UnRAID needs better login security; login and password are not enough.


tech_rkn


Dear community,

 

Some thoughts following a CNN article about: "hackers repeatedly took advantage of several known flaws and one newly discovered vulnerability in Pulse Secure VPN, a widely used remote connectivity tool, to gain access to dozens of organizations in the defense industrial sector"

 

I am pretty sure other VPNs like WireGuard and OpenVPN may have the same flaws.

 

But there is another point of failure in our network: our ISP routers. Bypassing the VPN by direct access using them is possible.

Even sometimes easy, as they have a built-in login of admin/admin most of the time...

 

Yesterday, using Burp, Hydra and Kali, I gained access to a test network through the Wi-Fi as a demonstration to one of my friends, trying to show him how to harden his ISP routers.

 

Once done, I hit his OpenMediaVault GUI, trying to log in. Using an ESET network scanner, I highlighted a login failure, as admin/openmediavault was still used. The only thing stopping me, by the lack of time, was his 2FA protection.

 

My point here is that unRAID might be in the same trouble, and doesn't have 2FA login protection.

 

What are your thoughts on this subject?


While I agree with you that the security in UnRAID seems pretty weak at default settings, your router admin page should not be accessible from the outside if you configure it correctly and keep it up to date.

 

You highlight a big problem though: default settings in all these docker containers we pull, and I think that boils down to the individual user and the software being used. Your friend is tech savvy enough to set up his own OMV on UnRAID, so he should definitely be techy enough to know to change the default admin password. And the software should be made in such a way that default passwords are a major error event that fires warnings every time you log in to it.

 

2FA is in my opinion a complementary security feature that should not keep a software secure on its own.

 

But I hope some big steps are taken in regards to security by the UnRAID team going forward. I'm still on my trial period with 12 days left and I really love UnRAID, but I keep being scared of some security defaults (SSH enabled with password even though the keys are generated and stored on flash, no simple switch in the UI to disable PW logons, why???). Root as default user, major functionality put in the hands of the community (Fix Common Problems etc.), which is a huge attack surface because I guess these plugins in UnRAID run as root? It only takes one big community addon to be hit and a lot of servers will be infected, and I guess UnRAID's stance on this issue will be something along the lines of "you used community addons at your own risk", which is true.

 

Sorry if I'm ranting in a somewhat unrelated thread, as this post is more about general security on UnRAID.

 

On 4/25/2021 at 4:01 AM, Murr said:

While I agree with you that the security in UnRAID seems pretty weak at default settings, your router admin page should not be accessible from the outside if you configure it correctly and keep it up to date.

 

Hi. (Un)fortunately, I deal with security every day at work.

Your point is valid as long as you are referring to Unraid being used in a home setting.

However, in an enterprise (or, maybe in Unraid's case, SMB) environment, perimeter-based security is (rightfully) considered an antiquated concept and each server needs proper protection, regardless of ingress sources. This means that MFA is, indeed, a must.

 

My 2c.

 

Edit: Also, with the new "My servers" plugin, even home configurations can be exposed, so I hope MFA finds its way in that online design.

Edited by cyansmoker

I think the glaring issue is that this thread seems to imply that the unraid user interface, or server itself should be hardened against external attacks. This would mean that unraid itself is exposed to the external network/internet, which basically just shouldn't be the case. This is a big clear red "don't do that."
Instead, use a reverse proxy to get services running on the unraid server exposed to the outside world. As far as getting access to unraid itself exposed to the outside world, if you absolutely must, I would use something like Apache Guacamole with 2FA. This way the server itself is never exposed to the outside world, and your interface to it is protected with 2FA. I don't think this is something in the scope of unraid to develop a secure remote access implementation. I don't think the WebUI has been scrutinized with penetration testing, and I don't think a system with only a root account should ever be exposed to the internet directly.


Any of the below would be a huge win to have on unraid!

- 2FA: Time sensitive one time code
- 2FA: WebAuthn Device Registration (multiple devices)
- 1FA: WebAuthn Challenge Response Auth

If we really wanted more security / beefy options https://www.truenas.com/docs/core/system/2fa/
TrueNAS is hard to beat atm.

Unraid is decent for its value - looking forward to the next update!

