How can I make my server more secure?

AleXSR

Hello everyone,

so, I am trying to think of ways to make my NSA325v2 servers more secure.

I was thinking of using FTP and disabling Samba, NFS, all other file sharing methods.

Now I was wondering, if I could make the whole system even more secure by formatting my drives with NTFS or ext4 myself. If I am not mistaken, the NAS will not recognize those drives without me mounting them as JBOD. So the system should not be able to access them on a WebUI level. So it will not be able to grant access to anything through the built-in functions.

But since it is a Linux based system, on a system level, the drives should be mounted, correct? Or at least manually mountable. And then I could run VSFTP as a service.

Would this be possible? Or will this fail for a specific reason?

Curious to hear what your thoughts are on this and whether you can think of a different/better approach

Best regards

Alex

Mijzelf

I'm not sure if the 325 can mount ext4, and mounting ntfs will have a performance impact. Further it is possible that the firmware will 'dive on' a disk as soon as you have mounted it. I've seen that when I manually mounted some disk, it became auto shared. (And hard to unmount). Not always, and I don't know what triggered the firmware.

When you want to basically ditch all firmware stuff, why wouldn't you install an alternative OS like OpenWRT , Debian or Arch? In that case you don't have to struggle with unwanted features. Just don't install them.

AleXSR

I was not even aware that OpenWRT was available for my NAS. Can I flash back to stock firmware/OS if it turns out to be a poor decision?

Mijzelf

Can I flash back to stock firmware/OS

Theoretically yes. But of course ZyXEL doesn't give any support for that. It should be enough to put back the original u-boot and it's environment, upload the right uImage over tftp, and boot the box with a firmware upgrade usb stick inserted. OpenWrt replaces u-boot, and I don't know if that still can boot the old ZyXEL kernel, so if you want to be able to go back, at least backup the bootloader and it's environment.