Best Security Practices, What Plugins/Dockers to use, External devices.


ved

Recommended Posts

Hello, I am looking to harden the security on my Unraid machine and I need some kind of guidance on how to do it.

I will start by describing how my Unraid machine is configured: I use NPM for SSL and domain redirection, and the domain is local only. For remote access I use Tailscale. Every Docker container that has a login page I use with strong passwords.

But honestly the security feels thin. I am kind of protected from outside attacks because I access it only by VPN, but I also use some IoT devices inside the network that for sure have crap security.

Related to Unraid, what can I do to have better security? Different users for each Docker container, if that's possible? Certain Docker programs like fail2ban, Authelia etc. (please recommend some if there are others)? Other stuff?

Related to the network itself, I think I should implement VLANs for the IoT devices and different Wi-Fi networks linked to those VLANs, and a dedicated firewall machine like OPNsense/pfSense with geoblocking rules and only approved devices allowed to use the server? For the network router I use MikroTik.

Sorry if the post is kinda chaotic.


I am no security expert; however, I only have one port forwarded on my router, and the port points to SWAG proxy manager. Then I am using Cloudflare DNS with proxy enabled for all my subdomains. Cloudflare is nice IMO because you can block and allow access to specific parts of the world. For me, Cloudflare is configured to only allow connections from within the United States; all others will be blocked. Also it allows you to block connections to specific URLs: I have /admin blocked (used by Vaultwarden) so that it can only be managed locally. The rules you can configure with Cloudflare are almost limitless. It's obviously not an all-in-one solution to security, but it does its share of work.

Edited by McWhizky
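As an added example (not posted by anyone in the thread): the same "/admin reachable only locally" restriction McWhizky applies at Cloudflare, implemented instead at the reverse proxy, since the original poster runs NPM. NPM lets you paste custom nginx directives into a proxy host's Advanced tab; the LAN subnet below is an assumption, and $forward_scheme/$server/$port are the variables NPM's generated config sets for that host.

```nginx
# Added example for the "Advanced" custom config of the Vaultwarden proxy
# host in Nginx Proxy Manager. Only the listed source ranges may reach
# /admin; every other client gets a 403 before the request is proxied.
location /admin {
    # Assumed LAN subnet; replace with your own.
    allow 192.168.1.0/24;
    # Tailscale hands out client addresses from the 100.64.0.0/10 range,
    # so the admin page stays reachable over the VPN as well.
    allow 100.64.0.0/10;
    deny all;

    # Same upstream and forwarding headers as the proxy host's "/" location
    # (proxy.conf is NPM's own include with the usual proxy_set_header lines).
    include conf.d/include/proxy.conf;
    proxy_pass $forward_scheme://$server:$port;
}
```

If the same host is ever put behind Cloudflare's proxy, nginx sees Cloudflare's edge address rather than the visitor's, so this allow list only works once the real_ip module is configured from CF-Connecting-IP; for a LAN-only domain like the original poster's it applies as shown.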
On 2/9/2024 at 10:49 AM, ved said:

But honestly the security feels thin. I am kind of protected from outside attacks because I access it only by VPN, but I also use some IoT devices inside the network that for sure have crap security.

I totally feel you. Hope this will get some good answers on the Unraid side; I would be interested myself.

However, as far as the IoT devices are concerned, did you think about assigning them to their own Wi-Fi network which has client isolation and only (NAT) outside access (kind of like a DMZ)?


My best security practice is: don't expose anything directly to the internet, and use a VPN to access any services instead.

If you trust only people you know on your internal network and use 2FA where possible, I'd say you've minimized 99% of the risk.

Unraid is an OS mostly aimed at storage ease of use rather than security, so there's only so much you can do on the OS itself.

Network-wise you can do a lot more, such as separating insecure devices onto their own VLANs and setting up separation via firewalling.

But honestly, it always depends on your use case and how much of a target you consider yourself, plus the possible vectors of attack.

 

And if you're concerned about all that, you're probably better off setting up a more secure VM with your services on top of your Unraid.

There are Linux distributions that offer more fine-grained control of access and users compared to running services from your data server.

 

Personally, I only run services on Unraid which strictly require access to the data I'm storing on my Unraid system itself.

For the rest of my services I'm using VMs which are set up with more fine-grained controls, regular security updates, etc.

 

Edited by Rysz