
ezhik

Members
Posts: 466
Days Won: 1

Posts posted by ezhik

  1. 58 minutes ago, Mogo said:

    So saarg's comment about hardware issues got me thinking.  I took the Quadro P2200 video card out of the system,  now the system boots.  Does that mean I need to revert back to 6.8.0 to use the graphics card?  It was working before with the video card in the system prior to this update.

     

    I have Quadro P2000. 6.8.1 boots fine.

  2. 1 hour ago, CSIG1001 said:

    My second plan is to copy over the data (64TB) to the unRAID array and then store the 8 HDDs in my closet inside a special case. However, once my array goes over 100TB I will most likely have to rely on the array and 2 parity disks to save me, since I will have no way to keep a second backup. I guess I could invest in tape solutions or wait until 2023 when we have 25TB drives available. Just around the corner. We are supposed to have 100TB by 2026.

     

    Look into duplicati and jottacloud. You can get unlimited storage for about $99/yr.

     

    Make sure you back up the Duplicati database to ensure you can restore the encrypted backups.

     

  3. Hardware-wise, you'd want to make sure you use an HBA that is fully compatible with unRAID. The general recommendation is to go with an LSI 9211-8i or 9211-16i (or a similar series using the same chipset).

     

    Migrating a large sum of data can be time consuming, and I would advise (at the beginning) not to use the cache drive(s) for the initial share setup, but to write directly to the array using 'reconstruct write' for md_write_method.

     

    Depending on what interface you will be using for the data transfer (USB 2 vs USB 3.x vs SATA 2/SATA 3), you might be better off using the network to transfer it, with something such as scp or rsync.

     

    I generally use rsync to do the transfers; this allows you to pick up interrupted transfers and/or only transfer files that have changed.

     

    Cheers.

  4. I'd have to vouch for keeping it as is. You get a lifetime license (as of now), which means you get upgrades to MAJOR versions free of charge. 

     

    Now if you want to change that and get a discounted price PER VERSION, I'd advise you to think again.

     

    For now, this is the BEST deal you can get.

     

    Cheers.

  5. 13 hours ago, jonathanm said:

    The official position on this (not mine) is that since real updates do get applied, there is not an urgent issue. They say it's cosmetic only, alerting to updates that aren't there.

     

    Container needs an update? Check, update applied.

    Container doesn't need an update? Check, update not applied.

     

    Indication of a needed update that doesn't actually exist, so it does not get applied is not an urgent issue, as all updates are still done as needed.

    No argument here. Cosmetics/Convenience category. Low severity.

  6. 18 minutes ago, BRiT said:

    To put things into a more realistic perspective ... If people have physical access to my server, I'm more concerned about being kidnapped, shot, or killed than my data drives being taken.

     

    I guess the concern here is the case of a really targeted attack where somebody exploits, for example, an externally accessible web-based docker container, gets a reverse shell on the server as root, and then gets access to the passphrase to decrypt the master keys for the disks. But even then, in order to actually use it, they would need to either have physical access or leverage IPMI or iLO to reboot the system, boot to an ISO and access the drives for data exfiltration. We are talking about some next-level espionage right here.

     

    So this type of scenario would be really targeted.

     

    Personally, if somebody steals my drive and manages to decrypt it - they would definitely return it back to me with an apology note after seeing my nudes.

     

    It all depends on what you are protecting. There is always the right tool for the job. In this case, for somebody who is security paranoid, this may not be it. 

     

    Maybe a standard Linux RAID6 (mdadm) with encrypted LVM would be a better fit then. It all comes down to security vs convenience. The more functionality you add, the more security you trade.
  7. 47 minutes ago, BennTech said:

    This is what LimeTech representatives SHOULD do when an Unraid customer reports a security flaw:

    1. Acknowledge the customer's concern.
    2. Acknowledge the security flaw.
    3. Describe the steps being taken to correct the issue.
    4. Thank the customer for reporting the flaw so LimeTech can continue to improve and secure their product.

     

    Alright, you get the point. You found something that was raised before in the encryption discussions, but you raised it loud. However, I do say 'thank you' for reporting this. 

     

    47 minutes ago, BennTech said:

    I am offended by the way LimeTech and everyone else in this thread other than Xaero has repeatedly dismissed all my concerns, and I feel I'm owed an apology in addition to a thank you for pointing out this security flaw. I'm not so naive as to think that anyone, especially from LimeTech, is going to do that. Instead, I'll just have to settle for them fixing the issue (sort of), which is at least an acknowledgement that saving a plaintext password to a file is insecure, even though they never actually admit it.

     

    I agree, you both provided decent solutions, but do note that even salted password hashes have to be securely computed using proper sources of random data, and the salt cannot be user-controlled input; it has to be something that cannot be easily guessed or derived. We all know about rainbow tables and how to generate them based on common and reused usernames.

     

    47 minutes ago, BennTech said:

    BTW, yes, I actually do run pfSense with Snort; I've been using it for 14 years, since v0.9.8 when it forked off m0n0wall. No, I don't run Qubes; my work/clients require Windows, but I do run a Kali VM to perform basic pentesting at my clients. Yes, I do know about LiME to grab passwords from memory and had started to include it in a previous response, but removed it because what's the point in all that if I can't even convince any of the devs that saving a plaintext password to a file is bad.

     

    That's great! Check out opnsense and suricata ;) 

     

    Also for Qubes, you can run a Windows VM and AppVMs (seamless apps). Check it out; if Snowden uses it, so can you. I've been running it for a while as well! Tinfoil hats!

     

    47 minutes ago, BennTech said:

    And to all the LimeTech devs, even though you never said thank you, you're welcome. Assuming you implement the changes described by limetech above, you and all your users will soon enjoy a better and more secure Unraid thanks to me bringing this security flaw to your attention.

    Now this part, man, why so arrogant? You are better than this; you are a professional. Ping them directly and work out a fix; you can be part of the solution. You can even test it first!
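The point made in the reply above about salts (they must come from a proper random source and must not be user-controlled input such as a username, or a precomputed table covers every system that reuses that username) is easiest to see side by side. The following is an added example written for this page, not code from Unraid, LimeTech or any poster; it uses Python's standard-library scrypt, the cost parameters and the small wordlist are assumptions chosen for illustration, and the "hunter2"/"admin" inputs are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# scrypt cost parameters chosen for this example only (assumption); tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt comes from os.urandom (the OS CSPRNG)
    unless the caller supplies one, which verify_password does to recompute."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison does not leak how many leading bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def weak_hash(username: str, password: str) -> bytes:
    """Anti-pattern: the salt is derived from user-controlled, widely reused
    input. Every deployment with a user named 'admin' now shares one salt."""
    _, digest = hash_password(password, salt=username.encode("utf-8"))
    return digest


def build_table(username: str, wordlist) -> Dict[bytes, str]:
    """Precompute digest -> password for one username under the weak scheme.
    This is the lookup table the post warns about: built once, reused against
    every system that salts with the same username."""
    return {weak_hash(username, pw): pw for pw in wordlist}


def crack_weak(digest: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """Recover the password from a weak-scheme digest by table lookup, if present."""
    return table.get(digest)


if __name__ == "__main__":
    salt, digest = hash_password("hunter2")
    print("random salt, verify ok:", verify_password("hunter2", salt, digest))
    # Constructed wordlist for illustration only.
    table = build_table("admin", ["password", "hunter2", "letmein"])
    print("weak scheme cracked via precomputed table:",
          crack_weak(weak_hash("admin", "hunter2"), table))
```

With a random per-user salt, two users with the same password get unrelated digests and no table can be built ahead of time; with the username as salt, the table built for "admin" once works against every install where "admin" chose a password from the wordlist.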
  8. Oof, this got blown out of proportion.

     

    First of all, thanks to @limetech for even introducing encryption support, this helps us ensure our data cannot be recovered (whenever the RMA'd drives get re-purposed) and continuing to support and enhance its functionality.

     

    @BennTech Let's be mature about this. Your feedback is of course appreciated, but it needs to be constructive. I see that you have some knowledge in the infosec world and that's great, but please, don't be so condescending to the devs.

     

    I am sure you are not sitting behind a pfSense with IDS and IPS configured (such as Suricata, Snort or even Sophos UTM), and you are not writing your own custom Snort rules either. Your laptop is not running Qubes OS with segregated domains for your personal emails, social media and work-related access. You are not using FIDO2/U2F for MFA, nor are you using GnuPG for secure communication. And if you are, hats off to you, good sir.


    Regarding LUKS, I am sure you have seen this: https://0x00sec.org/t/breaking-encryption-hashed-passwords-luks-devices/811  (Nothing is bulletproof)

     

    Additionally, before bashing the devs: they do take security very seriously. Just look at the security sub-forum.

     

    Security is a shared responsibility and you are the one who is also responsible for ensuring your system is configured in a secure way as well as your environment. Yes, your environment as well.

     

    If we are talking about security practices, then there are many security controls you can implement:

    - Disable services you do not need; you don't have to run any dockers, just use storage

    - Don't expose unRAID or its services externally

    - Implement fail2ban to prevent brute-forcing

    - Run your vulnerability assessments and manage them (OpenVAS/Nessus)

    - Rotate your passwords every 30 days

    - Randomly generate your passwords with at least 24 characters

    - Use VLANs to segregate network traffic

    - Don't use older versions of SMB

    - Don't use NFSv3

    - Lock down physical access to the server

    - Install video cameras

    - Review access logs

    - Disable IPMI if you are running Supermicro

    - Disable hyperthreading if you are running Intel chips

    - Don't use unencrypted connections (http); instead use nginx as a reverse proxy for encrypting all traffic (certs required)

    - Set up centralized logging using rsyslog to Splunk or Elasticsearch (ELK)

    - Set up appropriate auditing of filesystem access and triggers

    - And many others

     

    If you work in infosec then you should know about risk assessments and risk management, as well as how convenience and security come clashing when you need to implement BCP (Business Continuity Planning) once your BIA (Business Impact Analysis) is done.

     

    You've raised a valid point that convenience in this case should be optional and @limetech agreed to address it in the follow-up release.

     

    But are you that paranoid that you don't trust the way you set up your internal network? Do you not have enough traffic filtering set up to spot a data extraction operation through an ICMP or a DNS tunnel? Judging by your comments, you are a pro at this ;) 

     

    In either case, let's improve things. Everybody can be a critic, remember that.

     

    And remember, if somebody wants to pwn you, they will; there is always a way.
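Two items on the list in the post above, "Implement fail2ban to prevent brute-forcing" and "Review access logs", come down to the same mechanism: count authentication failures per source address inside a sliding time window and act when a threshold is crossed. The following is an added example written for this page, not code from Unraid, fail2ban or any poster; it reimplements that fail2ban-style rule over a handful of constructed sshd log lines (TEST-NET addresses, hostname and PIDs all made up), with maxretry and findtime values assumed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterator, Tuple

# Constructed sample log, not taken from any real system (assumption for this example).
SAMPLE_LOG = """\
Jan 10 03:14:01 tower sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:03 tower sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jan 10 03:14:04 tower sshd[1203]: Accepted publickey for ezhik from 192.0.2.10 port 40022 ssh2
Jan 10 03:14:06 tower sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 10 03:14:09 tower sshd[1205]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan 10 03:14:10 tower sshd[1206]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 10 03:20:00 tower sshd[1210]: Failed password for ezhik from 192.0.2.10 port 40030 ssh2
Jan 10 03:40:00 tower sshd[1211]: Failed password for ezhik from 192.0.2.10 port 40031 ssh2
"""

# syslog-style sshd lines; only failure events are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Invalid user).* from (?P<ip>\d+(?:\.\d+){3}) port"
)


def parse_failures(text: str, year: int = 2020) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, source_ip) for every failed or invalid-user login line.
    syslog timestamps carry no year, so one is assumed (2020 here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def find_bruteforce(text: str, maxretry: int = 5, findtime_s: int = 600) -> Dict[str, datetime]:
    """Return {ip: time of the failure that crossed the threshold}.

    Sliding window per source: keep the timestamps of recent failures, drop
    those older than findtime_s relative to the newest one, and flag the
    source once maxretry failures fall inside the window. This mirrors the
    maxretry/findtime logic of a fail2ban jail."""
    windows: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for ts, ip in parse_failures(text):
        if ip in flagged:
            continue  # already actioned; a real jail would also stop counting
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()
        if len(q) >= maxretry:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"ban {ip}: {when:%b %d %H:%M:%S}")
```

In the sample, 203.0.113.7 produces five failures within ten seconds and is flagged on the fifth; 192.0.2.10 fails twice twenty minutes apart, so its window never holds more than one entry and it is left alone, which is the distinction between a brute-force attempt and a user mistyping a password.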