[Wylug-help] Remote access to NAS storage

Tue Apr 14 18:45:55 UTC 2009

On Tue, 14 Apr 2009, Philip Wyett wrote:

> On Thu, 2009-04-09 at 19:43 +0100, Roger Greenwood wrote:
>> Hi all,
>>
>> I am looking to get a small NAS box (e.g. Netgear RND-2000, £200 with
>> 500GB disk) but I also want to access it remotely (for backup purposes).
>> Obviously this means me playing with router firewall settings, and
>> knowing my IP address. IP is essentially static as it is logged on all
>> the time (ISP Talk Talk, router smartAX 882). If it does change sometime
>> in the future I can live with it.
>>
>> Local network devices are generally allocated a static IP in the range
>> 192.168.x.x  I have read some conflicting advice regarding use of DMZ or
>> not, so am not sure about this. Any other NAS devices people have
>> experience of, or other solutions also of interest.
>>
>> Any advice before I splash the cash, or notes of caution most welcome. I
>> don't like changing firewall settings too much as I tend to break things
>> when I play around!
>>
>> By the way, I should say that network connection and speed has been
>> excellent so far (nearly 2 years now) so I don't want to switch ISP's.
>>
>
> Dump your modem/router for one with dynamic dns support. Sign up for a
> free account with DynDNS or whoever. Configure the router with that
> DynDNS service and have a constant address that your router will update
> and change IP addresses if it changes so you only ever need aim at one
> address. Configure the necessary port forwarding to the new NAS in the
> router and the jobs a good one! ;-)

There are security concerns if you open up internal ports to all and sundry 
on the internet - you will be scanned, probed etc.

So make sure you have security updates on your NAS box, or buy a NAS box 
that you can run a known distribution with security upgrades. Many NAS 
boxes can have Debian or Ubuntu installed or spcialist distros usually 
derived from Debian (mainly because they are ARM processor based). 
I'd not trust a NAS box without distro security support on the 
internet.

Generally also tighten evethydown as much as possible. Only open up exactly 
those ports you must. If you know the IP address(es) of the other end of 
the backups check if you can arrange to only accept traffic to and from 
those addresses. Consider if you can arrange to connect via SSH or a VPN 
and run the backup over that connection.

I run a VIA miniITX box as a home server, mail Web NAS DNS DHCP VPN etc 
etc, and many of the services run on this box are tied down so that only 
certain addresses can connect - the logs of the connection refusals just 
shows how much probing/scanning does go on. I run Ubuntu Server 8.04 LTS.