[Debate] Unraid based on a another OS for security and stability


Recommended Posts

Does it make sense for Unraid "a server" to be base on slackware?

Slackware is mainly mantained by 1 person Patrick Volkerding - Wikipedia, when he was ill the future of Slackware wasn't clear, the truth is that no one what will happen with Slackware if he stops working on it.

Other distros based on Redhat or Debian, are server grade / enterprise ready, they should be more stable, more tested, you get security updates instantly, SElinux support, it would be easier to do administrative task for Unraid users, etc.

Currently in Unraid we lack of any way to monitor the security via audit logs, with redhat or debian based distros this could be easily solved even by the Users.

 

I understand that Slackware for Unraid allows to use very little space and RAM but I don't see how would be a problem if unraid needs 200 mb of ram instead 100 to work.

If a more flexible distro is a must then Arch linux could be another option.

 

The same with dockerman, I understand why dockerman was develop but currently with docker compose, dockerman should be deprecated or at least provide full support for docker compose in Unraid.

 

I think Unraid core needs a modernization before adding new features, and the sooner the better.

Edited by L0rdRaiden
  • Like 1
Link to comment
36 minutes ago, L0rdRaiden said:

Does it make sense for Unraid "a server" to be base on slackware?

No, but all other distros are also bad.

UNRAID should use a "real" os instead like FreeBSD (not fancy, but rock solid and with the same directory structure for the last 40yrs).

Everything on Linux is added from different sources, see ZFS now beeing a real cripple on UNRAID. Why not using an OS with native support for it? Even for boot partitions.

Or networking, more or less everybody in the world is copyiing BSD stacks, more or less successful.

And it is the "less" part on Linux Distributions that makes me stay away from them if possible. Its the "is working on X, but lacks feature A on Y" or "symlinked to X" or "naming scheme Z". These things all slow down people, who has "learned" on Distro X cannot fully move over to Distro Y. He has to relearn a lot, this is totally unnecessary and only wastes time and brain ressources.

 

  • Like 1
Link to comment
On 10/3/2023 at 9:17 AM, MAM59 said:

No, but all other distros are also bad.

UNRAID should use a "real" os instead like FreeBSD (not fancy, but rock solid and with the same directory structure for the last 40yrs).

Everything on Linux is added from different sources, see ZFS now beeing a real cripple on UNRAID. Why not using an OS with native support for it? Even for boot partitions.

Or networking, more or less everybody in the world is copyiing BSD stacks, more or less successful.

And it is the "less" part on Linux Distributions that makes me stay away from them if possible. Its the "is working on X, but lacks feature A on Y" or "symlinked to X" or "naming scheme Z". These things all slow down people, who has "learned" on Distro X cannot fully move over to Distro Y. He has to relearn a lot, this is totally unnecessary and only wastes time and brain ressources.

 

 

That doesn't make any sense, if you go to freebsd what happens with docker? and virtualization? bhyve is not as good and tested like kvm.

 

With a linux based OS more supported than slackware it would be easier for the users to do things with Unraid that not features available. 

Edited by L0rdRaiden
Link to comment
On 10/3/2023 at 2:33 AM, L0rdRaiden said:

Does it make sense for Unraid "a server" to be base on slackware?

Consider instead that unRAID is not "a server" os but rather a "home NAS appliance os". It is more spirituality akin to the Synology OS or whatever runs on QNAP. It doesnt provide all the administrative tools of a more general linux os because the user is expected (though not required) to administer their NAS within the unRAID paradigm. It lacks many of the more sophisticated security tools because they are generally unnecessary for a home user on a home network which is unRAIDs target audience (alibi the more advanced home user).

On 10/3/2023 at 2:33 AM, L0rdRaiden said:

If a more flexible distro is a must then Arch linux could be another option.

A flexible distro is, I think, exactly what unRAID is trying to avoid. Slackware's lack of simple package management is a benefit to unRAID in that it helps to enforce the "dont modify the base os" tenet.

