jameson_uk Posted March 30, 2021

Is there a proper way of changing the listen address for SSH and the Unraid front end in a way that will stick? It looks like /etc/ssh/sshd_config has ListenAddress commented out, so it will default to 0.0.0.0, and /etc/nginx/conf.d/emhttp-servers.conf has:

listen *:80 default_server;
listen [::]:80 default_server;

Samba doesn't seem to have anything configured either, so I believe it will bind to all interfaces. So as it stands everything is listening on every interface. I can change each of the config files, but these won't survive a restart. Is there a way of achieving this?
bonienl Posted March 30, 2021

There is a "hidden" parameter which you need to set directly in the file /config/ident.cfg (it is not available in the GUI):

BIND_MGT="yes"

After setting this parameter, reboot your system and it will have all management-related access (GUI, ssh, telnet) restricted to eth0 (br0).
tjb_altf4 Posted March 31, 2021

> bonienl said:
> There is a "hidden" parameter which you need to set directly in the file /config/ident.cfg (it is not available in the GUI):
>
> BIND_MGT="yes"
>
> After setting this parameter, reboot your system and it will have all management-related access (GUI, ssh, telnet) restricted to eth0 (br0).

Can this be set up as an isolated network without breaking anything? i.e. does this network still need internet access for UnraidOS, Docker and plugin (GitHub) updates?
bonienl Posted March 31, 2021

> tjb_altf4 said:
> Can this be set up as an isolated network without breaking anything? i.e. does this network still need internet access for UnraidOS, Docker and plugin (GitHub) updates?

This setting restricts management access to interface eth0 only; this interface still needs connectivity as before to do upgrades and plugin/docker installations.
jameson_uk Posted March 31, 2021

> bonienl said:
> There is a "hidden" parameter which you need to set directly in the file /config/ident.cfg (it is not available in the GUI):
>
> BIND_MGT="yes"
>
> After setting this parameter, reboot your system and it will have all management-related access (GUI, ssh, telnet) restricted to eth0 (br0).

Always eth0? What about Samba / Docker? I don't actually have the second NIC yet to test, but I am hoping I would be able to have management and Samba on one NIC and Docker on both.
jameson_uk Posted August 31, 2021

OK, I have started playing around with this, and

BIND_MGT="yes"

seems to do the trick for the web interface. For Samba I added the following lines to the [global] section in the SMB config via the UI:

bind interfaces only = yes
interfaces = lo eth0

and that seems to work. SSH, however, is still listening on my second IP. I have added a VLAN interface in the network settings and assigned a static IP there. Now the only things I can see running on this VLAN IP are SSH and rpcbind (which is a separate question...) and the Docker mappings I have set up. Is the above incorrect, in that BIND_MGT does not limit SSH, or is this a bug?
jameson_uk Posted September 27, 2021

> On 8/31/2021 at 2:29 PM, jameson_uk said:
> Is the above incorrect, in that BIND_MGT does not limit SSH, or is this a bug?

Seems there are a few changes around access defaults in 6.10, so just bumping this. Particularly with the new cloud functions, I would certainly only want to allow SSH on my local network.
jameson_uk Posted October 4, 2021

In the vain hope that someone might actually look into these issues.... So doing some digging, I noticed that BIND_MGT does work for IPv4, but I can see that nginx is listening on ports 80/443 on all IPv6 interfaces. So the setting only appears to be working for IPv4.
sjaak Posted October 4, 2021

I can't connect with ssh to unRAID on the second NIC; bind_mgt works fine for me... Also nginx is only listening on eth0. I don't have SSL enabled, so no listening on port 443. SMB/NFS is not affected by this setting; it's not a management thing...
itimpi Posted October 4, 2021

> sjaak said:
> I can't connect with ssh to unRAID on the second NIC; bind_mgt works fine for me... Also nginx is only listening on eth0. I don't have SSL enabled, so no listening on port 443. SMB/NFS is not affected by this setting; it's not a management thing...

You basically want to have the NIC that is going to be used to access Unraid set as eth0. You can change which NIC is eth0 under Settings -> Network Settings.
jameson_uk Posted October 4, 2021

> sjaak said:
> I can't connect with ssh to unRAID on the second NIC; bind_mgt works fine for me... Also nginx is only listening on eth0. I don't have SSL enabled, so no listening on port 443. SMB/NFS is not affected by this setting; it's not a management thing...

So when you run netstat -nplt, what does it say for port 22? Before I added ListenAddress x.x.x.x to /boot/config/ssh/sshd_config there was no listen address specified, so it was listening on 0.0.0.0:22 (i.e. all interfaces). As for nginx, the same goes; I see

tcp        0      0 x.x.x.x:80      0.0.0.0:*       LISTEN      9182/nginx: master
tcp6       0      0 :::80           :::*            LISTEN      9182/nginx: master

So whilst it is bound correctly for IPv4, it is still bound to all interfaces for IPv6. I must admit there is one subtlety I have overlooked in my config, in that my second NIC is actually a virtual interface, so it is eth0.10, but regardless of that netstat was clearly showing sshd listening on 0.0.0.0:22, so I don't see why this wouldn't have worked from a second NIC.
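The netstat check discussed in the thread, as an added example (not part of the original thread or of Unraid): a small POSIX sh/awk audit that takes `netstat -nplt` output and lists every TCP listener not bound to the management address, flagging wildcard binds on both 0.0.0.0 and the IPv6 `::` so the case above (nginx correct on IPv4, still on `:::80`) shows up. The sample output, the management IP 192.168.1.10 and the PIDs/program names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit "netstat -nplt" output for listeners that are not bound to the
# management address. Wildcard binds (0.0.0.0 and ::) and any other explicit address are
# reported; loopback and the management IP are treated as expected.
# The sample below is constructed (PIDs, program names and 192.168.1.10 are made up),
# modelled on the lines quoted in the thread: nginx bound to the IPv4 address but still
# on the IPv6 wildcard, and sshd on 0.0.0.0:22.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN      9182/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      9182/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 192.168.1.10:445        0.0.0.0:*               LISTEN      2345/smbd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      3456/example'

# find_exposed MGMT_IP NETSTAT_OUTPUT
# Prints one line per exposed listener: "<addr> <port> <kind> <pid/program>".
find_exposed() {
  mgmt="$1"
  printf '%s\n' "$2" | awk -v mgmt="$mgmt" '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
      laddr = $4
      # The port is everything after the last ":"; the rest is the address,
      # which keeps IPv6 forms such as "::" and "::1" intact.
      n = split(laddr, parts, ":")
      port = parts[n]
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "::")
        kind = "wildcard"
      else if (addr == mgmt || addr == "127.0.0.1" || addr == "::1")
        next
      else
        kind = "other-address"
      print addr, port, kind, $7
    }'
}

# count_exposed MGMT_IP NETSTAT_OUTPUT -> number of exposed listeners (0 when clean)
count_exposed() {
  find_exposed "$1" "$2" | grep -c . || true
}

# Run against the constructed sample. On a live box, as root so that -p shows
# program names, use:  find_exposed 192.168.1.10 "$(netstat -nplt)"
find_exposed 192.168.1.10 "$SAMPLE"
```

Against the sample this reports two lines, `:: 80 wildcard 9182/nginx:` and `0.0.0.0 22 wildcard 1234/sshd`, while the smbd listener on the management IP and the loopback-only service are accepted. The address is split at the last colon rather than the first so that IPv6 locals such as `:::80` are parsed correctly; a one-off check after a reboot is the quickest way to confirm that BIND_MGT, the Samba `interfaces` lines and an sshd `ListenAddress` actually took effect on both address families.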
sjaak Posted October 5, 2021

> itimpi said:
> You basically want to have the NIC that is going to be used to access Unraid set as eth0. You can change which NIC is eth0 under Settings -> Network Settings.

I know.

> jameson_uk said:
> So when you run netstat -nplt, what does it say for port 22? Before I added ListenAddress x.x.x.x to /boot/config/ssh/sshd_config there was no listen address specified, so it was listening on 0.0.0.0:22 (i.e. all interfaces). As for nginx, the same goes; I see
>
> tcp        0      0 x.x.x.x:80      0.0.0.0:*       LISTEN      9182/nginx: master
> tcp6       0      0 :::80           :::*            LISTEN      9182/nginx: master
>
> So whilst it is bound correctly for IPv4, it is still bound to all interfaces for IPv6. I must admit there is one subtlety I have overlooked in my config, in that my second NIC is actually a virtual interface, so it is eth0.10, but regardless of that netstat was clearly showing sshd listening on 0.0.0.0:22, so I don't see why this wouldn't have worked from a second NIC.

Dangit, just tested another NIC with a static IP; I can access the GUI... ssh is only listening to eth0. nginx is indeed listening on 0.0.0.0 and ::: so it is open on the other networks. I don't have Unraid enabled to use IPv6; only some Dockers and VMs are using IPv6...