About "Remote Access" security: disclose Unraid's official IP ranges to reinforce it?


Hi! 


I thought about enabling Remote Access through My Servers for some time, but to me it still seems too embarrassing to expose the server with one-factor authentication, no matter how strong the root password is.


Thus, I had two questions to address to the (amazing) Unraid team:

- In a short-term / mid-term perspective, would it be possible to disclose the IP ranges used by the My Servers API to remote access into servers? This would allow, for instance, restricting at the firewall level which IPs can or cannot access the server, and thus restricting it to Unraid's official servers. Many major services which rely on WAN port forwarding, such as Plex or Cloudflare, publicly disclose their IP ranges specifically for that purpose (see here or here).


- In a mid-term / long-term perspective, have other implementations of remote access login already been thought of? 2FA, key authentication, it's an open debate... For now, I'm still worried to think that it relies on a single factor, password authentication, and this is why I was wondering if something had been thought of / was being worked on / was coming soon regarding the security of remote access through My Servers.


As always, thanks for the hard work put into this great piece of software.


There seems to be some confusion here.


Remote Access is an optional feature of the My Servers plugin. It is the only part of My Servers that uses a port forward. The only time we access that port forward is when you press the "check" button; this is just a convenience for you to let you know that the port forward is set up correctly. We do not know your root password, and cannot do anything over that port forward other than confirm your server responds.


You are welcome to add any firewall rules you want to that port forward. Worst case, you will break the "check" button, but if you are adding firewall rules you should have your own ways of confirming them anyway.


Yes we are looking at 2FA for the optional Remote Access feature, but I'm not going to pre-announce anything at this time :)


Thanks for the clarifications. Indeed, I was confused by the wording, since I thought Remote Access was performed through Unraid's official servers acting as a proxy, and not with a DNS entry as it actually is. Sorry for that!

4 hours ago, ljm42 said:

Yes we are looking at 2FA for the optional Remote Access feature, but I'm not going to pre-announce anything at this time :)

Sure, I'm glad to know it's being looked at! Thanks again.