 

On 10/3/2023 at 2:33 AM, L0rdRaiden said:

The same with dockerman, I understand why dockerman was develop but currently with docker compose, dockerman should be deprecated or at least provide full support for docker compose in Unraid.


One of the benefits of dockerman is that it steers users toward the unRAID way of using docker, i.e. single container apps, bind mounts instead of volumes, simple network topology, curated apps from an appstore. Again geared toward the home user rather than the professional.

 

On 10/3/2023 at 2:33 AM, L0rdRaiden said:

I think Unraid core needs a modernization before adding new features, and the sooner the better.

For my money I would rather see limetech focus on improving the core NAS capabilities (though not ZFS, way to much time spent on that already) and commit to faster / more security patches between feature releases.

  • Like 1
Link to comment
On 10/8/2023 at 9:10 PM, DivideBy0 said:

This argument is dead in the water from the beginning :) Says who that UnRaid is not secure nor stable? I would start with that first :) 

 

Nothing to see and nothing to debate here, end of story.

 

Do you consider Unraid stable? Do you follow what happens in the forums after each release?

Unraid not being as secure as a standard distro is a fact for 3 reasons:

 

Unraid devs have stated several times in the forums that Unraid is not intended to be used to publish services to internet. Why? at least 2 reasons but there could be more

a) Unraid doesn't go through any hardening process, redhat, ubuntu are verified against security frameworks (DISA,CIS) before release to ensure that the defaults are safe. Unraid does not, we just asume that the OS is safe, but actually no one knows, no ones cares.

b) Have you ever seen an extraordinary release of Unraid to patch a CVE? I have never seen one and I have been around many years. The CVE persist in unraid for weeks or months just waiting for the next regular release to be patched or not. With a "standard" distro you get those in hours.

 

This is a fact, end of the story 😊

  • Upvote 1
Link to comment

cool down 🙂

Yeah, UNRAID is not bullet proof, but rather cheap and almost working. The problem is (as usual) that people demand fancy things that do not really belong here (focus should stay "fileserver"). The more you add, the weaker it gets. And you end up with so many possible configurations that are not able to be handled anymore.

Sometimes it is worth to say "NO" to new feature requests or even throw out weak stuff again.

People always expect "the egg-laying-wool-and-milk-giving animal", but this is hard to create and usually also not desireable.

 

  • Upvote 1
Link to comment
On 10/8/2023 at 8:56 PM, primeval_god said:

Consider instead that unRAID is not "a server" os but rather a "home NAS appliance os". It is more spirituality akin to the Synology OS or whatever runs on QNAP. It doesnt provide all the administrative tools of a more general linux os because the user is expected (though not required) to administer their NAS within the unRAID paradigm. It lacks many of the more sophisticated security tools because they are generally unnecessary for a home user on a home network which is unRAIDs target audience (alibi the more advanced home user).

A flexible distro is, I think, exactly what unRAID is trying to avoid. Slackware's lack of simple package management is a benefit to unRAID in that it helps to enforce the "dont modify the base os" tenet.

 


One of the benefits of dockerman is that it steers users toward the unRAID way of using docker, i.e. single container apps, bind mounts instead of volumes, simple network topology, curated apps from an appstore. Again geared toward the home user rather than the professional.

 

For my money I would rather see limetech focus on improving the core NAS capabilities (though not ZFS, way to much time spent on that already) and commit to faster / more security patches between feature releases.

 

I know exactly what Unraid is, but whatever you want to call it, is still a server.

 

I'm refering to the intrinsic securty of the OS, not to the addition of other security tools.

 

The concept of dockerman is fine, the problem of dockerman is that is based on docker run and not docker compose so you have to rely on unsuported and community dockers instead on the offial ones in many cases, particularly when the app requries more than one container. So you still use dockerman the same UI but the backend should be docker compose.

