommendation: Although not as bad as the previous one, I would change it as soon as possible.

Solution:

*** Please backup httpd.conf before making any changes ***

Type following commands on the shell:
# echo SSLProtocol all -SSLv2 >> /etc/frontview/apache/httpd.conf
# killall apache-ssl
# /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf

3) Problem: HTTPS access service supports the use of weak SSL cipher suites. Reconfigure it to avoid use of weak ciphers.

Recommendation: Changing it won't hurt :)

Solution:

*** Please backup httpd.conf before making any changes ***

Type following commands on the shell:
# echo 'SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL' >> /etc/frontview/apache/httpd.conf
# killall apache-ssl
# /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf


4) Problem: The remote webserver (HTTPS or HTTP) supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.
Servers supporting the TRACE method are subject to cross-site scripting attacks and various other browser hacks.

Recommendation: Changing it won't hurt :)

Solution:

*** Please backup httpd.conf before making any changes ***

Type following commands on the shell:
# echo TraceEnable off >> /etc/frontview/apache/httpd.conf
# killall apache-ssl
# /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf


5) Problem: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Basically, you are giving away the FTP version number and the fact that the FTP service is on a ReadyNAS. If someone finds a weakness in the FTP server that the ReadyNAS is running, it would not be wise to help hackers by telling them you are running this particular version.

Recommendation: Changing it won't hurt :)

Solution:

*** This is not a way to secure your NAS! If there is a bug in an application, it must be corrected. In the meantime, actions like this may save you from more harm. ***

*** Please backup proftpd.conf before making any changes ***

Edit proftpd.conf to reflect the config below. Change or add the lines with a * (remove the * though)

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody/nogroup" and "ftp" for normal operation and anon.
ServerName     "Don't tell you are a Readynas here"*
ServerType                      standalone
ServerIdent                     on "Don't tell you are ProFTPD 1.3 here!"*
DeferWelcome                    on

MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on
AllowOverwrite                  on
UseReverseDNS                   off
IdentLookups                    off
TimesGMT                        off
WtmpLog                         off
ServerLog                       /var/log/proftpd.log
SystemLog                       /var/log/proftpd.log
TransferLog                     /var/log/proftpd.log
BanLog                          /var/log/proftpd.log
MaxLoginAttempts                1
BanEngine                       on
BanTable                        /ramfs/ftp_ban.tbl
BanOnEvent                      MaxLoginAttempts 5/00:10:00 00:15:00

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayChdir                    .message

DenyFilter                      \*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd                on

# Uncomment this if you would use TLS module:
#TLSEngine                      on

# Uncomment this if you would use quota module:
#Quotas                         on

# Port 21 is the standard FTP port.

LINES HAVE BEEN REMOVED HERE TO PROTECT MYSELF.

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            nobody
Group                           nogroup

# Normally, we want files to be overwriteable.
<Directory /*>
  # Umask 022 is a good standard umask to prevent new files and dirs
  # (second parm) from being group and world writable.
  Umask                         022  022

  AllowOverwrite                on
  HideFiles                     .*
</Directory>

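An added example (not part of the post above, and not anything shipped in the ReadyNAS firmware) that applies items 2 to 4 in one go and then checks the result: a small POSIX sh script with an idempotent directive setter and a checker for httpd.conf. The post's "echo ... >>" lines append a fresh directive every time they are run; the setter below replaces an existing line instead. It assumes the post's path /etc/frontview/apache/httpd.conf is the file you would point it at on a real NAS; the demo runs against a constructed temporary file so it can be tried anywhere.

```shell
#!/bin/sh
# Added example, not code from the post above. Wraps the three httpd.conf
# changes (SSLProtocol, SSLCipherSuite, TraceEnable) in an idempotent setter
# plus a checker. Real path assumed from the post: /etc/frontview/apache/httpd.conf;
# the demo at the bottom uses a constructed temporary file instead.

# get_directive FILE NAME: print the value of the last "NAME value" line in FILE
get_directive() {
    awk -v n="$2" '$1 == n { $1 = ""; sub(/^ +/, ""); val = $0 } END { print val }' "$1"
}

# set_directive FILE NAME VALUE: replace every existing "NAME ..." line with
# "NAME VALUE", or append one. Unlike "echo ... >> httpd.conf", running it
# twice leaves exactly one copy of the directive.
set_directive() {
    file=$1; name=$2; value=$3
    if grep -q "^[[:space:]]*$name[[:space:]]" "$file"; then
        tmp=$(mktemp)
        awk -v n="$name" -v v="$value" '$1 == n { print n " " v; next } { print }' \
            "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# check_apache_hardening FILE: return 0 when SSLv2 is disabled, the weak cipher
# classes named in the post (ADH, LOW, EXP, eNULL) are excluded and TRACE is
# off; otherwise print one FAIL line per item and return 1.
check_apache_hardening() {
    file=$1; rc=0
    proto=$(get_directive "$file" SSLProtocol)
    case "$proto" in
        "")            echo "FAIL: SSLProtocol unset (compiled-in default applies)"; rc=1 ;;
        *-SSLv2*)      ;;                     # explicitly disabled, e.g. "all -SSLv2"
        *all*|*SSLv2*) echo "FAIL: SSLProtocol allows SSLv2 ('$proto')"; rc=1 ;;
    esac
    ciphers=$(get_directive "$file" SSLCipherSuite)
    for weak in ADH LOW EXP eNULL; do
        case ":$ciphers:" in
            *":!$weak:"*|*":-$weak:"*) ;;     # "!ADH" or "-LOW" style exclusion present
            *) echo "FAIL: SSLCipherSuite does not exclude $weak"; rc=1 ;;
        esac
    done
    case "$(get_directive "$file" TraceEnable)" in
        [Oo]ff) ;;
        *) echo "FAIL: TraceEnable is not off (TRACE/TRACK still answered)"; rc=1 ;;
    esac
    return $rc
}

# --- demo on a constructed httpd.conf fragment (not the real ReadyNAS file) ---
SAMPLE_CONF=$(mktemp)
printf 'Listen 443\nSSLEngine on\n' > "$SAMPLE_CONF"
echo "before:"; check_apache_hardening "$SAMPLE_CONF" || true

set_directive "$SAMPLE_CONF" SSLProtocol    'all -SSLv2'
set_directive "$SAMPLE_CONF" SSLCipherSuite 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL'
set_directive "$SAMPLE_CONF" TraceEnable    off
set_directive "$SAMPLE_CONF" TraceEnable    off   # second run: still a single line
echo "after:"; check_apache_hardening "$SAMPLE_CONF" && echo "all three items OK"
echo "TraceEnable lines: $(grep -c '^TraceEnable' "$SAMPLE_CONF")"   # 1
rm -f "$SAMPLE_CONF"
```

On a real NAS the restart step from the post (killall apache-ssl, then /usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf) is still needed after writing the file; the checker only reads the configuration, it does not tell you what the running server actually negotiates, so re-run the scanner afterwards.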

Re: HowTo make your Readynas more secure

Postby tlyczko » Thu Aug 28, 2008 10:21 am

Please clarify: ServerName should be CHANGED to something different, and ServerIdent should be off or on?

Thank you, Tom

Re: HowTo make your Readynas more secure

Postby Jeroen1000 » Thu Aug 28, 2008 10:41 am

Hi Tom.

By default, when you connect to the FTP it tells you what version it is running.

ServerIdent         off

will cause your server not to identify itself when you connect. Optionally you can also do:
ServerIdent         on "Your text here"


So from a security point of view, you can choose, as long as you do not reveal any security-related information. Also see http://www.proftpd.org/docs/directives/ ... Ident.html

As ServerName, I believe the standard text is ReadyNAS or something. Same story: you can put what you like here. If hackers know it is a ReadyNAS they could exploit known weaknesses in the FTP or in other services of the NAS. So yes, you should change it also.
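To make the ServerIdent/ServerName advice in the reply above (and item 5 of the HowTo) concrete, here is an added check, not from the posts and not a ProFTPD tool, that reads a proftpd.conf and reports what the greeting would give away. It also catches the case the reply warns about: a custom ServerIdent text that itself still mentions ProFTPD or a version number. Assumptions: the stock ServerName is taken to be "ReadyNAS", as recalled above, and the demo writes constructed files to a temporary location rather than touching the NAS's real proftpd.conf.

```shell
#!/bin/sh
# Added example, not from the posts above. Classifies what a proftpd.conf's
# ServerIdent/ServerName settings would reveal in the FTP greeting.
# Assumption: stock ServerName "ReadyNAS" (as recalled in the thread); the
# demo uses constructed temporary files, not the NAS's own proftpd.conf.

# conf_value FILE NAME: value of the last "NAME value" line (quotes kept as written)
conf_value() {
    awk -v n="$2" '$1 == n { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# ftp_banner_status FILE prints one word and returns 0 only when nothing identifying is left:
#   leaks    ServerIdent text or ServerName names ProFTPD, a version, or ReadyNAS
#   default  ServerIdent on (or unset): ProFTPD announces its own name and version
#   custom   ServerIdent on "text": the admin's own wording, nothing identifying
#   silent   ServerIdent off
ftp_banner_status() {
    fb_ident=$(conf_value "$1" ServerIdent)
    fb_sname=$(conf_value "$1" ServerName)
    for s in "$fb_ident" "$fb_sname"; do
        low=$(printf '%s' "$s" | tr 'A-Z' 'a-z')
        case "$low" in
            *proftpd*|*readynas*|*[0-9].[0-9]*)   # software name, product, or a "1.3"-style version
                echo leaks; return 1 ;;
        esac
    done
    case "$fb_ident" in
        [Oo]ff)          echo silent;  return 0 ;;
        "on "*|"On "*)   echo custom;  return 0 ;;
        *)               echo default; return 1 ;;
    esac
}

# write_ftp_conf SERVERNAME SERVERIDENT: write a constructed minimal proftpd.conf, print its path
write_ftp_conf() {
    f=$(mktemp)
    printf 'ServerName  %s\nServerType  standalone\nServerIdent %s\n' "$1" "$2" > "$f"
    echo "$f"
}

# --- demo: the stock values, the fixes from the HowTo, and a custom text that still leaks ---
for cfg in '"ReadyNAS"|on' '"files"|on' '"files"|on "ProFTPD 1.3 here"' '"files"|on "Welcome"' '"files"|off'; do
    name=${cfg%%|*}; ident=${cfg#*|}
    f=$(write_ftp_conf "$name" "$ident")
    printf 'ServerName %-12s ServerIdent %-24s -> %s\n' "$name" "$ident" "$(ftp_banner_status "$f")"
    rm -f "$f"
done
```

The check only reads the configuration; after editing the real proftpd.conf you still need to restart the FTP service, and the honest test is to connect to port 21 from another machine and read the greeting yourself.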

Re: HowTo make your Readynas more secure

Postby MichaelR64 » Fri Sep 03, 2010 2:47 am

Hi,

When experimenting with my ReadyNAS I noticed that when I accessed my NAS from the internet, most of the plugin webpages are wide open regarding security.
After searching I came across some pages with Apache mods.

And i saw this page about raising the encryption standards used.

How much of this is still valid as of September 2010 for an NVX Pioneer?
Readynas NVX Pioneer 4.2.19 with 4 * WD20EARS WDIDLE'ed

Re: HowTo make your Readynas more secure

Postby InTheShires » Wed Sep 22, 2010 3:40 pm

MichaelR64 wrote:
How much of this is still valid as of September 2010 for an NVX Pioneer?


I too would like to know this. ^^ Though for the Duo, not Pro.

I'm concerned my Duo isn't as secure as perhaps it should be, and I really want to address this.

I'm using NASMonitor and nTop to keep an eye on things, and nTop worries me sometimes with some large data transfer figures (8 GB today). I've only had the laptop on today, and 2ndCopy would not have chucked 8 GB over the WiFi today with me knowing, and showing it.

I'm concerned here!

Thanks.

Re: HowTo make your Readynas more secure

Postby ukez » Fri Oct 29, 2010 12:51 am

InTheShires wrote:
MichaelR64 wrote:
How much of this is still valid as of September 2010 for an NVX Pioneer?


I too would like to know this. ^^ Though for the Duo, not Pro.

I'm concerned my Duo isn't as secure as perhaps it should be, and I really want to address this.

I'm using NASMonitor and nTop to keep an eye on things, and nTop worries me sometimes with some large data transfer figures (8 GB today). I've only had the laptop on today, and 2ndCopy would not have chucked 8 GB over the WiFi today with me knowing, and showing it.

I'm concerned here!

Thanks.


I'd also like to know if these have all been addressed... How secure is our DUO?

Re: HowTo make your Readynas more secure [nessus/ssl]

Postby Rocket Man » Fri Nov 26, 2010 6:13 pm

I am looking at this thread - 3 months on and no assurances given. I think the conclusion is that the Duo is an open window: if you leave it visible from outside, you are vulnerable and so is your data. This is a pity since it means you would need to be reckless to use e.g. ReadyNAS Remote. Until these holes are addressed, best not to make it visible at all, sadly - close off your firewall/router and do not allow access from the internet.

Rocket Man

Re: HowTo make your Readynas more secure [nessus/ssl]

Postby sphardy » Sat Nov 27, 2010 2:02 am

Rocket Man wrote:
you would need to be reckless to use e.g. ReadyNAS Remote

ReadyNAS Remote doesn't require you to open any ports - one of the primary values of the service - and so the one example you perhaps should not have thought to mention in your comment.


Re: HowTo make your Readynas more secure [nessus/ssl]

Postby Rocket Man » Sat Nov 27, 2010 6:51 am

Really? Gosh I didn't realise that. I am happy to be corrected and I apologise for my incorrect assertion that opening the firewall was necessary for ReadyNAS Remote to work. (/me runs off to test it with a closed firewall!).
Thank you for the correction.

Rocket Man.

Re: HowTo make your Readynas more secure [nessus/ssl]

Postby cinskeep » Mon Feb 13, 2012 5:23 pm

How do I get a NETGEAR tech or admin to fix these issues on my ReadyNAS, so I don't have to install RootSSH and possibly screw it up?

Re: HowTo make your Readynas more secure [nessus/ssl]

Postby kHarrison » Thu Mar 15, 2012 6:17 am

Thanks for the detailed guidelines, especially helpful for beginners like me. I have taken note of the tips and will keep watching the thread for updates.

Re: HowTo make your Readynas more secure [nessus/ssl]

Postby tiranor » Mon Mar 19, 2012 1:51 am

Hi, it's been almost 4 years since the first post. How much has the NAS behaviour changed since that time?

Re: HowTo make your Readynas more secure [nessus/ssl]

Postby Deb-B » Mon Apr 23, 2012 3:44 am

I am still concerned regarding the Duo v2, with Photos II especially, which appears to be port forwarding our IP address to everyone we send an invitation to... My brother-in-law was able to use this address to access the login page for the NAS. Sounds nasty.... He advised me not to use Photos II and to turn off port forwarding and UPnP, which I have done. I am rather disappointed, as being able to share and host my own photos was a feature I was quite looking forward to using! I have asked about this in the Photos II thread, but have had no reply....

Re: HowTo make your Readynas more secure [nessus/ssl]

Postby StephenB » Mon Apr 23, 2012 7:28 am

Deb-B wrote:
I am still concerned regarding the Duo v2, with Photos II especially, which appears to be port forwarding our IP address to everyone we send an invitation to... My brother-in-law was able to use this address to access the login page for the NAS. Sounds nasty.... He advised me not to use Photos II and to turn off port forwarding and UPnP, which I have done. I am rather disappointed, as being able to share and host my own photos was a feature I was quite looking forward to using! I have asked about this in the Photos II thread, but have had no reply....

Why is this so concerning to you? Presumably you have a strong password.

Re: HowTo make your Readynas more secure [nessus/ssl]

Postby Deb-B » Sat Apr 28, 2012 7:35 pm

I think it is because I don't understand how networking works, beyond my own home system. My brother-in-law was quite adamant that broadcasting the IP was a potentially huge risk, as it leaves our home systems open to hackers. I need to learn more so I can make my own judgements! Any suggestions of web pages explaining these things to newbies would be welcome!