• Posts

  • Joined

  • Last visited

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

SpuddyUK's Achievements


Newbie (1/14)



  1. Seems to be fine now. Thanks for resolving.
  2. Same issue here. @bonienl
  3. Well I run mover, they move to array. Then it happens again, not sure what to do to test further?
  4. radarr. But my container config hasn't changed, only thing that has changed is that I added the second cache pool a few weeks ago and changed the share to cache the new pool.
  5. I'm running a LSI 9201 16i without issues here. Not QNAP though. 6.9.1
  6. I'm going to say you probably are forwarding http/https to the unraid host and that you didn't have a root password. I.E anyone on the internet could access your unraid box.
  7. Are you port forwarding anything to the unraid box? Is your root password suitably complex?
  8. Thanks for the considered response and for being open about it. Happy to take anything offline where helpful. Rate-limiting a great tool to employ as part of a wider security hardening toolkit. Unfortunately, with botnets the above will do little to prevent a brute-force of root on a specific server. All those hundreds of thousands if not millions of IoT devices that have been compromised will do their business for them from individual IP addresses. Fail2Ban suffers similarly. This is why layers are so important. Let me be clear, I am a paid customer and enthusiast of unraid. I even quite like the features this offers in principle. However, my fear is that savvy users whom require remote access have already arranged it with something like VPN, WireGuard the like. We might be sweeping the rest along here into remote access with root and "rootpassword". Additionally, I would suggest some security auditing of the code/api if you haven't already done so. Better to pay someone to find potential routes to compromise than being held over a barrel. Bug bounty could be beneficial, free license/$500/xyz for each vulnerability rated x or above. I will keep an eye on this to see how it develops. Thanks for engaging.
  9. Opinions differ but consensus is generally at least 12 characters to include all of the four categories of lower-case, upper-case, number(s) and symbol(s). Of course you can lead a horse to water but not make them drink, so there is a risk of Password01!!, so any logic around preventing those type of passwords would probably be helpful too. There are countless lists online of the 100 most used passwords that you might be able to reference and prevent being used/saved.
  10. As I see it, 2FA is not required if you directly access https://yourhash.unraid.net, only if you login via the forum.
  11. only this time it's being actively endorsed by limetech. Maybe in addition to the 2fa for gui login and fail2ban for x failed login attempts, there might be a requisite for a complex root password to even enable "my servers". p.s I am a cyber security researcher. Hello lovely treasure trove of unraid servers to have a go at. This list is only going to increase as people enable the feature and search engines crawl. https://www.shodan.io/search?query=unraid.net
  12. I think the first is a given, but more emphasis should surely be on 2FA and a fail2ban type solution before advising people to put their servers on the open internet. Just my thoughts, waiting for that first "my server has been hacked" post.
  13. So if someone port scans my WAN IP, see's the open port (not 443 btw) and hits it over and over again attempting brute force on root, what's in place to protect my server from this attack? I fear this feature is born out of convenience and that security is going to be an afterthought with potential consequential results.