UnRAID need better login security's, login&password are not enought.


tech_rkn

Recommended Posts

1 hour ago, primeval_god said:

No i wouldnt, but what i consider an acceptably complex password for a device on a home network is likely well below that of someone who thinks 2fa is worthwhile. If unRAID were a multi user system, or enabled SMB users to change their own passwords, I could see having a policy setting, but for a single administrator system I dont see a point. Do they have a password strength graphic for the initial setup (its been so long since i did initial setup i dont remember)?

 

Valid points, no argument there. I've asked for a proper multi-user support in the past myself to have a proper RBAC within unRAID - but to no avail. You are spot on - it is a single-user, single-admin system. Honestly, I wouldn't expose this system externally and would not use it outside of the home.

 

For home use - I think it's a pretty solid system.

 

And regarding password strength graphic, they do not. I recently stood up a new system using 6.2.6 - not there.

Edited by ezhik
Link to comment
3 hours ago, ezhik said:

I wouldn't expose this system externally and would not use it outside of the home.

https://connect.myunraid.net/ (an official unRAID product) seems to contradict the constant user posts on this forum saying not to expose unRAID to the internet. The entire premise of https://connect.myunraid.net/ is to expose and manage your unRAID systems remotely. This exposes the unRAID web login form to the internet. Since this seems to be officially supported behavior it would make sense for there to be a greater care for security. Another good example would be strengthening the default SSH configurations to require keypairs in order to connect to SSH by default. SSH in unRAID can be configured for proper security with SSH, making it entirely safe to expose to the internet (at least as safe as any VPS you would access via SSH), but these safer configurations are not the default. The web UI has no such configurations to improve security, such as requiring 2fa.

 

It's fair and reasonable to tell a user that if they are not educated on the risks of exposing their system to the internet that they should not do it, but it's also fair to point out that unRAID's web UI login could be improved by adding 2fa. unRAID's login seems to be php based, and there are a handful of very good composer packages that make implementing 2fa very easy. Hopefully unRAID considers this.

  • Like 1
Link to comment

I personally consider UNRAID a system that always preferred the ease of use over security concerns and I just learned to treat it accordingly. Meaning that I only allow LAN access, share nothing to the internet, install no plugins that I don't trust and use restrictive Docker settings (e.g. for volume mounts, no privileged containers). I love UNRAID for its ease of use as a dataserver and wouldn't want to have it any other way, so requiring 2FA would mostly be an annoyance for me personally. Because as long as everything continues to run as root (which I like, as it makes administration much easier) the only thing that 2FA would accomplish - I think - is leading people into a false sense of security and making stupid decisions in the process... exposing unsecured services to the internet among the various possibilities.

 

I continue to read posts where people ask for LTS versions (which keep getting "security updates"), calling for 2FA or other more advanced security mechanisms. It seriously makes me wonder what their expectations towards UNRAID are and if I'm the only one who doesn't have any such expectations. Because, myself, I want a rock stable dataserver for my LAN (or at most accessible over VPN) which works and requires minimum effort on my part - best case it runs without problems and I don't need to login for anything ever. I have UNRAID servers which still are on 6.8.3. with hundreds of days of uptime, zero issues and I've never been hacked or had any significant efforts from external parties to breach into my servers. I keep my network as secure as possible and apply a principle of no trust towards letting people on my network, which I think is the most important factor for me.

 

I think many people try to make base UNRAID into some kind of "jack of all trades" that can do everything from hosting gameservers to crypto mining while 100% secure with all ports exposed to the internet but also having premium ZFS support and whatnot. For me that makes no sense and I compare it to preferring to eat at a restaurant which does fewer dishes excellently rather than one that offers 500 dishes which are all mediocre at best. There's various software for various use-cases, for me base UNRAID will always be an easy to use dataserver OS - for the rest I have VMs and other software.

 

I'm not saying my personal view is the right one, just wanted to offer another perspective here. 🙂

 

Edited by Rysz
  • Like 2
Link to comment
  • 1 month later...

To add almost all of us have WiFi. So even if we do our absolute best if any router we have has a security vulnerability it is still potentially possible an outside actor could get on our network 

even the best of us unraid without 2fa wouldn’t help in that scenario. Having the option to add 2fa for those who want it just makes sense in the modern day and age with all the wireless tech we have 

Link to comment
  • 1 month later...

I would be willing to assist in the design and implementation of an optional '2fa' section. While I am NOT a coder, I do have significant experience in designing and working with devs etc. to help implement such a feature. I would think that we could start off with 'easy' ones like the changing digits every x seconds (totp), and then tackle the harder ones like u2f/fido2.

 

I sent a request to support to offer my services and time to develop this feature. I am a 'paid' memeber and VERY happy with unraid.

 

Thomas

Link to comment
  • 1 month later...
On 9/24/2021 at 11:02 PM, EArroyo said:

I think a 2FA on the Web login would be a VERY useful and wise addition to unRAID.  Right now username/password is limiting me to have to connect to my VPN in order to peek at my server and see how it's doing...

 

Even given 2fa you should probably still use VPN. The risk of someone brute forcing your u/p is probably not as big of a concern as some unknown vulnerability that just bypasses login all together. 

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.