ezhik

Members | Posts: 466 | Days Won: 1

Everything posted by ezhik

  1. Hardware wise, you'd want to make sure you use an HBA that is fully compatible with unRAID. The general recommendation is to go with an LSI 9211-8i or 9211-16i (or a similar series using the same chipset). Migrating a large sum of data can be time consuming, and I would advise (at the beginning) not to use the cache drive(s) for the initial share(s) setup and to go directly "through" using 'reconstruct write' for md_write_method. Depending on what interface you will be using for the data transfer (usb2 vs usb3.x vs sata2/sata3), you might be better off using the network to transfer it, such as scp or rsync. I generally use rsync to do the transfers; this allows picking up interrupted transfers and/or only transferring files that have changed. Cheers.
  2. Remember that it works both ways. Be respectful asking questions as well.
  3. I'd have to vouch for keeping it as is. You get a lifetime license (as of now), which means you get upgrades to MAJOR versions free of charge. Now if you want to change that and get a discounted price PER VERSION, I'd advise you to think again. For now, this is the BEST deal you can get. Cheers.
  4. I got a lot of respect for "Spaceinvader One". At least buy him a beer.
  5. I've never seen anything like that before. A wtf might be appropriate, pardon my French.
  6. No argument here. Cosmetics/Convenience category. Low severity.
  7. This should fall under a maintenance release as this impacts core functionality.
  8. Would be nice to see this properly fixed in 6.7.3 rather than hacking up a solution.
  9. I guess the concern here is in case of a really targeted attack where somebody exploits, for example, an externally accessible web-based docker and gets a reverse shell on a server as root and then gets access to the passphrase to decrypt master keys for disks. But even then, in order to actually use it, they would need to either have physical access or leverage IPMI or iLO to actually reboot the system, boot to an ISO and access the drives for data exfiltration. We are talking about some next-level espionage right here. So this type of scenario would be really targeted. Personally, if somebody steals my drive and manages to decrypt it, they would definitely return it back to me with an apology note after seeing my nudes. It all depends on what you are protecting. There is always the right tool for the job. In this case, for somebody who is security paranoid, this may not be it. Maybe a standard Linux RAID6 (mdadm) with encrypted LVM would be a better fit then. It all comes down to security vs convenience. The more functionality you add, the more security you trade.
  10. Alright, you get the point. You found something that was raised before in the encryption discussions, but you raised it loud. However, I do say 'thank you' for reporting this. I agree, you both provided decent solutions, but do note that even salted password hashes have to be securely computed using proper sources of random data, and the salt cannot be user-controlled input; it must be something that cannot be easily guessed and derived. We all know about rainbow tables and how to generate them based on common and re-used usernames. That's great! Check out OPNsense and Suricata. Also for Qubes, you can run a Windows VM and AppVMs (Seamless Apps). Check it out; if Snowden uses it, so can you - I've been running it for a while as well! Tinfoil hats! Now this part, man, why so arrogant? You are better than this - you are a professional. Ping them directly and work out a fix; you can be part of the solution. You can even test it first!
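As an added illustration of the salt point made in the post above (example code, not ezhik's and not part of unRAID): the first function uses the username as the "salt", the predictable, re-used input the post warns about, so the same credentials produce the same digest everywhere and a table built once for common usernames stays useful. The second draws the salt from the OS CSPRNG and stores it with the digest, so two hashes of the same password never collide. The iteration count and sample credentials are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; kept modest here so the demo runs fast.
# Production deployments should follow current password-hashing guidance.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_with_username_salt(username: str, password: str) -> bytes:
    """The pattern the post warns against: the 'salt' is derived from
    user-controlled, widely re-used input (the username). It is predictable
    and identical on every system where that username appears, so a table
    computed once for common usernames is reusable everywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), ITERATIONS)


def hash_password(password: str) -> str:
    """Salt drawn from the OS CSPRNG via the secrets module and stored next to
    the digest. Two hashes of the same password never collide, so nothing can
    be precomputed ahead of time."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: the same (username, password) pair registered on two systems.
    weak_a = hash_with_username_salt("admin", "correct horse")
    weak_b = hash_with_username_salt("admin", "correct horse")
    print("username-salt digests identical across systems:", weak_a == weak_b)   # True

    good_a = hash_password("correct horse")
    good_b = hash_password("correct horse")
    print("random-salt records identical:", good_a == good_b)                    # False
    print("verify correct password:", verify_password(good_a, "correct horse"))  # True
    print("verify wrong password:", verify_password(good_a, "wrong"))            # False
```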
  11. Oof, this got blown out of proportion. First of all, thanks to @limetech for even introducing encryption support, which helps us ensure our data cannot be recovered (whenever the RMA'd drives get re-purposed), and for continuing to support and enhance its functionality. @BennTech Let's be mature about this. Your feedback is of course appreciated, but it needs to be constructive. I see that you have some knowledge in the infosec world and that's great, but please, don't be so condescending toward the devs. I am sure you are not sitting behind a pfSense with IDS and IPS configured (such as Suricata, Snort or even Sophos UTM) and you are not writing your own custom Snort rules either. Your laptop is not running Qubes OS with segregated domains for your personal emails, social media and work-related access. You are not using FIDO2/U2F for MFA nor are you using GnuPG for secure communication. And if you are, hats off to you, good sir. Regarding LUKS, I am sure you have seen this: https://0x00sec.org/t/breaking-encryption-hashed-passwords-luks-devices/811 (Nothing is bulletproof.) Additionally, before bashing the devs: they do take security very seriously. Just look at the security sub-forum. Security is a shared responsibility, and you are also responsible for ensuring your system is configured in a secure way, as well as your environment. Yes, your environment as well.
      If we are talking about security practices, then there are many security controls you can implement:
      - Disable services you do not need; you don't have to run any dockers, just use storage
      - Don't expose unraid or its services externally
      - Implement fail2ban to prevent bruteforces
      - Run your vulnerability assessments and manage them (OpenVAS/Nessus)
      - Rotate your passwords every 30 days
      - Randomly generate your passwords with at least 24 characters
      - Use VLANs to segregate network traffic
      - Don't use lower versions of SMB
      - Don't use NFSv3
      - Lock down physical access to the server
      - Install video cameras
      - Review access logs
      - Disable IPMI if you are running Supermicro
      - Disable hyperthreading if you are running Intel chips
      - Don't use unencrypted connections (http); instead use nginx as a reverse proxy for encrypting all traffic (certs required)
      - Set up centralized logging using rsyslog to Splunk or Elasticsearch (ELK)
      - Set up appropriate auditing of filesystem access and triggers
      - And many others
      If you work in infosec then you should know about risk assessments and risk management, as well as how convenience and security come clashing when you need to implement BCP (Business Continuity Planning) once your BIA (Business Impact Analysis) is done. You've raised a valid point that convenience in this case should be optional, and @limetech agreed to address it in the follow-up release. But are you that paranoid that you don't trust the way you set up your internal network? Do you not have enough traffic filtering set up to spot a data extraction operation through an ICMP or a DNS tunnel? Judging by your comments, you are a pro at this. In either case, let's improve things. Everybody can be a critic, remember that. And remember, if somebody wants to pwn you - they will, there is always a way.
  12. If I don't get one, can I buy a few? I have 3 unRAID servers.
  13. I am aware how RDP works. Unless something has changed over years, RDP & 3D acceleration was not something that went well together. If what you are saying is true, that means you can even do light gaming over RDP. That's impressive.
  14. Yeah @CHBMB, stop slacking, it's been hours since 6.7.2 was released... geez... what's taking you so long? PS. You know I am joking.
  15. Thanks devs for timely updating the plugin for 6.7.1! ALSO thank you for updating the driver version to 430.14! Cheers!
  16. Updated three systems, no problem. Rock on!
  17. Presently, if disks are running hot (45C+), the array health check reports as 'FAIL'. This is technically not correct:
      1) Parity is valid
      2) No disks have reported failures
      3) Disks are operating properly
      Proposals:
      1) Create an option to report the array as 'WARN' if disks are running hot
      2) Ignore high disk temps and only validate parity and cache pool status and report accordingly, which in this case should be 'PASS'.
      NOTE:
      - The same thing goes for the array status report (health check) when a parity check is running: it shouldn't be FAIL, it should be PASS.
      - Now if it is rebuilding, it should be WARN, as the correction process has begun and is in progress.
      - If no rebuild is in place, no parity check is running and we have a failed disk in either the array or a cache pool: FAIL, that's a legitimate failure that should trigger a failure notification.
      Cheers.
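The status rules proposed in the post above, written out as a small decision function (an added example, not ezhik's code and not unRAID's health-check implementation). The `Disk`/`ArrayState` types, the 45C threshold and the sample scenarios are constructed for the demo; treating invalid parity as FAIL is an assumption the post only implies.

```python
from dataclasses import dataclass, field

HOT_THRESHOLD_C = 45  # the post's "running hot (45C+)" threshold (constructed constant)


@dataclass
class Disk:
    name: str
    pool: str            # "array" or "cache"
    temp_c: int
    failed: bool = False


@dataclass
class ArrayState:
    disks: list = field(default_factory=list)
    parity_valid: bool = True
    parity_check_running: bool = False
    rebuilding: bool = False


def array_health(state: ArrayState, hot_disks_as_warn: bool = True) -> str:
    """Return 'PASS', 'WARN' or 'FAIL' following the rules in the post.

    hot_disks_as_warn=True  -> proposal 1: hot disks downgrade the result to WARN
    hot_disks_as_warn=False -> proposal 2: temperatures are ignored entirely
    """
    # A rebuild means the correction process has begun: WARN, not FAIL.
    if state.rebuilding:
        return "WARN"
    # A failed disk in the array or cache pool with no correction under way is a
    # legitimate failure. Assumption: invalid parity is treated the same way.
    if any(d.failed for d in state.disks) or not state.parity_valid:
        return "FAIL"
    # Hot disks are a warning at most, never a failure.
    if hot_disks_as_warn and any(d.temp_c >= HOT_THRESHOLD_C for d in state.disks):
        return "WARN"
    # A running parity check on an otherwise healthy array is not a fault,
    # so state.parity_check_running deliberately has no effect on the result.
    return "PASS"


if __name__ == "__main__":
    # Constructed scenarios, one per case the post calls out.
    hot = ArrayState(disks=[Disk("disk1", "array", 48), Disk("disk2", "array", 38)])
    checking = ArrayState(disks=[Disk("disk1", "array", 36)], parity_check_running=True)
    rebuild = ArrayState(disks=[Disk("disk1", "array", 36, failed=True)], rebuilding=True)
    dead_cache = ArrayState(disks=[Disk("cache1", "cache", 36, failed=True)])
    print("hot disks, option on :", array_health(hot))                          # WARN
    print("hot disks, option off:", array_health(hot, hot_disks_as_warn=False))  # PASS
    print("parity check running :", array_health(checking))                     # PASS
    print("rebuilding           :", array_health(rebuild))                      # WARN
    print("failed cache disk    :", array_health(dead_cache))                   # FAIL
```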
  18. All docker containers show 'Update available' if no internet is present when checking for updates in 6.7.0. This probably should be fixed.
  19. You can segregate those and put them behind another NAT