My Servers Early Access Plugin


jonp


58 minutes ago, repomanz said:

I really like this plugin, but before I dive into it, would it work behind one of the nginx proxy containers within different vlans (which includes custom docker networks)?  I would like to leverage this new feature from the unraid team but put the following behind nginx proxy

 

Properly setting up a reverse proxy is difficult; this is one of the reasons we added the Remote Access functionality. It should be possible to set up a reverse proxy instead of using remote access, but it isn't something we actively support.

Link to comment
8 hours ago, Raptor said:

I have a different problem - after switching SSL/TLS from Yes to auto I need to log on again with http:// but after I enter the root password and hit login nothing happens - the entered data disappears, no information about invalid username/password.

 

I can ssh to server with this password :| 

 

I am having difficulty understanding exactly what state you are in.  Let's see if we can get you back to a normal http connection and try again.

 

* On your flash drive, remove any files from the config/ssl/certs folder

* Edit the config/ident.cfg file on the flash drive and ensure you see a line that says USE_SSL="auto"  (if you see "no" or "yes", change it to "auto")

* Reboot (you mentioned being able to SSH in, you can type "reboot" from there)

* You should now be able to access your server via http://servername or http://ipaddress

* Go back to Settings -> Management and provision a certificate

* The urls above will now redirect to https://yourpersonalhash.unraid.net and your local access will be secured over SSL

 

Link to comment
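The first two steps of ljm42's procedure above, written as a shell function. This is an added example, not part of the original thread or Unraid's own tooling; the flash mount point is an argument you supply, and the backup directory is a hypothetical addition so the removed files can be restored.

```shell
#!/bin/sh
# Usage: reset_ssl_state FLASH_ROOT BACKUP_DIR
# FLASH_ROOT is wherever the flash drive is mounted; BACKUP_DIR is a
# hypothetical location (off the flash) for the files that get removed.
reset_ssl_state() {
    flash=$1
    backup=$2
    certs="$flash/config/ssl/certs"
    ident="$flash/config/ident.cfg"

    [ -n "$backup" ] || { echo "usage: reset_ssl_state FLASH_ROOT BACKUP_DIR" >&2; return 1; }
    [ -f "$ident" ] || { echo "not found: $ident" >&2; return 1; }

    # Prepare the edited ident.cfg first, so nothing is touched if it fails.
    # Only the quoted value is rewritten, so a trailing CR (the flash is
    # often edited on Windows) is left as it was.
    sed 's/^USE_SSL="[^"]*"/USE_SSL="auto"/' "$ident" > "$ident.new" || return 1
    if ! grep -q '^USE_SSL="auto"' "$ident.new"; then
        rm -f "$ident.new"
        echo "no USE_SSL=\"...\" line in $ident; edit it by hand" >&2
        return 1
    fi

    # Certificate bundles may include private keys: keep the backup private.
    mkdir -p "$backup/certs" || return 1
    chmod 700 "$backup" "$backup/certs" || return 1
    cp "$ident" "$backup/ident.cfg" || return 1

    # Step 1: empty config/ssl/certs (files are moved, not destroyed).
    if [ -d "$certs" ]; then
        for f in "$certs"/*; do
            if [ -f "$f" ]; then
                mv "$f" "$backup/certs/" || return 1
            fi
        done
    fi

    # Step 2: put the edited ident.cfg in place.
    mv "$ident.new" "$ident" || return 1
    echo "SSL state reset; reboot, then browse to http://servername"
}
```

The remaining steps (reboot, then provisioning a certificate under Settings -> Management) are done by hand as described in the post.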
47 minutes ago, ljm42 said:

 

Properly setting up a reverse proxy is difficult; this is one of the reasons we added the Remote Access functionality. It should be possible to set up a reverse proxy instead of using remote access, but it isn't something we actively support.


There are a few guides out there I can probably leverage around reverse proxy. Ultimately I want my unraid server itself to be behind the proxy while leveraging this new feature.  Not too comfortable, security-wise, with having an internet-exposed port with a direct shot to the unraid OS.  Is there a technical white paper / write-up about this new plugin?

Sounds like I need to do some tinkering. I really do like this new plugin.

Edited by repomanz
Link to comment
33 minutes ago, repomanz said:

Ultimately I want my unraid server itself to be behind the proxy while leveraging this new feature.

 

Remote Access is an optional feature in My Servers. You do not have to enable it in order to use the other features.

Link to comment
1 hour ago, ljm42 said:

* On your flash drive, remove any files from the config/ssl/certs folder

* Edit the config/ident.cfg file on the flash drive and ensure you see a line that says USE_SSL="auto"  (if you see "no" or "yes", change it to "auto")

* Reboot (you mentioned being able to SSH in, you can type "reboot" from there)

* You should now be able to access your server via http://servername or http://ipaddress

 

At this point I see the webGUI login screen but can't log on - root/mypassword that works in SSH is not working in the webGUI.

 

I've tried to reset the root password - not working (reset only root password, reset all password).

 

After I deleted the root password and manually removed dynamix.unraid.net.plg from plugins, I managed to access the webGUI and started the array. But when I set a password for the root account, again I can't log on to the webGUI (the login screen accepts my password but redirects to the login page again; a wrong password gives me the warning "Invalid Username or Password")

 

Right now I will try to restore usb backup & again install plugin :D

 

Edited by Raptor
Link to comment
55 minutes ago, Raptor said:

 

At this point I see the webGUI login screen but can't log on - root/mypassword that works in SSH is not working in the webGUI.

 

I've tried to reset the root password - not working (reset only root password, reset all password).

 

After I deleted the root password and manually removed dynamix.unraid.net.plg from plugins, I managed to access the webGUI and started the array. But when I set a password for the root account, again I can't log on to the webGUI (the login screen accepts my password but redirects to the login page again; a wrong password gives me the warning "Invalid Username or Password")

 

Right now I will try to restore usb backup & again install plugin :D

 

 

Wow. I don't see how the My Servers plugin could affect this, but let's leave it out of the picture until you can set a root password again.

 

Deleting the files mentioned here from the flash and rebooting should get you a clean state with regards to passwords:

  https://wiki.unraid.net/Troubleshooting#Lost_root_Password

As part of this, I'd recommend putting the flash drive in a Windows computer and letting it fix any problems it finds.

 

After rebooting, go to Users (or Settings -> Users, depending how you are configured) and set a password for root. Be sure to press the "Change" button, not "Reset" :)

 

At that point you should be prompted to login. If still having issues, try clearing your cache and/or using a different browser.

Link to comment
8 minutes ago, OmgImAlexis said:

Please `unraid-api restart` in a terminal on that server. That should resolve it.

 

Thanks - that fixed it.  Can the unraid team add this to the install wiki (unless this will be handled as part of plugin update later)?

Link to comment
5 minutes ago, repomanz said:

 

Thanks - that fixed it.  Can the unraid team add this to the install wiki (unless this will be handled as part of plugin update later)?

If all goes well I hope this is actually fixed in one of the next updates and the install does run it.

Link to comment

OK, have added the plugin to both of my servers, configured my firewall to port forward a custom port to each server and added the 'unraid.net' domain to my DNS resolver. I was able to provision with Let's Encrypt and the flash drive backup activation appears successful. Alas, even after trying the 'unraid-api restart' in a terminal on each server, I'm still unable to get remote access working. When I try the 'Check' function it fails. When attempting it from a phone using my cellular provider's network (WiFi turned off), I get a 'You do not have permissions to view this page' error for the https://forums.unraid.net/my-servers/ URL.

 

Suggestions?

 

Link to comment
3 minutes ago, OmgImAlexis said:

If all goes well I hope this is actually fixed in one of the next updates and the install does run it.


This is most likely because I was already authenticated within my browser sessions with the unraid forum, but I noticed when I logged in with the My Servers plugin it did not prompt me for 2FA, which I have enabled. I assume the plugin referenced my authentication session token here.  I wonder if it would be better security when setting this up to prompt for 2FA.

Link to comment

So if someone port scans my WAN IP, sees the open port (not 443 btw) and hits it over and over again attempting brute force on root, what's in place to protect my server from this attack?

 

I fear this feature is born out of convenience and that security is going to be an afterthought with potential consequential results.

Link to comment
Just now, SpuddyUK said:

So if someone port scans my WAN IP, sees the open port (not 443 btw) and hits it over and over again attempting brute force on root, what's in place to protect my server from this attack?

 

I fear this feature is born out of convenience and that security is going to be an afterthought with potential consequential results.

 

That's why you use a complex password and hopefully eventual 2FA.

Link to comment
9 minutes ago, AgentXXL said:

 

That's why you use a complex password and hopefully eventual 2FA.

I think the first is a given, but more emphasis should surely be on 2FA and a fail2ban type solution before advising people to put their servers on the open internet. Just my thoughts, waiting for that first "my server has been hacked" post.

Edited by SpuddyUK
Link to comment

So I got it all up and running - except now when I go to tower/ or [ip address] it changes it to the unraid.net page. Is there a way to access it directly on my local network inside my network and from the unraid.net page outside of my network?

Link to comment
6 minutes ago, SpuddyUK said:

waiting for that first "my server has been hacked" post.

People have been opening up their Unraid servers and getting hacked for years. The "my servers" is hopefully a step forwards in that it requires ssl and passwords to be enabled to even work.

Link to comment
12 minutes ago, jonathanm said:

People have been opening up their Unraid servers and getting hacked for years. 

Only this time it's being actively endorsed by limetech. Maybe in addition to the 2FA for GUI login and fail2ban for x failed login attempts, there might be a requisite for a complex root password to even enable "my servers".

 

P.S. I am a cyber security researcher.

 

Hello lovely treasure trove of unraid servers to have a go at. This list is only going to increase as people enable the feature and search engines crawl.

https://www.shodan.io/search?query=unraid.net

Edited by SpuddyUK
Link to comment

 

2 minutes ago, jonathanm said:

People have been opening up their Unraid servers and getting hacked for years. The "my servers" is hopefully a step forwards in that it requires ssl and passwords to be enabled to even work.


Agree - it's a great step in the right direction. For future updates I'm hoping to see some further hardening.   Can someone explain the technical authentication details of how the remote access works? Is it my login, pass, 2fa token plus a unique generated ssh key? If those credentials fail what occurs? Block, Reject or hold the session open for a period of minutes?

Link to comment
3 minutes ago, repomanz said:

 


Agree - it's a great step in the right direction. For future updates I'm hoping to see some further hardening.   Can someone explain the technical authentication details of how the remote access works? Is it my login, pass, 2fa token plus a unique generated ssh key? If those credentials fail what occurs? Block, Reject or hold the session open for a period of minutes?

As I see it, 2FA is not required if you directly access https://yourhash.unraid.net, only if you login via the forum.

Link to comment
20 minutes ago, DevXen said:

So I got it all up and running - except now when I go to tower/ or [ip address] it changes it to the unraid.net page. Is there a way to access it directly on my local network inside my network and from the unraid.net page outside of my network?

Same questions. Disabled the plugin after disabling/logging out of the feature and now getting redirected to the hash URL. Currently unable to access GUI.

Any way to get it working again? Seems this needs a way to allow easier LAN access.

Edited by bluesky509
Link to comment
6 minutes ago, SpuddyUK said:

As I see it, 2FA is not required if you directly access https://yourhash.unraid.net, only if you login via the forum.

 

That is correct.  If you enable Remote Access this requires a port-forward in your router.  You must use a strong webGUI password (or what @SpuddyUK calls a complex password) and consider using a non-standard external port.

 

15 minutes ago, SpuddyUK said:

complex root password

 

Perhaps you can shed some light on what would be sufficiently complex?

Link to comment
3 minutes ago, bluesky509 said:

Same questions. Disabled the plugin after disabling/logging out of the feature and now getting redirected to the hash URL. Currently unable to access GUI.

Any way to get it working again? Seems this needs a way to allow easier LAN access.

 

I can access it with: https://IP:port   but since my local IP doesn't have an SSL certificate, it has a big warning in Firefox, "Warning: Potential Security Risk Ahead", and I have to accept the risk each time.

Link to comment
1 minute ago, bluesky509 said:

Tried that route. Not working.

So I disabled SSL and the IP address worked but would not let me sign in. However, tower/Main still worked and was logged in. So I enabled SSL again and now it's forwarding to the unraid.net page instead of the local IP. Hmm.

Link to comment
This topic is now closed to further replies.