Leaderboard

Popular Content

Showing content with the highest reputation on 03/27/21 in all areas

  1. ....and "timeout" is on the stick, in the "syslinux" directory, in the "syslinux.cfg" file...the value set there is in tenths of a second
    4 points
  2. Something else that could be implemented is a "knock knock" principle. On one of my websites I built a firewall that, for example, creates the file /firewall/11.22.33.44.txt when a visitor with the IP 11.22.33.44 requests a file they are not allowed to request. In the .htaccess I then simply check whether the file exists, and a user with the blocked IP is presented with a captcha. The principle could also easily be reversed: all IPs are forbidden except for requests to nextcloud.example.com/secretfilename.php, and when that is requested, the requesting IP ends up in a whitelist. After x days it is automatically deleted again. In addition, secretfilename.php can also send an e-mail, so you know right away when someone has requested the file. If there is interest, I would be happy to write this up as a guide.
    2 points
  3. Hello Unraid Community! It has come to our attention that in recent days, we've seen a significant uptick in the amount of Unraid servers being compromised due to poor security practices. The purpose of this post is to help our community verify their servers are secure and provide helpful best-practices recommendations to ensure your system doesn't become another statistic. Please review the below recommendations on your server(s) to ensure they are safe.

     Set a strong root password

     Similar to many routers, Unraid systems do not have a password set by default. This is to ensure you can quickly and easily access the management console immediately after initial installation. However, this doesn't mean you shouldn't set one. Doing this is simple. Just navigate to the Users tab and click on root. Now set a password. From then on, you will be required to authenticate anytime you attempt to login to the webGui. In addition, there is a plugin available in Community Apps called Dynamix Password Validator. This plugin will provide guidance on how strong of a password you're creating based on complexity rules (how many capital vs. lowercase letters, numbers, symbols, and overall password length are used to judge this). Consider installing this for extra guidance on password strength.

     Review port mappings on your router

     Forwarding ports to your server is required for specific services that you want to be Internet-accessible such as Plex, FTP servers, game servers, VoIP servers, etc. But forwarding the wrong ports can expose your server to significant security risk. Here are just a few ports you should be extra careful with when forwarding:

     - Port 80: Used to access the webGui without SSL (unless you've rebound access to another port on the Management Access settings page). DO NOT forward port 80. Forwarding this port by default will allow you to access the webGui remotely, but without SSL securing the connection, devices in between your browser and the server could "sniff" the packets to see what you're doing. If you want to make the webGui remotely accessible, install the Unraid.net plugin to enable My Servers on your system, which can provide a secure remote access solution that utilizes SSL to ensure your connection is fully encrypted.
     - Port 443: Used to access the webGui with SSL. This is only better than port 80 if you have a root password set. If no root password is set and you forward this port, unauthorized users can connect to your webGui and have full access to your server. In addition, if you forward this port without using the Unraid.net plugin and My Servers, attempts to connect to the webGui through a browser will present a security warning due to the lack of an SSL certificate. Consider making life easier for yourself and utilize Unraid.net with My Servers to enable simple, safe, and secure remote access to your Unraid systems. NOTE: When setting up Remote Access in My Servers, we highly recommend you choose a random port over 1000 rather than using the default of 443.
     - Port 445: Used for SMB (shares). If you forward this port to your server, any public shares can be connected to by any user over the internet. Generally speaking, it is never advisable to expose SMB shares directly over the internet. If you need the ability to access your shares remotely, we suggest utilizing a WireGuard VPN to create a secure tunnel between your device and the server. In addition, if the flash device itself is exported using SMB and this port is forwarded, its contents can easily be deleted and your paid key could easily be stolen. Just don't do this.
     - Port 111/2049: Used for NFS (shares). While NFS is disabled by default, if you are making use of this protocol, just make sure you aren't forwarding these ports through your router. Similar to SMB, just utilize WireGuard to create a secure tunnel from any remote devices that need to connect to the server over NFS.
     - Port 22/23: Used by Telnet and SSH for console access. Especially dangerous for users that don't have a root password set. Similar to SMB, we don't recommend forwarding these ports at all, but rather, suggest users leverage a WireGuard VPN connection for the purposes of connecting using either of these protocols.
     - Ports in the 57xx range: These ports are generally used by VMs for VNC access. While you can forward these ports to enable VNC access remotely for your VMs, the better and easier way to do this is through installing the Unraid.net plugin and enabling My Servers. This ensures that those connections are secure via SSL and does not require individual ports to be forwarded for each VM.

     Generally speaking, you really shouldn't need to forward many ports to your server. If you see a forwarding rule you don't understand, consider removing it, see if anyone complains, and if so, you can always put it back.

     Never ever ever put your server in the DMZ

     No matter how locked down you think you have your server, it is never advisable to place it in the DMZ on your network. By doing so, you are essentially forwarding every port on your public IP address to your server directly, allowing all locally accessible services to be remotely accessible as well. Regardless of how "locked down" you think you actually have the server, placing it in the DMZ exposes it to unnecessary risks. Never ever do this.

     Consider setting shares to private with users and passwords

     The convenience of password-less share access is pretty great. We know that and it's why we don't require you to set passwords for your shares. However, there is a security risk posed to your data when you do this, even if you don't forward any ports to your server and have a strong root password. If another device on your network such as a PC, Mac, phone, tablet, IoT device, etc. were to have its security breached, it could be used to make a local connection to your server's shares. By default, shares are set to be publicly readable/writeable, which means those rogue devices can be used to steal, delete, or encrypt the data within them. In addition, malicious users could also use this method to put data on your server that you don't want. It is for these reasons that if you are going to create public shares, we highly recommend setting access to read-only. Only authorized users with a strong password should be able to write data to your shares.

     Don't expose the Flash share, and if you do, make it private

     The flash device itself can be exposed over SMB. This is convenient if you need to make advanced changes to your system such as modifying the go file in the config directory. However, the flash device itself contains the files needed to boot Unraid as well as your configuration data (disk assignments, shares, etc). Exposing this share publicly can be extremely dangerous, so we advise against doing so unless you absolutely have to, and when you do, it is advised to do so privately, requiring a username and password to see and modify the contents.

     Keep your server up-to-date

     Regardless of what other measures you take, keeping your server current with the latest release(s) is vital to ensuring security. There are constant security notices (CVEs) published for the various components used in Unraid OS. We here at Lime Technology do our best to ensure all vulnerabilities are addressed in a timely manner with software updates. However, these updates are useless to you if you don't apply them in a timely manner as well. Keeping your OS up-to-date is easy. Just navigate to Tools > Update OS to check for and apply any updates. You can configure notifications to prompt you when a new update is available from the Settings > Notifications page.

     More Best Practices Recommendations

     - Set up and use WireGuard, OpenVPN or nginxProxyManager for secure remote access to your Shares. For WireGuard set up, see this handy getting started guide.
     - Set up 2FA on your Unraid Forum Account.
     - Set up a Remote Syslog Server.
     - Install the Fix Common Problems plugin. Installing this plugin will alert you to multiple failed login attempts and much, much more.
     - Change your modem password to something other than the default.
     - Consider installing ClamAV.

     In addition to all of the above recommendations, we've asked SpaceInvaderOne to work up a video with even more detailed best-practices related to Unraid security. We'll post a link as soon as the video is up to check out what other things you can do to improve your system security.

     It is of vital importance that all users review these recommendations on their systems as soon as possible to ensure that you are doing all that is necessary to protect your data. We at Lime Technology are committed to keeping Unraid a safe and secure platform for all of your personal digital content, but we can only go so far in this effort. It is ultimately up to you the user to ensure your network and the devices on it are adhering to security best-practices.
    1 point
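  4. Configuration: i3-10100 + B460M AORUS PRO + i350 T4, Unraid version 6.9. With PCIe ACS override set to downstream, the four network ports of the i350 are still in the same IOMMU group and cannot be assigned to multiple virtual machines. The latest version of the IOMMU grouping patch by 蓝冰血魄 has not been released yet, so it is unclear whether applying the patch would help. The patch for versions 6.8.1/2 works; since the problem can be solved at the software level, could the official release solve it directly? Are there any other solutions? ------------------------------------------------------ Addendum: on 6.9.1, using 蓝冰血魄's "unRAIDServer-6.9.1-iommu分组" patch, the four ports of an i350 in a slot that is not wired directly to the CPU can be split into separate groups.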
    1 point
  5. "Zabbix is the ultimate enterprise-level software designed for real-time monitoring of millions of metrics collected from tens of thousands of servers, virtual machines and network devices. Zabbix is Open Source and comes at no cost." (https://www.zabbix.com) I'm using Zabbix to monitor my machines and VMs and stuff. I also wanted to monitor my UnRAID server using it. To do this, you need to have the zabbix_agent installed and running. To do this, I've written a plugin. It includes the zabbix_agent (statically linked binary directly from https://www.zabbix.com/download_agents), the stuff needed to have it run on boot as well as a few scripts to get information from UnRAID. I'm using the plugin myself and have installed, updated and uninstalled it lots of times and everything seems to work just fine. But since this is my first plugin, I'd be happy to have one or two other users who know what they're doing and risking have a look at it first. Please only continue on if you know what you're doing! The source code and stuff can be found at https://git.schle.nz/fabian/unraid-zabbix_agent. The Plugin file for installation in UnRAID is https://git.schle.nz/fabian/unraid-zabbix_agent/raw/branch/main/zabbix_agent.plg For easy integration into your Zabbix service, a template file is available at https://git.schle.nz/fabian/unraid-zabbix_agent/raw/branch/main/zabbix_template.xml Thanks. ;-)
    1 point
  6. Hello Unraid Community! Today we're excited to give you a sneak peek at something we've been working on for quite some time. A new feature we like to call My Servers. "My Servers" is designed to extend the value of your investment in Unraid by enabling you to more easily connect, share, monitor, and access your systems. For the initial beta launch, we are focusing on the following key features:

     - Secure Remote Access: Whether you need to add a share, container, or virtual machine, do it all from the webGui from anywhere and at any time using HTTPS. Best of all, all SSL certificates are verified by Let's Encrypt, so no browser security warnings.
     - Online Flash Backup: When your Unraid configuration changes, the new settings on the flash drive will automatically be backed up to Unraid.net, enabling easy recovery in the event of a device failure. Never self-manage/host your flash backups again!
     - Real-time Monitoring: Get quick real-time info on the status of your servers such as storage, container, and VM usage. And not just for one server, but all the servers in your Unraid fleet!
     - License Management: Download any registration key linked to your account. Upgrade keys to higher editions. In addition, Trial keys are now downloaded automatically. Simply sign-in!

     Installing: For the full details on how to install and configure, check out the wiki.
    1 point
  7. Do you have HW passed through to a VM? A graphics card, for example? It is quite possible that the ID attributed on your previous system now corresponds to another HW element, maybe your NIC. If so, ensure that VMs are not starting automatically, unbind the component(s) and restart Unraid.
    1 point
  8. Maybe hold down the down arrow key the whole time? Then the timer gets deactivated, doesn't it?
    1 point
  9. Let's put it this way: I have basic hardware and network knowledge, but that's not how I earn my living, just a hobby. Once again I imagined it to be simpler than it is. I'll try the thing with the TP-Link out of interest, but changing the hardware now just for bonding - rather not. Then I'd rather get a 10Gbit NIC with an SFP+ slot and a DAC cable, and different disks than the WD Reds, which seem to be causing trouble for me. I thought I was overlooking something here; some people do this e.g. with Synology and Unifi hardware - but there the network setup looks different. It isn't vital so far. Let's see what the urge to explore brings to light. In future I'll stick with the Unifi APs, which work very well here, and for switching I'll move to something else when things fail.
    1 point
  10. Oh, wow. That just goes to show how much of a newb I am. lol I had no idea I could run the video for Unraid on the same GPU as my transcoding GPU. GT710 has been removed. Unraid video out and Plex transcoding confirmed working on just the P2200. Will report back in a few days if it hasn't happened by then.
    1 point
  11. ...that's not down to the unRaid version. Bond and bridge on eth0 is correct, eth0+eth1 in the bond....mode 802.3ad....then all links should come up, in the switch too. Whether you can then transport more than 1Gbps over the bond depends on the algorithm in the bond. In my attempt above with iperf3, the bond in the switch is set to "Layer2+3"...otherwise only one link is ever used per client MAC. As it looks, you can't set that in the unifi though...for the TP-Link I can't say....but I suspect not that granular either. In the Mikrotik (CRS switch with RouterOS) there are the variants "Layer2, Layer2+3 or Layer3+4" in 802.3ad...RouterOS does have a "real" Linux kernel inside. A CSS switch from Mikrotik only has "passive, active or static"....I haven't tried LACP/LAG/bond with those yet either.
    1 point
  12. Can you try to pull the GT710 from the server if you only use it for video output? Because you can actually use the P2000 for video out and Plex at the same time and it will also save power. I can't imagine that's the problem but you can at least try it. Please report back.
    1 point
  13. Thank you so much. The log stopped generating that warning after applying the script. Really appreciate your help.
    1 point
  14. Geyser and Floodgate plugins require forwarding 19132 both UDP and TCP since Bedrock uses both (at least it seemed to for me...no mention of it on the FAQ page for GeyserMC). Also, if you use dynamic dns service like duckdns for your address, sometimes these don't work. I had mine initially reject connection but after a few minutes it started working.
    1 point
  15. You didn't do anything wrong; could it be that your monitor is perhaps too slow? I.e. when it changes the refresh rate from the BIOS screen? The timeout is set to 5 sec by default. But you can also, when you're on the Main tab in Unraid, click the blue text at Flash, and if you scroll down a bit you can use the radio buttons to choose how you want to boot Unraid and then save with Apply at the very bottom. After that a restart and you should be in the desired mode.
    1 point
  16. No Nvidia, only Intel iGPU: https://wiki.archlinux.org/index.php/Intel_GVT-g Nvidia is tied to licences that currently apparently only Red Hat etc. hold. Not possible with Unraid. That's why I hoped it might work with AMD.
    1 point
  17. So the original Ultrastar is definitely worth it as parity: Elements after approx. 15 hours: Ultrastar after approx. 15 hours: And that, mind you, despite the SMART check trick, which makes the Elements faster.
    1 point
  18. You need to replace X with correct letter, and since it's an NVMe device it would be: btrfs check /dev/nvme1n1p1
    1 point
  19. You have to replace 'X' with the correct letter for the drive as shown in the unRAID GUI.
    1 point
  20. UDMA CRC errors are errors caused by the physical connection, i.e. cable, socket, etc. The counter is never reset, though. So keep an eye on whether the errors increase. If so, swap the cable and/or port and then observe again.
    1 point
  21. Thanks. I didn't know that one yet. A green A+ like that is fairly reassuring after all.
    1 point
  22. He loads the drivers so that the card's power consumption goes down, as far as I know, and I guess he will specifically enable persistence mode in Unraid, right (sorry, I haven't watched the video, a bit short on time at the moment, family comes first)? EDIT: But as soon as he switches on the VM, the GPU is gone from Unraid. Currently only possible with my GVT-g plugin (not released yet and still a little buggy - don't get me wrong, it is fully functional, only the vGPU has to be removed and added again) and on the Intel platform, but it works.
    1 point
  23. Hey team, I'm getting ready to push another lot of changes to the staging branch. I have been busy developing a new plugin system for Unmanic over the past 2 weeks. I chose not to merge the current staging changes into the master branch as some additional issues were identified with conversion tasks and cache files not being deleted. I am hoping that the changes that I push to the staging branch tonight fix those. But as always, if you update tomorrow and are still having issues, let me know and I will dive deeper. I have begun writing some documentation on using Unmanic. You can find this here: https://docs.unmanic.app/ I want to give a shout out to @Cpt. Chaz as he has been putting some decent effort into making great video guides on setting up Unraid and he has made some great ones on Unmanic to date. He has provided me with some sweet updated graphics for Unmanic logos and he is taking it upon himself to create some more in-depth guides on using the application. Check out his first Unmanic video tutorial here: With more to follow. Cheers guys.
    1 point
  24. Logs are spammed with these:

          Mar 26 08:19:40 Bender kernel: DMAR: [DMA Read] Request device [00:02.0] PASID ffffffff fault addr 0 [fault reason 06] PTE Read access is not set
          Mar 26 08:19:40 Bender kernel: DMAR: DRHD: handling fault status reg 2
          Mar 26 08:19:40 Bender kernel: DMAR: [DMA Read] Request device [00:02.0] PASID ffffffff fault addr 0 [fault reason 06] PTE Read access is not set
          Mar 26 08:19:40 Bender kernel: DMAR: DRHD: handling fault status reg 2
          Mar 26 08:19:40 Bender kernel: DMAR: [DMA Read] Request device [00:02.0] PASID ffffffff fault addr 0 [fault reason 06] PTE Read access is not set
          Mar 26 08:19:40 Bender kernel: DMAR: DRHD: handling fault status reg 2

      Can't see anything else, please reboot and post new diags after array start.
    1 point
  25. Glad to see you had success with that and I'm (even more) glad you referenced that comment, just keep in mind there's a less extreme approach with much less risk if you just want to delete the dangling images:

          docker image prune

      Will just delete the dangling images, and

          docker image prune -a

      Will delete all dangling and currently unused images.

      vs.

          $ docker system prune --all --volumes
          WARNING! This will remove:
            - all stopped containers
            - all networks not used by at least one container
            - all volumes not used by at least one container
            - all images without at least one container associated to them
            - all build cache

      You could even safely set docker image prune as a User Script to run daily/weekly if it's a really regular issue for you.

          #!/bin/bash
          # Clear all dangling images
          # https://docs.docker.com/engine/reference/commandline/image_prune/
          echo "About to forcefully remove the following dangling images:"
          # --filter is required; a bare "dangling=true" is parsed as a repository name
          docker image ls --filter dangling=true
          echo ""
          echo "(don't!) blame lnxd if something goes wrong"
          echo ""
          docker image prune -f
          # Uncomment to also delete unused images
          #docker image prune -f -a
          echo "Done!"
    1 point
  26. This worked perfect. Up and running and configuring. Thank you.
    1 point
  27. Thanks for your reply. Only step 3 worked. Tried a different browser (chrome and firefox) and clearing cache, no luck. Any other ideas?
    1 point
  28. Thanks for the tip, I'll take a look at it when I get the chance. Apart from that, I wanted to thank everyone again who diligently helped with advice and support. Unfortunately something important came up during the last two weeks. As an update / conclusion: by now, what should be running is running:

      - pihole + unbound
      - plex (works, even though I haven't really used it yet -> that's also why no plex pass yet, not a high priority at the moment)
      - nextcloud + reverse proxy (very happy with it)
      - ts3 (better to have it than to need it)

      The performance is worlds better than with the old one before, so I can't complain. Next week I still have to take care of the new switch so that I can actually make use of the 10 Gbps cards + SSDs. For everyone who is still undecided and stumbles across this post, a short list of the installed parts:

      - 16GB Sandisk Cruzer Fit USB2.0
      - Intel Core i3 9100
      - Gigabyte C246-WU4 (the C246M was not available when I ordered)
      - Kingston Server Premier DDR4 DIMM
      - Seagate Ironwolf Pro HDDs
      - Samsung 980 Pro M.2 SSDs
      - Asus XG-C100C 10G network card
      - SilverStone SST-FS303B hot-swap cage (I could actually have taken the 5x 3.5" in 3x 5.25" slots one. You're always wiser afterwards)

      I deliberately also put Nextcloud on its own Prefer-Cache share, since I have set up accounts for the family and this way the HDDs can sleep almost constantly. I'll probably swap the case fans at some point - but even with the current ones everything draws approx. 30-32 watts in normal operation. Since the SSDs arrived a bit later and neither Nextcloud nor Plex was running, consumption was still at approx. 27 watts. As soon as I use an array share, of course, consumption goes up a bit, by just under 4 watts per disk. That doesn't happen often though. So far I'm definitely satisfied. My mental to-dos are still snapshots and possibly, in combination with Nextcloud, virus scanner / ClamAV. We'll see.
    1 point
  29. A few suggestions if I may, from my experiences in the Cloud Infrastructure World;

      First, Reviewing Docker Folder Mappings (and to some extent VM Shares). Do all your Docker Containers need read and write access to non appdata folders? If it does, is the scope of the directories restricted to what is needed, or have you given it full read/write to /mnt/user or /mnt/user0 ? For example I need Sonarr and Radarr to have write access to my TV and Movie Share, so they are restricted to just that, they don't need access to my Personal Photos, or Documents etc. Whereas for Plex, since I don't use the Media Deletion Feature, I don't need Plex to do anything to those Folders, just read the content. So it has Read Only Permissions in the Docker Config. Additionally, I only have a few containers that need read/write access to the whole server (/mnt/user) and so these are configured to do so, but since they are more "Administration" containers, I keep them off until I need them, most start up in less than 30 seconds. That way, if for whatever reason a container was compromised, the risk is reduced in most cases. Shares on my VMs are kept to only the required directories and mounted as Read Only in the VM.

      For Docker Containers that use VNC or VMs, set a secure password for the VNC component too, to prevent something on the Network from using it without access (great if you don't have VLANs etc).

      This may be "overkill" for some users, but have a look at the Nessus or OpenVAS Containers, and run regular Vulnerability Scans against your Devices / Local Network. I use the Nessus one and (IMO) it's the easier of the two to setup, the Essentials (Free) version is limited to 15 IPs, so I scan my unRAID Server, VMs, and a couple of other physical devices and it has SMTP configured so once a week sends me an email with a summary of any issues found, they are categorized by importance as well.

      I don't think many people do this, but don't use the GUI mode of unRAID as a day to day browser, outside of Setup and Troubleshooting (IMO) it should not be used. Firefox releases updates quite frequently and sometimes they are for CVEs that depending on what sites you visit *could* leave you unprotected.

      On the "Keeping your Server Up-to-Date" part, while updating the unRAID OS is important, don't forget to update your Docker Containers and Plugins, I use the CA Auto Update for them, and set them to update daily, overnight. Some of the Apps could be patched for Security Issues, and so keeping them up-to-date is quite useful. Also, one that I often find myself forgetting is the NerdPack Components, I have a few bits installed (Python3, iotop, etc), AFAIK these need to be updated manually. Keeping these Up-to-Date as well is important, as these are more likely to have Security Issues that could be exploited, depending on what you run.

      Also on the Updates, note, if you have VMs and they are running 24/7 keep these up-to-date too and try and get them as Hardened as possible, these can often be used as a way into your server/network. For Linux Debian/Ubuntu Servers, you can look at Unattended Upgrades, similar alternatives are available for other Distros. For Windows you can configure Updates to Install Automatically and Reboot as needed. Hardening the OS as well is something I would also recommend, for most common Linux Distros and Windows, there are lots of useful guides online, DigitalOcean is a great source for Linux stuff I have found.

      If something is not available as a Docker Container or Plugin, don't try and run it directly on the unRAID Server OS itself (unless it's for something physical, e.g. Drivers, or Sensors etc), use a VM (with a Hardened Configuration), keeping only the bare minimum running directly on unRAID helps to reduce your attack surface.

      Also, while strictly not part of Security, but it goes Hand in Hand, make sure you have a good Backup Strategy and that all your (important/essential) Data is backed up, sometimes stuff happens and no matter how much you try, new exploits come out, or things get missed and the worst can happen. Having a good backup strategy can help you recover from that, the 321 Backup method is the most common one I see used.

      If something does happen and you need to restore, where possible, before you start the restore, try and identify what happened, once you have identified the issue, if needed you can restore from Backups to a point in time, where there was no (known) issue, and start from there, making sure you fix whatever the issue was first in your restored server. I have seen a few cases (at work) where people's Servers have been compromised (typically with Ransomware), they restore from backups, but don't fix the issue (typically a Weak Password for an Admin account, and RDP exposed to the Internet) and within a few hours of restoring, they are compromised again.

      Other ideas about using SSH Keys, Disabling Telnet/FTP etc, are all good ones, and definitely something to do, and something I would love to see done by default in future releases.

      EDIT: One other thing I forgot to mention was, setup Notifications for your unRAID server, not all of them will be for Security, but some of the apps like the Fix Common Problems, can alert you for security related issues and you can get notified of potential issues quicker than it may take you to find/discover them yourself.
    1 point
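
The folder-mapping review suggested in post 29, as an added example that is not part of the original post or of Unraid: it reads `docker inspect` JSON and lists bind mounts that expose the whole array or give write access outside appdata. The appdata roots, the severity labels and the sample containers are assumptions made for illustration.

```python
"""Audit Docker bind mounts for over-broad host access (added example)."""
import json
import posixpath
import sys

# Host paths that expose the whole array when mapped into a container.
# /mnt/user and /mnt/user0 are the paths named in the post.
BROAD_ROOTS = {"/", "/mnt", "/mnt/user", "/mnt/user0"}
# Assumption: per-container appdata lives under one of these roots.
APPDATA_ROOTS = ("/mnt/user/appdata", "/mnt/cache/appdata")
# Hypothetical labels; lower number = review first.
SEVERITY = {"broad-rw": 0, "share-rw": 1, "broad-ro": 2}

# Constructed sample shaped like `docker inspect` output (only the fields used).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/plex", "Mounts": [
    {"Type": "bind", "Source": "/mnt/user/appdata/plex", "Destination": "/config", "RW": true},
    {"Type": "bind", "Source": "/mnt/user/Movies", "Destination": "/movies", "RW": false}]},
  {"Name": "/sonarr", "Mounts": [
    {"Type": "bind", "Source": "/mnt/user/appdata/sonarr", "Destination": "/config", "RW": true},
    {"Type": "bind", "Source": "/mnt/user/TV", "Destination": "/tv", "RW": true}]},
  {"Name": "/filebrowser", "Mounts": [
    {"Type": "bind", "Source": "/mnt/user", "Destination": "/srv", "RW": true}]},
  {"Name": "/backup", "Mounts": [
    {"Type": "bind", "Source": "/mnt/user0/", "Destination": "/source", "RW": false}]}
]
""")


def _is_under(path, root):
    """True if path is root itself or lies below it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def classify_mount(mount):
    """Return (kind, normalized_source) for a bind mount, None otherwise."""
    if mount.get("Type") != "bind":
        return None  # named volumes do not map a host share
    # normpath strips trailing slashes and resolves ".." so that
    # "/mnt/user/appdata/.." is recognised as "/mnt/user".
    src = posixpath.normpath(mount.get("Source", ""))
    rw = bool(mount.get("RW", True))  # a missing flag is treated as writable
    if src in BROAD_ROOTS:
        return ("broad-rw" if rw else "broad-ro", src)
    if any(_is_under(src, root) for root in APPDATA_ROOTS):
        return ("appdata", src)
    return ("share-rw" if rw else "share-ro", src)


def audit(containers):
    """List (container, kind, source) for mounts worth reviewing, worst first."""
    findings = []
    for container in containers:
        name = container.get("Name", "?").lstrip("/")
        for mount in container.get("Mounts") or []:
            result = classify_mount(mount)
            if result and result[0] in SEVERITY:
                findings.append((name, result[0], result[1]))
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], f[0]))


if __name__ == "__main__":
    # Real data: docker inspect $(docker ps -aq) > inspect.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_INSPECT
    for name, kind, source in audit(data):
        print(f"{kind:9} {name:12} {source}")
```

A `share-rw` finding is a prompt to confirm that the container really needs write access to that share, not a fault in itself.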
  30. I apparently forgot to respond. Thanks JorgeB. I deleted the duplicate file and everything is fine.
    1 point
  31. Hey WireGuard users! Big thanks to @bonienl, yesterday we released a huge update to the WireGuard plugin designed to detect and prevent as many configuration problems as we could. If you are having any problems, please update the plugin, then make a small change to your tunnel and hit Apply, this will trigger all of the new validation rules. Some issues have to be fixed before the changes will save, for others you'll want to enable Advanced mode and read the helpful remarks in the right column. Also, if you are having trouble accessing dockers with custom IPs or other devices on your network, be sure to revisit the quickstart guide: https://forums.unraid.net/topic/84226-wireguard-quickstart/ The section on complex networks was completely rewritten to describe how certain settings conflict with each other.

      2021.03.25b

      This version resolves
      - the tunnel not restarting if changes were saved while connected through the tunnel
      - incorrect AllowedIPs setting for some peer configs
      - iptables not being updated after a reboot

      This version adds
      - many safety guards to prevent invalid configurations
      - validation that the local endpoint url actually resolves to the external WAN IP
      - notification on specifically which peer configs were modified when changes were saved, so the user knows to update those clients
    1 point
  32. So, I don't want to leave this whole thing here unfinished. I wrote to Gigabyte, and after I tried to explain life to the support and wrote an error description for dummies with several follow-up questions, there is now a final result! Support acknowledges that there is an error and it will of course be fixed. The "BIOS team" immediately informed the "manual team" so that the manual gets changed. HOORAY, problem solved. What the sharing of PCIe1 with PCIe4 from X16 / X0 to X8 / X8 still has to do with PCIe bifurcation support is unfortunately beyond my simple mind. Even though this function is expressly advertised. I AM TOTALLY PISSED OFF 🤬 The Gigabyte C246M WU4 is without question a good MB, BUT there is no bifurcation support! Regards, Torsten
    1 point
  33. Although MM/Saturn now apparently is turning the tables and has been following suit itself for the past few days/weeks. Can only be in the customers' interest
    1 point
  34. Plus a VPN solution, like WireGuard, has built-in protection to keep intruders out. Though nothing is perfect, at least it is a whole lot harder than a password only defense.
    1 point
  35. In addition to the points mentioned before, I would also recommend the following:
      - Run the Nextcloud scan regularly: https://scan.nextcloud.com/
      - Fix errors/warnings in the Nextcloud admin overview
      - Perform updates regularly
    1 point
  36. I completely understand! Having said that, unless Unraid decides to punt out a new version soon that happens to include the very latest runc (I will be in contact with Tom and jonp regarding this), the above fix will be required for any future images I produce, which is not great, I know.
    1 point
  37. The only way to reach content remotely on my server is via the Emby docker. I set it up using Cloudflare as a go to as in the guide below: https://blog.awelswynol.co.uk/2018-01-setting-up-cloudflare-with-emby/ Is this a good setup security-wise? I have a password for my Emby admin login, and will update it to make it stronger as well.
    1 point
  38. I am having issues with the latest Docker image and I cannot access the application. If I look in the log file located at '/config/supervisord.log', I see the following message:
      '/usr/lib/jvm/java-8-openjdk/jre' is not a valid Java environment path
      Q. What does it mean and how can I fix it?
      A. See Q10 from the following link for the solution: https://github.com/binhex/documentation/blob/master/docker/faq/general.md
      EDIT - unRAID 6.9.2 has just been released. This includes the latest version of Docker, which in turn includes the latest version of runc, so if you are seeing the message above, the simplest solution is to upgrade to v6.9.2.
    1 point
  39. Why haven't you moved yet to hosting Docker in a folder on ZFS instead of hosting a Docker image on top of ZFS? I moved to it last week and it works fine, and I don't have to worry about a docker.img file anymore. It's also more transparent, as you can just browse the content of all images, etc.
    1 point
  40. While we're on the subject: https://www.mydealz.de/deals/western-digital-wd-black-sn750-1tb-high-performance-nvme-interne-ssd-3470mbs-3d-nand-tlc-m2-pcie-30-x4-1774711
    1 point
  41. Eco Mode is in Advanced / Overclocking Settings. You can configure the TDP etc. manually or just enable the Eco Mode, which is a good compromise between performance and wattage, I think. How did you configure your memory, or rather, which setting did you change to reach 3200 MHz? I also noticed there is no USB 2.0 port; however, a USB 2.0 stick as boot media works well. Don't use a USB 3.0 stick. That's gonna fail 99% after a few days. I experienced that a few times at the beginning and you don't need to go through that.
    1 point
  42. When is there going to be an automatic procedure for this? Like a "prepare drive for removal" button, a "prepare drive for decommissioning" button and then also a "securely erase decommissioned drive" button. Is there a feature request that is already being worked on? At this point it could alert you that you have useful data on the "decommissioning" drive and do this for you... (and by doing this for you, I mean moving the data to free space on the array for you, maintaining data safety)
    1 point
  43. Update: I re-installed the mariadb docker without a password and then I managed to log in with the root account (no password), then manually changed the password:
      mysql -u root -p
      mysql> use mysql;
      mysql> update user set password=PASSWORD("NEWPASSWORD") where User='root';
      mysql> flush privileges;
      mysql> quit
      and I managed to log in again with the new password (both from the docker instance and remotely from my Windows machine). Then I restarted the mariadb docker, and now I can see it cannot start properly and is in an endless loop:
      [cont-init.d] 10-adduser: executing...
      usermod: no changes
      -------------------------------------
      _ _ _ | |___| (_) ___ | / __| | |/ _ \ | \__ \ | | (_) | |_|___/ |_|\___/ |_|
      Brought to you by linuxserver.io
      We gratefully accept donations at:
      https://www.linuxserver.io/donations/
      -------------------------------------
      GID/UID
      -------------------------------------
      User uid: 99
      User gid: 100
      -------------------------------------
      [cont-init.d] 10-adduser: exited 0.
      [cont-init.d] 30_config: executing...
      [cont-init.d] 30_config: exited 0.
      [cont-init.d] 40-initialise-db: executing...
      [cont-init.d] 40-initialise-db: exited 0.
      [cont-init.d] done.
      [services.d] starting services
      [services.d] done.
      170906 08:38:30 mysqld_safe Logging to syslog.
      170906 08:38:30 mysqld_safe Starting mysqld daemon with databases from /config/databases
      170906 08:38:34 mysqld_safe Logging to syslog.
      170906 08:38:34 mysqld_safe Starting mysqld daemon with databases from /config/databases
      170906 08:38:37 mysqld_safe Logging to syslog.
      170906 08:38:37 mysqld_safe Starting mysqld daemon with databases from /config/databases
      170906 08:38:40 mysqld_safe Logging to syslog.
      170906 08:38:40 mysqld_safe Starting mysqld daemon with databases from /config/databases
      170906 08:38:44 mysqld_safe Logging to syslog.
      170906 08:38:44 mysqld_safe Starting mysqld daemon with databases from /config/databases
      170906 08:38:47 mysqld_safe Logging to syslog.
      170906 08:38:47 mysqld_safe Starting mysqld daemon with databases from /config/databases
      170906 08:38:50 mysqld_safe Logging to syslog.
      Also not from the docker instance itself:
      root@2262d249c970:/# mysql -u root -p
      Enter password:
      ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock'
    1 point
  44. Run from a shell (SSH, etc): virsh undefine --nvram "name of VM"
    1 point