Edited by FixYouDeveloper
On 3/8/2022 at 8:26 AM, nlz said:

Pretty shocking 2FA is not implemented yet.  Love unraid but the lack of focus on security including regular patching, is frustrating to say the least.

 

That's because unraid isn't meant to be enterprise software or externally accessible via webui.

 

Unraid software is SMB at best and at worst more of a homelab software.

 

As a security engineer, if I suggested Unraid in my work environment, without being utterly facetious, which is a more than 40k user enterprise and is subject to FedRAMP and HIPAA, I would probably be fired just for making the suggestion.

 

I do think mfa on everything is a good standard to hold ourselves to...however mfa isn't a replacement for good security practices.

 

I agree it should be on the road map, but high priority...? Honestly, if you throw out your unraid server admin ui and ssh wide open to the internet, or allow your wan-network facing dockers to be privileged, you shouldn't be running unraid in the first place. You should be learning basic network security. As people have said use a VPN, or a remote connection to a different PC on your network to access your admin UI when not there. Or even use the unraid MyServers Plugin and have MFA on your unraid community account.

 

https://blog.creekorful.org/2020/08/docker-privilege-escalation/

 

Here is a good example of why you should not run your dockers as privileged.

 

Here is what privileged actually does:

 

https://www.educba.com/docker-privileged/


For me, I just have to say this isn't that much needed right now. Why, you would ask? Simple answer.

Unraid GUI / WebUI shouldn't be opened to the outside (Internet). If you just use it on your local LAN, why would you need 2FA? Someone here also told how to do it. But for me, username and password are enough, even when you use a "simpler" password. If you are worried already on your local LAN, then you should change something immediately.

I would also like 2FA, but just when I really want my unraid to be "publicly" visible. I mean, no one with a Windows PC that is set up for a private network uses 2FA on Windows itself, right? xD

This can be the same "problem" as unRAID without 2FA... As told, and limetech also said somewhere (I just remember this), unRAID isn't built for being visible from outside the LAN network (unRAID GUI / WebUI).

Why would I like to see my unRAID outside of the normal local LAN? To visit from outside to check if everything works well, or trying to install new dockers and so on? Then I just use my VPN or the unRAID forum site. xD

Even with a 12-symbol password, if you don't use words or sentences, a normal brute force would take some time to get in. This is why I change my password every 3 months and just change something within it. So I am still able to remember it. xD

On 5/4/2022 at 9:22 PM, RiDDiX said:

> Unraid GUI / WebUI shouldnt be opened outside (Internet).


While I agree with this standpoint, the Wireguard ports on the server are exposed? It would be prudent to recheck if we need to bump priority of 2FA / 1FA later down the line.

Apple Passkeys are really cool - would love this system of auth.

Just how exposed will unraid servers be in the future? Perhaps we would be looking at defending from compromised internal gateways such as Wireguard, IoT devices, etc.

On 10/5/2022 at 10:06 PM, FixYouDeveloper said:


While I agree with this standpoint, the Wireguard ports on the server are exposed? It would be prudent to recheck if we need to bump priority of 2FA / 1FA later down the line.

Apple Passkeys are really cool - would love this system of auth.

Just how exposed will unraid servers be in the future? Perhaps we would be looking at defending from compromised internal gateways such as Wireguard, IoT devices, etc.

Only if you expose those ports to the internet are they exposed - and depending on how you configure things, connecting to WireGuard doesn't expose the WebUI. That said, WireGuard is also a passive technology, there's no "listening" service that is going to reply to a request, this is of course security via obscurity, but also means that most attackers aren't going to be privy to your use of WireGuard just by traditional port scanning attacks, and even if they were, they'd have to have the correct RSA tokens to authenticate. Barring a pretty egregious error on WireGuard's part security wise, it'd be an incredibly poor attack vector even for a skilled attacker.

Edited by Xaero
On 10/5/2022 at 10:06 PM, FixYouDeveloper said:


While I agree with this standpoint, the Wireguard ports on the server are exposed? It would be prudent to recheck if we need to bump priority of 2FA / 1FA later down the line.

Apple Passkeys are really cool - would love this system of auth.

Just how exposed will unraid servers be in the future? Perhaps we would be looking at defending from compromised internal gateways such as Wireguard, IoT devices, etc.

