January 30, 20224 yr Hello, I am totally new to unraid. I currently have it on my local pc and loved it. I am planning to use it on my dell server. However, I would like to have a 2FA on login page. DUO provides free account up to 10 users and love it. I use with my RDP. It also supports webSDK. Can any one help where to start to use DUO 2FA on login page? DUO website: http://duo.com Thanks JK
January 31, 20224 yr seen ppl ask for 2fa a few times before, don't think there's any option. You should not expose login page directly to the internet. just use it local or with a vpn. (wireguard is built in)
January 31, 20224 yr 21 hours ago, JK252 said: DUO provides free account up to 10 users and love it. You can use it in combination with Authelia, SWAG and Redis and simply Reverse Proxy the WebGUI if you really want to so that you have Authelia (with DUO 2FA) in front of the unRAID WebGUI.
January 31, 20224 yr Author Thanks ich. This sound like an option. However I am trying to keep it simple..like edit UnRAID login page and use duo websdk in that page. Edited January 31, 20224 yr by JK252
February 14, 20224 yr On 1/31/2022 at 6:17 PM, JK252 said: Thanks ich. This sound like an option. However I am trying to keep it simple..like edit UnRAID login page and use duo websdk in that page. I don't know if DUO is the way to go, for some users it might be too complicated to setup. Also keep in mind if you've set it once in SWAG you can use it for every app that you reverse proxy through SWAG and even for unRAID itself.
February 28, 20224 yr On 2/1/2022 at 1:57 AM, ich777 said: You can use it in combination with Authelia, SWAG and Redis and simply Reverse Proxy the WebGUI if you really want to so that you have Authelia (with DUO 2FA) in front of the unRAID WebGUI. While “do-able” I think this is really poor advice. To the @JK252 please see the formal security recommendations from @limetech https://unraid.net/blog/unraid-server-security-best-practices TLDR: don’t expose your unRAID server to the internet. ESPECIALLY the maintenance GUI. Someone gets access and a web based command prompt with root permissions is a click away.
February 28, 20224 yr 46 minutes ago, danioj said: To the @JK252 please see the formal security recommendations from @limetech Only double checking but it's actually not mentioned that you shouldn't expose your WebGUI on this page or am I wrong? Basically the My Servers plugin does the same... I think with Authelia in front of the Unraid WebGUI you are pretty secure because it gives you another layer of security before you even can reach the WebGUI itself. 50 minutes ago, danioj said: While “do-able” I think this is really poor advice. At least from my perspective this is way better than use just the password for Authentication to the WebGUI because you will be redirected to Authelia where you have 2FA with a user and password and additionally a OTP or Push message (depends on how you set it up).
February 28, 20224 yr Author Even if we don’t want to expose UnRAID to internet, 2FA is some thing that can make it more secure . I use RDP only from local..still have DUO 2FA setup. Edited February 28, 20224 yr by JK252
May 29, 20224 yr Humor me, with a reverse proxy (NGINX and cloudflare) and a long complex password generated from a password manager, how much trouble would a hacker go through just to get access through my exposed WebGUI to my humble server? Is Authelia or other 2FA possible with NGINX? I need to be able to access from my company computer and I have no possibility to connect through VPN from here.
May 31, 20224 yr On 5/29/2022 at 10:57 PM, Dreeas said: Is Authelia or other 2FA possible with NGINX? Sure thing, look at the SWAG Docker container from @linuxserver.io it ticks all your boxes and is also prepared for Authelia and can be enabled pretty quick.
July 5, 20224 yr I'd like to see general TOTP support. Duo supports TOTP, so users can opt to use Duo if they want, or use any TOTP app they prefer.
July 7, 20224 yr Hello, I have Nginx Proxy Manager with services that I open externally with Authelia 2FA. When I call a service, npm points to Authelia which I configured to work with Duo. I receive a notification and I can say Yes or No and the service launches On Air I really like Duo, it brings a professional vision. Unfortunately as on each application there is always a login / password to enter. It's a double protection but I dream of a unique and global solution for all applications in order to enter directly into it once past Authelia. This would require that the applications are all compatible with everything. Very complicated because often the app has its own 2FA (Authy and more)
November 8, 20223 yr If you have your domain from CloudFlare you can use ZeroTrust to send you an email and there is a one-time code inside. And when you go to your sub-domain or domain then you will be forced to authenticate.
November 27, 20223 yr On 5/29/2022 at 3:57 PM, Dreeas said: Humor me, with a reverse proxy (NGINX and cloudflare) and a long complex password generated from a password manager, how much trouble would a hacker go through just to get access through my exposed WebGUI to my humble server? This is worth replying to, and I noticed that nobody had yet. The concern isn't exactly that your password would be insecure against an attacker; but rather that the Unraid WebUI does not undergo regular penetration testing and security auditing, and as such should not be considered hardened against other attacks. These attacks could bypass the need for a password entirely, which is a much bigger concern. 2FA systems, when implemented correctly, would prevent this type of attack, but still would not make it safe to expose the WebUI directly to the internet. Since it isn't audited and hardened, and has endpoints that directly interact with the OS, it's likely that an attacker could easily find a surface that allows them read/write access to the filesystem as the root user, and the ability to remotely execute arbitrary code, including opening a reverse SSH tunnel to their local machine giving them full terminal access to your server without ever having to know a username or password. As far as the effort required - it's going to vary greatly, but many of these types of vulnerabilities hackers have written automated toolkits that scan and exploit these vulnerabilities for them with no interaction required on their part. TL;DR: Don't expose your WebUI to the internet. This has been stressed heavily by both Limetech and knowledgeable members of the community for a reason. Extend this further to NEVER expose a system with ONLY an administrator or system level account to the internet. P.S. If I am wrong on the regular security auditing, please do let me know and I will remove that claim from this post, but as far as I am aware and Limetech has made public knowledge there is no such testing done, which is fine for a system that does not get exposed to the internet. Edited November 27, 20223 yr by Xaero
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.