JK252 Posted January 30, 2022
Hello, I am totally new to Unraid. I currently have it on my local PC and loved it. I am planning to use it on my Dell server. However, I would like to have 2FA on the login page. DUO provides a free account for up to 10 users and I love it. I use it with my RDP. It also supports the Web SDK. Can anyone help with where to start to use DUO 2FA on the login page? DUO website: http://duo.com Thanks, JK
[email protected] Posted January 31, 2022
I've seen people ask for 2FA a few times before; I don't think there's any option. You should not expose the login page directly to the internet. Just use it locally or with a VPN (WireGuard is built in).
ich777 Posted January 31, 2022
> JK252 said: DUO provides a free account for up to 10 users and I love it.

You can use it in combination with Authelia, SWAG and Redis and simply reverse proxy the WebGUI, if you really want to, so that you have Authelia (with DUO 2FA) in front of the unRAID WebGUI.
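The setup described above, as an added illustration that is not part of the thread and is not SWAG's or Authelia's shipped configuration: an nginx server block that sends every request for the Unraid WebGUI through Authelia's `/api/verify` endpoint (the forward-auth pattern Authelia documents for nginx) before proxying it. The hostnames `unraid.example.com` and `auth.example.com`, the Authelia container name `authelia` on port 9091, and the Unraid LAN address `192.168.1.10` are assumptions to be replaced with your own values.

```nginx
# Added example, not from the thread. Hostnames, container name and the
# Unraid LAN address are assumptions.
server {
    listen 443 ssl http2;
    server_name unraid.example.com;            # assumption
    # ssl_certificate / ssl_certificate_key as issued by SWAG (omitted here)

    # Internal endpoint nginx calls for every request. Authelia answers
    # 200 (valid session, 2FA completed) or 401 (no or insufficient session).
    location /authelia {
        internal;
        proxy_pass http://authelia:9091/api/verify;   # assumption: container name/port
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # A single catch-all location: nothing under this host reaches Unraid
    # without passing auth_request first, including API and websocket paths.
    location / {
        auth_request /authelia;
        auth_request_set $target_url $scheme://$http_host$request_uri;
        # Unauthenticated -> redirect to the Authelia portal, return afterwards.
        error_page 401 =302 https://auth.example.com/?rd=$target_url;   # assumption

        proxy_pass https://192.168.1.10;           # assumption: Unraid LAN address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The WebGUI streams updates over websockets.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

On the Authelia side, the `access_control` rule for `unraid.example.com` must use `policy: two_factor` (with `default_policy: deny`) and the `duo_api` section must carry the DUO integration hostname, integration key and secret key for push approval; with only `one_factor`, the proxy adds nothing beyond a second password. Two checks worth doing once this is in place: confirm from outside that the Unraid ports themselves are not reachable (only the proxy's port should be forwarded, otherwise the `auth_request` is trivially bypassed), and confirm that an unauthenticated request to a non-HTML path such as a WebGUI API or websocket URL also returns the redirect, since the catch-all `location /` is what gates those.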
JK252 Posted January 31, 2022 (Author)
Thanks, ich. This sounds like an option. However, I am trying to keep it simple, like editing the Unraid login page and using the DUO Web SDK in that page. Edited January 31, 2022 by JK252
ich777 Posted February 14, 2022
> JK252 said: Thanks, ich. This sounds like an option. However, I am trying to keep it simple, like editing the Unraid login page and using the DUO Web SDK in that page.

I don't know if DUO is the way to go; for some users it might be too complicated to set up. Also keep in mind that if you've set it up once in SWAG, you can use it for every app that you reverse proxy through SWAG, and even for unRAID itself.
danioj Posted February 28, 2022
> ich777 said: You can use it in combination with Authelia, SWAG and Redis and simply reverse proxy the WebGUI, if you really want to, so that you have Authelia (with DUO 2FA) in front of the unRAID WebGUI.

While "do-able", I think this is really poor advice. @JK252, please see the formal security recommendations from @limetech: https://unraid.net/blog/unraid-server-security-best-practices TL;DR: don't expose your unRAID server to the internet, ESPECIALLY the maintenance GUI. Someone gets access and a web-based command prompt with root permissions is a click away.
ich777 Posted February 28, 2022
> danioj said: @JK252, please see the formal security recommendations from @limetech

Only double checking, but it's actually not mentioned on this page that you shouldn't expose your WebGUI, or am I wrong? Basically the My Servers plugin does the same... I think with Authelia in front of the Unraid WebGUI you are pretty secure, because it gives you another layer of security before you can even reach the WebGUI itself.

> danioj said: While "do-able", I think this is really poor advice.

At least from my perspective this is way better than using just the password for authentication to the WebGUI, because you will be redirected to Authelia, where you have 2FA with a user and password and additionally an OTP or push message (depending on how you set it up).
JK252 Posted February 28, 2022 (Author)
Even if we don't want to expose Unraid to the internet, 2FA is something that can make it more secure. I use RDP only locally and still have DUO 2FA set up. Edited February 28, 2022 by JK252
Dreeas Posted May 29, 2022
Humor me: with a reverse proxy (NGINX and Cloudflare) and a long, complex password generated by a password manager, how much trouble would a hacker go through just to get access through my exposed WebGUI to my humble server? Is Authelia or other 2FA possible with NGINX? I need to be able to access it from my company computer and I have no possibility to connect through a VPN from here.
ich777 Posted May 31, 2022
> Dreeas said: Is Authelia or other 2FA possible with NGINX?

Sure thing, look at the SWAG Docker container from @linuxserver.io. It ticks all your boxes, is also prepared for Authelia and can be enabled pretty quickly.
iXNyNe Posted July 5, 2022
I'd like to see general TOTP support. Duo supports TOTP, so users could opt to use Duo if they want, or use any TOTP app they prefer.
Casadream_1 Posted July 7, 2022
Hello, I have Nginx Proxy Manager with services that I open externally with Authelia 2FA. When I call a service, NPM points to Authelia, which I configured to work with Duo. I receive a notification, I can say Yes or No, and the service launches. I really like Duo; it brings a professional vision. Unfortunately, as with each application, there is always a login/password to enter. It's double protection, but I dream of a unique and global solution for all applications in order to enter them directly once past Authelia. This would require that the applications are all compatible with everything. Very complicated, because often the app has its own 2FA (Authy and more).
rob1000 Posted November 8, 2022
If you have your domain on Cloudflare, you can use Zero Trust to send you an email with a one-time code inside. When you go to your subdomain or domain, you will be forced to authenticate.
Xaero Posted November 27, 2022
> Dreeas said: Humor me: with a reverse proxy (NGINX and Cloudflare) and a long, complex password generated by a password manager, how much trouble would a hacker go through just to get access through my exposed WebGUI to my humble server?

This is worth replying to, and I noticed that nobody had yet. The concern isn't exactly that your password would be insecure against an attacker, but rather that the Unraid WebUI does not undergo regular penetration testing and security auditing, and as such should not be considered hardened against other attacks. These attacks could bypass the need for a password entirely, which is a much bigger concern. 2FA systems, when implemented correctly, would prevent this type of attack, but still would not make it safe to expose the WebUI directly to the internet. Since it isn't audited and hardened, and has endpoints that directly interact with the OS, it's likely that an attacker could easily find a surface that allows them read/write access to the filesystem as the root user, and the ability to remotely execute arbitrary code, including opening a reverse SSH tunnel to their local machine, giving them full terminal access to your server without ever having to know a username or password. As far as the effort required, it's going to vary greatly, but for many of these types of vulnerabilities hackers have written automated toolkits that scan for and exploit them with no interaction required on their part.

TL;DR: Don't expose your WebUI to the internet. This has been stressed heavily by both Limetech and knowledgeable members of the community for a reason. Extend this further to NEVER expose a system with ONLY an administrator or system-level account to the internet.

P.S. If I am wrong about the regular security auditing, please do let me know and I will remove that claim from this post, but as far as I am aware and Limetech has made public knowledge, there is no such testing done, which is fine for a system that does not get exposed to the internet. Edited November 27, 2022 by Xaero