WebAuthn in general would be a great addition here (adopting the FIDO standard for passkeys; link for those who want to learn more: https://fidoalliance.org/passkeys/).

Google, Apple, and Microsoft support the standard today. This would be great to see integrated as a sign-in option to UnRAID, even if it can only support single-device passkeys due to likely lack of BLE availability on most servers that is required for CTAP in cross device authentication scenarios (e.g. browser to mobile). 


Externally, I'm using Traefik, via Authentik to expose all my services including the Unraid UI. Have SSO and multiple MFA options implemented; OTP, WebAuthn and Duo Push. All services are routed through middlewares like crowdsec and modsecurity WAF. 443 to Traefik is the only port open.

 

Internally, I'm using Traefik, via Authelia, with SSO and multiple MFA options implemented: OTP and Duo Push. I have network segregation with multiple VLANs, but one specifically for sensitive workloads, including unraid and a backup NAS, with firewall policies which deny incoming traffic to the VLAN, with very few ports being exposed internally to other VLANs, and all whitelisted endpoints. The VLAN has no inbound internet connectivity (return traffic initiated from the VLAN is allowed) and it isn't allocated to any Wi-Fi SSID. There's only 1 ethernet port in my house that has access to this VLAN. Completely overkill, but why not :)

 

If you want security, you can implement it.

 

Also the default position of X shouldn't be exposed to the internet is invalid. It's all contextual. Of course, don't simply port forward your unraid ui/port externally. As everyone has stated unraid wasn't designed to be directly, externally visible. Keep in mind, the unraid team have implemented their own plugin, to allow 2FA remote access to the dashboard.

Edited by loukaniko85
On 7/5/2023 at 4:05 PM, loukaniko85 said:

Also the default position of X shouldn't be exposed to the internet is invalid. It's all contextual. Of course, don't simply port forward your unraid ui/port externally. As everyone has stated unraid wasn't designed to be directly, externally visible. Keep in mind, the unraid team have implemented their own plugin, to allow 2FA remote access to the dashboard.


It is perfectly valid and reasonable to disclaim that neither the Unraid WebUI nor the underlying Unraid OS should be exposed directly to the internet. It is not hardened or pen tested against that environment and should not be exposed to it. Even if they add 2FA, this does not change the fact that the rest of the OS and WebUI have not been properly audited for exposure to the internet. Couple that with the OS itself only having a root user and it's just a bad idea to put it on the internet.

If you want remote access to the WebUI - use a VPN. VPNs are designed from the ground up with the focus on providing secure remote access to machines and networks. They support 2FA. They provide peace of mind knowing that some 0-day exploit for the Unraid WebUI or one of the packages running on Unraid isn't going to compromise your storage solution.

The official unraid plugin is also a good option, since it's protected with 2FA, though I cannot personally comment on its usage.

Edited by Xaero
On 7/6/2023 at 7:05 AM, loukaniko85 said:

Also the default position of X shouldn't be exposed to the internet is invalid. It's all contextual. Of course, don't simply port forward your unraid ui/port externally. As everyone has stated unraid wasn't designed to be directly, externally visible.

 

On 7/26/2023 at 4:54 AM, Xaero said:

It is perfectly valid and reasonable to disclaim that neither the Unraid WebUI nor the underlying Unraid OS should be exposed directly to the internet.

 

We're in agreement about the fact that unraid shouldn't be exposed directly - unsure why the remark. Perhaps you misread my statement or misunderstood my initial statement about having a default position of X shouldn't be exposed to the internet, not being a current one. As I stated in my post, and what you also outlined in yours are various ways of exposing unraid/ui to the internet; via a reverse proxy, in my case - and via a VPN, in yours. You're simply proving my premise that even services not designed to be exposed directly, such as unraid/ui in this case, can still be exposed indirectly, securely. Thus the position of X shouldn't be exposed to the internet, is no longer the status quo as there are many ways of exposing services, securely - irrespective of their design.

 

On 7/26/2023 at 4:54 AM, Xaero said:

Even if they add 2FA, this does not change the fact that the rest of the OS, and WebUI have not been properly audited for exposure to the internet. Couple that with the OS itself only having a root user and it's just a bad idea to put it on the internet.
...
The official unraid plugin is also a good option, since it's protected with 2fa, though I cannot personally comment on it's usage.

