display0 Posted August 14, 2022

Hi all. I hope someone can help me.

I would like to prevent a person with physical access to the flash drive from resetting the password and gaining access as root.

I read the New User Basic blog #1. It states that to reset your root password do the following:

- Shutdown your server.
- Plug your USB flash into a laptop or another computer.
- Open the USB folder and delete the files "config/shadow" and "config/smbpasswd" (do not delete "config/passwd"). This will reset all user passwords, including the root user, to none, ie blank.
- Now eject your USB and reboot it on your NAS server and you're in. You can then set a new password in the Users tab of the Unraid webgui.

Source: https://unraid.net/blog/unraid-new-users-blog-series

I've searched the forums and found this previous thread:

The user "JonathanM" mentions that some files could be moved to an encrypted volume. Would that be possible with the files "config/shadow" and "config/smbpasswd" to prevent someone gaining root access to the server? Is there another way of achieving this? As I understand, encryption of the flash drive is not a possibility, though that is what I would like.

Thank you in advance.

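Added example, not part of the original thread or of Unraid itself: a shell check that flags a flash "config" folder left in the state the reset procedure above produces (the two files deleted, or a root entry with an empty password field). The function name, the finding labels and the sample data are constructed for illustration; the caller supplies the path where the config folder is mounted.

```shell
#!/bin/sh
# audit_flash_config DIR
# DIR is the "config" folder of the flash drive (wherever it is mounted).
# Prints findings on one line and returns 1, or prints OK and returns 0.
audit_flash_config() {
    cfg=$1
    findings=""
    # The reset procedure deletes these two files (config/passwd is left alone).
    for f in shadow smbpasswd; do
        [ -f "$cfg/$f" ] || findings="${findings}MISSING:$f "
    done
    if [ -f "$cfg/shadow" ]; then
        # Field 2 of a shadow entry is the password hash; empty means a blank password.
        root_hash=$(awk -F: '$1 == "root" { print $2; found = 1; exit }
                             END { if (!found) print "ABSENT" }' "$cfg/shadow")
        case $root_hash in
            ABSENT) findings="${findings}NO_ROOT_ENTRY " ;;
            "")     findings="${findings}ROOT_BLANK_PASSWORD " ;;
        esac
    fi
    if [ -n "$findings" ]; then
        echo "${findings% }"
        return 1
    fi
    echo OK
}

# Constructed sample data (not from a real server): a healthy config folder
# and one in the state the reset procedure leaves behind.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/healthy" "$demo_dir/reset"
printf 'root:$6$constructedsalt$constructedhash:19218:0:99999:7:::\n' > "$demo_dir/healthy/shadow"
printf 'root:0:CONSTRUCTED:CONSTRUCTED:[U          ]:LCT-00000000:\n' > "$demo_dir/healthy/smbpasswd"
printf 'root:x:0:0:Console and webGui login account:/root:/bin/bash\n' > "$demo_dir/reset/passwd"

audit_flash_config "$demo_dir/healthy"          # prints OK
audit_flash_config "$demo_dir/reset" || true    # prints MISSING:shadow MISSING:smbpasswd
```

A check like this only reports the condition after the fact; it does not stop someone with physical access from editing the flash drive.
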
Kilrah Posted August 14, 2022

Probably the best is either to increase physical security... or encrypt the whole array, that way even if someone can get root access to the server they can't do anything with it without wiping everything on it.

display0 Posted August 14, 2022 Author

Thank you for replying. The array is encrypted, but the flash drive would still give away shares created, the config of the server and plugins installed etc. I would like to prevent that if possible.

itimpi Posted August 14, 2022

56 minutes ago, display0 said:
> Thank you for replying. The array is encrypted, but the flash drive would still give away shares created, the config of the server and plugins installed etc. I would like to prevent that if possible.

Sounds like you want the flash drive mounted internally on the server, and a case for it you can lock?

display0 Posted August 14, 2022 Author

3 hours ago, itimpi said:
> Sounds like you want the flash drive mounted internally on the server, and a case for it you can lock?

That would be a nice simple solution. If I had the option to lock it away in a safe it could work. Thank you for your suggestion.

Should I draw from this that there is no software solution to securing the flash drive?

itimpi Posted August 14, 2022

2 hours ago, display0 said:
> Should I draw from this that there is no software solution to securing the flash drive?

Not that I know of. It is in FAT32 format so does not support encryption or anything like that.

JonathanM Posted August 14, 2022

8 hours ago, display0 said:
> If I had the option to lock it away in a safe it could work.

Here you go. https://senior.com/products/sentry-safe-electronic-water-resistant-fire-safe-usb-data-link

ConnerVT Posted August 15, 2022

Couldn't someone just steal the safe?

itimpi Posted August 15, 2022

1 hour ago, ConnerVT said:
> Couldn't someone just steal the safe?

Most safes would be bolted to the floor/wall and to get at the bolts one has to get inside the safe anyway.

JonathanM Posted August 15, 2022

1 hour ago, ConnerVT said:
> Couldn't someone just steal the safe?

Normally it would be lag bolted from the inside of the safe to the floor or wall studs, ideally both. But yes, if not properly implemented you could just walk off with the whole outfit.

Kilrah Posted August 15, 2022

You might be able to use a hardware-encrypted flash drive like https://istorage-uk.com/product/datashur/

Obviously with the drawback that you need physical access to it for a cold boot, and there may be other niggles.

gubbgnutten Posted August 15, 2022

17 hours ago, JonathanM said:
> Here you go. https://senior.com/products/sentry-safe-electronic-water-resistant-fire-safe-usb-data-link

Just keep in mind that this does virtually nothing to prevent the scenario described in the first post. Sure, the flash drive can't be removed, but all the bad guy has to do is to bring a laptop and the passwords are toast.

ConnerVT Posted August 16, 2022

14 hours ago, ConnerVT said:
> Couldn't someone just steal the safe?

12 hours ago, itimpi said:
> Most safes would be bolted to the floor/wall and to get at the bolts one has to get inside the safe anyway.

My post was a bit "tongue in cheek" sarcasm. Just the way I am. Need to find the appropriate smilie.

They say that locks only keep honest people honest. The basics of security breaks down into two main phases: Physical security and network security. Since we are talking physical security, put your computer in a location which only authorized people can access (the less, the better). If you connect to a network, all parts of the network need be secured - cabling, switches, other systems, etc.

The two things that usually compromise security are cost and convenience. This is where the big decisions are made. How valuable is what I'm trying to protect, and how much time and money do I wish to spend?

Most users visiting this forum don't likely need to lock down a NAS for the NSA. If you are needing to do this, then Unraid might not be the best platform to be running.

display0 Posted August 19, 2022 Author

On 8/14/2022 at 7:34 PM, itimpi said:
> Not that I know of. It is in FAT32 format so does not support encryption or anything like that.

All right. Thank you.

display0 Posted August 19, 2022 Author

On 8/15/2022 at 4:54 PM, Kilrah said:
> You might be able to use a hardware-encrypted flash drive like https://istorage-uk.com/product/datashur/ Obviously with the drawback that you need physical access to it for a cold boot, and there may be other niggles.

Thank you for the suggestion.