 

NAS capabilities is the only thing being developed in Unraid the last 4-5 years, or even more. Docker, VM's, networking, etc are untouched.

 

Regarding CVE and security see my post above. 

  • Like 1
Link to comment
Just now, MAM59 said:

cool down 🙂

Yeah, UNRAID is not bullet proof, but rather cheap and almost working. The problem is (as usual) that people demand fancy things that do not really belong here (focus should stay "fileserver"). The more you add, the weaker it gets. And you end up with so many possible configurations that are not able to be handled anymore.

Sometimes it is worth to say "NO" to new feature requests or even throw out weak stuff again.

People always expect "the egg-laying-wool-and-milk-giving animal", but this is hard to create and usually also not desireable.

 

 

LoL so a minimun security is a fancy thing?

I'm not asking to add anything in the distro, not a single new package. If they don't plan to do a properly support of the distro an alternative would be to base Unraid in a distro that will do what work for them.

You could still build unraid base on Arch, using exactly the same packages but you will get security updates in hours not months.

  • Like 1
Link to comment
1 minute ago, L0rdRaiden said:

LoL so a minimun security is a fancy thing?

if you take in respect how unraid works, yes.

CVE can happen daily, even hourly. Unraid boots from an image on a stick, for each update, this image would had to be downloaded und written to the stick. This would put a heavy write load to the stick (and a reboot would be needed too each time).

(btw: I really HATE this "bound to stick because of UUID" thing, but that is their choice)

Would need a serious redesign so that UNRAID boots off a more solid source as a real disk or ssd and only configs/key would remain on the stick.

Security problems usually only occur, if UNRAID is open to the internet (mine is not and never will be).

 

And, as long everything runs as "root", the word "security" is not really serious :-)))

 

For the docker stuff, I dont know anything, if there are several ways for creating and using dockers, it is one more point for me to stay away of this strange idea...

 

Link to comment

With the small footprint of unraid it wont happen't even weekly but it will happend.

Writing a few mb in a USB stick won't broke it, it could still last a decade if you look at the TBW specification of the devices.

That "strange" idea of compose is the way docker is meant to be run, and is more convinient and easier to manage than "docker run", it's a standard. For the users would be transparent, for the community apps, maintainers or more advance users, would be a complete advantage.

  • Like 1
Link to comment
4 minutes ago, L0rdRaiden said:

it could still last a decade if you look at the TBW specification of the devices

Yeah, sadly reality told me already two times that TBW means nothing sometimes 😞

For me the stick is sacred, I avoid every unneccessary write. But ok, there would be a way around it if somebody would like to (storing the updates on an HD and incorporating them at boot/unpack time for instance)

 

  • Upvote 1
Link to comment
6 hours ago, L0rdRaiden said:

I know exactly what Unraid is, but whatever you want to call it, is still a server.

My point was less about NAS vs server and more about general linux server os vs appliance os that happens to be based on linux. My opinion is that appliance devices targeted at home networks have a much lower security requirement than server software targeted at business or enterprise. 

Link to comment

My stuff is behind the firewall and in a DMZ.  Nothing is allowed inbound including the UnRaid cloud plugin.  My IPS/IDS can and will see and block anything inbound/outbound.  Is called defense in depth, multiple layers of defense.  That being said I am to lazy to do this but have at it and report back:

 

nmap -sV --script=vulscan/vulscan.nse www.example.com

 

nmap --script nmap-vulners/ -sV www.example.com

 

https://securitytrails.com/blog/nmap-vulnerability-scan

 

Link to comment
4 hours ago, DivideBy0 said:

My stuff is behind the firewall and in a DMZ.  Nothing is allowed inbound including the UnRaid cloud plugin.  My IPS/IDS can and will see and block anything inbound/outbound.  Is called defense in depth, multiple layers of defense.  That being said I am to lazy to do this but have at it and report back:

 

nmap -sV --script=vulscan/vulscan.nse www.example.com

 

nmap --script nmap-vulners/ -sV www.example.com

 

https://securitytrails.com/blog/nmap-vulnerability-scan

 

Unless you are doing ssl offloading in your IPS, is going to see only the 1% of what is happening.

