Hardening to expose to the internet


loopback

8 posts in this topic Last Reply

Recommended Posts

I'm currently thinking about turning my dedicated machine i own in a datacenter into my new unRAID machine. This would serve me some shares that store data and some VMs for development purposes.
This will by no means have any sensitive data on it, basically nothing of value that i would cry after when i lose it or that anyone could do anything with.

 

I know that using a VPN would be the better way, but this is not possible in this case due to my router not supporting it and needing the software on every device that needs access, which is not possible.

 

Currently i have planned the following:

- Turning off anything on the server that i wont use (SSH/ Telnet/ FTP/ NetBIOS)

- Using my hardware firewall to filter out any traffic except the necessary ones (Open ports will be 80/ 443/ 445)

- Using a very strong password for root and any user that is connecting to my shares

- Not having any public shares

- Completely hiding the flash drive from being shared to anything, in the event where i would need to access it and cant connect to the server, i can have physical access by driving there

 

Is there anything i could do additionally to improve the security even further? Also is there any other ports unRAID needs to work correctly? I cant think of any but maybe someone with more experience has some in mind.

 

Greetings

Link to post
11 hours ago, loopback said:

I know that using a VPN would be the better way, but this is not possible in this case due to my router not supporting it and needing the software on every device that needs access, which is not possible.

You don't need VPN in your router. WireGuard VPN is built-in to Unraid. You do need WireGuard installed on every device that needs access though. Why isn't it possible?

 

 

Link to post
  • 5 weeks later...

It is a bad ideea. I recommend installing something like Ngnix proxy manager and adding at least some basic auth in front of it over SSL.

The reason why it can be a bad ideea is that you might never be sure that the whole UI is propperly protected. By adding a proxy in front or even better a vpn like wireguard, the attacker will have to bypass this authentication before getting to the unraid server. Nginx basic auth and witeguard auth are way more battle tested (not to mention a lot smaller as attack surface) than the whole unraid UI.

Link to post
  • 3 weeks later...
On 12/21/2020 at 9:36 AM, loopback said:

Currently i have planned the following: [...]

- Using my hardware firewall to filter out any traffic except the necessary ones (Open ports will be 80/ 443/ 445) [...]

 

Also is there any other ports unRAID needs to work correctly? [...]

 

Hi @loopback

 

Based on what I understand of your use case and knowledge in security I would also strongly advise against opening any of the 80/443/445 port (or corresponding HTTP, HTTPS and SMB services) to the internet (not that I am an expert myself either).

 

IMO, the simplest and safest way to remotely access your Unraid server is via VPN. In addition to @trurl's suggestion to use WireGuard, I would also recommend OpenVPN, which have been around (and audited) for a long time now, and therefore could be seen by some as potentially less likely to suffer from vulnerabilities compared to WireGuard.

 

If you really cannot use a VPN because of the need to have a VPN client or a VPN-client capable router, then @tudalex suggestion may be the way to go. You would then need to install some sort of web service to access your files (maybe a cloud file service like nextcloud ?).

 

Then, as an additional mitigation measure, you can avoid using default ports for the different services you have opened to the internet, and use high number ports instead (like 45299 instead of 443 for your Nginx proxy). I have personally found it to drastically reduce the number of BOT attacks on my network. Some will argue that this is "security through obscurity" and that therefore it is bad. And some would argue that in some use cases, a bit of obscurity is beneficial. 

 

Finally, you could install fail2ban and have it watch for failed attempts to connect to the services running on your server. When a potential attack is detected (i.e. multiple failed connection attempts in a set period of time), fail2ban will ban the IP and prevent it from connecting to your machine. 

 

Please feel free to report back with what you did.

 

Best,

OP

Edited by Opawesome
Link to post
  • 1 month later...
On 2/11/2021 at 5:17 PM, Opawesome said:

 

Hi @loopback

 

Based on what I understand of your use case and knowledge in security I would also strongly advise against opening any of the 80/443/445 port (or corresponding HTTP, HTTPS and SMB services) to the internet (not that I am an expert myself either).

 

IMO, the simplest and safest way to remotely access your Unraid server is via VPN. In addition to @trurl's suggestion to use WireGuard, I would also recommend OpenVPN, which have been around (and audited) for a long time now, and therefore could be seen by some as potentially less likely to suffer from vulnerabilities compared to WireGuard.

 

If you really cannot use a VPN because of the need to have a VPN client or a VPN-client capable router, then @tudalex suggestion may be the way to go. You would then need to install some sort of web service to access your files (maybe a cloud file service like nextcloud ?).

 

Then, as an additional mitigation measure, you can avoid using default ports for the different services you have opened to the internet, and use high number ports instead (like 45299 instead of 443 for your Nginx proxy). I have personally found it to drastically reduce the number of BOT attacks on my network. Some will argue that this is "security through obscurity" and that therefore it is bad. And some would argue that in some use cases, a bit of obscurity is beneficial. 

 

Finally, you could install fail2ban and have it watch for failed attempts to connect to the services running on your server. When a potential attack is detected (i.e. multiple failed connection attempts in a set period of time), fail2ban will ban the IP and prevent it from connecting to your machine. 

 

Please feel free to report back with what you did.

 

Best,

OP

Dig this one...." Fail2ban with unRAID how to " is needed cause was not able to find any CA called fail2ban, or any how to install via console...specifically for unRAID and his docker.

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.