WHY is opening a router port to UnRaid "unsecure" - A gentlemens discussion

[jumperalex]

What is it that actually makes it so unsecure?  

 

I'm considering forwarding specific ports from my router to allow access to Plex and Crashplan which are then of course listening on specific ports and only those ports would be open.

 

The standard mantra on UnRaid is simply don't do it, if you have to ask you can't possibly do it right, ZOMG THE HAXORZ ARE EVERYWHERE!!!  I read through an epic thread where that was repeated over and over again yet no one really explained:

 

- Why is it any different than running these same applications on a full Linux distro? or Win7?  

- If I am willing to trust / risk Plex and Crashplan running on those operating systems what makes it so much more of a risk on UnRaid?

- Is UnRaid somehow more vulnerable once someone exploits a weakness in those services?  I mean assuming elevation, root is root and I'm screwed either way.

 

Or is it this all just a function of RISK = LIKELYHOOD x CONSEQUENCE and everyone considers the CONSEQUENCE (data loss) unacceptable given equivelent RISK?  Or is RISK really not equivalent?  

 

Then again, I used to keep all my data on Win7 and would not have thought twice about running Plex or Crashplan with an open port to the world (and people also do it now with torrents). So I reiterate: Why should I look at this differently now that the OS is UnRaid?

 

PS: this assumes suitably strong passwords ... mine happens to be >12 char using upper/lower/num/spec ...

[internetfriend]

I'm curious about this too, I'd like to have my Couchpotato, sickbeard and plex accessible from my phone but it sounds like its a bad idea even with strong passwords. is there a way to do some sort of SSH tunnel from the phone or will that not get around the problem?

[jumperalex]

a good question ... of course my question (or additional questions) are:

 

Aren't you still trusting / hoping that your ssh service doesn't get exploited? and that your password is strong enough?

 

Basically, any ssh, vpn, alien dna derived secure communication path is still just a service you trust not to be exploited and I am trying to figure out why this is now a bigger risk on unraid than it is on a Linux Distro or Win 7

 

 

[jumperalex]

As I was rereading your response, and rereading my response to you, it made me thinkg about Plex a little more.  I have not even tried to connect with my android yet but when I connected with my Roku I didn't remember there being any password.  So then I starting thinking about how it authenticates outside users, like say my android over 3g.

 

A little google later and I found this very informative thread: http://forums.plexapp.com/index.php/topic/34508-v9-myplex-and-security-concern/page__p__220095__hl__security__fromsearch__1#entry220095

 

Highlites: you have to connect first via myPlex which then gives your client a token which is passed to Plex Media Server.  Without that token you get a login screen which you can't even really log into.

 

So for plex, the haxor has to steal your token, and even then they only get access to your media, and/or they have to exploit Plex Server to get deeper into UnRaid via elevation or <hacking mechanism I'm not smart enough to know>.

 

But the point is, there IS a "password" to access Plex from the intertubes even without SSH or VPN.  All you get with SSH is encrypted data stream (I don't need that) and another password layer.  And another service to expand your attack surface area.

[kizer]

My thought on allowing my unRAID server access to the freeworld is simple.

 

For every window (port) you open you are allowing others to peak through and hoping the Screen is strong enough for them not to push through.

 

With that in mind. I honestly do not run anything on my machine like Couchpotato, sickbeard, Transmission or any other service that lets others connect to me or is initialized from my machine. I have a low powered windows machine sitting in my office that I paid 400bucks for with simple anti-virus software on it and it connects to my unRAID machine using a few scripts. If anybody was to hack anything they could do their best to it and I would simply re-image it and it would be back up and running. If I feel my data might be at risk I simply turn off my windows machine and its off the network with no impact to my unRAID machine what so ever. Heck I don't even use User Shares to write to my array. Simply some scripts I put together that use Disk Shares.