That is your use case but I guess many people publish or want to publish services hosted in unraid to internet, and vulnerability and hardening in the host is also defense in depth.

Nmap won't detect anything serious or not obvious but you can use Nessus scanner essentials for free up to 16 IPs.

Link to comment
1 hour ago, L0rdRaiden said:

Unless you are doing ssl offloading in your IPS, is going to see only the 1% of what is happening.

That is your use case but I guess many people publish or want to publish services hosted in unraid to internet, and vulnerability and hardening in the host is also defense in depth.

Nmap won't detect anything serious or not obvious but you can use Nessus scanner essentials for free up to 16 IPs.

 

But of course you had a rebuttal :) So that leaves my UnRaid vulnerable / flying blind at SSL mercy.  Enlighten me now what's the worse can and will happen with my UnRaid over SSL.  Keep the facts objective, quantitative and not what you read or what you heard :) I have no need to hear what could potentially happen. Hard facts strictly related to UnRaid which you claim is unsecure but have no data or evidence to offer. 

 

By the way Nessus will use the same scanning engines / plugins as the nmap ones, which really tells me how well versed you're in the world of cybersecurity if you don't know the difference. 

 

And I don't believe you're grasping the concept of defense in depth.  What the hell is "vulnerability and hardening in the host is also defense in depth."

Link to comment
7 hours ago, DivideBy0 said:

 

But of course you had a rebuttal :) So that leaves my UnRaid vulnerable / flying blind at SSL mercy.  Enlighten me now what's the worse can and will happen with my UnRaid over SSL.  Keep the facts objective, quantitative and not what you read or what you heard :) I have no need to hear what could potentially happen. Hard facts strictly related to UnRaid which you claim is unsecure but have no data or evidence to offer. 

 

By the way Nessus will use the same scanning engines / plugins as the nmap ones, which really tells me how well versed you're in the world of cybersecurity if you don't know the difference. 

 

And I don't believe you're grasping the concept of defense in depth.  What the hell is "vulnerability and hardening in the host is also defense in depth."

 

I don't understand your arrogance, but you will learn something today xD

That is the problem, now one cares about your setup and no one is talking about your particular use case, if you don't have services hosted in Unraid exposed to internet of course reaching unraid will require the compromise of another asset in your network. But the problem is that there is many people exposing services hosted in Unraid to internet, and we have no assurance that the host is properly hardened and Unraid as a "company" is doing a propper vulnerability management, probably not because they never release patches with security updates, the release Unraid updates whenever they can and it comes with the patches of the last months, that means that Unraid has CVE for months not being patched.

 

So the evidence is clear and is a fact that vulnerability management is not done by Unraid, they don't release security updates out of the regular updates. Crystal clear.

Regading hardening, (configuration management), I doubt they are doing it, looking at the changes in the past but I don't have the proof, I havent scanned Unraid agasint DISA stig or CIS or any other hardeninig guide. Don't worry I will explaint you what is hardening in a second.

 

I have used Nmap and Nessus and qualys among others professionally for years, maybe is my fault because I was assuming that you have a basic knowledge about security and I didn't extend a lot my explanation. I was trying to be kind and explain in case you or others didn't know that for free you have a better option than nmap to scan the vulnerabilities in your environment, not only a unauthenticated network scan that is what nmap does. I know perfectly what Nessus is capable and its plugins Plugins | Tenable® not only for vulnerability management but for hardening.


 

Quote

 

And I don't believe you're grasping the concept of defense in depth.  What the hell is "vulnerability and hardening in the host is also defense in depth."

