UnRAID needs better login security; login and password are not enough.


tech_rkn


Dear community,

 

Some thoughts following a CNN article stating: "hackers repeatedly took advantage of several known flaws and one newly discovered vulnerability in Pulse Secure VPN, a widely used remote connectivity tool, to gain access to dozens of organizations in the defense industrial sector".

I am pretty sure other VPNs like WireGuard and OpenVPN may have the same flaws.

But there is another point of failure in our networks: our ISP routers. Bypassing the VPN by direct access through them is possible.

Sometimes it is even easy, as they have a built-in admin/admin login most of the time...

Yesterday, using Burp, Hydra and Kali, I gained access to a test network through the Wi-Fi as a demonstration to one of my friends, trying to show him how to harden his ISP router.

Once done, I hit his OpenMediaVault GUI and tried to log in. Using an ESET network scanner, I highlighted a login failure, as admin/openmediavault was still in use. The only thing stopping me, apart from the lack of time, was his 2FA protection.

My point here is that unRAID might be in the same trouble, and it doesn't have 2FA login protection.

What are your thoughts on this subject?

 

 

 

 


While I agree with you that the security in UnRAID seems pretty weak at default settings, your router admin page should not be accessible from the outside if you configure it correctly and keep it up to date.

 

You highlight a big problem though: default settings in all these Docker containers we pull, and I think that boils down to the individual user and the software being used. Your friend is tech-savvy enough to set up his own OMV on UnRAID, so he should definitely be techy enough to know to change the default admin password. And the software should be made in such a way that default passwords are a major error event that fires warnings every time you log in to it.

2FA is in my opinion a complementary security feature that should not keep a piece of software secure on its own.

But I hope some big steps are taken in regards to security by the UnRAID team going forward. I'm still on my trial period with 12 days left and I really love UnRAID, but I keep being scared of some security defaults (SSH enabled with password even though the keys are generated and stored on flash, no simple switch in the UI to disable password logons, why???). Root as default user, major functionality put in the hands of the community (Fix Common Problems etc.), which is a huge attack surface because I guess these plugins in UnRAID run as root? It only takes one big community addon to be hit and a lot of servers will be infected, and I guess UnRAID's stance on this issue will be something along the lines of "you used community addons at your own risk", which is true.

Sorry if I'm ranting in a somewhat unrelated thread, as this post is more about general security on UnRAID.

 

 

On 4/25/2021 at 4:01 AM, Murr said:

> While I agree with you that the security in UnRAID seems pretty weak at default settings, your router admin page should not be accessible from the outside if you configure it correctly and keep it up to date.

 

Hi. (Un)fortunately, I deal with security every day at work.

Your point is valid as long as you are referring to Unraid being used in a home setting.

However, in an enterprise (or, maybe in Unraid's case, SMB) environment, perimeter-based security is (rightfully) considered an antiquated concept and each server needs proper protection, regardless of ingress sources. This means that MFA is, indeed, a must.

 

My 2c.

 

Edit: Also, with the new "My servers" plugin, even home configurations can be exposed, so I hope MFA finds its way in that online design.

Edited by cyansmoker

I think the glaring issue is that this thread seems to imply that the Unraid user interface, or the server itself, should be hardened against external attacks. This would mean that Unraid itself is exposed to the external network/internet, which basically just shouldn't be the case. This is a big, clear, red "don't do that."
Instead, use a reverse proxy to get services running on the Unraid server exposed to the outside world. As far as getting access to Unraid itself exposed to the outside world, if you absolutely must, I would use something like Apache Guacamole with 2FA. This way the server itself is never exposed to the outside world, and your interface to it is protected with 2FA. I don't think it is within the scope of Unraid to develop a secure remote access implementation. I don't think the WebUI has been scrutinized with penetration testing, and I don't think a system with only a root account should ever be exposed to the internet directly.


Any of the below would be a huge win to have on Unraid!

- 2FA: Time-sensitive one-time code
- 2FA: WebAuthn device registration (multiple devices)
- 1FA: WebAuthn challenge-response auth

If we really wanted more security / beefier options: https://www.truenas.com/docs/core/system/2fa/
TrueNAS is hard to beat atm.

Unraid is decent for its value - looking forward to the next update!

Edited by FixYouDeveloper
On 3/8/2022 at 8:26 AM, nlz said:

> Pretty shocking 2FA is not implemented yet. Love Unraid but the lack of focus on security, including regular patching, is frustrating to say the least.

 

That's because Unraid isn't meant to be enterprise software or externally accessible via the WebUI.

Unraid software is SMB at best and, at worst, more of a homelab software.

As a security engineer, if I suggested Unraid in my work environment, which is a more than 40k-user enterprise subject to FedRAMP and HIPAA, without being utterly facetious, I would probably be fired just for making the suggestion.

I do think MFA on everything is a good standard to hold ourselves to... however, MFA isn't a replacement for good security practices.

I agree it should be on the road map, but high priority...? Honestly, if you throw your Unraid server admin UI and SSH wide open to the internet, or allow your WAN-facing Docker containers to be privileged, you shouldn't be running Unraid in the first place. You should be learning basic network security. As people have said, use a VPN, or a remote connection to a different PC on your network, to access your admin UI when not there. Or even use the Unraid My Servers plugin and have MFA on your Unraid community account.

https://blog.creekorful.org/2020/08/docker-privilege-escalation/

Here is a good example of why you should not run your Docker containers as privileged.

Here is what privileged actually does:

 

https://www.educba.com/docker-privileged/

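One way to find the misconfiguration the post warns about on a running host, added here as an example and not code from the page, from Unraid or from the linked articles: pipe `docker inspect` output into a short Python audit that flags `--privileged` together with the neighbouring settings that are almost as bad (a mounted Docker socket, host PID or network namespace, added capabilities that reach the host). The inspect data and container names in `SAMPLE_INSPECT` are constructed for the example; the field names are the standard `HostConfig` keys Docker emits.

```python
"""Audit `docker inspect` output for containers that can escape to the host."""
import json
import sys

# Constructed sample shaped like `docker inspect $(docker ps -q)`; only the HostConfig
# fields this script reads are included, and the container names are made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/plex",
     "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "",
                    "NetworkMode": "bridge", "Binds": ["/mnt/user/media:/media:ro"]}},
    {"Name": "/watchtower",
     "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "",
                    "NetworkMode": "bridge",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/netdata",
     "HostConfig": {"Privileged": True, "CapAdd": ["CAP_SYS_ADMIN", "NET_RAW"],
                    "PidMode": "host", "NetworkMode": "host", "Binds": ["/:/host:ro"]}},
])

# Capabilities that each give a path to the host on their own (mount, ptrace,
# module loading, raw device I/O, bypassing read permission checks, host networking).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "DAC_READ_SEARCH", "NET_ADMIN"}
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def _normalise_cap(cap: str) -> str:
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit(inspect_json: str) -> dict:
    """Map container name -> list of findings; containers with no findings are omitted."""
    findings = {}
    for container in json.loads(inspect_json):
        hc = container.get("HostConfig") or {}
        issues = []
        if hc.get("Privileged"):
            issues.append("--privileged: all capabilities, no device cgroup, every host device visible")
        caps = {_normalise_cap(c) for c in (hc.get("CapAdd") or [])}
        for cap in sorted(caps & DANGEROUS_CAPS):
            issues.append(f"cap_add {cap}")
        if hc.get("PidMode") == "host":
            issues.append("pid=host: host processes visible and signalable from the container")
        if hc.get("NetworkMode") == "host":
            issues.append("network=host: binds straight to host interfaces, port mapping bypassed")
        for bind in hc.get("Binds") or []:
            src = bind.split(":", 1)[0]
            if src in DOCKER_SOCKETS:
                issues.append("docker socket mounted: can launch a privileged container, i.e. root on the host")
            elif src == "/":
                issues.append("host root filesystem mounted")
        if issues:
            findings[container["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    # Real use:  docker inspect $(docker ps -q) | python3 audit_docker.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, issues in audit(data).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Treat every hit as "this container is root on the host"; the only question is whether that is intended (a monitoring agent that needs it) or a template default nobody looked at, which is exactly the linked privilege-escalation write-up's scenario.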

For me, I just have to say this isn't that much needed right now. Why, you would ask? Simple answer.

The Unraid GUI / WebUI shouldn't be opened to the outside (Internet). If you just use it on your local LAN, why would you need 2FA? Someone here also explained how to do it. But for me, username and password are enough, even when you use a "simpler" password. If you are already worried on your local LAN, then you should change something immediately.

I would also like 2FA, but only when I really want my Unraid to be "publicly" visible. I mean, no one with a Windows PC set up for a private network uses 2FA on Windows itself, right? xD

This can be the same "problem" as unRAID without 2FA... As told, and Limetech also said somewhere (I just remember this), unRAID isn't built to be visible from outside the LAN network (unRAID GUI / WebUI).

Why would I want to see my unRAID outside of the normal local LAN? To check from outside whether everything works well, or to try installing new Docker containers and so on? Then I just use my VPN or the unRAID forum site. xD

Even with a 12-symbol password, if you don't use words or sentences, a normal brute force would take some time to get in. This is why I change my password every 3 months and just change something within it, so I am still able to remember it. xD

On 5/4/2022 at 9:22 PM, RiDDiX said:

> Unraid GUI / WebUI shouldnt be opened outside (Internet).


While I agree with this standpoint, the WireGuard ports on the server are exposed? It would be prudent to recheck whether we need to bump the priority of 2FA / 1FA later down the line.

Apple Passkeys are really cool - would love this system of auth.

Just how exposed will Unraid servers be in the future? Perhaps we would be looking at defending from compromised internal gateways such as WireGuard, IoT devices, etc.

On 10/5/2022 at 10:06 PM, FixYouDeveloper said:


> While I agree with this standpoint, the WireGuard ports on the server are exposed? It would be prudent to recheck whether we need to bump the priority of 2FA / 1FA later down the line.
>
> Apple Passkeys are really cool - would love this system of auth.
>
> Just how exposed will Unraid servers be in the future? Perhaps we would be looking at defending from compromised internal gateways such as WireGuard, IoT devices, etc.

Only if you expose those ports to the internet are they exposed, and depending on how you configure things, connecting to WireGuard doesn't expose the WebUI. That said, WireGuard is also a passive technology: there's no "listening" service that is going to reply to a request. This is of course security via obscurity, but it also means that most attackers aren't going to be privy to your use of WireGuard just by traditional port-scanning attacks, and even if they were, they'd have to have the correct RSA tokens to authenticate. Barring a pretty egregious error on WireGuard's part, security-wise it'd be an incredibly poor attack vector even for a skilled attacker.

Edited by Xaero
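The "depending on how you configure things" part is where the WebUI exposure is decided, so here is what that configuration looks like as a generic Linux WireGuard example added to this thread; it is not Unraid's own generated config (Unraid's WireGuard UI writes its own files) and the addresses, ports and hostname are assumptions. Peers are identified by the Curve25519 `PublicKey` lines: a packet that does not decrypt under a known peer key gets no reply at all, which is the silence described above. The server-side `AllowedIPs` is a source filter (cryptokey routing), and the `PostUp` rule is what keeps tunnel clients away from the management ports (assumed 22 for SSH and 80/443 for the WebUI) while forwarded traffic to Docker services still works.

```ini
# ---- server side: /etc/wireguard/wg0.conf on the host running the Docker services ----
[Interface]
Address    = 10.253.0.1/24
ListenPort = 51820
PrivateKey = <server private key>
# Tunnel clients may reach published Docker services, but not this host's SSH or WebUI.
# Rules are inserted when the tunnel comes up and removed again on wg-quick down.
PostUp   = iptables -I INPUT -i wg0 -p tcp -m multiport --dports 22,80,443 -j DROP
PostDown = iptables -D INPUT -i wg0 -p tcp -m multiport --dports 22,80,443 -j DROP

[Peer]
# One laptop. AllowedIPs is the source filter here: a packet authenticated by this key
# whose inner source address is not 10.253.0.2 is dropped before any firewall rule runs.
PublicKey  = <laptop public key>
AllowedIPs = 10.253.0.2/32

# ---- laptop side: its own wg0.conf (separate file) ----
[Interface]
Address    = 10.253.0.2/32
PrivateKey = <laptop private key>

[Peer]
PublicKey  = <server public key>
Endpoint   = vpn.example.net:51820
# Route only the tunnel subnet through the VPN (split tunnel); 0.0.0.0/0 would be a full tunnel.
AllowedIPs = 10.253.0.0/24
PersistentKeepalive = 25
```

If an administrator does need the WebUI over the tunnel, the honest way to do it is a second peer whose address is exempted from the DROP rule, rather than removing the rule for everyone; that keeps a stolen laptop key from becoming a root-on-NAS key.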
