NY152, Posted March 26, 2023

I'm writing this post because I don't quite understand Unraid's policy regarding root and non-root users.

Why impose root for the WebUI and for SSH? This is a big flaw in my opinion. For those who do a little research, they already know the user to brute-force!

The user could at least have the choice to disable root and choose a user instead, at least for SSH; one must be able to have a choice, right?

Not to mention that Unraid does not even allow you to configure fail2ban by default. There is a plugin, but I highly doubt its effectiveness.

What do you think?
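The two settings the post is arguing about (whether root may log in over SSH at all, and whether password logins, the thing a brute-force attempt needs, are enabled) are both decided by sshd_config. The script below is an added example, not code from the thread or from Unraid: it reads the effective value of PermitRootLogin and PasswordAuthentication from any sshd_config you point it at and reports which of the two exposures are present. It mirrors sshd's own rule that the first occurrence of a keyword wins, accepts the "Keyword value" and "Keyword=value" spellings, and ignores lines inside a Match block because their scope is conditional. The fallback values used when a keyword is absent are stock OpenSSH defaults, an assumption on my part: the thread does not say what Unraid's shipped file contains, and the path you pass is yours to supply.

```shell
#!/bin/sh
# Added example (not from the thread or from Unraid): audit an sshd_config for
# root-over-SSH and password-authentication exposure.

# Print the effective value of a keyword (lower-cased) from an sshd_config.
# First occurrence wins, as in sshd; comments, blank lines and Match blocks
# are skipped. Prints nothing if the keyword is not set.
#   $1 = keyword (case-insensitive), $2 = path to config file
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }                   # comment line
        /^[[:space:]]*$/ { next }                   # blank line
        {
            line = $0
            sub(/=/, " ", line)                     # allow "Keyword=value"
            split(line, f)
            k = tolower(f[1])
        }
        k == "match" { inmatch = 1; next }          # conditional block: ignore rest
        inmatch { next }
        k == key { print tolower(f[2]); exit }      # first occurrence wins
    ' "$2"
}

# Report one finding per setting ("OK ..." or "RISK ...").
# Returns 0 when neither exposure is present, 1 otherwise.
#   $1 = path to config file
audit_sshd_config() {
    cfg="$1"
    rc=0
    root=$(sshd_effective PermitRootLogin "$cfg")
    pw=$(sshd_effective PasswordAuthentication "$cfg")
    # Assumed fallbacks: upstream OpenSSH defaults when the keyword is absent
    # (prohibit-password for root, password auth enabled).
    [ -z "$root" ] && root="prohibit-password"
    [ -z "$pw" ] && pw="yes"

    case "$root" in
        no)
            echo "OK   PermitRootLogin=$root (root cannot log in over SSH)" ;;
        prohibit-password|without-password)
            echo "OK   PermitRootLogin=$root (root only with keys, no password)" ;;
        *)
            echo "RISK PermitRootLogin=$root (root may log in with a password)"
            rc=1 ;;
    esac
    case "$pw" in
        no)
            echo "OK   PasswordAuthentication=no (no password to guess)" ;;
        *)
            echo "RISK PasswordAuthentication=$pw (password guessing possible)"
            rc=1 ;;
    esac
    return $rc
}

# Usage: sh audit_sshd.sh /path/to/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

The exit status makes the check usable from a cron job or a boot script: a non-zero result means a later edit, a plugin, or a regenerated file has put password logins for root back. A strong root password, as the reply below notes, already removes the practical brute-force risk; this check tells you whether you are relying on that password alone.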
Symen, Posted March 30, 2023

The usual security advice with Unraid is "don't expose your Unraid server to the internet." There was a huge security flaw in the web UI some versions ago (< 6.8.1 according to a quick Google search, don't quote me on that), and the devs said something along the lines of "Yeah, we fixed it, but Unraid is an appliance so it's ok"...

The worst part is not that there is a default "root" user, but that everything runs under root. If there is a security issue with any of the programs running on your Unraid machine, full access for the attacker.

In short, use a VPN server to access your local network.

With that said, if your root user has a strong-enough password, brute-forcing is not an attack vector at all. Changing the root username is just security by obscurity, which doesn't work if someone really wants to hack you.
NY152, Posted April 3, 2023

Thanks for the information!