 

 

Arrogance and ignorance are bad partners. So you talk about defense in depth and you mention 2 network security controls, IPS/IDS and traffic encryption. This is the youtube level knowledge of defense in depth. So basically you have 2 security controls in one of the layers of defense in depth. Can you call it defense in depth? well innacurate but yeah... I didn't complain about it the first time you wrote it, but then you were so arrogant to say that you know what defense in depth is and I had no idea.

 

So where it is configuration and vulnerability management in defense in depth, they are in the host/device/compute layer.

And configuration management (hardening) involves many things but basically is ensure the secure configuration of the assets. for example you can follow the recomandation of DISA, or CIS or whatever you preffer

Complete STIG List (stigviewer.com)

Red Hat Enterprise Linux 8 Security Technical Implementation Guide (stigviewer.com)  Sadly there is nothing for slackware becuase is not used by almost anyone but most of the controls are valid among different distros. In any case you have the same for ubuntu, debian, suse...

image.png.000559ad24bebf6263c1b242609afa8d.png

image.png.a199fe36c7df5aee84f0aa873bd5ba7d.png

 

Bonus track, I'm sure you know how an IPS works, and that 90+% of the rules of the IPS are created to work with unencrypted traffic, so in order to have an effective IPS you need to do SSL offloading (traffic decryption) in you IPS, if not only a few basic rules will work and app detection based on SNI (which can be easily faked). The same happens with a WAF.

So if you want to use the IPS to be effective you have to deploy certs in unraid, dockers, vms, ideally deploying an internal PKI and configuring ssl offloading or traffic decryption in your FW (in case the IPS is there).

 

 

Link to comment

Hey folks, calm down.

I am sure, you all have your different views of "security". From "I dont care about it" to "my server is my castle".

We all are aware that UNRAID does not focus on security. If you want this, move to NetBSD or something (all Linux is crap when it comes to security and networking).

But if you can live with the risk, all ist fine.

 

And about "CVEs fixed fast", I get three CVE warnings for two weeks now already from my FreeBSD box. No patch yet.

FreeBSD-kernel-13.2_3 is vulnerable:
  FreeBSD -- msdosfs data disclosure
  CVE: CVE-2023-5368
  WWW: https://vuxml.FreeBSD.org/freebsd/fefcd340-624f-11ee-8e38-002590c1f29c.html

  FreeBSD -- copy_file_range insufficient capability rights check
  CVE: CVE-2023-5369
  WWW: https://vuxml.FreeBSD.org/freebsd/e261e71c-6250-11ee-8e38-002590c1f29c.html

  FreeBSD -- arm64 boot CPUs may lack speculative execution protections
  CVE: CVE-2023-5370
  WWW: https://vuxml.FreeBSD.org/freebsd/162a675b-6251-11ee-8e38-002590c1f29c.html

3 problem(s) in 1 installed package(s) found.
0 problem(s) in 0 installed package(s) found.

Checking for packages with security vulnerabilities:
Database fetched: Mi. 11 Okt. 2023 03:41:02 CEST
samba413-4.13.17_5
curl-8.1.2

Should I be concerned? Yeah!

Should I panic? NO!

Should I kick their lazy ~!@? NO (they would correctly tell me, I should fix them myself or wait until they have time for it. At least they are already aware of them)

 

So, make peace with UNRAID, if you feel too unsafe, move on.

 

Edited by MAM59
Link to comment
5 minutes ago, MAM59 said:

Hey folks, calm down.

I am sure, you all have your different views of "security". From "I dont care about it" to "my server is my castle".

We all are aware that UNRAID does not focus on security. If you want this, move to NetBSD or something (all Linux is crap when it comes to security and networking).

But if you can live with the risk, all ist fine.

 

And about "CVEs fixed fast", I get three CVE warnings for two weeks now already from my FreeBSD box. No patch yet.

Should I be concerned? Yeah!

Should I panic? NO!

