tech_rkn (posted April 21, 2021):

Dear community, some thoughts following a CNN article about: "hackers repeatedly took advantage of several known flaws and one newly discovered vulnerability in Pulse Secure VPN, a widely used remote connectivity tool, to gain access to dozens of organizations in the defense industrial sector". I am pretty sure other VPNs like WireGuard and OpenVPN may have the same flaws. But there is another point of failure in our network: our ISP routers. Bypassing the VPN by direct access using them is possible, even sometimes easy, as they have built-in logins like admin/admin most of the time... Yesterday, using Burp, Hydra and Kali, I gained access to a test network through the Wi-Fi as a demonstration to one of my friends, trying to show him how to harden his ISP router. Once done, I hit his OpenMediaVault GUI, trying to log in. Using an ESET network scanner, I highlighted a login failure as admin/openmediavault was still in use. The only thing stopping me, given the lack of time, was his 2FA protection. My point here is that unRAID might be in the same trouble, and doesn't have 2FA login protection. What are your thoughts on this subject?
Murr (posted April 25, 2021):

While I agree with you that the security in UnRAID seems pretty weak at default settings, your router admin page should not be accessible from the outside if you configure it correctly and keep it up to date. You highlight a big problem though: default settings in all these Docker containers we pull, and I think that boils down to the individual user and the software being used. Your friend is tech savvy enough to set up his own OMV on UnRAID, so he should definitely be techy enough to know to change the default admin password. And the software should be made in such a way that default passwords are a major error event that fires warnings every time you log in to it. 2FA is in my opinion a complementary security feature that should not keep a piece of software secure on its own. But I hope some big steps are taken in regards to security by the UnRAID team going forward. I'm still on my trial period with 12 days left and I really love UnRAID, but I keep being scared by some security defaults (SSH enabled with password even though the keys are generated and stored on flash, no simple switch in the UI to disable password logons, why???). Root as the default user, major functionality put in the hands of the community (Fix Common Problems etc.), which is a huge attack surface because I guess these plugins in UnRAID run as root? It only takes one big community add-on to be hit and a lot of servers will be infected, and I guess UnRAID's stance on this issue will be something along the lines of "you used community add-ons at your own risk", which is true. Sorry if I'm ranting in a somewhat unrelated thread, as this post is more about general security on UnRAID.
EArroyo (posted September 25, 2021):

I think 2FA on the web login would be a VERY useful and wise addition to unRAID. Right now username/password is limiting me to having to connect to my VPN in order to peek at my server and see how it's doing...
paaland (posted October 1, 2021):

It should also be possible to disable password authentication via SSH and only rely on SSH keys, since that's tied to the web login (same username & password on both).
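The setting paaland is asking for is `PasswordAuthentication no` in sshd_config, and the easy mistake when hardening it by hand is forgetting that sshd takes the first value it reads for a keyword (a later `no` does not override an earlier `yes`), and that keyboard-interactive (PAM) prompts are a second path to a password login. The following is an added example, not paaland's script and not Unraid's code: a POSIX shell checker that resolves the effective value of the relevant keywords the way sshd does in the global section, applies OpenSSH's defaults when a keyword is absent, and reports whether password logins are really off. The two sample configs it writes are constructed for the demonstration; the `Match` block handling is simplified to "stop reading at the first Match", which is an assumption that suffices for a root-only box like Unraid.

```shell
#!/bin/sh
# Added example (not Unraid's code): decide whether an sshd_config actually
# disables password logins. sshd applies the FIRST value it reads for each
# keyword, keywords are case-insensitive, and "Key value" / "Key=value" are
# both accepted. Only the global section before any "Match" block is read.

# Print the effective value of KEYWORD in FILE, or DEFAULT when it is unset.
sshd_effective_value() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    default=$3
    val=$(awk -v key="$key" '
        {
            line = $0
            sub(/#.*/, "", line)            # drop comments
            sub(/=/, " ", line)             # allow Key=value
            n = split(line, f)
        }
        n == 0 { next }                     # blank or comment-only line
        tolower(f[1]) == "match" { exit }   # global section ends here
        tolower(f[1]) == key { print tolower(f[2]); exit }   # first value wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Exit 0 when password-based logins are off: PasswordAuthentication no,
# keyboard-interactive off (the path PAM password prompts use), and root
# not allowed to log in with a password. Defaults are OpenSSH's own.
sshd_password_logins_disabled() {
    file=$1
    pw=$(sshd_effective_value "$file" PasswordAuthentication yes)
    # ChallengeResponseAuthentication is the old name of KbdInteractiveAuthentication.
    cra=$(sshd_effective_value "$file" ChallengeResponseAuthentication yes)
    kbd=$(sshd_effective_value "$file" KbdInteractiveAuthentication "$cra")
    root=$(sshd_effective_value "$file" PermitRootLogin prohibit-password)
    [ "$pw" = no ] && [ "$kbd" = no ] && [ "$root" != yes ]
}

# Write a constructed sample config ("weak" or "hardened") to a temp file and
# print its path. These are demonstration inputs, not real Unraid defaults.
make_sample_sshd_config() {
    path=$(mktemp)
    if [ "$1" = hardened ]; then
        cat > "$path" <<'EOF'
# hardened: keys only; root may log in, but never with a password
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
# a later duplicate does NOT override the earlier line
PasswordAuthentication yes
EOF
    else
        cat > "$path" <<'EOF'
# weak: passwords accepted, root allowed with a password
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    fi
    printf '%s\n' "$path"
}

# Stand-alone demo over both constructed samples.
for mode in weak hardened; do
    cfg=$(make_sample_sshd_config "$mode")
    if sshd_password_logins_disabled "$cfg"; then
        echo "$mode sample: password logins disabled"
    else
        echo "$mode sample: password logins STILL POSSIBLE"
    fi
    rm -f "$cfg"
done
```

Run it against the live file with `sshd_password_logins_disabled /etc/ssh/sshd_config` after sourcing the script; on a box where sshd_config is regenerated at boot from flash, the check belongs after that regeneration, not before. `sshd -T` prints the same effective values and is the authoritative cross-check where it is available.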
cyansmoker (posted October 15, 2021):

> On 4/25/2021 at 4:01 AM, Murr said: While I agree with you that the security in UnRAID seems pretty weak at default settings, your router admin page should not be accessible from the outside if you configure it correctly and keep it up to date.

Hi. (Un)fortunately, I deal with security every day at work. Your point is valid as long as you are referring to Unraid being used in a home setting. However, in an enterprise (or, maybe in Unraid's case, SMB) environment, perimeter-based security is (rightfully) considered an antiquated concept and each server needs proper protection, regardless of ingress sources. This means that MFA is, indeed, a must. My 2c.

Edit: Also, with the new "My servers" plugin, even home configurations can be exposed, so I hope MFA finds its way into that online design.
nlz (posted November 1, 2021):

+1, definitely needs 2FA with an app, at minimum.
Xaero (posted November 2, 2021):

I think the glaring issue is that this thread seems to imply that the unraid user interface, or the server itself, should be hardened against external attacks. This would mean that unraid itself is exposed to the external network/internet, which basically just shouldn't be the case. This is a big, clear, red "don't do that." Instead, use a reverse proxy to get services running on the unraid server exposed to the outside world. As far as getting access to unraid itself exposed to the outside world, if you absolutely must, I would use something like Apache Guacamole with 2FA. This way the server itself is never exposed to the outside world, and your interface to it is protected with 2FA. I don't think it is within the scope of unraid to develop a secure remote access implementation. I don't think the WebUI has been scrutinized with penetration testing, and I don't think a system with only a root account should ever be exposed to the internet directly.
hot22shot (posted November 3, 2021):

To secure my unraid WebUI access I configured NPM as my reverse proxy, coupled with Authelia to provide 2FA.
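What "NPM coupled with Authelia" means in practice is an nginx `auth_request` sub-request: before proxying anything to the WebUI, nginx asks Authelia whether the browser already holds a session that satisfies the policy, and redirects to the Authelia portal if not. The fragment below is an added example, not hot22shot's configuration and not NPM's or Authelia's own code; it is the kind of block that goes into the "Advanced" tab of an NPM proxy host. The names `authelia:9091`, `auth.example.com` and `192.168.1.10` are placeholders, and the `/api/verify` endpoint is the one documented for Authelia 4.3x; later releases moved to a different authz endpoint, so check the docs for the version you run.

```nginx
# Added example, not the poster's config. NPM proxy host for unraid.example.com,
# "Advanced" tab. Placeholders: authelia:9091, auth.example.com, 192.168.1.10.

# Internal sub-request: nginx asks Authelia whether this request is authorised.
location /authelia {
    internal;
    proxy_pass http://authelia:9091/api/verify;   # Authelia 4.3x path (assumed)
    proxy_pass_request_body off;                  # only headers are needed for the check
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
}

# Every request to the Unraid WebUI is gated by the sub-request above.
location / {
    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    # Not authenticated (or missing the second factor): send the browser to the
    # Authelia portal and bring it back to the original URL afterwards.
    error_page 401 =302 https://auth.example.com/?rd=$target_url;

    proxy_pass http://192.168.1.10;   # Unraid WebUI on the LAN; never port-forward it directly
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # NPM's "Websockets Support" toggle adds the Upgrade/Connection headers the
    # WebUI needs for live updates; the upgrade request passes auth_request too.
}
```

Two checks before calling this "2FA": the second factor is decided by Authelia's `access_control` rules, so the rule for the WebUI's domain has to say `policy: two_factor` (with `default_policy: deny`); a `one_factor` rule only puts a second password in front of Unraid's root password. And the proxy only helps if the WebUI's own ports 80/443 are not reachable from the WAN at all, otherwise the gate can be walked around.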
FixYouDeveloper (posted January 22, 2022):

Any of the below would be a huge win to have on unraid!
- 2FA: time-sensitive one-time code
- 2FA: WebAuthn device registration (multiple devices)
- 1FA: WebAuthn challenge-response auth
If we really wanted more security / beefy options: https://www.truenas.com/docs/core/system/2fa/ TrueNAS is hard to beat atm. Unraid is decent for its value; looking forward to the next update!
nlz (posted March 8, 2022):

Pretty shocking 2FA is not implemented yet. Love unraid, but the lack of focus on security, including regular patching, is frustrating to say the least.
WenzelComputing (posted April 24, 2022):

> On 3/8/2022 at 8:26 AM, nlz said: Pretty shocking 2FA is not implemented yet. Love unraid but the lack of focus on security including regular patching, is frustrating to say the least.

That's because unraid isn't meant to be enterprise software or externally accessible via WebUI. Unraid software is SMB at best and at worst more of a homelab software. As a security engineer, if I suggested Unraid in my work environment, without being utterly facetious, which is a more than 40k user enterprise and is subject to FedRAMP and HIPAA, I would probably be fired just for making the suggestion. I do think MFA on everything is a good standard to hold ourselves to... however, MFA isn't a replacement for good security practices. I agree it should be on the road map, but high priority...? Honestly, if you throw your unraid server admin UI and SSH wide open to the internet, or allow your WAN-facing Dockers to be privileged, you shouldn't be running unraid in the first place. You should be learning basic network security. As people have said, use a VPN, or a remote connection to a different PC on your network to access your admin UI when not there. Or even use the unraid MyServers plugin and have MFA on your unraid community account. https://blog.creekorful.org/2020/08/docker-privilege-escalation/ Here is a good example of why you should not run your Dockers as privileged. Here is what privileged actually does: https://www.educba.com/docker-privileged/
RiDDiX (posted May 4, 2022):

For me I just have to say this isn't that much needed right now. Why, you would ask. Simple answer: the Unraid GUI / WebUI shouldn't be opened to the outside (Internet). If you just use it on your local LAN, why would you need 2FA? Someone here also explained how to do it. But for me, username and password are enough, even when you use a "simpler" password. If you are worried already on your local LAN, then you should change something immediately. I would also like 2FA, but just when I really want my unraid to be "publicly" visible. I mean, no one with a Windows PC set up for a private network uses 2FA on Windows itself, right? This can be the same "problem" as unRAID without 2FA... As mentioned, and limetech also said somewhere (I just remember this), unRAID isn't built for being visible from outside the LAN network (unRAID GUI / WebUI). Why would I like to see my unRAID outside of the normal local LAN? To check from outside if everything works well, or to try to install new Dockers and so on? Then I just use my VPN or the unRAID forum site. Even with a 12-character password, if you don't use words or sentences, a normal brute force would take some time to get in. This is why I change my password every 3 months and just change something within it, so I am still able to remember it.
FixYouDeveloper (posted October 6, 2022):

> On 5/4/2022 at 9:22 PM, RiDDiX said: Unraid GUI / WebUI shouldn't be opened outside (Internet).

While I agree with this standpoint, the WireGuard ports on the server are exposed? It would be prudent to recheck if we need to bump the priority of 2FA / 1FA later down the line. Apple Passkeys are really cool; would love this system of auth. Just how exposed will unraid servers be in the future? Perhaps we would be looking at defending from compromised internal gateways such as WireGuard, IoT devices, etc.
Xaero (posted November 22, 2022):

> On 10/5/2022 at 10:06 PM, FixYouDeveloper said: While I agree with this standpoint, the WireGuard ports on the server are exposed? It would be prudent to recheck if we need to bump priority of 2FA / 1FA later down the line. Apple Passkeys it's really cool - would love this system of auth. Just how exposed will unraid servers be in the future? Perhaps we would be looking at defending from compromised internal gateways such as WireGuard, IoT devices, etc.

Only if you expose those ports to the internet are they exposed, and depending on how you configure things, connecting to WireGuard doesn't expose the WebUI. That said, WireGuard is also a passive technology; there's no "listening" service that is going to reply to a request. This is of course security via obscurity, but it also means that most attackers aren't going to be privy to your use of WireGuard just by traditional port scanning attacks, and even if they were, they'd have to have the correct RSA tokens to authenticate. Barring a pretty egregious error on WireGuard's part security-wise, it'd be an incredibly poor attack vector even for a skilled attacker.
jpslv (posted January 19):

Would love to use my YubiKey on unRAID's GUI.
Biost0rm (posted January 27):

> On 10/5/2022 at 10:06 PM, FixYouDeveloper said: While I agree with this standpoint, the Wireguard ports on the server are exposed? It would be prudent to recheck if we need to bump priority of 2FA / 1FA later down the line. Apple Passkeys it's really cool - would love this system of auth. Just how exposed will unraid servers be in the future? Perhaps we would be looking at defending from compromised internal gateways such as Wireguard, IoT devices, etc.

WebAuthn in general would be a great addition here (adopting the FIDO standard for passkeys; link for those who want to learn more: https://fidoalliance.org/passkeys/ ). Google, Apple, and Microsoft support the standard today. This would be great to see integrated as a sign-in option to UnRAID, even if it can only support single-device passkeys due to the likely lack of BLE availability on most servers, which is required for CTAP in cross-device authentication scenarios (e.g. browser to mobile).