tech_rkn Posted April 17, 2021 I saw the 2FA for the forum. Nice. How about 2FA for unRAID itself? I am using my YubiKey on almost every account/service I have, except my own unRAID...
gacpac Posted April 19, 2021 I saw this coming from a mile away when the feature was advertised via the plugin. Port forwarding can be quite dangerous if not done right. I'd still rather use OpenVPN for that. Thanks @jonp for the post!!
tech_rkn Posted April 20, 2021 Securing a tunnel with OpenVPN or WireGuard is nice, but an unsecured door is still an unsecured door... There is a SPOF in every home: your ISP router. Usually, for economic reasons, these boxes are of low-grade quality, sometimes without a firewall or even set with an admin/admin-like password that is never changed by the users, and they can be (not so easily, but feasibly) accessed through Wi-Fi (as with my neighbours, both of them, with 2 different ISPs). Once that is done, their networks are simply open. At that point, forget your nicely done tunnel. Adding one more security layer like 2FA/FIDO validation for the sign-in is not so stupid.
aarontry Posted May 12, 2021 Thanks for sharing on security. I often need to access the unRaid GUI while I'm out on a trip. I used to use OpenVPN to connect to home and access the management GUI from the LAN. Now with 6.9.2 I have port forwarding set up for HTTPS to unRaid and it's the only port I am exposing to the internet. A strong root password has been set and all other services are behind my firewall. So now my question is: is it equally safe to access my server this way compared to accessing through OpenVPN?
JonathanM Posted May 12, 2021 20 minutes ago, aarontry said: Is it equally safe to access my server this way compared to accessing through OpenVPN? No, it trades security for convenience. A properly configured VPN means only encryption-key-configured and credentialed endpoints can gain access, instead of only requiring a browser and password. However, in the context of this thread, it seems to be secure enough for the moment, as the hacked servers invariably seemed to have blank root passwords.
aarontry Posted May 12, 2021 1 minute ago, jonathanm said: No, it trades security for convenience. A properly configured VPN means only encryption-key-configured and credentialed endpoints can gain access, instead of only requiring a browser and password. However, in the context of this thread, it seems to be secure enough for the moment, as the hacked servers invariably seemed to have blank root passwords. The only vulnerability I can think of regarding the security of the unRaid server in this context is that there might be undiscovered security issues that allow attackers to bypass the form-based login and gain access to other services.
mmwilson0 Posted May 12, 2021 On 3/24/2021 at 7:20 PM, jonp said: Set a strong root password. On 3/24/2021 at 7:20 PM, jonp said: Set up 2FA on your Unraid Forum Account. Can we please please please get the ability to create user accounts, disable root logon, and enable MFA?
trurl Posted May 12, 2021 10 hours ago, aarontry said: I often need to access the unRaid GUI while I'm out on a trip. Very easy to do this, just set up WireGuard. I can access my whole LAN that way. WireGuard is built into Unraid. Then, you will have the situation where, as 10 hours ago jonathanm said: only encryption-key-configured and credentialed endpoints can gain access.
aarontry Posted May 13, 2021 17 hours ago, trurl said: Very easy to do this, just set up WireGuard. I can access my whole LAN that way. WireGuard is built into Unraid. Then, you will have the situation where What's the purpose of the new plugin (unraid.net) if VPN is the preferred way of accessing unRaid? I already have the VPN set up and I am considering switching to the plugin instead.
itimpi Posted May 13, 2021 1 hour ago, aarontry said: What's the purpose of the new plugin (unraid.net) if VPN is the preferred way of accessing unRaid? I already have the VPN set up and I am considering switching to the plugin instead. The remote access feature of the plugin may not be quite as secure as using a VPN, but it is much easier (and thus less error-prone) for the naïve user to set up. The plugin does, however, have other features that you can use even if you do not intend to use the remote access feature.
billington.mark Posted May 13, 2021 On 4/17/2021 at 9:16 AM, tech_rkn said: I saw the 2FA for the forum. Nice. How about 2FA for unRAID itself? I am using my YubiKey on almost every account/service I have, except my own unRAID... +1 to this. A TOTP 2FA code implementation would be a welcome feature addition.
Marshalleq Posted September 5, 2021 As far as I know, a DMZ is actually not meant to be a forward-everything thing, but it just happens to be implemented that way on cheap routers that you'd get from an ISP. So the advice is sound for that segment. If, however, you had a proper firewall, like OPNsense/pfSense and many others, putting something in the DMZ doesn't automatically forward all ports there. It's just meant to be a place which protects your internal network from the private by having the private limit where it connects, and the same for the public. These days, networks are so complicated that the branding of a DMZ, I assume, has mostly gone out the window, but the concept continues to be used, and these cheap routers keep it as a free-for-all to get things going when people don't fully understand what they're doing. That's my 2c anyway - just wanted to throw a bit of education along with the 'don't do' statement.
Goldmaster Posted December 12, 2021 (edited) Would be good to edit this post to also consider installing Tailscale, which is built on WireGuard and requires NO port forwarding. @Sycotix has done a video guide on setting it up here: https://youtu.be/nzBQTJ2isOI Edited December 12, 2021 by Goldmaster
Vetteman Posted December 16, 2021 (edited) Sorry if this is asked elsewhere. I do have experience setting up shared folders at work, as I was a system admin for 30 years via Novell NetWare, Windows servers and Novell SUSE. At home I've been using an Ubuntu variant, Zorin OS, for file sharing. So for the shares I've created on Unraid I have set the following:
Export: Yes (hidden)
Security: "Private" (I have read/write, other user accounts read-only)
My question is about the default Unraid shares. I've set them (domains, appdata, isos, system) to Export "No" and Security "Public". But I'm wondering if I should set Export to "Hidden" and Security to "Private", giving no one access?
On my Ubuntu server using the default firewall, ufw, I would close all Samba ports: UDP 137, 138 and TCP 139, 445. Then open them up for the hosts on my private home network using the following syntax for each of the client computers that required access. The shares were also accessed via a username and password, like Unraid.
sudo ufw allow proto udp to any port 137,138 from 10.x.x.x
sudo ufw allow proto tcp to any port 139,445 from 10.x.x.x
Is this doable or advisable to do in Unraid? Not sure what firewall Unraid is using? I found that using "host allow" or "host deny" in the smb.conf did not work for me, so I used the ufw rules, which worked 100% of the time after restarting the firewall. Cheers & many thanks... Vetteman
Edited December 16, 2021 by Vetteman: removed "flash" drive as my questions re flash were addressed earlier in this thread
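The source-restricted Samba policy in the post above, expressed as data and checked, is added here as an example; it is neither Vetteman's own commands nor anything shipped with Unraid. It assumes ufw semantics (a default-deny inbound policy plus allow rules keyed on source network) and uses constructed trusted networks; whether Unraid itself runs ufw is not something this thread establishes, so the script only renders and evaluates the rules, it does not apply them.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Samba's listening ports as listed in the post above: NetBIOS name and
# datagram services over UDP, NetBIOS session service and direct-hosted
# SMB over TCP.
SAMBA_PORTS: Dict[str, Tuple[int, ...]] = {"udp": (137, 138), "tcp": (139, 445)}


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Accept a single host ('10.0.0.5') or a CIDR block ('10.0.1.0/24').

    Anything that is not a syntactically valid IPv4 host or network (for
    example a comma-separated '10,x,x,x' placeholder) raises ValueError, so
    a typo is caught before it becomes a rule that matches nothing.
    """
    net = ipaddress.ip_network(spec, strict=False)
    if net.version != 4:
        raise ValueError(f"IPv4 address or network expected: {spec!r}")
    return net


def ufw_rules(trusted: Iterable[str]) -> List[str]:
    """Render the policy as ufw commands: default-deny inbound, then one
    allow rule per (trusted network, protocol) limited to the Samba ports."""
    rules = ["sudo ufw default deny incoming"]
    for spec in trusted:
        net = parse_network(spec)
        for proto, ports in SAMBA_PORTS.items():
            port_list = ",".join(str(p) for p in ports)
            rules.append(
                f"sudo ufw allow proto {proto} to any port {port_list} "
                f"from {net.with_prefixlen}"
            )
    return rules


def is_permitted(proto: str, port: int, src: str, trusted: Iterable[str]) -> bool:
    """Evaluate one inbound connection against the same policy.

    True only when the source lies inside a trusted network AND the port is
    a Samba port for that protocol; everything else (another port, an
    unknown address, a malformed address) falls through to the default deny.
    """
    try:
        src_addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if port not in SAMBA_PORTS.get(proto.lower(), ()):
        return False
    # IPv4Network.__contains__ returns False for an IPv6 source address,
    # so a v6 client never matches a v4 trusted network.
    return any(src_addr in parse_network(spec) for spec in trusted)


if __name__ == "__main__":
    # Constructed sample: one management laptop and one trusted /24.
    trusted_hosts = ["10.0.0.5", "10.0.1.0/24"]
    for rule in ufw_rules(trusted_hosts):
        print(rule)
    print(is_permitted("tcp", 445, "10.0.1.77", trusted_hosts))    # True
    print(is_permitted("tcp", 445, "192.168.1.5", trusted_hosts))  # False
    print(is_permitted("tcp", 22, "10.0.1.77", trusted_hosts))     # False
```

Keeping the trusted list in one place and generating the rules from it avoids the drift the post hints at (rules added per client by hand); the `is_permitted` check is the same policy read the other way round, which is handy for confirming before a restart that a given client will still reach port 445 and that nothing outside the list will.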
itimpi Posted December 16, 2021 If you do not export those shares then the security setting is not relevant. If you do want to export them then your ideas make sense.
Vetteman Posted December 20, 2021 On 12/17/2021 at 7:46 AM, NAStyBox said: Are they all coming from the same region by chance? I believe that is a very fair question. Perplexed why no one has answered.
ChatNoir Posted December 20, 2021 Just now, Vetteman said: I believe that is a very fair question. Perplexed why no one has answered. If memory serves, the IPs of origin were all over the place. Europe, Asia, US, etc. But that doesn't mean much since the hackers probably don't use their home IP address.
SpencerJ Posted December 20, 2021 8 minutes ago, Vetteman said: I believe that is a very fair question. Perplexed why no one has answered. 5 minutes ago, ChatNoir said: But that doesn't mean much since the hackers probably don't use their home IP address. This^. We also don't have much attacker info. This warning was issued due to various (mostly new) users coming here in bad situations, and we felt it was best to try and reiterate the best practices in the OP.
V1per5h0t Posted January 5, 2022 (edited) RDP attacks are becoming common because (a) more people are working from home, so they are using this service, and (b) it seems relatively simple to identify if an IP address has exposed RDP ports and is therefore a hackable target. Firstly, please do not forward ports through your firewall, especially not for RDP (for the reason above). VPNs are a good option for RDP, but I personally use Cloudflare's tunneling capabilities. If you want to figure out how to set up a tunnel on Unraid: Cloudflare: How to Set up Cloudflare Argo Tunnel FREE on Unraid - Bypass CGNAT - YouTube. If you want to then set up RDP over that tunnel, see: Connect through Cloudflare Access over RDP · Cloudflare for Teams docs. Edited January 5, 2022 by V1per5h0t: inserting links
murk00 Posted February 19, 2023 The only port that I have open is for running Plex, which allows remote access. What are the best practices to protect myself in this situation?
GRRRRRRR Posted February 19, 2023 The question is when VPN is not an option, right? When I absolutely must open the port to the Internet or an unverified system (what if the hackers are in Plex itself already and get in through that?), in this case I put in as much OS-level hardening as I can. Usually, however, it's a custom boundary based on the OS features plus some security system features, such as run as limited user, AppArmor, Docker, VM etc. I turn on as many things as there are, as well as not putting any actual data near the open port, so it's like a DMZ? With multiple checkpoints, nothing comes in that should not, and nothing comes out that should not. If it's HTTP I put a WAF in front. In front of that I put a Suricata. And in front of that, even a third-party scrubbing service with a sensitive auto-trigger, if I have to. And in front of that I can put a cloud CDN for additional protection and scrubbing. I can also put a weird analytical system that does weird anomaly pattern detection and even fine-tune that algorithm for a very sensitive auto-trigger. I can also put a few simple scripts that let me in separately, and then my Plex client that's with me can also go in. All that because some Plex client devices, such as SmartTVs at the GF's house, may not be able to VPN in.
PhilBarker Posted March 10, 2023 There's a big difference between opening up the Plex port for sharing your legally purchased media and opening up the main web port so you can access the Unraid admin panel remotely. I'd never even consider doing that - as others have said, you can use a VPN for that, or personally I use Tailscale. The Tailscale client installs on my phone, laptop etc., and I can access my Unraid admin panel from anywhere securely if I need to (not that I ever have had to). These kinds of hacks are usually not that smart and are just scanning IPs looking for an Unraid server to respond. If you've only got Plex ports open you've not got much to worry about.