Should I kick their lazy ~!@? NO (they would correctly tell me, I should fix them myself or wait until they have time for it. At least they are already aware of them)

 

So, make peace with UNRAID, if you feel too unsafe, move on.

 

well you can panic depending on how the CVEs can be exploited and where in your network is the FreeBSD.

Still the fact is that Unraid doesn't care at all about CVEs and that could be quite bad, maybe not too bad for people who knows how to harden their environments but for noobs, since Unraid is aiming mainly for this kind of customers.

I understand that doing this in slackware for them can be a lot of work but is a irresponsability from their side promote the use of unraid to install things like plex, home assistant, jellyfin immich, netxcloud, and you would want those probably publised to internet and don't care about the basics of keeping unraid patched. What happens if there is a vulnerability in any of these apps? with docker and the SO unpached... is a recepy for a disaster at some point.

 

I mean how many post do you see here and in reddit of people asking for help to publish someting hosted in unraid and they don't even know how to open the ports of their routers, or what are the implications of that.

 

 

Link to comment
15 minutes ago, L0rdRaiden said:

but is a irresponsability from their side promote the use of unraid to install things like plex, home assistant, jellyfin immich, netxcloud, and you would want those probably publised to internet and don't care about the basics of keeping unraid patched. What happens if there is a vulnerability in any of these apps? with docker and the SO unpached... is a recepy for a disaster at some point.

If there's a vuln in these apps they get access to their container and that's it. It would take a docker vuln to escape that, and you can be sure if there was one Unraid would get patched for that 

 

On 10/10/2023 at 9:18 AM, L0rdRaiden said:

Unraid devs have stated several times in the forums that Unraid is not intended to be used to publish services to internet.

No, they're saying that Unraid itself (GUI, SSH, FTP, SMB...) should not. Nothing to do with the containerized services.

Edited by Kilrah
Link to comment
8 minutes ago, Kilrah said:

If there's a vuln in these apps they get access to their container and that's it. It would take a docker vuln to escape that, and you can be sure if there was one Unraid would get patched for that 

 

No, they're saying that Unraid itself (GUI, SSH, FTP, SMB...) should not. Nothing to do with the containerized services.

 

That could be a little bit optimistic. Lets assume the normal setup of an average user. Lets use a pentester mindset.

 

Once you breach a container basically you have access to the whole network so I don't need to break docker to reach the host.

Once in the network I might have access to

  • Unraid GUI, SSH, FTP, SMB (remember when the default config of samba in unraid wan't secure a coupe of years ago? not because a CVE but due to config)
  • Other container services
  • Other physical devices in the network
  • Other VM's
  • Etc.

There are too many posibilities and some of them can be prevented having a OS properly maintained. 

 

The other problem is that there are ton of people that doesn't upgrade unraid because they are afraid of breaking things (which happens a lot)... this is why regular OS have LTS versions with security patches at least guaranted.

Link to comment

Leave out Dockers in this discussion. If users use them, its their own risk. Limetech cannot do much about broken or leaking docker.

But docker is currently a hype, and you cannot prevent it. You need to wait until it blows up an vanishes into thin air.

("Dockers are the way to go! Sadly the wrong one!").

 

(But I am complaining at a high level, for simplicity I also use dockers like crushftp and NPM, but I would sleep much better if these could also be installed without the evil docker stuff (I know they could, but it is very uncomfortable on UNRAID))

 

Link to comment
44 minutes ago, L0rdRaiden said:

well you can panic depending on how the CVEs can be exploited and where in your network is the FreeBSD.

I can assure you, they cannot harm anything here. You could check with nmap (but only once, my blocking policy is very strict, ONE Try, LIFETIME Ban...)

 

Link to comment

Sorry mate but you're a child. I would be scared to hire you in this filed even as an intern. That being said I disengage from your nonsense ranting.  I politely asked, show me the money and you  kept on ranting. Unless you have objective proof take the backseat and you may learn something. 

Edited by DivideBy0
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.