Putting the management interface on a VPN helps a lot for security and port scanning. Everything else is sound though and keeping it updated is a key task. Get FN Scale to email you when updates are pending. Good summary. Thanks for sharing.
@myhometvaccount9365 2 months ago
wow, some of the defaults are just crazy, thanks for that info Tom, invaluable
@gilgameshxg a month ago
Great videos over the years! Thanks a lot!
@thegorn 2 months ago
How to lock yourself out of your system, with these simple tricks 😂
@LAWRENCESYSTEMS 2 months ago
Yup, this will for sure happen!
@Hadw1n 2 months ago
Solid had to search for this when I set up mine. Now I have it all in one great video.
@devonlee5815 2 months ago
Something I do that I think increases security is that I have separate username/password combos for SMB shares on my computers and the admin interface (both not the default “admin” account). That way if a system on SMB gets compromised, those credentials cannot do anything I can’t recover from with a snapshot.
@romayojr 2 months ago
the last tip. i feel attacked 😂
@klausfrederiksen7631 2 months ago
How about using a physical 2FA thing like Yubikey, or take a further step into using Passkey?
@TheChadXperience909 2 months ago
Just FYI... On the subject of SMB authentication using usernames. You do not need a domain controller. It also works with a local account. Just use the same username on the share as you log into Windows with. I haven't tested with Linux.
@imzsoul 2 months ago
Yes, same on Linux.
@ColbyPerry 2 months ago
What are your thoughts about creating additional virtual NIC interfaces for other VLANs to expose services that way versus having 1 interface and managing network access through services like firewalls between VLANs and subnets?
@massimilianopalizzi6523 26 days ago
If I bind SMB to a different IP address to the one I use for the web interface, I cannot access the SMB share over a VPN (configured on the firewall router) anymore because there is no way to set up a specific gateway for the second IP address, right?
@xgod978 2 months ago
is using VLAN recommended in truenas? I'm kinda new in using truenas
@till5142o 2 months ago
It's recommended in general
@johnfr2389 12 days ago
How do you implement a firewall and antivirus solution for TrueNAS?
@LAWRENCESYSTEMS 11 days ago
Your firewall is separate and AV should be run on the endpoints connecting to TrueNAS.
@truckerallikatuk a month ago
Can I do 2fa with any device that isn't a phone? Such as a Yubikey?
@LAWRENCESYSTEMS a month ago
They just offer TOTP and technically you can use that with more than just a phone.
@chrisparkin4989 2 months ago
Don’t forget if you have physical access with a keyboard you can just jump into a previous boot environment and bypass a lot of this.
@visheshgupta9100 a month ago
Are there any snapshield (45drives) alternatives to protect the NAS from ransomware attacks? Or an anti-virus that scans the entire NAS periodically for any kind of malware?
@LAWRENCESYSTEMS a month ago
Not that I am aware of and scanning a NAS for a virus is not really effective here in 2024
@visheshgupta9100 a month ago
@@LAWRENCESYSTEMS Not really sure what you mean, are you suggesting that anti-virus softwares are obsolete in 2024 and aren't effective in detecting a malware?
@LAWRENCESYSTEMS a month ago
@@visheshgupta9100 It's not effective on a NAS, endpoint detection should be set up on systems that connect to the NAS.
@visheshgupta9100 a month ago
@@LAWRENCESYSTEMS Got it! Thanks for the input. Speaking of malware, have you ever come across any instance where a malware corrupted the TrueNAS OS? And does giving TrueNAS Internet access for the purpose of updates & alerts compromise the security of the NAS in any way? Last but not the least, you talked about having a different network switch for managing TrueNAS, can you point me to a resource / video that describes this in detail. Much appreciate your time and your contribution to the community. I have been a long time subscriber to your channel, and love your videos. Kudos and keep up the great work!
@LAWRENCESYSTEMS a month ago
@@visheshgupta9100 I don't know of any attacks specific to TrueNAS and this video is the one to follow for hardening TrueNAS Scale.
@ELIKESBIKES 2 months ago
where do I get that shirt?
@LAWRENCESYSTEMS 2 months ago
Shop.lawrenceaystems.com
@Raymond.Jansen 2 months ago
Don't bite my head off, I'm genuinely interested why use Truenas instead of for instance Synology or Qnap?
