Everything posted by jameson_uk

  1. Are you asking whether it is more secure to expose your docker containers to the internet or use a reverse proxy in a VM? There isn't really a simple answer as it comes down to how secure your containers are and how things are configured. With a lot of containers not being configured for TLS, opening unnecessary ports and potentially running older web servers with unpatched vulnerabilities, I have my services set up via a proxy server (which is actually running as a docker container itself rather than a VM). The flip side of this is that there is a single point of access, so if a vulnerability was found and exploited the hackers would most likely have access to whatever is behind the proxy; that said, it is probably more likely that the proxy will get patched regularly.

     I have my proxy server and the containers it sits in front of inside their own docker network. This in theory means that any exploit would be limited to only those services rather than exposing the whole of my network and other sensitive data / devices.

     It is all about risk. The safest / most secure way of doing things is not to connect anything to the internet, but that isn't exactly helpful. I would always assume being hacked is a possibility (even though you should follow best practice and do things like regularly patch, don't reuse passwords, turn off things that aren't used....) and then consider what happens if you did get hacked.
  2. So when you run netstat -nplt what does it say for port 22? Before I added ListenAddress x.x.x.x to /boot/config/ssh/sshd_config there was no listen address specified so it was listening on (ie. all interfaces). As for nginx the same goes, I see

        tcp   0   0 x.x.x.x:80*   LISTEN   9182/nginx: master
        tcp6  0   0 :::80   :::*   LISTEN   9182/nginx: master

     So whilst it is bound correctly for ipv4 it is still bound to all interfaces for ipv6. I must admit there is one subtlety I have overlooked in my config in that my second NIC is actually a virtual interface so is eth0.10, but regardless of that netstat was clearly showing sshd listening on so I don't see why this wouldn't have worked from a second NIC.
  3. In the vain hope that someone might actually look into these issues.... So doing some digging I noticed that BIND_MGT does work for ipv4, but I can see that nginx is listening on ports 80/443 on all ipv6 interfaces. So the setting only appears to be working for ipv4.
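The two posts above describe the check by hand: run netstat and look for services bound to every interface, and notice that the IPv6 socket (:::80) can still be wildcard even when the IPv4 one is pinned to a single address. The script below automates that check. It is an added example and not part of the original thread or of Unraid; the netstat output it parses is constructed for the example (the PIDs and addresses are made up), and on a real box you would pipe in `netstat -nplt` instead.

```bash
#!/bin/sh
# Added example: list LISTEN sockets bound to all interfaces (0.0.0.0 or ::).
# The sample below is constructed to look like `netstat -nplt` output; it is
# not captured from any real system. Note the nginx case from the posts: the
# IPv4 socket is pinned to one address but the IPv6 socket is still a wildcard.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN      9182/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      9182/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      555/rpcbind
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      777/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      777/cupsd'

# wildcard_listeners: read `netstat -nplt` output on stdin and print one line
# "proto port program" for every LISTEN socket whose local address is the
# IPv4 (0.0.0.0) or IPv6 (::) wildcard. Loopback and pinned addresses are skipped.
wildcard_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        # The port is everything after the last colon; IPv6 addresses contain
        # colons themselves, so split on ":" and take the final field.
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::") {
            # Program names can contain spaces ("nginx: master"), so rejoin
            # every field from the seventh onwards.
            prog = $7
            for (i = 8; i <= NF; i++) prog = prog " " $i
            printf "%s %s %s\n", $1, port, prog
        }
    }'
}

# Usage: on a live system replace the sample with:  netstat -nplt | wildcard_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

On the constructed sample this reports `tcp6 80 9182/nginx: master`, `tcp 22 1234/sshd` and `tcp 111 555/rpcbind`, and nothing for the IPv4 nginx socket or the loopback-only cupsd sockets, which is exactly the distinction the posts are making. Any tcp6 hit for a service you have already pinned on IPv4 means the IPv6 side still needs its own bind setting.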
  4. Bumping this again, and I also noticed that a port was open for rpc.statd. My understanding is that both rpcbind and rpc.statd are only needed if you are using NFS, so I would have thought it would be better to disable both when NFS is disabled.
  5. Seems there are a few changes around access defaults in 6.10 so just bumping this. Particularly with the new cloud functions I would certainly only want to allow SSH on my local network.
  6. OK I have started playing around with this and BIND_MGT="yes" seems to do the trick for the web interface. For Samba I added the following lines to the [global] section in the SMB config via the UI

        bind interfaces only = yes
        interfaces = lo eth0

     and that seems to work. SSH however is still listening on my second IP. I have added a VLAN interface in the network settings and assigned a static IP there. Now the only things I can see running on this VLAN IP are SSH and rpcbind (which is a separate question...) and the Docker mappings I have set up. Is the above incorrect that BIND_MGT does not limit SSH, or is this a bug?
  7. I have in the past had OpenVPN set up to access my LAN remotely and that worked OK, but I have been looking at using WireGuard and I can't quite figure out the best way to set this up. My network is set up across three VLANs with some of the docker containers running on Unraid assigned macvlan addresses on the different VLANs. I want to have some fine-grained control over what can be accessed over the VPN but I am not sure where the routing takes place in this setup. I have tried various settings and I am able to access the Unraid server frontend, but I can't seem to figure out how to access things and lock this down to specific IPs / ports. In reality I mainly want to give access to some servers on VLAN 2, but the Unraid box doesn't actually have an address on this VLAN (the docker containers are running as macvlan as I only have one NIC). It would be nice if I was also able to access some boxes on VLAN 1. Currently this is set up as "Remote Access to LAN" and I have set up a static route for the VPN network to the Unraid server IP, and this gives me access to everything on one VLAN, but I can't seem to get anything else to work. Anyone got anything similar working?
  8. That seems to suggest that deleting users will disable it, but I don't have any FTP users configured and there is definitely a process listening on port 21. I will follow the link about killing it for good tomorrow.
  9. Another check: I noticed that port 111 was open for rpcbind. AIUI this is only necessary if you are using NFS, so if NFS is not enabled should this process be running at all?
  10. I happened to notice that port 21 was open on my Unraid box even though I have never enabled ftp and it was definitely disabled previously. Now I can go in and disable the FTP server, but as soon as I restart the box the ftp server starts again. The only thing I can find in syslog that is ftp related is

        ool www[15093]: /usr/local/emhttp/plugins/dynamix/scripts/ftpusers '0' ''

      which looking at the script suggests that 0 means disable ftp.
  11. This is set up on an Android phone. The wireguard app set up the connection by just scanning the QR code, which is fine, but there is no control over opening the app, and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone). Are there any other Android clients that only open with biometric authentication?
  12. I have disabled NetBIOS in the config and that seems OK, but I notice that Samba is listening on 139. I have added smb ports = 445 into the smb-extras.conf, which does work and stops smbd listening on 139. Should this entry be added when you disable NetBIOS via the GUI?
  13. Is there any way of adding any form of authentication (beyond the shared keys)?
  14. Is there any way to add additional authentication in WireGuard? I have been able to get everything set up but it seems a bit too easy to enable access on my Android phone. I can simply click the shortcut menu item to connect; using OpenVPN I have configured 2FA so someone cannot simply press a button to get full access to my LAN. It would be even better if I could use U2F from my Yubikey devices, but I would take being able to add Google Authenticator as a first step.
  15. Always eth0? What about Samba / Docker? I don't actually have the second NIC yet to test, but I am hoping I would be able to have management and Samba on one NIC and Docker on both.
  16. Just to be clear, you mean exposed in image rather than mapped right?
  17. Is there a proper way of changing the listen address for SSH and the Unraid front end in a way that will stick? It looks like /etc/ssh/sshd_config has ListenAddress commented out so will default to and /etc/nginx/conf.d/emhttp-servers.conf has

        listen *:80 default_server;
        listen [::]:80 default_server;

      Looks like Samba doesn't have anything configured again so I believe it will bind to all interfaces. So as it stands everything is listening on every interface. I can change each of the config files but these won't survive a restart. Is there a way of achieving this?
  18. I had a play around with a few of my containers and see the EXPOSE in the Dockerfile controls which ports show up here. I would have thought it would be far more useful to see what ports are actually in use (I guess the main point of the "show docker allocations" is to avoid conflicts, which would be dependent on showing the ports actually mapped, not the ones advertised, but I can live with that). It is just a bit annoying that you cannot see the IP or ports for these without going into the config. So the WebUI thing (which is nothing to do with Docker) doesn't work on anything other than the default bridge network? I am failing to see why this would be a limitation (from a technical viewpoint) as it is only IP / port, which should still be able to resolve?
  19. It is not a worry, just a slight annoyance. There is now a port exposed as I added this via Unraid, but this is being picked up from the image not Unraid? (Hence it is possible to add ports in Unraid and they won't appear in the GUI?) The bridge isn't an issue (see the top one, that has details). What about the Web UI though? That has to be Unraid specific, and I have updated the template to include a Web UI address but this doesn't appear in the menu for the container.
  20. I am struggling to work out why some info isn't showing up for some of my containers, eg. some containers are not showing any port mappings even though they are in use and working. Eg. looking at this container (I know it is stopped) shows the port mappings, however this container doesn't show anything even though I do have port mappings defined (it is showing the volume mappings though). I have also attempted to add the missing Web UI for this container, but whilst it is showing and included in the user template in /boot/config/plugins/dockerMan/templates-user it doesn't show up as an option. I have recreated the container from the template and restarted docker but this doesn't seem to stick. Neither the port mapping nor the Web UI menu item show up. What do I need to do to get this to work?
  21. My understanding is that I could create a custom docker network (outside of VLAN 1 or 10) and have both containers in this network. Only one would have any ports accessible, but being on the same network it would be able to access the other container. The difference to running this on macvlan is that currently everything on VLAN 10 can see and access this container that I essentially want to hide. Or at least that is what I think I can do.....
  22. I guess the question was whether it is possible to have an IP allocated on VLAN 10 but force the Web UI, Samba, SSH.... to only listen on VLAN 1.
  23. I wanted to run in bridge mode so I can group a couple of containers together on the same network, so I could essentially run one as a child of the other without it being accessible from anywhere else.
  24. No, with no address assigned I cannot access Unraid from VLAN 10, but if I set up a container to run in bridge mode it is only accessible via the Unraid IP on VLAN 1. I want to have docker containers accessible on VLAN 10 (but running in bridge mode) but not Unraid. (I have reworded the original post a little as it didn't quite make sense....)