loopback Posted December 21, 2020

I'm currently thinking about turning my dedicated machine I own in a datacenter into my new unRAID machine. This would serve me some shares that store data and some VMs for development purposes. This will by no means have any sensitive data on it, basically nothing of value that I would cry after when I lose it or that anyone could do anything with.

I know that using a VPN would be the better way, but this is not possible in this case due to my router not supporting it and needing the software on every device that needs access, which is not possible.

Currently I have planned the following:

- Turning off anything on the server that I won't use (SSH / Telnet / FTP / NetBIOS)
- Using my hardware firewall to filter out any traffic except the necessary ones (open ports will be 80 / 443 / 445)
- Using a very strong password for root and any user that is connecting to my shares
- Not having any public shares
- Completely hiding the flash drive from being shared to anything; in the event where I would need to access it and can't connect to the server, I can have physical access by driving there

Is there anything I could do additionally to improve the security even further? Also, are there any other ports unRAID needs to work correctly? I can't think of any, but maybe someone with more experience has some in mind.

Greetings
NAS Posted December 21, 2020

Do not open 445 to the internet.
trurl Posted December 21, 2020

11 hours ago, loopback said:
I know that using a VPN would be the better way, but this is not possible in this case due to my router not supporting it and needing the software on every device that needs access, which is not possible.

You don't need VPN in your router. WireGuard VPN is built in to Unraid. You do need WireGuard installed on every device that needs access though. Why isn't it possible?
tudalex Posted January 21, 2021

It is a bad idea. I recommend installing something like Nginx Proxy Manager and adding at least some basic auth in front of it over SSL. The reason why it can be a bad idea is that you might never be sure that the whole UI is properly protected. By adding a proxy in front, or even better a VPN like WireGuard, the attacker will have to bypass this authentication before getting to the Unraid server. Nginx basic auth and WireGuard auth are way more battle-tested (not to mention a lot smaller as an attack surface) than the whole Unraid UI.
Opawesome Posted February 11, 2021 (edited)

On 12/21/2020 at 9:36 AM, loopback said:
Currently I have planned the following: [...]
- Using my hardware firewall to filter out any traffic except the necessary ones (open ports will be 80 / 443 / 445) [...]
Also, are there any other ports unRAID needs to work correctly? [...]

Hi @loopback

Based on what I understand of your use case and knowledge in security, I would also strongly advise against opening any of the 80/443/445 ports (or the corresponding HTTP, HTTPS and SMB services) to the internet (not that I am an expert myself either).

IMO, the simplest and safest way to remotely access your Unraid server is via VPN. In addition to @trurl's suggestion to use WireGuard, I would also recommend OpenVPN, which has been around (and audited) for a long time now, and therefore could be seen by some as potentially less likely to suffer from vulnerabilities compared to WireGuard.

If you really cannot use a VPN because of the need to have a VPN client or a VPN-client-capable router, then @tudalex's suggestion may be the way to go. You would then need to install some sort of web service to access your files (maybe a cloud file service like Nextcloud?).

Then, as an additional mitigation measure, you can avoid using default ports for the different services you have opened to the internet, and use high-numbered ports instead (like 45299 instead of 443 for your Nginx proxy). I have personally found it to drastically reduce the number of bot attacks on my network. Some will argue that this is "security through obscurity" and that therefore it is bad. And some would argue that in some use cases, a bit of obscurity is beneficial.

Finally, you could install fail2ban and have it watch for failed attempts to connect to the services running on your server. When a potential attack is detected (i.e. multiple failed connection attempts in a set period of time), fail2ban will ban the IP and prevent it from connecting to your machine.

Please feel free to report back with what you did.

Best,
OP

Edited February 11, 2021 by Opawesome
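To make concrete what the fail2ban step above actually does, here is an added example that is not from the thread, from Unraid or from the fail2ban project: a small Python replay of fail2ban's maxretry / findtime / bantime logic over a handful of constructed nginx error.log lines of the kind nginx writes when the basic auth suggested earlier in the thread rejects a login. The two message shapes matched (`password mismatch` and `was not found in`) are what nginx's auth_basic module logs; the client addresses, the hostname `nas.example.net`, the timestamps and the `.htpasswd` path are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the format nginx writes to error.log when
# auth_basic rejects a request. Addresses are documentation ranges and
# "nas.example.net" is an assumed hostname; nothing here is real traffic.
SAMPLE_LOG = """\
2021/02/11 12:00:01 [error] 812#812: *1 user "root": password mismatch, client: 203.0.113.5, server: nas.example.net, request: "GET / HTTP/1.1", host: "nas.example.net"
2021/02/11 12:00:02 [error] 812#812: *2 user "admin" was not found in "/etc/nginx/.htpasswd", client: 198.51.100.7, server: nas.example.net, request: "GET / HTTP/1.1", host: "nas.example.net"
2021/02/11 12:00:04 [error] 812#812: *3 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5, server: nas.example.net, request: "GET /favicon.ico HTTP/1.1", host: "nas.example.net"
2021/02/11 12:00:05 [error] 812#812: *4 user "root": password mismatch, client: 203.0.113.5, server: nas.example.net, request: "GET / HTTP/1.1", host: "nas.example.net"
2021/02/11 12:00:09 [error] 812#812: *5 user "root": password mismatch, client: 203.0.113.5, server: nas.example.net, request: "GET / HTTP/1.1", host: "nas.example.net"
2021/02/11 12:00:10 [error] 812#812: *6 user "root": password mismatch, client: 203.0.113.5, server: nas.example.net, request: "GET / HTTP/1.1", host: "nas.example.net"
2021/02/11 12:30:00 [error] 812#812: *7 user "admin" was not found in "/etc/nginx/.htpasswd", client: 198.51.100.7, server: nas.example.net, request: "GET / HTTP/1.1", host: "nas.example.net"
2021/02/11 12:45:00 [error] 812#812: *8 user "admin" was not found in "/etc/nginx/.htpasswd", client: 198.51.100.7, server: nas.example.net, request: "GET / HTTP/1.1", host: "nas.example.net"
2021/02/11 12:50:00 [error] 812#812: *9 user "root": password mismatch, client: 2001:db8::1, server: nas.example.net, request: "GET / HTTP/1.1", host: "nas.example.net"
"""

# Match only the two messages nginx emits for a failed basic-auth attempt:
#   user "NAME": password mismatch
#   user "NAME" was not found in "HTPASSWD_FILE"
# Anything else in error.log (missing files, upstream errors) is not a
# login failure and must not count towards a ban.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*"(?:: password mismatch| was not found in "[^"]*"), '
    r'client: (?P<ip>[0-9A-Fa-f.:]+), '
)


def parse_failures(lines):
    """Yield (timestamp, client_ip) for every auth failure in the given lines."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["ip"]


def find_bans(lines, maxretry=3, findtime=600, bantime=3600):
    """Replay the log and return {ip: time_of_first_ban}.

    maxretry, findtime and bantime carry the same meaning as the fail2ban
    jail options of those names: ban after `maxretry` failures within
    `findtime` seconds, for `bantime` seconds.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    ban_until = {}               # ip -> when its current ban expires
    bans = {}                    # ip -> when it was first banned
    for ts, ip in parse_failures(lines):
        if ip in ban_until and ts < ban_until[ip]:
            # While banned, the firewall rule drops the packets and nginx
            # never sees the attempt, so the replay ignores it as well.
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            bans.setdefault(ip, ts)
            ban_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%Y-%m-%d %H:%M:%S}")
```

With the defaults (three failures inside ten minutes), only 203.0.113.5 gets banned: 198.51.100.7 fails three times too, but never three times within the window, so the sliding window keeps dropping its older attempts. Lowering maxretry or widening findtime changes that, which is the trade-off you tune in a jail: a tight window misses slow guessing, a loose one risks banning a legitimate user who mistypes a password a few times. fail2ban ships a filter named nginx-http-auth that matches the same two messages, so in a real deployment you point a jail with that filter at the proxy's error.log rather than writing your own regex.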
Opawesome Posted February 11, 2021

I forgot to mention that the huge 2017 WannaCry cyber attack used a vulnerability in the SMB protocol (port 445) to spread around the globe (https://en.wikipedia.org/wiki/WannaCry_ransomware_attack). So in a way, even if you do not care about your data being at risk, leaving such services open to the internet can help the spread of cyber attacks and harm others.
Opawesome Posted February 18, 2021

Today, I found this tutorial by Mister @SpaceInvaderOne. This may be worth having a look at, @loopback. On paper, it seems to suit your needs:
tech_rkn Posted April 18, 2021

On 2/11/2021 at 5:17 PM, Opawesome said:
[...] Finally, you could install fail2ban and have it watch for failed attempts to connect to the services running on your server. When a potential attack is detected (i.e. multiple failed connection attempts in a set period of time), fail2ban will ban the IP and prevent it from connecting to your machine. [...]

Dig this one... A "Fail2ban with unRAID how-to" is needed, because I was not able to find any CA called fail2ban, or any how-to for installing it via console, specifically for unRAID and its Docker.