izarkhin

Never mind! Turns out I needed to open port 80 for the challenge to work. All fine now.

HI guys, My certificate fails to renew. I have a free DuckDNS account that worked just fine before. I verified that the account is valid and has the correct IP address. What could be the problem? The config and the log files are attached. Thanks! [removed].duckdns.org.conf letsencrypt.log

That's exactly why I asked about subdomains I watched it, but he uses his own domain there.

Thanks for the idea! Do you happen to know a good write-up for how to configure it to use with unRAID? Also, do I understand it correctly that CloudFlare doesn't work with duckdns subdomains (i.e. [mysubdomain].duckdns.org)?

Yes, I get that. Going forward I will not forward SSH port and only use SSH over VPN (which I already have set up on my router). I only mentioned Plex as an example. There are other dockers that I share, such as calibre, and I also run a WordPress site, so I will need to forward at least port 443. I guess my real question was: "Short of fully locking my server down behind VPN, what is the most secure way for allowing extended audience to access content on my server"? I thought letsecrypt/nginx was secure enough. Is it not?

I tried that. Nothing seemed to help, SSH requests kept coming even after I stopped all dockers, until I changed IP and rebooted.

Yeah, but that means whatever device is used for access should be configured for VPN, right? For example, my work place doesn't allow VPN, my friends & family use my Plex server, etc.

OK, I stopped all dockers, disabled port forwarding, removed Win10 VM and changed IP address. SSH attempts seem to have stopped. However, I would like to eventually be able to access at least some dockers via reverse proxy. My understanding is that, unless I forward SSH port or a docker contains malware, it should be relatively safe with letsecrypt/nginx, right? Now that Win10 VM is out of the picture, how do I proceed with figuring out which docker contains malware?

I haven't booted my Win VM at least 2 years, so I don't think that's it. Here is my list of dockers: binhex-delugevpn binhex-sabnzbdvpn cadvisor calibre-web DokuWiki duckdns Grafana HandBrake hydra Influxdb Krusader letsencrypt MakeMKV-RDP mariadb medusa organizr organizrv2 phpmyadmin plex telegraf radarr

Thanks! I read up on it some. Do I understand it correctly that the idea is that you set up wireguard, then forward its port and use it as the tunnel to access nginx/letsenctypt, so you can keep accessing your dockers via reverse proxy? What is the advantage compared to setting up regular VPN on my router? Sorry, I'm new to this. There are quite a few guides on setting up wireguard but nobody tells you how to use it afterwards.

it's not really helpful. what security measures?

Thanks for looking into this. I updated to 6.8.2 (was 6.8.0 before) and attached the diagnostics. Oh, and one more thing: the provider said that suspicious traffic originated from port 55612. tower-diagnostics-20200212-0825.zip

Hi guys! I really hope someone can help me here. I received an email from my Internet provider stating that they detected malware traffic coming from my WAN IP. It prompted me to check my router logs and I see a lot of traffic going from my unRAID IP address to all kinds of weird sites. Unfortunately, my Advanced Tomato router only gives me timestamp, originating IP and domain accessed. What can I do to identify the source of the problem? Are there any tools for selective traffic monitoring that provide more info? Thanks!

How did you fix it exactly? I'm having the same issue. Update: issue fixed. Thank you for pointing to CTF being the root cause! I've been fiddling with my router settings for almost 3 weeks now

NAT Loopback is set to "All" and NAT Target - to "MASQUERADE" (as they have been before), so I don't think that's it. Here is an abbreviated output of the "iptables -n -L -v -t nat" command: Chain PREROUTING (policy ACCEPT 5731 packets, 389K bytes) pkts bytes target prot opt in out source destination 92 5686 WANPREROUTING all -- * * 0.0.0.0/0 [public IP] Chain POSTROUTING (policy ACCEPT 26 packets, 1620 bytes) pkts bytes target prot opt in out source destination 5110 330K MASQUERADE all -- * vlan2 0.0.0.0/0 0.0.0.0/0 Chain WANPREROUTING (1 references) pkts bytes target prot opt in out source destination 1 44 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:[Advanced Tomato IP] 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:[unRAID IP]:[letsencrypt HTTPS PORT] 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:[unRAID IP]:[letsencrypt HTTP PORT] My understanding is that, according to this, all outbound requests for my duckdns subdomain from LAN should be pre-routed to [public IP] and then post-routed back to letsencrypt. Am I wrong?