 

Am I parinoid? Honestly no, but my data is very important to me and to dangle that carrot out there somebody some day might take a bite. In my older days I had a Linux machine sitting out there and the logs would be hundreds of lines long with people attempting to get in from all over the world. Is it really worth the risk just to be able to connect to your machine with subsonic or something of the sort from outside when there are other things you do? I would stick with Wifi and keep your machine off the internet.

[jumperalex]

But ... Once your windows machine is hacked, before you notice it, they have full access to anything it can access, like your UnRaid machine disk shares.  Sounds to me like you are at greater risk because you are likely surfing the web with your windows machine and that is surely a huge attack surface.

 

But I'm not 100% confident in my statement and that is why I want to know WHY ... not just hear more "it isn't safe don't do it".  Because any machine with access to the internet (or a thumbdrive you stick into it) is at risk and once they are inside your network they can access anything on your network.

 

Again, what makes it less safe to run something like Plex or Sickbeard on my unraid machine than it does on my Windows machine? 

 

Wifi doesn't help me access unraid via my phone when out of the house.  Not sure what you mean by this, it has no impact at all on my situation.

[Johnm]

Like Kizer,

 

I also have a windows frontend box that sits there (now a virtual machine, but it used to be a physical cheap $250 atom box).

 

I run nothing on my unraid other then unraid. it is to me a storage server.

I am sure that kizer like myself, do not use that windows head for any other tasks other then what it is.. no web surfing or games. Like him, i do not have any mapped drives. just scripts that use read only unc paths with a user id with no right.

 

For remote access to my files, I have a VPN portal that takes me to a secure windows box (sounds like an oxymoron) that then can then pluck read only copies of what I want from my network or watch what movies  I want in over the internet. I am still a leming hoping that symantec corporate edition and malwarebytes pro will tell me if it is compromised. If that box does get hijacked, it has no actual rights on my network. I'll just reload it from a ghost image and change the passwords (that do change every 2 months). it is disposable.

 

Like kizer, my logs are filled with script kiddies banging on my boxes trying to get in.

You should see my FTP server logs and auto ban list. While i have no government secrets or illegal stuff on my servers.. people see a box and want in.

 

while i did not answer your question and I am also not overly paranoid, I just know there are safer ways to do what you want and  keep your data mostly safe.

 

I do recall reading enabling ssh opens back doors.

[jumperalex]

Yeah see I call your setup paranoid   Seriously though ...

 

You say they aren't mapped on your clients, but they are still shared from UnRAID correct?  That means a network scan might find them.  The only thing helping you is that they are read only.  But your UnRaid management console is still available, so if someone gets into a box on your network they can try to scan for anything responding on your internal IP (not hard to poll 10.0.0.[1:255]) and then see if they can hack into your unraid.

 

So we still have the problem that if a box on our network getting hacked, which ever box it is, means unRAID is at risk.

 

The network, and other boxen on the network, are only as secure as the weakest link and I want to know WHY unraid+plex/crashplan/transmission is considered less secure than Win7+plex/crashplan/transmission.

 

SSH: but see that is no different than SSH being open on any other machine on the network.  Unless you are telling me that UnRAID+SSH is less secure than Slackware+SSH or Windows+SSH

 

EDITORIAL: Let me add here that from my perspective at least, and I believe many others, in the Risk = Likelyhood x Consequence calculation, only a small portion of my data is irreplacable and that data is backed up off-line for exactly all the reasons I state about weakest link.  So that means for me, the consequence is that I lose media.  Media that is either a torrent or a personal rip.  Media that might be annoying to have deleted, but really is not THAT critical.  Thus my risk calculation is not dominated by Consequence any more than it is Likelyhood.  It sounds like, for you and Kizer, that the consequences of you losing data from UnRAID might be much higher than mine, and might be why we have different perceptions of Risk.

[kizer]

jumperalex,

 

Don't get me wrong. I'm not perfect and I do things that I shouldn't do eithere. I was just pointing out that every system has its weakness and my setup is just my setup. It works for me and I guess I sleep at night knowing that its ok in my mind. LOL . I've done the dangle the Linux machine on the wire a few times to watch others try to hack it to pieces because it was an adventure for them.

