Basic security/Reverse proxy questions


Raiever


Hello all!

 

Relatively new to Unraid but I have been working my way through lots of guides and security measure practices! Just wanted to ask a few questions and include some background details.

 

Basic details:

  • SMB1 is disabled
  • Flash share is no export, and private
  • I have SSH/FTP/Telnet/UPNP turned off
  • Shares are all turned to no export, and private
  • Unraid Root has a 45 character private password
  • My router has a firewall (UDM) and is configured on high alert for my server
  • I have HTTP/HTTPS set to two custom ports and port forward 80/443 to these in my router
  • I have my own domain name, and use NGINX Proxy Manager with CF Full SSL as my reverse proxy

 

Questions:

1. As stated I use NPM + CF Full SSL for handling SSL on my services like Jellyfin. However out of curiosity, is it *safe* to forward my Unraid server/Unraid login page to a subdomain with SSL? Example being Jellyfin.mydomain.abc for my Jellyfin login, and unraid.mydomain.abc for unraid access.

 

The reason being, I want to have remote access when outside of my network (besides.. well remoting into my desktop and accessing the login). I have the SSL feature turned on, and enforced with the SSL certificate setup via "Management Access" yet still receive the "Insecure" message when going to my login page. I am unsure if I configured something incorrectly, or if this is considered safe but figured it was worth asking. 😁

 

2. My Docker network is set up on its own custom interface, and all of my apps are currently reverse proxied, is there any further.. "best practice" safety measures that can be implemented to protect my unraid box?

 

3. For VMs that need to be public facing (such as an Ubuntu host, hosting custom discord bots) does there need to be any type of security implemented besides general practice stuff like username/passwords, no remote services, etc. in order to protect my unraid server?

 

I am sure I will come up with more questions, but this is a good start! Thanks in advance to anyone who offers any guidance!

1 hour ago, Raiever said:

However out of curiosity, is it *safe* to forward my Unraid server/Unraid login page to a subdomain with SSL? Example being Jellyfin.mydomain.abc for my Jellyfin login, and unraid.mydomain.abc for unraid access.

That's how the SWAG app and MyServers fundamentally work.  Not a networking guy, so will leave it to others with regards to the certificate etc.

 

1 hour ago, Raiever said:

My Docker network is setup on its own custom interface, and all of my apps are currently Reverse proxied, is there any further.. "best practice" safety measures that can be implemented to protect my unraid box?

Only give them access to the paths with the minimum required access necessary.  i.e. No need for Plex to have any access to your banking info.  Plex as an example doesn't necessarily need write access to any of the shares either.

 

 

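A defender's check for the least-privilege point above, added here as an example and not code from the thread or from Unraid: it reads `docker inspect` output and flags every bind mount that is read-write outside the container's own appdata, which is what "Plex doesn't need write access to the shares" looks like when audited. The sample below is constructed; the container names, paths and the allowed appdata prefixes are assumptions.

```python
import json
import sys

# Constructed sample in the shape of `docker inspect` output (Name and Mounts only);
# container names and paths are hypothetical, not taken from the thread.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/jellyfin", "Mounts": [
        {"Type": "bind", "Source": "/mnt/user/appdata/jellyfin", "Destination": "/config", "RW": True},
        {"Type": "bind", "Source": "/mnt/user/media/movies", "Destination": "/movies", "RW": True},
        {"Type": "bind", "Source": "/mnt/user/media/tv", "Destination": "/tv", "RW": False},
    ]},
    {"Name": "/npm", "Mounts": [
        {"Type": "bind", "Source": "/mnt/user/appdata/npm", "Destination": "/data", "RW": True},
        {"Type": "bind", "Source": "/mnt/user", "Destination": "/shares", "RW": True},
    ]},
])

# Assumed: the only place a container legitimately needs to write is its own appdata.
ALLOWED_RW_PREFIXES = ("/mnt/user/appdata/", "/mnt/cache/appdata/")


def audit_mounts(inspect_json, allowed_rw_prefixes=ALLOWED_RW_PREFIXES):
    """Return (container, source, destination, reason) for every risky read-write mount."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for m in container.get("Mounts", []):
            src, dst = m.get("Source", ""), m.get("Destination", "")
            if not m.get("RW", True):        # read-only mounts cannot damage the share
                continue
            if src.rstrip("/") in ("/mnt", "/mnt/user"):
                findings.append((name, src, dst, "entire share root mounted read-write"))
            elif not src.startswith(allowed_rw_prefixes):
                findings.append((name, src, dst, "share path mounted read-write outside appdata"))
    return findings


if __name__ == "__main__":
    # Pipe real data in with: docker inspect $(docker ps -q) | python3 audit_mounts.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, src, dst, why in audit_mounts(data):
        print(f"{name}: {src} -> {dst}: {why}")
```

Mounts that only need reading (media libraries) should be added with the read-only flag in the container template so they show up as `"RW": false` here.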
17 minutes ago, Squid said:

That's how the SWAG app and MyServers fundamentally work.  Not a networking guy, so will leave it to others with regards to the certificate etc.

 

Only give them access to the paths with the minimum required access necessary.  i.e. No need for Plex to have any access to your banking info.  Plex as an example doesn't necessarily need write access to any of the shares either.

 

 

Fair enough, that doesn't exactly answer it so I will await further input but thank you! 🙂 Also for the life of me can't figure out how you split that quote so full response below.

1. I know I could also setup WireGuard for a VPN connection to remote in, but if public exposure (boy that sounds great doesn't it? lol) with a reverse proxy SSL setup and Cloudflare protecting the direct IP connection, I genuinely wonder if it is an okay alternative to a VPN setup for external access. The thing is that obviously, the more you expose yourself, the more insecure things become.

I have logging for every connection to the server in my router and CF, as well as auto-firewall blacklisting for well-known abusive IPs, and country restrictions through CF, on top of all the above security measures. Unsure how much more is needed (the so-called point of diminished returns).

 

2. This makes sense, I currently don't need ANY of my VMs to actually touch any of my shares.. and the only thing currently touching any share is JellyFin, for its media. Except, it's set up as far as I can tell to ONLY touch the two media folders it's assigned to plus its appdata and cache folders. I figured that it's pretty much a VM and VM only, with no direct access to the OS below it.
 


To add on to this,

 

I would like to note that my NPM currently has my login page reverse proxied with full SSL encryption, and the standard 443 port is changed to a much higher, random port but port forwarded.. This *is* causing my router to freak out about port 443 connection attempts, but obviously.. that is pointing to nothing and dropping all connections. I would love to swap to SWAG for Fail2Ban, but I can't be bothered at this time to change over. I wonder if there is an easy way to do auto blocking/lockouts without swapping to SWAG?

 

This is truly my biggest question.. Is it *safe* to have the unraid login page; on a random port, with SSL, protected by cloudflare, and a 45 character root password.. public facing?

 

Thanks for any feedback :)


I wouldn't expose the login page to the internet for any reason.   There is too much risk in allowing someone to find an exploit and not really needed.   If you are already using cloudflare with port forwarding, look at using an argo tunnel along with the cloudflared docker container.   This hides your true IP address and eliminates the port forwarding through your router, to block more access attempts before they hit your network.  You can configure access to your server using cloudflare teams + the WARP client as well.   This puts cloudflare authentication in front of your server and prevents the unraid login page from being your sole line of defense.   If you must provide access through a reverse proxy, I would at least configure the authelia docker and get a free duo account to secure things with 2FA.  

 

https://ibracorp.gitbook.io/cloudflare-tunnel/

https://ibracorp.gitbook.io/authelia/

 

44 minutes ago, mtrivs said:

I wouldn't expose the login page to the internet for any reason.   There is too much risk in allowing someone to find an exploit and not really needed.   If you are already using cloudflare with port forwarding, look at using an argo tunnel along with the cloudflared docker container.   This hides your true IP address and eliminates the port forwarding through your router, to block more access attempts before they hit your network.  You can configure access to your server using cloudflare teams + the WARP client as well.   This puts cloudflare authentication in front of your server and prevents the unraid login page from being your sole line of defense.   If you must provide access through a reverse proxy, I would at least configure the authelia docker and get a free duo account to secure things with 2FA.  

 

https://ibracorp.gitbook.io/cloudflare-tunnel/

https://ibracorp.gitbook.io/authelia/

 

 

It's funny that you mention this, as I was actually JUST watching the Ibracorp tunnel video and was going to break into setting it up. So it really doesn't make any sense to expose the unraid URL which is fair. I have it turned off for the time being but won't bother reverse proxying.

I guess my other question would be.. is there a point to subdomaining my NPM page? I imagine it is the same answer as the unraid login server, because the NPM page brings me to the login page, and can then have the same exploits/login spamming.

 

The only services that should be forwarded obviously are ones that need to be connected to like Plex or Jellyfin, etc. yes?

 

Thanks for the tips!


Anything you expose should have at least 2 layers of authentication in front of it.  Do not trust that the login pages for your services will keep everyone out and assume that someone has already found an exploit to allow access.  Plex is the only service that I run where 2FA is not possible, but everything else should have layers of security.  Things like management UIs (Unraid, NPM admin page, etc.) should almost never be exposed to the internet.

 

I would always be thinking of ways to provide the least amount of exposure possible.  For example, instead of exposing sonarr/radarr separately, just expose Ombi behind 2FA to limit the overall attack surface and total number of exposed ports.  Argo tunnels are great, but 2FA is the real winner when it comes to security.  Cloudflare has a lot of great security features built-in, but where there is a will there is a way.

19 hours ago, mtrivs said:

Anything you expose should have at least 2 layers of authentication in front of it.  Do not trust that the login pages for your services will keep everyone out and assume that someone has already found an exploit to allow access.  Plex is the only service that I run where 2FA is not possible, but everything else should have layers of security.  Things like management UIs (Unraid, NPM admin page, etc.) should almost never be exposed to the internet.

 

I would always be thinking of ways to provide the least amount of exposure possible.  For example, instead of exposing sonarr/radarr separately, just expose Ombi behind 2FA to limit the overall attack surface and total number of exposed ports.  Argo tunnels are great, but 2FA is the real winner when it comes to security.  Cloudflare has a lot of great security features built-in, but where there is a will there is a way.

Quick question,

 

I keep seeing folks talking about Argo Tunneling and Media servers having issues such as CF account bans due to certain data that shouldn't be routed through their systems. Do you route your Plex / Media servers through CF Argo personally? Have you had any issues like this?

 

Second, I am guessing you are running SWAG and not NGINX Proxy Manager, do you know of any other way to get something like Fail2Ban running? Or would you just suggest to follow up with Authelia?

 

Thanks in advance for your help!


I don't route plex through CF either.  I saw the warnings that using Argo for streaming can get you banned, so it has deterred me from trying it.   I have a fiber connection, so I already get fast speeds, so I would only benefit from faster peering running it over an Argo tunnel.

 

I run NPM presently and have been patiently waiting for it to have Fail2Ban support without hacking something together.   Most everything I have is behind authelia anyways, which has a few security measures built in to prevent brute force attempts.  The trade off is that there aren't historical IP blocks or dedicated jails like with Fail2Ban, but it is also really easy for an attacker to change their IP.

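Since NPM has no Fail2Ban integration, here is a minimal fail2ban-style detector, added as an example (not code from NPM, Fail2Ban or anyone in the thread): it runs the "N failures inside a window" rule over NPM proxy-host access-log lines and reports the client IPs that crossed the threshold. The log lines below are constructed and the log layout is assumed from NPM's log_format; the IPs, host name and path are made up.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the layout of an NPM proxy-host access log (assumed format: "[time] cache
# upstream_status status - METHOD scheme host "uri" [Client ip] ..."); IPs, host and path are made up.
SAMPLE_LOG = """\
[01/Mar/2022:10:00:01 +0000] - 401 401 - POST https jellyfin.mydomain.abc "/login" [Client 203.0.113.5] [Length 52] [Gzip -] [Sent-to 172.18.0.3] "curl/7.81" "-"
[01/Mar/2022:10:00:02 +0000] - 401 401 - POST https jellyfin.mydomain.abc "/login" [Client 203.0.113.5] [Length 52] [Gzip -] [Sent-to 172.18.0.3] "curl/7.81" "-"
[01/Mar/2022:10:00:04 +0000] - 401 401 - POST https jellyfin.mydomain.abc "/login" [Client 203.0.113.5] [Length 52] [Gzip -] [Sent-to 172.18.0.3] "curl/7.81" "-"
[01/Mar/2022:10:00:05 +0000] - 401 401 - POST https jellyfin.mydomain.abc "/login" [Client 203.0.113.5] [Length 52] [Gzip -] [Sent-to 172.18.0.3] "curl/7.81" "-"
[01/Mar/2022:10:00:06 +0000] - 401 401 - POST https jellyfin.mydomain.abc "/login" [Client 203.0.113.5] [Length 52] [Gzip -] [Sent-to 172.18.0.3] "curl/7.81" "-"
[01/Mar/2022:10:20:00 +0000] - 401 401 - POST https jellyfin.mydomain.abc "/login" [Client 198.51.100.7] [Length 52] [Gzip -] [Sent-to 172.18.0.3] "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(r'^\[(?P<time>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) - (?P<method>\S+) \S+ '
                     r'(?P<host>\S+) "(?P<uri>[^"]*)" \[Client (?P<ip>[^\]]+)\]')


def parse_line(line):
    """Parse one NPM access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def find_offenders(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Fail2ban-style rule: an IP with max_failures or more 401/403 responses inside a
    sliding window is an offender. Returns {ip: time the threshold was first crossed}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["status"] not in (401, 403):
            continue
        q = recent[e["ip"]]
        q.append(e["time"])
        while e["time"] - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= max_failures and e["ip"] not in offenders:
            offenders[e["ip"]] = e["time"]
    return offenders


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, when in find_offenders(text).items():
        print(f"{ip} crossed the failure threshold at {when.isoformat()}")
```

The output is only the detection half; turning it into a block list is the part the router's firewall or a Cloudflare IP access rule has to do, and a client that changes IP will need the Authelia-style per-account throttling mtrivs mentions rather than per-IP bans alone.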
20 hours ago, mtrivs said:

I don't route plex through CF either.  I saw the warnings that using Argo for streaming can get you banned, so it has deterred me from trying it.   I have a fiber connection, so I already get fast speeds, so I would only benefit from faster peering running it over an Argo tunnel.

 

I run NPM presently and have been patiently waiting for it to have Fail2Ban support without hacking something together.   Most everything I have is behind authelia anyways, which has a few security measures built in to prevent brute force attempts.  The trade off is that there aren't historical IP blocks or dedicated jails like with Fail2Ban, but it is also really easy for an attacker to change their IP.

This is pretty much where I am at honestly. I have NPM handling all my SSL needs with subdomain/cloudflare type of setup, currently no other port forwards except the NPM ports I selected forwarded for 80/443. I still get hit all the time with automated bots etc. scanning my network so it's quite fun blocking all of them.

 

I will have to check out Authelia and see if I will benefit from it.. Because in reality, the only public face I have right now is Jellyfin, which all of my users only have basic accounts no admin and a randomly generated 30-character password as well as running over SSL. I imagine for now, I am pretty set.
