[Wylug-help] Remote access to NAS storage

Jim Jackson jj at franjam.org.uk
Tue Apr 14 18:45:55 UTC 2009




On Tue, 14 Apr 2009, Philip Wyett wrote:

> On Thu, 2009-04-09 at 19:43 +0100, Roger Greenwood wrote:
>> Hi all,
>>
>> I am looking to get a small NAS box (e.g. Netgear RND-2000, £200 with
>> 500GB disk) but I also want to access it remotely (for backup purposes).
>> Obviously this means me playing with router firewall settings, and
>> knowing my IP address. IP is essentially static as it is logged on all
>> the time (ISP Talk Talk, router smartAX 882). If it does change sometime
>> in the future I can live with it.
>>
>> Local network devices are generally allocated a static IP in the range
>> 192.168.x.x  I have read some conflicting advice regarding use of DMZ or
>> not, so am not sure about this. Any other NAS devices people have
>> experience of, or other solutions also of interest.
>>
>> Any advice before I splash the cash, or notes of caution most welcome. I
>> don't like changing firewall settings too much as I tend to break things
>> when I play around!
>>
>> By the way, I should say that network connection and speed has been
>> excellent so far (nearly 2 years now) so I don't want to switch ISPs.
>>
>
> Dump your modem/router for one with dynamic dns support. Sign up for a
> free account with DynDNS or whoever. Configure the router with that
> DynDNS service and have a constant address that your router will update
> and change IP addresses if it changes so you only ever need aim at one
> address. Configure the necessary port forwarding to the new NAS in the
> router and the job's a good one! ;-)

There are security concerns if you open up internal ports to all and sundry 
on the internet - you will be scanned, probed etc.

So make sure you have security updates on your NAS box, or buy a NAS box 
that you can run a known distribution with security upgrades. Many NAS 
boxes can have Debian or Ubuntu installed or specialist distros usually 
derived from Debian (mainly because they are ARM processor based). 
I'd not trust a NAS box without distro security support on the 
internet.

Generally also tighten everything down as much as possible. Only open up exactly 
those ports you must. If you know the IP address(es) of the other end of 
the backups check if you can arrange to only accept traffic to and from 
those addresses. Consider if you can arrange to connect via SSH or a VPN 
and run the backup over that connection.

I run a VIA miniITX box as a home server, mail Web NAS DNS DHCP VPN etc 
etc, and many of the services run on this box are tied down so that only 
certain addresses can connect - the logs of the connection refusals just 
show how much probing/scanning does go on. I run Ubuntu Server 8.04 LTS.
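
Added example, not part of the original message: one way to tie a forwarded port down to known source addresses, as the reply above advises, with refusals logged. It assumes the NAS or server runs Linux with iptables; the function names, port 22 and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Prints an iptables-restore
# ruleset that accepts one TCP port only from the LAN and from named backup
# peers, then logs and drops everything else aimed at that port.

is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.
    set -- $1                                         # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -ge 1 ] && [ "${#octet}" -le 3 ] &&
            [ "$octet" -le 255 ] || return 1
    done
}

gen_rules() {   # usage: gen_rules PORT LAN_CIDR PEER_IP [PEER_IP...]
    [ "$#" -ge 3 ] || { echo "usage: gen_rules PORT LAN_CIDR PEER..." >&2; return 2; }
    port=$1; lan=$2; shift 2
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 2; }
    bits=${lan#*/}
    case $bits in ''|*[!0-9]*) echo "bad LAN CIDR" >&2; return 2 ;; esac
    is_ipv4 "${lan%/*}" && [ "$bits" -le 32 ] || { echo "bad LAN CIDR" >&2; return 2; }
    # Validate every peer before printing anything, so a bad argument can
    # never end up as stray text inside a firewall rule.
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 2; }
    done
    match="-A INPUT -p tcp --dport $port"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' "$match -s $lan -j ACCEPT"
    for peer in "$@"; do
        printf '%s\n' "$match -s $peer -j ACCEPT"
    done
    # Rate-limit the log line so a scan cannot flood syslog.
    printf '%s\n' "$match -m limit --limit 6/min -j LOG --log-prefix \"refused-$port: \"" \
        "$match -j DROP" 'COMMIT'
}

# Constructed sample: SSH on 22, LAN 192.168.0.0/16, two remote backup hosts.
# Check the syntax as root without loading anything:
#   gen_rules 22 192.168.0.0/16 203.0.113.10 198.51.100.7 | iptables-restore --test
```

Loading the output with plain iptables-restore replaces the existing filter table; pass --noflush to append to the rules already in place.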