 

Is my solution the best? Probably not. The reason my shares are not writeable is simply to keep script kiddies and common viruses from using mapped drives and blowing my machine apart.

 

Am I saying you should not dangle your system at there for trusted appications? In my opinion NO, but at the sametime everybody built their systems for different reasons and like myself we use them differently. You are right I don't have all my vital data backed up else where, but I'm more or less working on a Plan B and hopefully some day I'll get off my lazy horse and take care of that. LOL

 

unRAID right out of the box is not the most secure setup. FTP enabled, Telnet enabled and various other little things that should be wrapped up before its hung out there in the public.

[queeg]

I hope this doesn't sound over the top but there are *bad* people and programs that are constantly searching for open ports and will pound on them.  If your server has any weakness on the port - it will be discovered and exploited.  It's that simple.  

 

Using obscure port numbers can help a bit.  But you better use good passwords and monitor the port activity every so often, like looking at the router logs, to see if it's being actively probed.  

Place any externally facing machines on the routers DMZ network and only open ports from it to your inner lan that you absolutely need.  That way, if the outer machine gets hacked, they can't use it as a platform to get to all your machines on the inner lan.

[jumperalex]

I was just pointing out that every system has its weakness and my setup is just my setup. It works for me and I guess I sleep at night knowing that its ok in my mind. LOL . I've done the dangle the Linux machine on the wire a few times to watch others try to hack it to pieces because it was an adventure for them.

 

Yeah I hear that.  I guess I'm just still not clear (and really I'm not playing devils advocate) how UnRaid is any less secure than any other box I might open a port too.  Which, I think, is different than "dangle"ing a linux machine to see who tries to pown it.

 

That is really the crux of my question: Why should I be more scared about running Plex or Crashplan on UnRAID vs Linux Distro X or Windows or MacOS.  A port on my router is open regardless (just routing to a different machine) and I either trust those services to be secure or I do not.  Once they are in they are in and my network and data is at risk regardless of the machine they hack in on.

 

Is my solution the best? Probably not. The reason my shares are not writeable is simply to keep script kiddies and common viruses from using mapped drives and blowing my machine apart.

 

A VERY reasonable approach for sure.  Not just script kiddies, but network guests, spouses and childrens  

 

But once they ARE in on another machine, what is stopping them from scanning your network for the UnRAID management console, ftp, telnet, ssh (to reference what you mention below).  Those are as much at risk from a hacker on your network as they are from without. 

 

Though I will admit, it is another layer at least to have to hack one machine and then the other.  Just not sure if it is enough to matter to someone able and willing to get that far in the first place.

 

unRAID right out of the box is not the most secure setup. FTP enabled, Telnet enabled and various other little things that should be wrapped up before its hung out there in the public.

 

Ok again, fair, but of course I am not forwarding my router to those ports, only to the Plex and Crashplan ports.  Also I might just go ahead and shut FTP and telnet down.  Maybe even SSH if I'm really worried, but again, ssh is on a port that my router is not going to forward to.  But still, how are those any less secure on UnRAID than they are on another OS??

[jumperalex]

I hope this doesn't sound over the top but there are *bad* people and programs that are constantly searching for open ports and will pound on them.  If your server has any weakness on the port - it will be discovered and exploited.  It's that simple.  

 

Using obscure port numbers can help a bit.  But you better use good passwords and monitor the port activity every so often, like looking at the router logs, to see if it's being actively probed.  

Place any externally facing machines on the routers DMZ network and only open ports from it to your inner lan that you absolutely need.  That way, if the outer machine gets hacked, they can't use it as a platform to get to all your machines on the inner lan.

 

You are absolutely right, and I know I sound like a broken record, but why is it less secure on UnRAID than on my Widows box?  I'm sure one answer is, "well you shouldn't be opening a port for Plex or Crashplan no matter what." But we know darn well people are doing it, especially for torrent clients, and at least so far I don't hear about mass hacks of people's machines via those applications.  Though would I?? [shrug]

 

As for hammering my router: how will they know it is open if they don't get a ping response?  I suppose if they happen to send a Plex or Crashplan request then my service will respond, but I mean at some point I have to ask, "why not just sleep in my bunker wrapped in a bubble?"  ;-)

 

Seriously though, that is good food for thought.  I hear what you are saying about the DMZ.

