Jim Slotz

  1. Hey guys, yesterday I started to get notifications saying the CA wasn't trusted anymore and I could no longer use SSL locally with a self-signed cert. I thought that odd. Went to settings and turned off SSH (don't need it) and SSL/TLS to no. Hit apply. Turned back on and now it's being redirected to XXXXXX.unraid.net. It says it's going to keep the DNS updated and all this stuff.

     I think this is a terrible idea. Maybe I'm totally paranoid / ignorant on how the security works, but creating a dyns type of thing (even if it resolves locally) seems like a risk. In the modern world, everything gets hacked, and say Unraid web servers do. What if a hacker was able to get the logs and then could parse the logs for updated DNS entries that are sent every 10 mins with the IP they came from? They now have a list of targets. The hacker would have a list of "live" targets to hit and make it worth the time spent to portscan each one.

     Many people are using all kinds of plugins and I'm sure not securing it very well. Most people may have opened up ports to gain access to stuff remotely with no idea how to secure or even know how to secure. 6.10, from what I've been told, is geared towards helping users be more secure by enforcing root passwords and such. There is a recent post saying that these servers are being targeted.

     Now, you've just created a dataset / goldmine for hackers. You've made your servers a target for hackers and also possible competitors. They would know how many machines you have in the wild. And you've also put your users at risk if this information were to ever get stolen.

     If I were a hacker, I'd target you guys because if I could get a list this would help me in the following ways.

       1. I've boiled down billions of IPs to mere thousands that I can run a script / attack vectors on targeting a specific vulnerability / software. Even if it's not Unraid. Maybe it's Apache or anything else that's running?
       2. Each of these IPs has a confirmed server within 10 mins, so even if they don't respond, you keep them on a list and keep attacking them.
       3. These servers typically stay up 24x7, so if compromised, I can use them for botting / attacking other targets internal and external.
       4. They run Linux and are great to be able to do whatever they would want. Linux is crazy powerful.
       5. Ransomware attacks data. People who use your software obviously don't want to lose it because of the nature of the software. This implies value to the user, which is a payday for hackers. Many of your users aren't power users and I'm sure haven't put protection / offline backups in their data strategy.
       6. Home routers have flaws / vulnerabilities. Most of the time this doesn't matter because even if they gain access, what can they do with it? Usually there is a Windows machine behind it? Pretty securish? But if I knew there was a nice juicy Linux box that's holding treasure that other people are protecting, this makes it much more valuable. This would give a hacking team motive to spend the extra time to keep digging.

     Here is what I would ask.

       1. Let me use SSL on my LAN with a self-signed cert.
       2. Let me turn off the automatic DNS updates / dial home. Let me do it manually.

     I think, but I'm not sure, that the reason for doing this is to give people a legit signed SSL certificate that browsers would be okay with. It actually seems quite noble. Very clever. But I just want to make sure we are safe is all.

     Most people don't secure the Unraid and probably don't know much about security. The one thing that helps keep them safe is "IP anonymity". If I want to attack Unraid servers, I have to aim blindly in scanning billions of IPs. Even if I hit one, most routers won't respond to the ping, which is another huge security advantage. It takes time to portscan and no response is the same as being offline, so most botnets will only attack live IPs that respond. However, if I had a list of confirmed IPs, both advantages are gone and the drop in the ocean becomes a drop in a pail. Hacker gold.

     I hope I explained this right. I joined the forum just to say this and to thank you guys for all you do!