 

Your two statements seem like a contradiction here. Though, I wouldn't expose my service with the unraid connect method; they require you to port forward directly to your unraid machine. Though, only https is exposed here, not any other part of the OS. It's not just the root credentials/2FA that's required with their method - you authenticate with your forum credentials, then the 2nd factor, then once successful, you're at your unraid/ui landing page... now it's time for your local root credentials. Though again, I don't and wouldn't use this method.

 

On 7/26/2023 at 4:54 AM, Xaero said:

If you want remote access to the WebUI - use a VPN. VPNs are designed from the ground up with the focus on providing secure remote access to machines and networks. They support 2FA. They provide peace of mind knowing that some 0-day exploit for the Unraid WebUI or one of the packages running on Unraid isn't going to compromise your storage solution.

 

VPN is a good option in general. Though if you look at the OP (below) the initial query was specifically about not using VPNs and implementing 2FA. Hence my statement about using a reverse proxy, which can introduce 2FA to all your services. Whether you expose it on the internet, or simply use it internally.

 

On 4/21/2021 at 8:18 PM, tech_rkn said:

Some thoughts following a CNN article about: "hackers repeatedly took advantage of several known flaws and one newly discovered vulnerability in Pulse Secure VPN, a widely used remote connectivity tool, to gain access to dozens of organizations in the defense industrial sector"

 

I am pretty sure other VPNs like WireGuard and OpenVPN may have the same flaws.

 

But there is another point of failure in our network: our ISP routers. Bypassing the VPN by direct access using them is possible.

Even sometimes easy, as they have a built-in login of admin/admin most of the time...

 

Yesterday, using Burp, Hydra and Kali, I gained access to a test network through the Wi-Fi as a demonstration to one of my friends, trying to show him how to harden his ISP routers.

 

Once done, I hit his OpenMediaVault GUI, trying to log in. Using an ESET network scanner, I highlighted a login failure, as admin/openmediavault was still used. The only thing stopping me, by the lack of time, was his 2FA protection.

 

My point here is that unRAID might be in the same trouble, and doesn't have 2FA login protection.

 

With all that said, I prefer using a reverse proxy to expose internal services, as this can provide the same level of secure access. They also support 2FA. They also protect the internal services from attack.


+1 for 2FA or MFA support.

 

Has anyone submitted a feature request yet? To have this formally tracked? We are all in agreement it needs to happen, has a feature request been submitted?

 

I also would mention that a password policy should be enforced for the "root" user. (I can set a password 123456, which clearly is not a very bright idea).

NOTE: Probably TOTP would be easiest to implement.

Edited by ezhik
9 hours ago, ezhik said:

Has anyone submitted a feature request yet? To have this formally tracked? We are all in agreement it needs to happen, has a feature request been submitted?

There are several, though I wouldn't agree that we all think it should happen.

 

9 hours ago, ezhik said:

I also would mention that a password policy should be enforced for the "root" user. (I can set a password 123456, which clearly is not a very bright idea).

Absolutely not. If I want to set my password to 'password' on my own system, that is my prerogative.

46 minutes ago, primeval_god said:

There are several, though I wouldn't agree that we all think it should happen.

 

Let me paraphrase that then - there is a significant user base that is interested in the 2FA/MFA feature to improve the security posture of their environment.

 

46 minutes ago, primeval_god said:

 

Well noted, thanks.

 

46 minutes ago, primeval_god said:

Absolutely not. If I want to set my password to 'password' on my own system, that is my prerogative.

 

 

 

Uff, you would really do that? As such, then I would advocate for the ability to set a password policy on the unRAID server. The default should be a more secure option and if someone wants to relax the PP, then an option should be provided.

 

2 hours ago, ezhik said:

Uff, you would really do that? As such, then I would advocate for the ability to set a password policy on the unRAID server. The default should be a more secure option and if someone wants to relax the PP, then an option should be provided.

No, I wouldn't, but what I consider an acceptably complex password for a device on a home network is likely well below that of someone who thinks 2FA is worthwhile. If unRAID were a multi-user system, or enabled SMB users to change their own passwords, I could see having a policy setting, but for a single-administrator system I don't see a point. Do they have a password strength graphic for the initial setup (it's been so long since I did initial setup I don't remember)?