 

But my basic question still remains unanswered.  Or I'm simply too stubborn / ignorant to understand the answer.  I really am willing to accept that, but so far I think I've understood what has been said.

 

EDIT: rereading ... as to the DMZ ... but if I open a port between the DMZ and my LAN. and they own the machine in the DMZ, what stops them from using the ports I forward into my LAN just the same?  I thought the point of the DMZ is to put something out there that has NO connection to your internal LAN?

[kizer]

I wouldn't say its less secure than windows. LOL I don't think anything is less secure than windows in nature. Of course they are making windows more and more secure since the addition to that annoying popup do you wish to allow connections thing.

 

Does Plex and CrashPlan require port forwarding from the router?

[jumperalex]

For plex, it is listening on a given port so that your client (smartphone, laptop, whatever) can talk to it, authenticate, ask for a stream, and then receive it.  In their instructions they discuss needing to forward a port from your router to your Plex Media Server.

 

Basically, the same applies for Crashplan if you want to allow a friend to use your machine as a backup location.  Usually with a reciprocal agreement.

 

Ok so, given your first statement, and really and truly this is coming from a place of ignorance looking to be educated: *IF* a person were willing to open a port into their network for Plex or Crashplan or Transmission ... what reasons are there to not put it on UnRAID vs any other machine on my network? 

 

Is it just worse to be the first machine in the chain so let's not make it UnRAID? 

 

But what if my Windows PC is actually the machine I'm more worried about because it is what I use to Bank, store irreplaceable / sensative files (which are backed up with encryption to UnRaid), write my emails, etc.  I suppose that is the other part of this equation and why it is different for each person: my UnRaid box is actually the machine on my system I'm least worried about being compromised in a hack attack.

[adammerkley]

My unRAID box has no ports open to the Internet.  CouchPotato, Sickbeard, SAB etc are all running on my MacPro.  I had been toying with the idea of moving those over to unRAID, but this thread has me thinking twice about that.

[queeg]

Ok, I see that your question is more about what machine should have open ports to them.  That's a little bit different an issue.

 

So, what ports/protocols are safer than others to open up is a reasonable topic.  Opening up ftp services versus telnet access versus plex and so on.

I'd answer that in a couple of layers. First, my outward facing machine is seriously locked down and only specific ports are opened.  There are what I consider to be secure applications listening to the ports and the protocols are enforced by them which allows controlled access to my outside machine. 

That's pretty locked down and I never have a problem with that.  No one could break into my machine via crashplan ports or something like that.

 

Then I also want remote access to my machines for admin purposes.  So I open obscure ports for remote access.  I make it hard for hackers to discover what the ports are and further what protocols are needed to get in.  Generally, I have remote access to my DMZ machine and in that one I have remote access to my lan machines.  It takes quite a bit of specific knowlege about my setup to even know how to get to the DMZ machine and even more to make it to my inner lan.  You can lock down linux, windows or mac to a sufficient level to do this.

 

So I believe you can open a plex port to your unRAID box - just do it smart.  But I always am afraid of being loose with advice because some readers (for various reasons) will interpret this to mean it's safe to have ftp or telnet or whatever. 

[jumperalex]

hahah if THIS thread is making you think twice about it, then don't go reading some other threads out there, they are straight doom and gloom fire and brimstone

[jumperalex]

Ok, I see that your question is more about what machine should have open ports to them.  That's a little bit different an issue.

 

I suppose that is a natural next step to my question ... if not Unraid then what else ... but also, as someone who wants to understand, why not Unraid.

 

 

So I believe you can open a plex port to your unRAID box - just do it smart.  But I always am afraid of being loose with advice because some readers (for various reasons) will interpret this to mean it's safe to have ftp or telnet or whatever. 

