Everything posted by Del

  1. Personally, I would do it the other way around - prefer a VM dedicated to VPN rather than a Docker. Reasoning is that if the VPN endpoint were compromised, if in a VM, there is another OS layer to get around. Probably not a lot in it for home use though.
  2. And to be honest, I wouldn't expect Unraid to be fully hardened; it's a risk/reward balance the end-user needs to accept. Having done quite a bit of reading over these forums, my biggest concern is that the developers seem to have a head-in-the-sand attitude to security. Yes, I fully accept that an Unraid box should never be connected to the internet, but the threat landscape has changed significantly recently and software running on an internal LAN needs to be implemented accordingly. There seem to be quite a few security threads where the developers haven't bothered to reply when the questioning got too hard; my direct question above is another example (despite them answering other threads, proving they are online...) I would be more concerned. If your PC were to be infected with botnet software, it may not be apparent, but the attacker has full control over your PC and its network stack. This could be used to scan the internal LAN for Linux hosts with open port 80 -- yep, that's Unraid. The attackers can then directly attack your Unraid Linux box, using the Windows botnet-infected PC as a lever into your network. It's not just Windows PCs. Check out the recent huge Mirai DDoS attack that compromised IoT devices (IP cameras etc). The leaked code for Mirai is freely available for download and I'm sure there are plenty of people using it to gain access to private LANs through an unsecured IP camera. This is what I mean by the threat landscape has changed recently - the threat is now inside as well! Don't get me wrong, I think Unraid is excellent. It ticks all the boxes I need for the in-laws' media server and with the Docker and KVM implementation, I'm even considering it as a replacement for a few Proxmox test servers, but reading the other threads on the forum makes me question the security commitment. I guess spending time adding eye-candy and stuff like that is more profitable than mundane security stuff, which is a very short-sighted approach.
  3. Yep, I never expose any services outwards, except VPN server from a properly hardened endpoint. My biggest concern would be that a compromised machine on the internal network would then be able to launch an attack against the Unraid server, which isn't designed for such an attack. An attack on an internal PC is one thing, but to find out that other devices have been compromised really makes a bad day worse. It's not just Cryptolocker style either; a compromised PC could drop a botnet onto other devices... Thanks for those extra tips; a bit shocking that telnet runs by default though! Yep, this is normal practice. On the perimeter is Sophos UTM9, running IDS/IPS as well as web-proxy to try to catch stuff inbound, or at least get early notice of an issue. This should be generic advice for anyone running a server. They are mega cheap now... If I get a moment, I think I will run a Nessus scan and see what it uncovers, to get an understanding of what it looks like from the outside in...
  4. Hi, thanks for your reply. Good to hear about HTTPS access. I'm a little confused about your first sentence though - I'm asking about how secure is the underlying OS? Also, please could you address this part of my original query: "Also, can anyone comment on how Unraid security is handled recently? I read the policy sticky at the top of this board and it left me feeling quite concerned about how serious the developers are at keeping things up to date when a relevant CVE hits."
  5. Hi, I've read in these forums that "unraid is unsecure", but no real substance to what that means. I'm an ITSec Pro, looking for an easy-to-use solution for the in-laws and (thought that) Unraid met the bill very well, especially after they had positive comments after I showed them a quick demo. It's only a family Plex/music/photo server... Assuming best practice is followed with users having minimal rights/strong password, shares Read Only unless RW strictly needed, no direct exposure to internet, kept up to date etc., how would you rate Unraid's ability to repel an attack from a compromised device on the internal LAN? Also, can anyone comment on how Unraid security is handled recently? I read the policy sticky at the top of this board and it left me feeling quite concerned about how serious the developers are at keeping things up to date when a relevant CVE hits. Thanks, Del