@CoreyPL 2 months ago
I think it boils down to a few key aspects:
1. Synology and QNAP are proprietary hardware platforms with proprietary OSes installed. On higher models Synology also requires or at least suggests in the DSM that you use their brand of drives, RAM, extension cards etc.
2. You are more limited in terms of hardware upgrades on Synology and QNAP than with TrueNAS, which runs a standard Linux kernel (SCALE) or FreeBSD kernel (CORE).
3. Kernels in Synology and QNAP are usually pretty outdated and heavily modified with backported code and custom code. It is a very difficult process to ensure compatibility with a new kernel for all the devices and software packages, so those companies stay on a legacy backbone a lot longer than anybody else.
4. Data integrity above all - ZFS on TrueNAS is one of the most, if not the most, data integrity oriented filesystems in that class of devices (if set up properly on proper hardware). QNAP has had a ZFS offering with their QuTS hero flavor for some time and Synology uses BTRFS, which is nice, but at least for now less mature than ZFS.
5. Security. With the ease of using DSM or QTS and appstores on them, adding another app is just a click of a button. This also introduces a security risk, because as a normal user you have almost no control over what configuration changes were just made to your system. With TrueNAS you have more configuration flexibility, but you can still endanger your NAS by installing whatever and not setting it up correctly.
I think there is a use market for both TrueNAS and ready-to-work devices like Synology and QNAP. I've certainly used all of them. If I need a NAS for a small business that wants to minimize purchase and service costs, then it will probably be Synology just for the ease of use, speed to implement and overall lower price for 2-4 bay offerings. If I need stellar data integrity with the configuration expandability, then it will be TrueNAS. Backup solution for endpoints and servers? Active Backup for Business on Synology is hard to beat with unlimited licenses for the cost of the device alone. Like I said - I use both, and the choice just depends heavily on the case-by-case use.
@Raymond.Jansen 2 months ago
@@CoreyPL Thank you very much for your answer! I really didn't know all of this.
@jackthatmonkey8994 2 months ago
I'm at the interesting crossroads of deciding storage setup. Current RJ45 transfer speeds are so good that the SSDs I'll probably end up using have equal or less write speed than the cables can feed them data. Did you ever have a conversation with a client where this factoid was relevant? 😂
@BenState 2 months ago
The 5000MB/sec write speed on some SSDs will easily saturate 10Gbe RJ45.
@CoreyPL 2 months ago
Unless you are using 25GbE or 100GbE there is not an immediate worry that your array of SSDs will be slower than your network capabilities. Unless you count file system overhead, possible misconfiguration of the array, other components not being able to keep up, lack of RAM, lack of fast enough caching etc. I'm interested in your use case and what specific worries you have - if you are able, please share some more info.
@xandrios 2 months ago
This still leaves SSH/console root access available which is a big no-no in any corporate environment.
@peterpain6625 2 months ago
Freenas Scale is Debian based so it has no place in a corporate environment anyways. Great distribution to learn though. Have yet to see one Debian "production" server with less than a couple of gigabytes in /usr/local ;)
@LAWRENCESYSTEMS 2 months ago
No key for root means it can not log in.
@LAWRENCESYSTEMS 2 months ago
We use TrueNAS in lots of corporate environments, one of our clients is on the Fortune 500 list and has petabytes of TrueNAS storage.
@BenState 2 months ago
@@peterpain6625 what?
@xandrios 2 months ago
@@LAWRENCESYSTEMS Thanks. I may be mistaken, though don't many of the core functionalities still rely on root SSH access - like for instance replication? Either through the root account directly, or another account which then must have passwordless sudo permissions (Which is basically the same as having straight root access).
@Random-ch9my 2 months ago
1 day after this video iX systems releases Core's latest update, damn.
@LAWRENCESYSTEMS 2 months ago
No new feature updates, read their release notes "TrueNAS 13.3-RELEASE is intended solely for community users looking for incremental fixes specific to FreeBSD 13.3, Jails, Bhyve, OpenZFS, and Samba"
@Random-ch9my 2 months ago
@LAWRENCESYSTEMS yes, however they also mention that the jails and VMs haven't been tested... This really looks like an April fools'