use DUO 2FA on Unraid login page


JK252


Hello,

I am totally new to Unraid. I currently have it on my local PC and love it. I am planning to use it on my Dell server. However, I would like to have 2FA on the login page. DUO provides a free account for up to 10 users and I love it; I use it with my RDP. It also supports the Web SDK. Can anyone help with where to start to use DUO 2FA on the login page? DUO website: http://duo.com

Thanks

JK

On 1/31/2022 at 6:17 PM, JK252 said:

Thanks ich. This sounds like an option. However, I am trying to keep it simple, like editing the UnRAID login page and using the Duo Web SDK in that page.

I don't know if DUO is the way to go; for some users it might be too complicated to set up.

Also keep in mind if you've set it once in SWAG you can use it for every app that you reverse proxy through SWAG and even for unRAID itself. ;)

On 2/1/2022 at 1:57 AM, ich777 said:

You can use it in combination with Authelia, SWAG and Redis and simply reverse proxy the WebGUI, if you really want to, so that you have Authelia (with DUO 2FA) in front of the unRAID WebGUI.


While “do-able” I think this is really poor advice.

 

To the @JK252 please see the formal security recommendations from @limetech

 

https://unraid.net/blog/unraid-server-security-best-practices

 

TLDR: don’t expose your unRAID server to the internet. ESPECIALLY the maintenance GUI. Someone gets access and a web based command prompt with root permissions is a click away. 

46 minutes ago, danioj said:

To the @JK252 please see the formal security recommendations from @limetech

Just double-checking, but it isn't actually mentioned on this page that you shouldn't expose your WebGUI, or am I wrong? Basically the My Servers plugin does the same...

 

I think with Authelia in front of the Unraid WebGUI you are pretty secure, because it gives you another layer of security before you can even reach the WebGUI itself.

 

50 minutes ago, danioj said:

While “do-able” I think this is really poor advice.

At least from my perspective this is way better than using just the password for authentication to the WebGUI, because you will be redirected to Authelia, where you have 2FA with a user and password and additionally an OTP or push message (depending on how you set it up).


Humor me, with a reverse proxy (NGINX and cloudflare) and a long complex password generated from a password manager, how much trouble would a hacker go through just to get access through my exposed WebGUI to my humble server? 

Is Authelia or other 2FA possible with NGINX? 
I need to be able to access from my company computer and I have no possibility to connect through VPN from here.


Hello,

 

I have Nginx Proxy Manager with services that I open externally with Authelia 2FA.

When I call a service, NPM points to Authelia, which I configured to work with Duo.

I receive a notification and I can say Yes or No, and the service launches On Air :)

I really like Duo; it brings a professional vision.

Unfortunately, as with each application, there is always a login/password to enter.

It's a double protection, but I dream of a single, global solution for all applications, in order to enter directly into them once past Authelia.

This would require that the applications all be compatible with everything.

Very complicated, because often the app has its own 2FA (Authy and more).

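The setup ich777 describes (Authelia, SWAG and Redis in front of the reverse-proxied WebGUI) and the Nginx Proxy Manager post above both come down to the same mechanism: nginx's auth_request sends every incoming request to Authelia first, and only a request Authelia approves (valid session plus the second factor, here the Duo push) is passed on to Unraid. The configuration below is an added example for a plain nginx server; it is not from the thread, nor from SWAG, NPM, Authelia or Unraid. Assumed names: the Authelia container at http://authelia:9091 answering on its legacy /api/verify endpoint (Authelia 4.x), the Unraid WebGUI at http://192.168.1.10 on the LAN, the Authelia portal at https://auth.example.com, and unraid.example.com as the public name of the proxy.

```nginx
# Added example (not from the thread, SWAG, NPM, Authelia or Unraid): nginx forward-auth
# to Authelia in front of the Unraid WebGUI. All hostnames and addresses are assumptions.

# Websocket upgrade only when the client asked for it (Unraid's terminal and log viewer).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name unraid.example.com;

    ssl_certificate     /etc/letsencrypt/live/unraid.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unraid.example.com/privkey.pem;

    # Internal subrequest target: every request to this vhost is checked here first.
    # Authelia replies 200 (session valid, 2FA satisfied) or 401 (not authenticated).
    location /authelia {
        internal;
        proxy_pass http://authelia:9091/api/verify;   # legacy verify endpoint (assumption: Authelia 4.x)
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # Authelia matches these against its access_control rules (domain, path, method)
        proxy_set_header X-Original-URL    $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Uri    $request_uri;
        proxy_set_header X-Forwarded-For    $remote_addr;
    }

    location / {
        auth_request /authelia;

        # Unauthenticated: send the browser to the portal and return to the original URL afterwards
        auth_request_set $target_url $scheme://$http_host$request_uri;
        error_page 401 =302 https://auth.example.com/?rd=$target_url;

        # Identity Authelia established, passed upstream as a header (informational only for Unraid)
        auth_request_set $user $upstream_http_remote_user;
        proxy_set_header Remote-User $user;

        # Only reached when Authelia returned 200
        proxy_pass http://192.168.1.10;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $remote_addr;

        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

The Duo push itself is configured on the Authelia side (its duo_api section with the API hostname, integration key and secret key from the Duo admin panel, and an access_control rule giving unraid.example.com the two_factor policy); Redis is only Authelia's session store, so neither changes the nginx side. SWAG packages the two location blocks above as its authelia-server.conf and authelia-location.conf includes. The caveat danioj and Xaero raise still applies: this gates the WebGUI behind Authelia, but the WebGUI upstream is unchanged, so make sure Unraid's own port is not also forwarded from the router, or the proxy is simply bypassed.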
On 5/29/2022 at 3:57 PM, Dreeas said:

Humor me, with a reverse proxy (NGINX and cloudflare) and a long complex password generated from a password manager, how much trouble would a hacker go through just to get access through my exposed WebGUI to my humble server? 


This is worth replying to, and I noticed that nobody had yet. The concern isn't exactly that your password would be insecure against an attacker, but rather that the Unraid WebUI does not undergo regular penetration testing and security auditing, and as such should not be considered hardened against other attacks. These attacks could bypass the need for a password entirely, which is a much bigger concern. 2FA systems, when implemented correctly, would prevent this type of attack, but still would not make it safe to expose the WebUI directly to the internet.

Since it isn't audited and hardened, and has endpoints that directly interact with the OS, it's likely that an attacker could easily find a surface that allows them read/write access to the filesystem as the root user, and the ability to remotely execute arbitrary code, including opening a reverse SSH tunnel to their local machine giving them full terminal access to your server without ever having to know a username or password.

As far as the effort required: it's going to vary greatly, but for many of these types of vulnerabilities, hackers have written automated toolkits that scan and exploit them with no interaction required on their part.

TL;DR:

Don't expose your WebUI to the internet. This has been stressed heavily by both Limetech and knowledgeable members of the community for a reason. Extend this further to NEVER expose a system with ONLY an administrator or system level account to the internet.


P.S. If I am wrong on the regular security auditing, please do let me know and I will remove that claim from this post, but as far as I am aware, and as Limetech has made public knowledge, there is no such testing done, which is fine for a system that does not get exposed to the internet.

Edited by Xaero