mtrivs

  1. I don't route Plex through CF either. I saw the warnings that using Argo for streaming can get you banned, so it has deterred me from trying it. I have a fiber connection, so I already get fast speeds, so I would only benefit from faster peering running it over an Argo tunnel. I run NPM presently and have been patiently waiting for it to have Fail2Ban support without hacking something together. Most everything I have is behind Authelia anyways, which has a few security measures built in to prevent brute force attempts. The trade-off is that there aren't historical IP blocks or dedicated jails like with Fail2Ban, but it is also really easy for an attacker to change their IP.
  2. Anything you expose should have at least 2 layers of authentication in front of it. Do not trust that the login pages for your services will keep everyone out, and assume that someone has already found an exploit to allow access. Plex is the only service that I run where 2FA is not possible, but everything else should have layers of security. Things like management UIs (Unraid, NPM admin page, etc.) should almost never be exposed to the internet. I would always be thinking of ways to provide the least amount of exposure possible. For example, instead of exposing Sonarr/Radarr separately, just expose Ombi behind 2FA to limit the overall attack surface and total number of exposed ports. Argo tunnels are great, but 2FA is the real winner when it comes to security. Cloudflare has a lot of great security features built in, but where there is a will there is a way.
  3. I wouldn't expose the login page to the internet for any reason. There is too much risk in allowing someone to find an exploit, and it is not really needed. If you are already using Cloudflare with port forwarding, look at using an Argo tunnel along with the cloudflared Docker container. This hides your true IP address and eliminates the port forwarding through your router, to block more access attempts before they hit your network. You can configure access to your server using Cloudflare Teams + the WARP client as well. This puts Cloudflare authentication in front of your server and prevents the Unraid login page from being your sole line of defense. If you must provide access through a reverse proxy, I would at least configure the Authelia Docker container and get a free Duo account to secure things with 2FA. https://ibracorp.gitbook.io/cloudflare-tunnel/ https://ibracorp.gitbook.io/authelia/
  4. M/B: Supermicro - X9DRi-LN4+/X9DR3-LN4+ CPU: 2x Intel® Xeon® CPU E5-2660 @ 2.20GHz Memory: 128 GB Multi-bit ECC (max. installable capacity 1536 GB)
  5. Same issue for me as well. Just started with the most recent update. UPDATE: 13 hours later and the issue has resolved itself... Aliens?