 

And of course the "just do it smart" is the trick.  I see think I understand what youre describing for your setup.  Except for going with a DMZ, that is pretty much what i had in mind.  But once I had that plan in my head, I was left to wonder, well if I take all those steps, why would doing it on one OS be any worse than another. 

 

That was my real sticking point I guess because I jsut didn't hear people scream ZOMG DON"T OPEN PORTS TO YOUR WINDOWS MACHINE.  Though I sure did always hear that having an ftp server up was dangerous, as was telenet, and for the love of puppies don't expose a windows share to the web!!!

 

I hear ya on the advice thing.  That is why i was trying to limit my questions to just seeking an understanding of the landscape so I could make an informed decision.  The mechanics after that, well that is why I use google like it is my bitch, annoy my buddy who knows way more about networking than I do who (uses unraid as well) with endless questions, and whom is trolling this thread.  I'm paying him back by walking him through a 4.7 to 5b14 upgrade and Plex install >;-)  Which really just means I save him the time searching the boards to figure it out on his own the lazy git.

 

Now of course, that is one man's opinion by queeg (and thank you for it) ... anyone else wanna chime in?

[arcane]

I do have sabnzbd, couchpotato and sickbeard running on my unraid box.  However, now this thread has given me some pause about whether that's safe.  I don't think I explicitly opened any ports on unraid, but where and what should I be looking for to see if it's being probed?  Is that logged somewhere (I don't see anything in the syslog)?  Would having good firewalls rules on the router and/or unraid help?  One thing that I really liked about unraid was that I got offload those programs from my main system so I wouldn't have to keep it on for processing.

 

Thanks and great thread!

[kizer]

From memory I belive the old security log was

/var/log/security

 

However I don't see that in unRAID. Then again between switching from Redhat->Slackware->Redhat->->Slackware->FreeBSD->Slackware I seem to often forget a few things now and then. LOL

[adammerkley]

I don't think I explicitly opened any ports on unraid, but where and what should I be looking for to see if it's being probed?

 

If you go to grc.com and run Shield's Up, you can scan all of your IP's service ports, and see which ones are coming up as replying (ie open).

[arcane]

From memory I belive the old security log was

/var/log/security

 

However I don't see that in unRAID. Then again between switching from Redhat->Slackware->Redhat->->Slackware->FreeBSD->Slackware I seem to often forget a few things now and then. LOL

 

Yah, I tried grep -ir failed (accepted, etc.) /var/log/* but didn't come up with anything useful.

 

 

If you go to grc.com and run Shield's Up, you can scan all of your IP's service ports, and see which ones are coming up as replying (ie open).

 

Would that yield any useful information concerning the unraid box?  Since both the computer and server are behind a router with private IPs, how would that check the server for probing attempts?  And if my main PC is off, are others still potentially able to access unraid?

[Johnm]

one thing I would be concerned about.

please forgive my ignorance of *nix environments. I could be wrong about this...

 

That once an exploit is found in a certain kernel that can be exploited from the web, with a true flavor of that *NIX (slackware in this case) you can usually upgrade to the newer kernel or application with improved security to that exploit. 

 

because unRAID is only updated once in a great moon going months sometimes (look at the age of 4.7 ATM). That known exploit stays open for attack for that entire duration until the next update. If it is even patched at all in the update. the older the exploit, the more script kiddies try it to hijack the box.

 

The more apps and ports you add to box or open and expose to the web, the higher this chance of a vulnerability goes.

[squirrellydw]

 

 

 

If you go to grc.com and run Shield's Up, you can scan all of your IP's service ports, and see which ones are coming up as replying (ie open).

 

Would that yield any useful information concerning the unraid box?  Since both the computer and server are behind a router with private IPs, how would that check the server for probing attempts?  And if my main PC is off, are others still potentially able to access unraid?

 

I would like to know this to, anyone know?

[jumperalex]

from the console run "nestat -tulp" to see what ports are open and listening.