jameson_uk

Members · 61 posts

  1. Are you asking whether it is more secure to expose your docker containers to the internet or use a reverse proxy in a VM? There isn't really a simple answer as it comes down to how secure your containers are and how things are configured. With a lot of containers not being configured for TLS, opening unnecessary ports and potentially running older web servers with unpatched vulnerabilities, I have my services set up via a proxy server (which is actually running as a docker container itself rather than a VM). The flip side of this is that there is a single point of access, so if a vulnerability was found and exploited the hackers would most likely have access to whatever is behind the proxy; that said, it is probably more likely that the proxy will get patched regularly. I have my proxy server and the containers it sits in front of inside their own docker network. This in theory means that any exploit would be limited to only those services rather than exposing the whole of my network and other sensitive data / devices. It is all about risk. The safest / most secure way of doing things is not to connect anything to the internet, but that isn't exactly helpful. I would always assume being hacked is a possibility (even though you should follow best practice and do things like regularly patch, don't reuse passwords, turn off things that aren't used....) and then consider what happens if you did get hacked.
  2. So when you run netstat -nplt what does it say for port 22? Before I added ListenAddress x.x.x.x to /boot/config/ssh/sshd_config there was no listen address specified, so it was listening on 0.0.0.0:22 (i.e. all interfaces). As for nginx the same goes, I see:

     tcp    0    0 x.x.x.x:80    0.0.0.0:*    LISTEN    9182/nginx: master
     tcp6   0    0 :::80         :::*         LISTEN    9182/nginx: master

     So whilst it is bound correctly for IPv4 it is still bound to all interfaces for IPv6. I must admit there is one subtlety I have overlooked in my config in that my second NIC is actually a virtual interface, so is eth0.10, but regardless of that netstat was clearly showing sshd listening on 0.0.0.0:22, so I don't see why this wouldn't have worked from a second NIC.
  3. In the vain hope that someone might actually look into these issues.... So I did some digging and noticed that BIND_MGT does work for IPv4, but I can see that nginx is listening on ports 80/443 on all IPv6 interfaces. So the setting only appears to be working for IPv4.
  4. Bumping this again, and I also noticed that a port was open for rpc.statd. My understanding is that both rpcbind and rpc.statd are only needed if you are using NFS, so I would have thought it would be better to disable both when NFS is disabled.
  5. Seems there are a few changes around access defaults in 6.10 so just bumping this. Particularly with the new cloud functions I would certainly only want to allow SSH on my local network.
  6. OK, I have started playing around with this and BIND_MGT="yes" seems to do the trick for the web interface. For Samba I added the following lines to the [global] section in the SMB config via the UI:

     bind interfaces only = yes
     interfaces = lo eth0

     and that seems to work. SSH however is still listening on my second IP. I have added a VLAN interface in the network settings and assigned a static IP there. Now the only things I can see running on this VLAN IP are SSH and rpcbind (which is a separate question...) and the Docker mappings I have set up. Is the above incorrect, that BIND_MGT does not limit SSH, or is this a bug?
  7. I have in the past had OpenVPN setup to access my LAN remotely and that worked OK but I have been looking at using WireGuard but I can't quite figure out the best way to set this up. My network is setup across three VLANs with some of the docker containers running on Unraid assigned macvlan addresses on the different VLANs. I want to have some fine grain control over what can be accessed over the VPN but I am not sure where the routing takes place in this setup. I have tried various settings and I am able to access the Unraid server frontend but I can't seem to figure out to access things and lock this down to specific IP / ports. In reality I mainly want to give access to some servers on VLAN 2 but the Unraid box doesn't actually have an address on this VLAN (the docler containers are running as macvlan as I only have one NIC) but it would be nice if I was also able to access some boxes on VLAN 1 Currently this is setup as "Remote Access to LAN" and I have setup a static route for the VPN network to the Unraid server IP and this gives me access to everything on one VLAN but I can't seem to get anything else to work. Anyone got anything similar working?
  8. That seems to suggest that deleting users will disable it but I don't have my FTP users configured but there is definitely a process listening on port 21. I will follow the link about killing it for good tomorrow
  9. Another check that noticed that port 111 was open for rpcbind. AIUI this is only necessary if you are using NFS so if NFS is not enabled should this process be running at all?
  10. I happened to notice that port 21 was open on my Unraid box even though I have never enabled ftp and it was definitely disabled previously. Now I can go in and disable the FTP server but as soon as I restart the box the ftp server starts again. The only thing I can find in syslog that is ftp related is ool www[15093]: /usr/local/emhttp/plugins/dynamix/scripts/ftpusers '0' '' which looking at the script suggests that 0 means disable ftp.
  11. This is setup on an Android phone. The wireguard app setup the connection by just scanning the QR which is fine but there is no control over opening the app and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone). Are there any other Android clients that only open with biometric authentication?
  12. I have disabled NetBIOS in the config and that seems OK but I notice that Samba is listening on 139. I have added smb ports = 445 into the smb-extras.conf which does work and stops smbd listening on 139 Should this entry be added when you disable netbios via the GUI?
  13. Is there anyway of adding any form of authentication (beyond the shared keys)
  14. Is there anyway to add additional authentication in WireGuard? I have been able to get everything setup but it seems a bit too easy to enable access on my Android phone. I can simply click the shortcut menu item to connect, using OpenVPN I am have configured 2FA so someone cannot simply press a button to get full access to my LAN. It would be even better if I could use U2F from my Yubikey devices but I would take being able to add Google Authenticator as a first step