My Servers Early Access Plugin


jonp


2 minutes ago, limetech said:

 

That is correct.  If you enable Remote Access this requires a port-forward in your router.  You must use a strong webGUI password (or what @SpuddyUK calls a complex password) and consider using a non-standard external port.

 

 

Perhaps you can shed some light on what would be sufficiently complex?

Opinions differ but consensus is generally at least 12 characters to include all of the four categories of lower-case, upper-case, number(s) and symbol(s).

 

Of course you can lead a horse to water but not make them drink, so there is a risk of Password01!!, so any logic around preventing those types of passwords would probably be helpful too. There are countless lists online of the 100 most used passwords that you might be able to reference and prevent being used/saved.

Link to comment
53 minutes ago, SpuddyUK said:

So if someone port scans my WAN IP, sees the open port (not 443 btw) and hits it over and over again attempting brute force on root, what's in place to protect my server from this attack?

 

We limit logins processed by nginx in this manner:

 

#
# limit the amount of failed auth requests per IP address
#
limit_req_zone $binary_remote_addr zone=authlimit:1m rate=30r/m;

:

location /login {
        allow all;
        limit_req zone=authlimit burst=20 nodelay;
        try_files /login.php =404;
        include fastcgi_params;
}

 

56 minutes ago, SpuddyUK said:

I fear this feature is born out of convenience and that security is going to be an afterthought with potential consequential results.

 

Absolutely not.  This feature has been in development for a long time and a lot of the delay in release, even for beta, has been around security concerns.

 

 

33 minutes ago, SpuddyUK said:

p.s I am a cyber security researcher.

 

We very much appreciate your feedback.

9 minutes ago, DevXen said:

So I disabled SSL and the IP address worked but would not let me sign in. However, tower/Main still worked and was logged in. So I enabled SSL again and now it's forwarding to the unraid.net page instead of the local IP. Hmm.

I found I am now only able to access unraid via a different computer that I originally had used to set this feature up. I can access it via hash or local IP but am unable to get to it from other computers on the network. Re-enabled remote feature and trying to get access via forums won't connect either. Plugin says it's working!?!?!

 

EDIT... Working again. Not sure why it wasn't working before.

8 minutes ago, SpuddyUK said:

Opinions differ but consensus is generally at least 12 characters to include all of the four categories of lower-case, upper-case, number(s) and symbol(s).

 

Of course you can lead a horse to water but not make them drink, so there is a risk of Password01!!, so any logic around preventing those types of passwords would probably be helpful too. There are countless lists online of the 100 most used passwords that you might be able to reference and prevent being used/saved.

 

There is a plugin available: Dynamix Password Validator:

 

"Adds the "zxcvbn.js" javascript password validator script, which is used for password strength validation. Passwords are rated in five strengths: worst, bad, weak, good, strong."

1 hour ago, AgentXXL said:

OK, have added the plugin to both of my servers, configured my firewall to port forward a custom port to each server and added the 'unraid.net' domain to my DNS resolver. I was able to provision with Let's Encrypt and the flash drive backup activation appears successful. Alas even after trying the 'unraid-api restart' in a terminal on each server, I'm still unable to get remote access working. When I try the 'Check' function it fails. When attempting it from a phone using my cellular provider's network (WiFi turned off), I get a 'You do not have permissions to view this page' error for the https://forums.unraid.net/my-servers/ URL.

 

Suggestions?

 

 

So still no luck... the 'Check' function fails on both of my servers. Tried the 'unraid-api restart' on both, rebooted, still no go. One of the servers shows up as available for remote access when I go to the url using my cell network, but it won't actually connect.

 

After a reboot both servers show up in the My Servers section, one with a checkmark and the other with a red X. The one with the checkmark is the one that shows remote access as available, but won't connect. I'll potentially try the full reset method mentioned but I'll need to let my users finish their Plex sessions.

 

 

11 minutes ago, limetech said:

 

We limit logins processed by nginx in this manner:

 


#
# limit the amount of failed auth requests per IP address
#
limit_req_zone $binary_remote_addr zone=authlimit:1m rate=30r/m;

:

location /login {
        allow all;
        limit_req zone=authlimit burst=20 nodelay;
        try_files /login.php =404;
        include fastcgi_params;
}

 

 

Absolutely not.  This feature has been in development for a long time and a lot of the delay in release, even for beta, has been around security concerns.

 

 

 

We very much appreciate your feedback.

Thanks for the considered response and for being open about it. Happy to take anything offline where helpful.

 

Rate-limiting is a great tool to employ as part of a wider security hardening toolkit. Unfortunately, with botnets the above will do little to prevent a brute-force of root on a specific server. All those hundreds of thousands if not millions of IoT devices that have been compromised will do their business for them from individual IP addresses. Fail2Ban suffers similarly. This is why layers are so important.

 

Let me be clear, I am a paid customer and enthusiast of unraid. I even quite like the features this offers in principle. However, my fear is that savvy users who require remote access have already arranged it with something like a VPN, WireGuard or the like. We might be sweeping the rest along here into remote access with root and "rootpassword".

 

Additionally, I would suggest some security auditing of the code/api if you haven't already done so. Better to pay someone to find potential routes to compromise than being held over a barrel. Bug bounty could be beneficial, free license/$500/xyz for each vulnerability rated x or above.

 

I will keep an eye on this to see how it develops. 

 

Thanks for engaging.

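As an added example (not Limetech's or Unraid's code), the following Python models the nginx limit_req bucket quoted above with the thread's rate=30r/m and burst=20 nodelay settings, then pushes constructed login traffic through it first from one address and then spread over 200 addresses, which is the botnet case raised in the reply above. The addresses and timings are constructed; the bucket arithmetic mirrors the nginx module.

```python
# Added example (not Limetech's or Unraid's code): a model of nginx's limit_req
# leaky bucket with the settings quoted in the thread,
#   limit_req_zone $binary_remote_addr zone=authlimit:1m rate=30r/m;
#   limit_req zone=authlimit burst=20 nodelay;
# Arithmetic follows ngx_http_limit_req_module: excess is kept in thousandths
# of a request, decays at `rate`, grows by 1000 per request, and a request is
# rejected (503) once excess exceeds burst*1000. A rejected request does not
# touch the bucket, so a flood cannot extend its own penalty.

RATE_PER_MS_X1000 = 30 * 1000 // 60   # 30r/m -> 500, i.e. 0.5 requests/second
BURST_X1000 = 20 * 1000               # burst=20

class LoginRateLimiter:
    def __init__(self, rate=RATE_PER_MS_X1000, burst=BURST_X1000):
        self.rate, self.burst = rate, burst
        self.state = {}                     # client ip -> (excess, last_ms)

    def allow(self, ip, now_ms):
        """True if the request reaches /login.php, False if nginx answers 503."""
        if ip not in self.state:            # first request from this address
            self.state[ip] = (0, now_ms)
            return True
        excess, last = self.state[ip]
        excess = max(excess - self.rate * (now_ms - last) // 1000 + 1000, 0)
        if excess > self.burst:
            return False
        self.state[ip] = (excess, now_ms)
        return True

def run(attempts):
    """attempts: list of (timestamp_ms, client_ip). Returns (accepted, rejected)."""
    limiter = LoginRateLimiter()
    accepted = sum(limiter.allow(ip, ts) for ts, ip in attempts)
    return accepted, len(attempts) - accepted

def single_source(n=200, interval_ms=100, ip="198.51.100.7"):
    # Constructed traffic: one host retrying the login form ten times a second.
    return [(i * interval_ms, ip) for i in range(n)]

def distributed(n=200, interval_ms=100):
    # Constructed traffic: the same attempts spread over n different addresses
    # (documentation range), the way a botnet would deliver them.
    return [(i * interval_ms, f"203.0.113.{i % 256}") for i in range(n)]

if __name__ == "__main__":
    print("one address   (accepted, rejected):", run(single_source()))  # (30, 170)
    print("200 addresses (accepted, rejected):", run(distributed()))    # (200, 0)
```

One address gets 30 of its 200 attempts through in 20 seconds; the same 200 attempts from 200 addresses all pass, which is why the per-IP limit needs per-account controls (lockout, 2FA) layered on top.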
1 minute ago, AliH said:

Isn't 2FA a feature of the unraid server plugin?

No it's only for forum login.  Besides being nice in general, when you install the unraid.net plugin and sign-in the server, you see a new forum submenu item called "My Servers".  When you click that you can see all your servers that have the plugin installed and also have signed in.  There is a limited set of functionality at this time, however we wanted to offer a little more security for accessing the My Servers forum menu item.

 

Note: if you enable the Remote Access feature you must use a strong root password on each individual signed-in server.  We plan to add 2FA also to the server root login as well (incorporation of PAM in 6.9 was a step in this direction).


Looking forward to 2FA for root.

I am now able to access the GUI via local IP, bypassing the security notice. My Servers says I'm online and with local access enabled, but now the hash URL isn't working.

 

Also, it says it doesn't recommend port 444. Are there ports that are recommended?

4 minutes ago, bluesky509 said:

Looking forward to 2FA for root.

I am now able to access the GUI via local IP, bypassing the security notice. My Servers says I'm online and with local access enabled, but now the hash URL isn't working.

 

My remote access isn't working because it's conflicting with SWAG, I think. If I change the port from 443 to a different port it works, but then I have to add that to my webGUI to use Unraid and that's kinda a pain.

37 minutes ago, bluesky509 said:

Would SWAG cause any conflicts with the remote feature as long as SWAG is not utilizing port 443 or 80?

Trying to figure out why my hash url isn't working.

I think SWAG has to have port 443 forwarded to whichever port SWAG is set for, so it can intercept all HTTPS connections and redirect them as set, since services like Nextcloud will attempt to connect on 443.

2 hours ago, DevXen said:

So now I'm kinda afraid that if I disable or remove the plugin I won't be able to access my server.

 

Just to be clear, the My Servers plugin has nothing to do with setting up SSL for local access, except that local SSL is a pre-requisite for Remote Access.  

 

Whether or not the My Servers plugin is installed has no bearing on how local SSL works.

 

You can have the plugin installed with local SSL disabled and you will have access to all of My Servers except for Remote Access.

 

3 hours ago, DevXen said:

So I disabled SSL and the IP address worked but would not let me sign in. However, tower/Main still worked and was logged in. So I enabled SSL again and now it's forwarding to the unraid.net page instead of the local IP. Hmm.

 

With SSL enabled you have to access the server using... SSL

 

So with SSL enabled if you go to http://<computername> or http://<ip address> it will automatically redirect you to the secure https://yourpersonalhash.unraid.net

 

If you try to use https://<computername> or https://<ip address> your browser will complain because the SSL certificate does not match. Although you can ignore the warning and use the webgui through these invalid urls, there is no reason to do that. You should visit http://<ip address> and let the server redirect you to the secure url.

 

If you absolutely do not want to use the yourpersonalhash.unraid.net url then you will need to disable SSL. It is not possible to have a non-self-signed SSL certificate without a Fully Qualified Domain Name, which is what the unraid.net url seamlessly provides.

1 hour ago, bluesky509 said:

Would SWAG cause any conflicts with the remote feature as long as SWAG is not utilizing port 443 or 80?

Trying to figure out why my hash url isn't working.

Using SWAG, not utilizing 80 or 443, and all working fine after "unraid-api restart".

7 minutes ago, ljm42 said:

Just to be clear, the My Servers plugin has nothing to do with setting up SSL for local access, except that local SSL is a pre-requisite for Remote Access. 

If SSL is currently disabled will this plugin change that setting as part of the install process?

9 minutes ago, ljm42 said:

You can have the plugin installed with local SSL disabled and you will have access to all of My Servers except for Remote Access.

 

I was more concerned with the fact that when I disabled SSL and accessed my http://ip as well as http://tower it wanted me to login and wouldn't accept my login credentials, or allow me to login.

3 hours ago, AgentXXL said:

So still no luck... the 'Check' function fails on both of my servers.

 

So you successfully setup local SSL and are accessing the server through https://yourpersonalhash.unraid.net , correct?

 

And now you trying to enable Remote Access, but when you press "Check" it gives an error? 

 

This means either:

1) DNS for www.yourpersonalhash.unraid.net is not resolving (note the "www" up front, this should resolve to your external IP)

2) or your port forward is not working

 

Reinstalling the plugin will not help, nor will restarting the api :) 

 

At one point you mentioned:

> added the 'unraid.net' domain to my DNS resolver.

I'm not sure what that means?

Just now, DevXen said:

I was more concerned with the fact that when I disabled SSL and accessed my http://ip as well as http://tower it wanted me to login and wouldn't accept my login credentials, or allow me to login.

 

I suspect that your browser has cached its knowledge of https being configured for that domain and so the login process was being redirected behind the scenes. Clearing your cache or using incognito mode will likely solve it.

Just now, ljm42 said:

 

I suspect that your browser has cached its knowledge of https being configured for that domain and so the login process was being redirected behind the scenes. Clearing your cache or using incognito mode will likely solve it.

 

Aww, I tried incognito mode and it didn't let me login. I went back to SSL. But maybe I'll disable it and clear the cache and see if that works. But it had me freaking out because I couldn't access my server. Luckily it was still logged in on another tab and I was able to enable SSL and get back into it.

12 minutes ago, wgstarks said:

If SSL is currently disabled will this plugin change that setting as part of the install process?

 

No the plugin does not automatically change anything related to local SSL access.

 

The only time it changes is if you are following the instructions here:

  https://wiki.unraid.net/My_Servers#Configuring_Remote_Access

and you provision a certificate for local access. Local SSL access has been core Unraid functionality for a few years and is not related to the plugin.
